web: Flesh out module driven tag names.

# What

Extracts and normalizes the *massive* switch/case statement into a table, eliminating as much repetition as possible. Where the server-side stage token and the client-side component have the same tag, only one is required. There were three different patterns for prop definitions, and those have been regularized into an expression with a compile-time type check, and the most common one can be omitted from the stage definition table.

# Why

1.  Because it’s hella cleaner. Stages are clear and easy to spot in the table (especially when it’s alphabetically ordered, OMG). Stages that disagree in name with their components, stages that take props different from the “standard” set, and stages that need `import` statements, are all easy to identify.
2.  Because identifying what we *do* with our web components is critical to their success, and to the success of the styling system the authentik web team envisions. FlowExecutor provides selection and execution of stages, but it also provides the inspector, the locale selector, headers, footers, customizations, and branding. Clearing away clutter to make that easier to see makes future refactoring for compatibility mode and dark theme handling much easier.

.cargo/config.toml

@@ -1,5 +0,0 @@
-[alias]
-t = ["nextest", "run", "--workspace"]
-
-[build]
-rustflags = ["--cfg", "tokio_unstable"]

.cargo/deny.toml

@@ -1,47 +0,0 @@
-[licenses]
-allow = [
-  "Apache-2.0 WITH LLVM-exception",
-  "Apache-2.0",
-  "BSD-3-Clause",
-  "CC0-1.0",
-  "CDLA-Permissive-2.0",
-  "ISC",
-  "MIT",
-  "MPL-2.0",
-  "OpenSSL",
-  "Unicode-3.0",
-  "Zlib",
-]
-
-[licenses.private]
-ignore = true
-
-[bans]
-multiple-versions = "allow"
-wildcards = "deny"
-[bans.workspace-dependencies]
-duplicates = "deny"
-include-path-dependencies = true
-unused = "deny"
-
-# No non-FIPS compliant dependencies
-[[bans.deny]]
-name = "native-tls"
-[[bans.deny]]
-name = "openssl"
-[[bans.deny]]
-name = "openssl-sys"
-[[bans.deny]]
-name = "ring"
-[[bans.features]]
-allow = [
-  "alloc",
-  "aws-lc-sys",
-  "default",
-  "fips",
-  "prebuilt-nasm",
-  "ring-io",
-  "ring-sig-verify",
-]
-name = "aws-lc-rs"
-exact = true

.cargo/rustfmt.toml

@@ -1,15 +0,0 @@
-comment_width = 100
-format_code_in_doc_comments = true
-format_strings = true
-group_imports = "StdExternalCrate"
-hex_literal_case = "Lower"
-imports_granularity = "Crate"
-max_width = 100
-newline_style = "Unix"
-normalize_comments = true
-normalize_doc_attributes = true
-reorder_impl_items = true
-style_edition = "2024"
-use_field_init_shorthand = true
-use_try_shorthand = true
-wrap_comments = true

.dockerignore

@@ -9,5 +9,7 @@ build_docs/**
 **/*Dockerfile
 blueprints/local
 .git
+!gen-ts-api/node_modules
+!gen-ts-api/dist/**
+!gen-go-api/
 .venv
-target

.gitattributes

@@ -1,9 +0,0 @@
-packages/client-*/** linguist-generated
-web/packages/lex/* linguist-vendored
-web/packages/node-domexception/* linguist-vendored
-web/packages/formdata-polyfill/* linguist-vendored
-web/packages/sfe/vendored/* linguist-vendored
-website/vendored/* linguist-vendored
-website/docs/** linguist-documentation
-website/integrations/** linguist-documentation
-website/api/** linguist-documentation

.github/actions/cherry-pick/action.yml

@@ -115,13 +115,20 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
-        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
-        REASON: ${{ steps.should_run.outputs.reason }}
       run: |
         set -e -o pipefail
+        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
+
+        # Get PR details
+        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
+        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
+        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
+
+        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
+        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
 
         # Determine which labels to process
-        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
+        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
           # Only process the specific label that was just added
           if [ "${{ github.event_name }}" = "issues" ]; then
             LABEL_NAME="${{ github.event.label.name }}"
@@ -145,13 +152,13 @@ runs:
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
-        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE: ${{ github.event.pull_request.title }}
-        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-        LABELS: '${{ steps.pr_details.outputs.labels }}'
       run: |
         set -e -o pipefail
+        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
+        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
+        LABELS='${{ steps.pr_details.outputs.labels }}'
 
         echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
         echo "Found backport labels: $LABELS"

.github/actions/docker-push-variables/action.yml

@@ -54,6 +54,10 @@ outputs:
 runs:
   using: "composite"
   steps:
+    - name: Setup authentik env
+      uses: ./.github/actions/setup
+      with:
+        dependencies: "python"
     - name: Generate config
       id: ev
       shell: bash
@@ -64,4 +68,4 @@ runs:
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         REF: ${{ github.ref }}
       run: |
-        python3 ${{ github.action_path }}/push_vars.py
+        uv run python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,19 +2,10 @@
 
 import os
 from json import dumps
-from pathlib import Path
 from sys import exit as sysexit
 from time import time
-from typing import Any
 
-
-def authentik_version() -> str:
-    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
-    with open(init) as f:
-        content = f.read()
-    locals: dict[str, Any] = {}
-    exec(content, None, locals)  # nosec
-    return str(locals["VERSION"])
+from authentik import authentik_version
 
 
 def must_or_fail(input: str | None, error: str) -> str:
@@ -106,7 +97,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args_str = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -119,4 +109,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args_str}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)

.github/actions/setup/action.yml

@@ -4,95 +4,49 @@ description: "Setup authentik testing environment"
 inputs:
   dependencies:
     description: "List of dependencies to setup"
-    default: "system,python,rust,node,go,runtime"
+    default: "system,python,node,go,runtime"
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
-  working-directory:
-    description: |
-      Optional working directory if this repo isn't in the root of the actions workspace.
-      When set, needs to contain a trailing slash
-    default: ""
 
 runs:
   using: "composite"
   steps:
-    - name: Cleanup apt
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
-      shell: bash
-      run: sudo apt-get remove --purge man-db
-    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
-      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
-      with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        update: true
-        upgrade: false
-        install-recommends: false
-    - name: Make space on disk
+    - name: Install apt deps & cleanup
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       shell: bash
       run: |
-        sudo mkdir -p /tmp/empty/
-        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
+        sudo apt-get remove --purge man-db
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v5
+      uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
       with:
-        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
+        python-version-file: "pyproject.toml"
     - name: Install Python deps
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: uv sync --all-extras --dev --locked
-    - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
-      with:
-        rustflags: ""
-    - name: Setup rust (nightly)
-      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
-      with:
-        toolchain: nightly
-        components: rustfmt
-        rustflags: ""
-    - name: Setup rust dependencies
-      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
-      with:
-        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (web)
+      run: uv sync --all-extras --dev --frozen
+    - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
       with:
-        node-version-file: "${{ inputs.working-directory }}web/package.json"
+        node-version-file: web/package.json
         cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Setup node (root)
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: "${{ inputs.working-directory }}package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Install Node deps
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: npm ci
+        cache-dependency-path: web/package-lock.json
+        registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
       with:
-        go-version-file: "${{ inputs.working-directory }}go.mod"
+        go-version-file: "go.mod"
     - name: Setup docker cache
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -101,15 +55,13 @@ runs:
     - name: Setup dependencies
       if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
-      working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/compose.yml up -d --wait
-        cd web && npm ci
+        docker compose -f .github/actions/setup/compose.yml up -d
+        cd web && npm i
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}
-      working-directory: ${{ inputs.working-directory }}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/setup/compose.yml

@@ -2,20 +2,14 @@ services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
-      - db-data:/var/lib/postgresql
+      - db-data:/var/lib/postgresql/data
     command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
       POSTGRES_DB: authentik
-      PGDATA: /var/lib/postgresql/data/pgdata
     ports:
       - 5432:5432
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} -h 127.0.0.1"]
-      interval: 1s
-      timeout: 5s
-      retries: 60
     restart: always
   s3:
     container_name: s3

.github/actions/test-results/action.yml

@@ -2,22 +2,18 @@ name: "Process test results"
 description: Convert test results to JUnit, add them to GitHub Actions and codecov
 
 inputs:
-  files:
-    description: Comma-separated explicit list of files to upload
   flags:
     description: Codecov flags
 
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
       with:
-        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
       with:
-        files: ${{ inputs.files }}
         flags: ${{ inputs.flags }}
         use_oidc: true
         report_type: test_results

.github/codecov.yml

@@ -8,6 +8,3 @@ coverage:
         threshold: 1%
 comment:
   after_n_builds: 3
-ignore:
-  - packages/client-rust
-  - packages/client-ts

.github/codespell-dictionary.txt

@@ -0,0 +1 @@
+authentic->authentik

.github/codespell-words.txt

@@ -0,0 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
+keypair
+keypairs
+kubernetes
+oidc
+ontext
+openid
+passwordless
+plex
+saml
+scim
+singed
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn

.github/dependabot.yml

@@ -20,8 +20,6 @@ updates:
       prefix: "ci:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion
 
@@ -37,56 +35,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "golang.org/x/crypto"
-        - "golang.org/x/net"
-        - "github.com/golang-jwt/jwt/*"
-        - "github.com/coreos/go-oidc/*"
-        - "github.com/go-ldap/ldap/*"
-
-  #endregion
-
-  #region Rust
-
-  - package-ecosystem: cargo
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - aws-lc-fips-sys
-        - aws-lc-rs
-        - aws-lc-sys
-        - rustls
-        - rustls-pki-types
-        - rustls-platform-verifier
-        - rustls-webpki
-
-  - package-ecosystem: rust-toolchain
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion
 
@@ -105,10 +53,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -172,10 +116,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "core, web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       sentry:
         patterns:
@@ -234,10 +174,6 @@ updates:
       prefix: "website:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
     groups:
       docusaurus:
         patterns:
@@ -276,10 +212,6 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
 
   #endregion
 
@@ -295,18 +227,6 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "django"
-        - "cryptography"
-        - "pyjwt"
-        - "xmlsec"
-        - "lxml"
-        - "psycopg"
-        - "pyopenssl"
 
   #endregion
 
@@ -314,7 +234,7 @@ updates:
 
   - package-ecosystem: docker
     directories:
-      - /lifecycle/container
+      - /
       - /website
     schedule:
       interval: daily
@@ -324,14 +244,10 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
   - package-ecosystem: docker-compose
     directories:
-      - /packages/client-go
-      - /packages/client-rust
-      - /packages/client-ts
       # - /scripts # Maybe
+      - /scripts/api
       - /tests/e2e
     schedule:
       interval: daily
@@ -341,7 +257,5 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-    cooldown:
-      default-days: 3
 
   #endregion

.github/pull_request_template.md

@@ -26,7 +26,7 @@ REPLACE ME
 
 If an API change has been made
 
--   [ ] The API schema and clients have been updated (`make gen`)
+-   [ ] The API schema has been updated (`make gen-build`)
 
 If changes to the frontend have been made
 

.github/workflows/_reusable-docker-build-single.yml

@@ -43,8 +43,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,19 +56,31 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: "go.mod"
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
       - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           context: .
@@ -83,7 +95,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -79,25 +79,25 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@fa55f72001a6c74b0f4997dca65c70d334905180 # v2
+      - uses: int128/docker-manifest-create-action@a39573caa37b6a8a03302d43b57c3f48635096e2 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -0,0 +1,66 @@
+---
+name: API - Publish Typescript client
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "schema.yml"
+  workflow_dispatch:
+
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: generate_token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        with:
+          node-version-file: web/package.json
+          registry-url: "https://registry.npmjs.org"
+      - name: Generate API Client
+        run: make gen-client-ts
+      - name: Publish package
+        working-directory: gen-ts-api/
+        run: |
+          npm i
+          npm publish --tag generated
+      - name: Upgrade /web
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        id: cpr
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: update-web-api-client
+          commit-message: "web: bump API Client version"
+          title: "web: bump API Client version"
+          body: "web: bump API Client version"
+          delete-branch: true
+          signoff: true
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          merge-method: squash

.github/workflows/ci-api-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
         with:
           name: api-docs
           path: website/api/build
@@ -67,11 +67,11 @@ jobs:
       - build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"

.github/workflows/ci-docs.yml

@@ -36,7 +36,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -53,7 +53,7 @@ jobs:
       NODE_ENV: production
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -77,9 +77,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -89,14 +89,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -105,7 +105,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main-daily.yml

@@ -6,10 +6,6 @@ on:
   schedule:
     # Every night at 3am
     - cron: "0 3 * * *"
-  pull_request:
-    paths:
-      # Needs to refer to itself
-      - .github/workflows/ci-main-daily.yml
 
 jobs:
   test-container:
@@ -19,20 +15,14 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-12
-          - version-2026-2
+          - version-2025-4
+          - version-2025-2
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - run: |
-          set -euo pipefail
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"
-          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
-          compose_path="compose.yml"
-          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
-            compose_path="docker-compose.yml"
-          fi
-          mkdir -p "${dir}/lifecycle/container"
-          cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
-          "${current}/scripts/test_docker.sh"
+          mkdir -p $dir
+          cd $dir
+          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
+          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -28,52 +28,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        include:
-          - job: bandit
-            deps: python
-          - job: black
-            deps: python
-          - job: spellcheck
-            deps: node
-          - job: pending-migrations
-            deps: python,runtime
-          - job: ruff
-            deps: python
-          - job: mypy
-            deps: python
-          - job: cargo-deny
-            deps: rust
-          - job: cargo-machete
-            deps: rust
-          - job: clippy
-            deps: rust
-          - job: rustfmt
-            deps: rust-nightly
+        job:
+          - bandit
+          - black
+          - codespell
+          - pending-migrations
+          - ruff
+          - mypy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: ${{ matrix.deps }}
       - name: run job
-        run: make ci-lint-${{ matrix.job }}
-  test-gen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
-      - name: generate schema
-        run: make migrate gen-build
-      - name: generate API clients
-        run: make gen-clients
-      - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
+        run: uv run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -127,10 +95,7 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: |
-          docker ps
-          docker logs setup-postgresql-1
-          uv run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -195,11 +160,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
-          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
@@ -215,60 +179,47 @@ jobs:
         job:
           - name: proxy
             glob: tests/e2e/test_provider_proxy*
-            profiles: selenium
           - name: oauth
             glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-            profiles: selenium
           - name: oauth-oidc
             glob: tests/e2e/test_provider_oidc*
-            profiles: selenium
           - name: saml
             glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-            profiles: selenium
           - name: ldap
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: rac
-            glob: tests/e2e/test_provider_rac*
-            profiles: selenium
           - name: ws-fed
             glob: tests/e2e/test_provider_ws_fed*
-            profiles: selenium
           - name: radius
             glob: tests/e2e/test_provider_radius*
           - name: scim
             glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
-            profiles: selenium
           - name: endpoints
             glob: tests/e2e/test_endpoints_*
-            profiles: selenium
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Setup e2e env
-        env:
-          COMPOSE_PROFILES: ${{ matrix.job.profiles }}
+      - name: Setup e2e env (chrome, etc)
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
-        if: contains(matrix.job.profiles, 'selenium')
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
+        if: steps.cache-web.outputs.cache-hit != 'true'
         working-directory: web
         run: |
           npm ci
+          make -C .. gen-client-ts
           npm run build
           npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
@@ -282,32 +233,22 @@ jobs:
       fail-fast: false
       matrix:
         job:
-          - name: oidc_basic
-            glob: tests/openid_conformance/test_oidc_basic.py
-          - name: oidc_implicit
-            glob: tests/openid_conformance/test_oidc_implicit.py
-          - name: oidc_rp-initiated
-            glob: tests/openid_conformance/test_oidc_rp_initiated.py
-          - name: oidc_frontchannel
-            glob: tests/openid_conformance/test_oidc_frontchannel.py
-          - name: oidc_backchannel
-            glob: tests/openid_conformance/test_oidc_backchannel.py
-          - name: ssf_transmitter
-            glob: tests/openid_conformance/test_ssf_transmitter.py
+          - name: basic
+            glob: tests/openid_conformance/test_basic.py
+          - name: implicit
+            glob: tests/openid_conformance/test_implicit.py
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
-        env:
-          COMPOSE_PROFILES: selenium
         run: |
           docker compose -f tests/e2e/compose.yml up -d --quiet-pull
       - name: Setup conformance suite
         run: |
           docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -316,50 +257,26 @@ jobs:
         working-directory: web
         run: |
           npm ci
+          make -C .. gen-client-ts
           npm run build
           npm run build:sfe
       - name: run conformance
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage combine
           uv run coverage xml
       - uses: ./.github/actions/test-results
         if: ${{ always() }}
         with:
           flags: conformance
       - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: conformance-certification-${{ matrix.job.name }}
           path: tests/openid_conformance/exports/
-  test-rust:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: rust,runtime
-      - name: run tests
-        run: |
-          cargo llvm-cov --no-report nextest --workspace
-          cargo llvm-cov report --codecov --output-path target/llvm-cov-target/rust.json
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
-        with:
-          files: target/llvm-cov-target/rust.json
-          flags: rust
-      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: test-rust
-          path: target/llvm-cov-target/rust.json
   ci-core-mark:
     if: always()
     needs:
       - lint
-      - test-gen
       - test-migrations
       - test-migrations-from-stable
       - test-unittest

.github/workflows/ci-outpost.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -31,6 +31,8 @@ jobs:
           mkdir -p web/dist
           mkdir -p website/help
           touch web/dist/test website/help/test
+      - name: Generate API
+        run: make gen-client-go
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
         with:
@@ -41,11 +43,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-go
       - name: prepare database
         run: |
           uv run make migrate
@@ -86,9 +90,9 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -98,14 +102,16 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate API
+        run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -116,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -142,14 +148,16 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
+      - name: Generate API
+        run: make gen-client-go
       - name: Build web
         working-directory: web/
         run: |

.github/workflows/ci-web.yml

@@ -32,7 +32,7 @@ jobs:
             project: web
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -40,6 +40,8 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
+      - name: Generate API
+        run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
@@ -47,13 +49,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
         run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
       - name: build
         working-directory: web/
         run: npm run build
@@ -73,13 +77,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
         run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
       - name: test
         working-directory: web/
         run: npm run test || exit 0

.github/workflows/gen-image-compress.yml

@@ -29,20 +29,20 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@e2cc8db5d49c849e00844dfebf01438318e96fa2 # main
+        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/gen-update-webauthn-mds.yml

@@ -16,17 +16,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gh-cherry-pick.yml

@@ -10,11 +10,11 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5

.github/workflows/gh-ghcr-retention.yml

@@ -16,10 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Delete 'dev' containers older than a week
         uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:

.github/workflows/packages-npm-publish.yml

@@ -29,19 +29,18 @@ jobs:
           - packages/eslint-config
           - packages/prettier-config
           - packages/docusaurus-config
-          - packages/logger-js
           - packages/esbuild-plugin-live-reload
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json

.github/workflows/release-branch-off.yml

@@ -29,10 +29,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -57,10 +57,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         with:
@@ -73,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-publish.yml

@@ -33,9 +33,9 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,21 +44,21 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         if: true
         with:
@@ -84,18 +84,18 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -103,19 +103,23 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
       - name: Docker Login Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           push: true
@@ -125,7 +129,7 @@ jobs:
           file: lifecycle/container/${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -148,21 +152,18 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
-      - name: Install web dependencies
-        working-directory: web/
-        run: |
-          npm ci
       - name: Build web
         working-directory: web/
         run: |
+          npm ci
           npm run build-proxy
       - name: Build outpost
         run: |
@@ -172,7 +173,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
+        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -191,7 +192,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}
@@ -209,12 +210,12 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
-          docker compose -f lifecycle/container/compose.yml pull -q
-          docker compose -f lifecycle/container/compose.yml up --no-start
-          docker compose -f lifecycle/container/compose.yml start postgresql
-          docker compose -f lifecycle/container/compose.yml run -u root server test-all
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          docker compose pull -q
+          docker compose up --no-start
+          docker compose start postgresql
+          docker compose run -u root server test-all
   sentry-release:
     needs:
       - build-server
@@ -236,7 +237,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
+        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -67,10 +67,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - id: get-user-id
         name: Get GitHub app user ID
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -91,12 +91,11 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
           git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git pull
           git commit -a -m "release: ${{ inputs.version }}" --allow-empty
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -115,10 +114,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
           repositories: helm
       - id: get-user-id
         name: Get GitHub app user ID
@@ -137,7 +136,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -157,10 +156,10 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
           repositories: version
       - id: get-user-id
         name: Get GitHub app user ID
@@ -175,28 +174,24 @@ jobs:
         if: "${{ inputs.release_reason == 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            --arg reason "${reason}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
           mv version.new.json version.json
       - name: Bump version
         if: "${{ inputs.release_reason != 'feature' }}"
         run: |
           changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          reason="${{ inputs.release_reason }}"
           jq \
             --arg version "${{ inputs.version }}" \
             --arg changelog "See ${changelog_url}" \
             --arg changelog_url "${changelog_url}" \
-            --arg reason "${reason}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-stale.yml

@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-extract-compile.yml

@@ -21,10 +21,10 @@ jobs:
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
@@ -33,6 +33,8 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
       - name: run extract
         run: |
           uv run make i18n-extract
@@ -42,7 +44,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.gitignore

@@ -15,9 +15,6 @@ media
 
 node_modules
 
-.cspellcache
-cspell-report.*
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -195,24 +192,6 @@ pyvenv.cfg
 pip-selfcheck.json
 
 # End of https://www.gitignore.io/api/python,django
-
-# Created by https://www.toptal.com/developers/gitignore/api/rust
-# Edit at https://www.toptal.com/developers/gitignore?templates=rust
-
-### Rust ###
-# Generated by Cargo
-# will have compiled files and executables
-debug/
-target/
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
-
-# MSVC Windows builds of rustc generate these, which store debugging information
-*.pdb
-
-# End of https://www.toptal.com/developers/gitignore/api/rust
-
 /static/
 local.env.yml
 
@@ -220,6 +199,7 @@ media/
 *mmdb
 
 .idea/
+/gen-*/
 data/
 
 # Local Netlify folder
@@ -229,11 +209,6 @@ source_docs/
 
 ### Golang ###
 /vendor/
-server
-proxy
-ldap
-rac
-radius
 
 ### Docker ###
 tests/openid_conformance/exports/*.zip

.prettierignore

@@ -1,7 +1,6 @@
 # Prettier Ignorefile
 
 ## Static Files
-CODEOWNERS
 **/LICENSE
 
 authentik/stages/**/*

.vscode/extensions.json

@@ -17,6 +17,6 @@
         "ms-python.vscode-pylance",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
     ]
 }

.vscode/settings.json

@@ -14,10 +14,6 @@
     "[xml]": {
         "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
     },
-    "files.associations": {
-        // The built-in "ignore" language gives us enough syntax highlighting to make these files readable.
-        "**/dictionaries/*.txt": "ignore"
-    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -38,10 +34,10 @@
         "!AtIndex scalar",
         "!ParseJSON scalar"
     ],
-    "js/ts.preferences.importModuleSpecifier": "non-relative",
-    "js/ts.preferences.importModuleSpecifierEnding": "index",
-    "js/ts.tsdk.path": "./node_modules/typescript/lib",
-    "js/ts.tsdk.promptToUseWorkspaceVersion": true,
+    "typescript.preferences.importModuleSpecifier": "non-relative",
+    "typescript.preferences.importModuleSpecifierEnding": "index",
+    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.enablePromptUseWorkspaceTsdk": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
     },
@@ -53,17 +49,13 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
     "go.testEnvVars": {
         "WORKSPACE_DIR": "${workspaceFolder}"
     },
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
-    "search.exclude": {
-        "**/*.code-search": true,
-        "**/bower_components": true,
-        "**/node_modules": true,
-        "**/playwright-report/**": true,
-        "**/website/**/build": true,
-        "**/client-*": true
-    }
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }

CODEOWNERS

@@ -3,7 +3,6 @@
 # Backend
 authentik/                              @goauthentik/backend
 blueprints/                             @goauthentik/backend
-src/                                    @goauthentik/backend
 cmd/                                    @goauthentik/backend
 internal/                               @goauthentik/backend
 lifecycle/                              @goauthentik/backend
@@ -12,13 +11,8 @@ scripts/                                @goauthentik/backend
 tests/                                  @goauthentik/backend
 pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
-Cargo.toml                              @goauthentik/backend
-Cargo.lock                              @goauthentik/backend
-build.rs                                @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
-.cargo/                                 @goauthentik/backend
-rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
@@ -28,23 +22,18 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
-packages/ak-*                           @goauthentik/backend
-packages/client-rust                    @goauthentik/backend
 packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
-tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend
 packages/package.json                   @goauthentik/frontend
 packages/package-lock.json              @goauthentik/frontend
-packages/client-ts                      @goauthentik/frontend
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
-packages/logger-js                      @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend

Cargo.toml

@@ -1,289 +0,0 @@
-[workspace]
-members = [
-  "packages/ak-axum",
-  "packages/ak-common",
-  "packages/client-rust",
-  "website/scripts/docsmg",
-]
-resolver = "3"
-
-[workspace.package]
-version = "2026.8.0-rc1"
-authors = ["authentik Team <hello@goauthentik.io>"]
-description = "Making authentication simple."
-edition = "2024"
-readme = "README.md"
-homepage = "https://goauthentik.io"
-repository = "https://github.com/goauthentik/authentik.git"
-license-file = "LICENSE"
-publish = false
-
-[workspace.dependencies]
-arc-swap = "= 1.9.1"
-argh = "= 0.1.19"
-axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
-aws-lc-rs = { version = "= 1.16.3", features = ["fips"] }
-axum = { version = "= 0.8.9", features = ["http2", "macros", "ws"] }
-clap = { version = "= 4.6.1", features = ["derive", "env"] }
-client-ip = { version = "0.2.1", features = ["forwarded-header"] }
-color-eyre = "= 0.6.5"
-colored = "= 3.1.1"
-config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
-  "json",
-  "yaml",
-] }
-console-subscriber = "= 0.5.0"
-dotenvy = "= 0.15.7"
-durstr = "= 0.5.1"
-eyre = "= 0.6.12"
-forwarded-header-value = "= 0.1.1"
-futures = "= 0.3.32"
-glob = "= 0.3.3"
-hyper-unix-socket = "= 0.6.1"
-hyper-util = "= 0.1.20"
-ipnet = { version = "= 2.12.0", features = ["serde"] }
-json-subscriber = "= 0.2.8"
-metrics = "= 0.24.5"
-metrics-exporter-prometheus = { version = "= 0.18.3", default-features = false }
-nix = { version = "= 0.31.2", features = ["hostname", "signal"] }
-notify = "= 8.2.0"
-pin-project-lite = "= 0.2.17"
-pyo3 = "= 0.28.3"
-pyo3-build-config = "= 0.28.3"
-regex = "= 1.12.3"
-reqwest = { version = "= 0.13.3", features = [
-  "form",
-  "json",
-  "multipart",
-  "query",
-  "rustls",
-  "stream",
-] }
-reqwest-middleware = { version = "= 0.5.1", features = [
-  "form",
-  "json",
-  "multipart",
-  "query",
-  "rustls",
-] }
-rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.0", default-features = false, features = [
-  "backtrace",
-  "contexts",
-  "debug-images",
-  "panic",
-  "rustls",
-  "reqwest",
-  "tower",
-  "tracing",
-] }
-serde = { version = "= 1.0.228", features = ["derive"] }
-serde_json = "= 1.0.149"
-serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.18.0", default-features = false, features = [
-  "base64",
-] }
-sqlx = { version = "= 0.8.6", default-features = false, features = [
-  "runtime-tokio",
-  "tls-rustls-aws-lc-rs",
-  "postgres",
-  "derive",
-  "macros",
-  "uuid",
-  "chrono",
-  "ipnet",
-  "json",
-] }
-tempfile = "= 3.27.0"
-thiserror = "= 2.0.18"
-time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
-tokio-retry2 = "= 0.9.1"
-tokio-rustls = "= 0.26.4"
-tokio-util = { version = "= 0.7.18", features = ["full"] }
-tower = "= 0.5.3"
-tower-http = { version = "= 0.6.8", features = ["timeout"] }
-tracing = "= 0.1.44"
-tracing-error = "= 0.2.1"
-tracing-subscriber = { version = "= 0.3.23", features = [
-  "env-filter",
-  "json",
-  "local-time",
-  "tracing-log",
-] }
-url = "= 2.5.8"
-uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
-which = "= 8.0.2"
-
-ak-axum = { package = "authentik-axum", version = "2026.8.0-rc1", path = "./packages/ak-axum" }
-ak-client = { package = "authentik-client", version = "2026.8.0-rc1", path = "./packages/client-rust" }
-ak-common = { package = "authentik-common", version = "2026.8.0-rc1", path = "./packages/ak-common", default-features = false }
-
-[workspace.lints.rust]
-ambiguous_negative_literals = "warn"
-closure_returning_async_block = "warn"
-macro_use_extern_crate = "deny"
-# must_not_suspend = "deny", unstable see https://github.com/rust-lang/rust/issues/83310
-non_ascii_idents = "deny"
-redundant_imports = "warn"
-semicolon_in_expressions_from_macros = "warn"
-trivial_casts = "warn"
-trivial_numeric_casts = "warn"
-unit_bindings = "warn"
-unreachable_pub = "warn"
-unsafe_code = "deny"
-unused_extern_crates = "warn"
-unused_import_braces = "warn"
-unused_lifetimes = "warn"
-unused_macro_rules = "warn"
-unused_qualifications = "warn"
-
-[workspace.lints.rustdoc]
-unescaped_backticks = "warn"
-
-[workspace.lints.clippy]
-### enable all lints
-cargo = { priority = -1, level = "warn" }
-complexity = { priority = -1, level = "warn" }
-correctness = { priority = -1, level = "warn" }
-nursery = { priority = -1, level = "warn" }
-pedantic = { priority = -1, level = "warn" }
-perf = { priority = -1, level = "warn" }
-# Those are too restrictive and disabled by default, however we enable some below
-# restriction = { priority = -1, level = "warn" }
-style = { priority = -1, level = "warn" }
-suspicious = { priority = -1, level = "warn" }
-### and disable the ones we don't want
-### cargo group
-multiple_crate_versions = "allow"
-### pedantic group
-missing_errors_doc = "allow"
-missing_panics_doc = "allow"
-must_use_candidate = "allow"
-redundant_closure_for_method_calls = "allow"
-struct_field_names = "allow"
-too_many_lines = "allow"
-### nursery
-missing_const_for_fn = "allow"
-option_if_let_else = "allow"
-redundant_pub_crate = "allow"
-significant_drop_tightening = "allow"
-### restriction group
-allow_attributes = "warn"
-allow_attributes_without_reason = "warn"
-as_conversions = "warn"
-as_pointer_underscore = "warn"
-as_underscore = "warn"
-assertions_on_result_states = "warn"
-clone_on_ref_ptr = "warn"
-create_dir = "warn"
-dbg_macro = "warn"
-default_numeric_fallback = "warn"
-disallowed_script_idents = "warn"
-empty_drop = "warn"
-empty_enum_variants_with_brackets = "warn"
-empty_structs_with_brackets = "warn"
-error_impl_error = "warn"
-exit = "warn"
-filetype_is_file = "warn"
-float_cmp_const = "warn"
-fn_to_numeric_cast_any = "warn"
-get_unwrap = "warn"
-if_then_some_else_none = "warn"
-impl_trait_in_params = "warn"
-infinite_loop = "warn"
-lossy_float_literal = "warn"
-map_with_unused_argument_over_ranges = "warn"
-mem_forget = "warn"
-missing_asserts_for_indexing = "warn"
-missing_trait_methods = "warn"
-mixed_read_write_in_expression = "warn"
-mutex_atomic = "warn"
-mutex_integer = "warn"
-needless_raw_strings = "warn"
-non_zero_suggestions = "warn"
-panic_in_result_fn = "warn"
-pathbuf_init_then_push = "warn"
-print_stdout = "warn"
-rc_buffer = "warn"
-redundant_test_prefix = "warn"
-redundant_type_annotations = "warn"
-ref_patterns = "warn"
-renamed_function_params = "warn"
-rest_pat_in_fully_bound_structs = "warn"
-return_and_then = "warn"
-same_name_method = "warn"
-semicolon_inside_block = "warn"
-str_to_string = "warn"
-string_add = "warn"
-suspicious_xor_used_as_pow = "warn"
-tests_outside_test_module = "warn"
-todo = "warn"
-try_err = "warn"
-undocumented_unsafe_blocks = "warn"
-unimplemented = "warn"
-unnecessary_safety_comment = "warn"
-unnecessary_safety_doc = "warn"
-unnecessary_self_imports = "warn"
-unneeded_field_pattern = "warn"
-unseparated_literal_suffix = "warn"
-unused_result_ok = "warn"
-unused_trait_names = "warn"
-unwrap_in_result = "warn"
-unwrap_used = "warn"
-verbose_file_reads = "warn"
-
-[profile.dev.package.backtrace]
-opt-level = 3
-
-[profile.dev]
-panic = "abort"
-
-[profile.release]
-debug = 2
-lto = "fat"
-# Because of the async runtime, we want to die straightaway if we panic.
-panic = "abort"
-strip = true
-
-[package]
-name = "authentik"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-readme.workspace = true
-homepage.workspace = true
-repository.workspace = true
-license-file.workspace = true
-publish.workspace = true
-
-[features]
-default = ["core", "proxy"]
-core = ["ak-common/core", "dep:pyo3", "dep:sqlx"]
-proxy = ["ak-common/proxy"]
-
-[build-dependencies]
-pyo3-build-config.workspace = true
-
-[dependencies]
-ak-axum.workspace = true
-ak-common.workspace = true
-arc-swap.workspace = true
-argh.workspace = true
-axum.workspace = true
-color-eyre.workspace = true
-eyre.workspace = true
-hyper-unix-socket.workspace = true
-hyper-util.workspace = true
-metrics.workspace = true
-metrics-exporter-prometheus.workspace = true
-nix.workspace = true
-pyo3 = { workspace = true, optional = true }
-sqlx = { workspace = true, optional = true }
-tokio.workspace = true
-tracing.workspace = true
-uuid.workspace = true
-which.workspace = true
-
-[lints]
-workspace = true

Makefile

@@ -15,11 +15,14 @@ else
 	SED_INPLACE = sed -i
 endif
 
+GEN_API_TS = gen-ts-api
+GEN_API_PY = gen-py-api
+GEN_API_GO = gen-go-api
+
 BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=
 
-CARGO := cargo
 UV := uv
 
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
@@ -66,29 +69,22 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:  ## Run the golang tests
+go-test:
 	go test -timeout 0 -v -race -cover ./...
 
-rust-test:  ## Run the Rust tests
-	$(CARGO) nextest run --workspace
-
 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
-	$(UV) run coverage combine
 	$(UV) run coverage html
 	$(UV) run coverage report
 
-lint-fix-rust:
-	$(CARGO) +nightly fmt --all -- --config-path "${PWD}/.cargo/rustfmt.toml"
-
-lint-fix: lint-fix-rust  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
 
-lint-spellcheck:  ## Reports spelling errors.
-	npm run lint:spellcheck
+lint-codespell:  ## Reports spelling errors.
+	$(UV) run codespell -w
 
-lint: ci-lint-bandit ci-lint-mypy ci-lint-cargo-deny ci-lint-cargo-machete  ## Lint the python and golang sources
+lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
@@ -109,11 +105,11 @@ i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that requir
 aws-cfn:
 	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn
 
-run:  ## Run the main authentik server and worker processes
-	$(UV) run ak allinone
+run-server:  ## Run the main authentik server process
+	$(UV) run ak server
 
-run-watch:  ## Run the authentik server and worker, with auto reloading
-	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs,go --no-meta --notify -- $(UV) run ak allinone
+run-worker:  ## Run the main authentik worker process
+	$(UV) run ak worker
 
 core-i18n-extract:
 	$(UV) run ak makemessages \
@@ -121,7 +117,8 @@ core-i18n-extract:
 		--no-obsolete \
 		--ignore web \
 		--ignore internal \
-		--ignore packages/client-ts \
+		--ignore ${GEN_API_TS} \
+		--ignore ${GEN_API_GO} \
 		--ignore website \
 		-l en
 
@@ -144,25 +141,18 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
 
 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
-	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
-	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
-	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"/" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' pyproject.toml
+	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
-	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
+	npm version --no-git-tag-version --allow-same-version $(version)
+	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 
 #########################
@@ -178,23 +168,13 @@ gen-build:  ## Extract the schema from the database
 gen-compose:
 	$(UV) run scripts/generate_compose.py
 
-gen-changelog:  ## (Release) generate the changelog based from the commits since the last version
-# These are best-effort guesses based on commit messages
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	$(eval current_commit := $(shell git rev-parse HEAD))
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${current_commit} > merged_to_current
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${last_version} > merged_to_last
-	grep -Eo 'cherry-pick (#\d+)' merged_to_last | cut -d ' ' -f 2 | sed 's/.*/(&)$$/' > cherry_picked_to_last
-	grep -vf cherry_picked_to_last merged_to_current | sort > changelog.md
-	rm merged_to_current
-	rm merged_to_last
-	rm cherry_picked_to_last
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
+	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md
 
-gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	git show ${last_version}:schema.yml > schema-old.yml
-	docker compose -f scripts/compose.yml run --rm --user "${UID}:${GID}" diff \
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
@@ -204,26 +184,51 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	$(SED_INPLACE) 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
-gen-client-go:  ## Build and install the authentik API for Golang
-	$(UV) run make -C "${PWD}/packages/client-go" build
+gen-clean-ts:  ## Remove generated API client for TypeScript
+	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
 
-gen-client-rust:  ## Build and install the authentik API for Rust
-	$(UV) run make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
-	make lint-fix-rust
+gen-clean-py:  ## Remove generated API client for Python
+	rm -rf ${PWD}/${GEN_API_PY}
 
-gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
-	make -C "${PWD}/packages/client-ts" build
-	npm --prefix web install
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf ${PWD}/${GEN_API_GO}
 
-_gen-clients: gen-client-go gen-client-rust gen-client-ts
-gen-clients:  ## Build and install API clients used by authentik
-	$(MAKE) _gen-clients -j
+gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
-gen: gen-build gen-clients  ## Build and install API schema and clients used by authentik
+gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
+		generate \
+		-i /local/schema.yml \
+		-g typescript-fetch \
+		-o /local/${GEN_API_TS} \
+		-c /local/scripts/api/ts-config.yaml \
+		--additional-properties=npmVersion=${NPM_VERSION} \
+		--git-repo-id authentik \
+		--git-user-id goauthentik
+
+	cd ${PWD}/${GEN_API_TS} && npm i
+	cd ${PWD}/${GEN_API_TS} && npm link
+	cd ${PWD}/web && npm link @goauthentik/api
+
+gen-client-py: gen-clean-py ## Build and install the authentik API for Python
+	mkdir -p ${PWD}/${GEN_API_PY}
+	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
+	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
+
+gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
+	mkdir -p ${PWD}/${GEN_API_GO}
+	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
+	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
 
 gen-dev-config:  ## Generate a local development config file
 	$(UV) run scripts/generate_config.py
 
+gen: gen-build gen-client-ts
+
 #########################
 ## Node.js
 #########################
@@ -271,7 +276,7 @@ docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Au
 docs-install:
 	npm ci --prefix website
 
-docs-lint-fix: lint-spellcheck
+docs-lint-fix: lint-codespell
 	npm run --prefix website prettier
 
 docs-build:
@@ -292,7 +297,7 @@ docs-api-build:
 	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api generate
+	npm run --prefix website -w api build:api
 	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
@@ -303,6 +308,7 @@ docs-api-clean: ## Clean generated API documentation
 #########################
 
 docker:  ## Build a docker image of the current source tree
+	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}
 
 test-docker:
@@ -315,42 +321,28 @@ test-docker:
 # which makes the YAML File a lot smaller
 
 ci--meta-debug:
-	$(UV) run python -V || echo "No python installed"
-	$(CARGO) --version || echo "No rust installed"
-	node --version || echo "No node installed"
+	$(UV) run python -V
+	node --version
 
-ci-lint-mypy: ci--meta-debug
+ci-mypy: ci--meta-debug
 	$(UV) run mypy --strict $(PY_SOURCES)
 
-ci-lint-black: ci--meta-debug
+ci-black: ci--meta-debug
 	$(UV) run black --check $(PY_SOURCES)
 
-ci-lint-ruff: ci--meta-debug
+ci-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)
 
-ci-lint-spellcheck: ci--meta-debug
-	npm run lint:spellcheck
+ci-codespell: ci--meta-debug
+	$(UV) run codespell -s
 
-ci-lint-bandit: ci--meta-debug
+ci-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii
 
-ci-lint-pending-migrations: ci--meta-debug
+ci-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check
 
-ci-lint-cargo-deny: ci--meta-debug
-	$(CARGO) deny --locked --workspace check --config "${PWD}/.cargo/deny.toml"
-
-ci-lint-cargo-machete: ci--meta-debug
-	$(CARGO) machete
-
-ci-lint-rustfmt: ci--meta-debug
-	$(CARGO) +nightly fmt --all --check -- --config-path "${PWD}/.cargo/rustfmt.toml"
-
-ci-lint-clippy: ci--meta-debug
-	$(CARGO) clippy --workspace -- -D warnings
-
 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
-	$(UV) run coverage combine
+	$(UV) run coverage run manage.py test --keepdb authentik
 	$(UV) run coverage report
 	$(UV) run coverage xml

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2025.12.x | ✅        |
-| 2026.2.x  | ✅        |
+| Version    | Supported  |
+| ---------- | ---------- |
+| 2025.10.x  | ✅         |
+| 2025.12.x  | ✅         |
 
 ## Reporting a Vulnerability
 
@@ -60,40 +60,6 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |
 
-## Intended functionality
-
-The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
-
-- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
-
-This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
-
-However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
-
-- Blueprints can access all files on the filesystem.
-
-This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
-
-- Importing blueprints allows arbitrary modification of application objects.
-
-This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
-
-- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
-
-This is expected behavior as flow imports are blueprint files.
-
-- Prompt HTML is not escaped.
-
-Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
-
-- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
-
-Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
-
-- Outgoing network requests are not filtered.
-
-The destinations of outgoing network requests (HTTP, TCP, etc.) made by authentik to configurable endpoints through objects such as OAuth Sources, SSO Providers, and others are not validated. Depending on your threat model, these requests should be restricted at the network level using appropriate firewall or network policies.
-
 ## Disclosure process
 
 1. Report from Github or Issue is reported via Email as listed above.

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2026.8.0-rc1"
+VERSION = "2026.2.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/meta.py

@@ -8,8 +8,8 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.api import Models
 from authentik.lib.utils.reflection import get_apps
+from authentik.policies.event_matcher.models import model_choices
 
 
 class AppSerializer(PassiveSerializer):
@@ -42,6 +42,6 @@ class ModelViewSet(ViewSet):
     def list(self, request: Request) -> Response:
         """Read-only view list all installed models"""
         data = []
-        for name, label in Models.choices:
+        for name, label in model_choices():
             data.append({"name": name, "label": label})
         return Response(AppSerializer(data, many=True).data)

authentik/admin/files/backends/base.py

@@ -94,7 +94,7 @@ class Backend:
 
         Args:
             file_path: Relative file path
-            request: Optional Django HttpRequest for fully qualified URL building
+            request: Optional Django HttpRequest for fully qualifed URL building
             use_cache: whether to retrieve the URL from cache
 
         Returns:
@@ -106,7 +106,6 @@ class Backend:
         self,
         name: str,
         request: HttpRequest | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
@@ -122,7 +121,7 @@ class Backend:
             return None
 
         return {
-            theme: self.file_url(substitute_theme(name, theme), request, use_cache=use_cache)
+            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
             for theme in get_valid_themes()
         }
 

authentik/admin/files/backends/passthrough.py

@@ -51,7 +51,6 @@ class PassthroughBackend(Backend):
         self,
         name: str,
         request: HttpRequest | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """Support themed URLs for external URLs with %(theme)s placeholder.
 

authentik/admin/files/backends/s3.py

@@ -1,7 +1,7 @@
 from collections.abc import Generator, Iterator
 from contextlib import contextmanager
 from tempfile import SpooledTemporaryFile
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import urlsplit
 
 import boto3
 from botocore.config import Config
@@ -100,25 +100,13 @@ class S3Backend(ManageableBackend):
             f"storage.{self.usage.value}.{self.name}.addressing_style",
             CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
         )
-        signature_version = CONFIG.get(
-            f"storage.{self.usage.value}.{self.name}.signature_version",
-            CONFIG.get(f"storage.{self.name}.signature_version", "s3v4"),
-        )
-        # Keep signature_version pass-through and let boto3/botocore handle it.
-        # In boto3's S3 configuration docs, `s3v4` (default) and deprecated `s3`
-        # are the documented values:
-        # https://github.com/boto/boto3/blob/791a3e8f36d83664a47b4281a0586b3546cef3ec/docs/source/guide/configuration.rst?plain=1#L398-L407
-        # Botocore also supports additional signer names, so we intentionally do
-        # not enforce a restricted allowlist here.
 
         return self.session.client(
             "s3",
             endpoint_url=endpoint_url,
             use_ssl=use_ssl,
             region_name=region_name,
-            config=Config(
-                signature_version=signature_version, s3={"addressing_style": addressing_style}
-            ),
+            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
         )
 
     @property
@@ -164,19 +152,16 @@ class S3Backend(ManageableBackend):
         )
 
         def _file_url(name: str, request: HttpRequest | None) -> str:
-            client = self.client
             params = {
                 "Bucket": self.bucket_name,
                 "Key": f"{self.base_path}/{name}",
             }
 
-            operation_name = "GetObject"
-            operation_model = client.meta.service_model.operation_model(operation_name)
-            request_dict = client._convert_to_request_dict(
-                params,
-                operation_model,
-                endpoint_url=client.meta.endpoint_url,
-                context={"is_presign_request": True},
+            url = self.client.generate_presigned_url(
+                "get_object",
+                Params=params,
+                ExpiresIn=expires_in,
+                HttpMethod="GET",
             )
 
             # Support custom domain for S3-compatible storage (so not AWS)
@@ -186,8 +171,9 @@ class S3Backend(ManageableBackend):
                 CONFIG.get(f"storage.{self.name}.custom_domain", None),
             )
             if custom_domain:
+                parsed = urlsplit(url)
                 scheme = "https" if use_https else "http"
-                path = request_dict["url_path"]
+                path = parsed.path
 
                 # When using path-style addressing, the presigned URL contains the bucket
                 # name in the path (e.g., /bucket-name/key). Since custom_domain must
@@ -202,22 +188,9 @@ class S3Backend(ManageableBackend):
                 if not path.startswith("/"):
                     path = f"/{path}"
 
-                custom_base = urlsplit(f"{scheme}://{custom_domain}")
+                url = f"{scheme}://{custom_domain}{path}?{parsed.query}"
 
-                # Sign the final public URL instead of signing the internal S3 endpoint and
-                # rewriting it afterwards. Presigned SigV4 URLs include the host header in the
-                # canonical request, so post-sign host changes break strict backends like RustFS.
-                public_path = f"{custom_base.path.rstrip('/')}{path}" if custom_base.path else path
-                request_dict["url_path"] = public_path
-                request_dict["url"] = urlunsplit(
-                    (custom_base.scheme, custom_base.netloc, public_path, "", "")
-                )
-
-            return client._request_signer.generate_presigned_url(
-                request_dict,
-                operation_name,
-                expires_in=expires_in,
-            )
+            return url
 
         if use_cache:
             return self._cache_get_or_set(name, request, _file_url, expires_in)

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -1,7 +1,5 @@
 from unittest import skipUnless
-from urllib.parse import parse_qs, urlsplit
 
-from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase
 
 from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
@@ -83,27 +81,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
         self.assertIn("X-Amz-Signature=", url)
         self.assertIn("test.png", url)
 
-    def test_client_signature_version_default_v4(self):
-        """Test S3 client defaults to v4 signature when not configured."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3v4")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3")
-    def test_client_signature_version_global_override(self):
-        """Test S3 client respects globally configured signature version."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3v4")
-    @CONFIG.patch("storage.media.s3.signature_version", "s3")
-    def test_client_signature_version_media_override(self):
-        """Test usage-specific signature version takes precedence over global."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.media.s3.signature_version", "not-a-real-signature")
-    def test_client_signature_version_unsupported(self):
-        """Test unsupported signature version raises botocore error."""
-        with self.assertRaises(UnsupportedSignatureVersionError):
-            self.media_s3_backend.file_url("test.png", use_cache=False)
-
     @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
     def test_file_exists_true(self):
         """Test file_exists returns True for existing file"""
@@ -169,44 +146,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
             f"URL: {url}",
         )
 
-    @CONFIG.patch("storage.s3.secure_urls", False)
-    @CONFIG.patch("storage.s3.addressing_style", "path")
-    def test_file_url_custom_domain_resigns_for_custom_host(self):
-        """Test presigned URLs are signed for the custom domain host.
-
-        Host-changing custom domains must produce a signature query string for
-        the public host, not reuse the internal endpoint signature.
-        """
-        bucket_name = self.media_s3_bucket_name
-        key_name = "application-icons/test.svg"
-        custom_domain = f"files.example.test:8020/{bucket_name}"
-
-        endpoint_signed_url = self.media_s3_backend.client.generate_presigned_url(
-            "get_object",
-            Params={
-                "Bucket": bucket_name,
-                "Key": f"{self.media_s3_backend.base_path}/{key_name}",
-            },
-            ExpiresIn=900,
-            HttpMethod="GET",
-        )
-
-        with CONFIG.patch("storage.media.s3.custom_domain", custom_domain):
-            custom_url = self.media_s3_backend.file_url(key_name, use_cache=False)
-
-        endpoint_parts = urlsplit(endpoint_signed_url)
-        custom_parts = urlsplit(custom_url)
-
-        self.assertEqual(custom_parts.scheme, "http")
-        self.assertEqual(custom_parts.netloc, "files.example.test:8020")
-        self.assertEqual(parse_qs(custom_parts.query)["X-Amz-SignedHeaders"], ["host"])
-        self.assertNotEqual(
-            custom_parts.query,
-            endpoint_parts.query,
-            "Custom-domain URLs must be signed for the public host, not reuse the endpoint "
-            "signature query string.",
-        )
-
     def test_themed_urls_without_theme_variable(self):
         """Test themed_urls returns None when filename has no %(theme)s"""
         result = self.media_s3_backend.themed_urls("logo.png")

authentik/admin/files/manager.py

@@ -74,10 +74,6 @@ class FileManager:
     ) -> str:
         """
         Get URL for accessing the file.
-
-        Set ``use_cache=False`` when the caller needs a fresh signed URL instead
-        of a cached one, for example when serializing flow/login payloads that
-        may be refreshed after the previous JWT has expired.
         """
         if not name:
             return ""
@@ -87,7 +83,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.file_url(name, request, use_cache=use_cache)
+                return backend.file_url(name, request)
 
         LOGGER.warning(f"Could not find file backend for file: {name}")
         return ""
@@ -96,14 +92,10 @@ class FileManager:
         self,
         name: str | None,
         request: HttpRequest | Request | None = None,
-        use_cache: bool = True,
     ) -> dict[str, str] | None:
         """
         Get URLs for each theme variant when filename contains %(theme)s.
 
-        ``use_cache`` has the same semantics as ``file_url()`` and allows
-        callers to force regeneration of expiring signed URLs.
-
         Returns dict mapping theme to URL if %(theme)s present, None otherwise.
         """
         if not name:
@@ -114,7 +106,7 @@ class FileManager:
 
         for backend in self.backends:
             if backend.supports_file(name):
-                return backend.themed_urls(name, request, use_cache=use_cache)
+                return backend.themed_urls(name, request)
 
         return None
 

authentik/admin/files/tests/test_manager.py

@@ -1,7 +1,6 @@
 """Test file service layer"""
 
 from unittest import skipUnless
-from unittest.mock import Mock
 from urllib.parse import urlparse
 
 from django.http import HttpRequest
@@ -54,19 +53,6 @@ class TestResolveFileUrlBasic(TestCase):
         result = manager.file_url("/static/authentik/sources/icon.svg")
         self.assertEqual(result, "/static/authentik/sources/icon.svg")
 
-    def test_file_url_forwards_use_cache(self):
-        """Test file_url forwards use_cache to backend."""
-        manager = FileManager(FileUsage.MEDIA)
-        backend = Mock()
-        backend.supports_file.return_value = True
-        backend.file_url.return_value = "/files/media/public/test.png?token=fresh"
-        manager.backends = [backend]
-
-        result = manager.file_url("test.png", use_cache=False)
-
-        self.assertEqual(result, "/files/media/public/test.png?token=fresh")
-        backend.file_url.assert_called_once_with("test.png", None, use_cache=False)
-
 
 class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
     def test_resolve_storage_file(self):

authentik/api/authentication.py

@@ -106,14 +106,14 @@ class TokenAuthentication(BaseAuthentication):
         if not auth_credentials:
             return None
         # first, check traditional tokens
-        key_token = Token.objects.filter(
+        key_token = Token.filter_not_expired(
             key=auth_credentials, intent=TokenIntents.INTENT_API
         ).first()
         if key_token:
             CTX_AUTH_VIA.set("api_token")
             return key_token.user, key_token
         # then try to auth via JWT
-        jwt_token = AccessToken.objects.filter(
+        jwt_token = AccessToken.filter_not_expired(
             token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
         ).first()
         if jwt_token:

authentik/api/ordering.py

@@ -1,36 +0,0 @@
-from django.db.models import F, QuerySet
-from rest_framework.filters import OrderingFilter
-from rest_framework.request import Request
-from rest_framework.views import APIView
-
-
-class NullsAwareOrderingFilter(OrderingFilter):
-    """OrderingFilter that sorts NULL values consistently.
-
-    For any nullable field, NULLs are treated as the smallest possible value:
-    - ascending  → NULLs appear first  (nulls_first=True)
-    - descending → NULLs appear last   (nulls_last=True)
-    """
-
-    def _nullable_field_names(self, queryset: QuerySet) -> set[str]:
-        return {f.name for f in queryset.model._meta.get_fields() if hasattr(f, "null") and f.null}
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView):
-        queryset = super().filter_queryset(request, queryset, view)
-        ordering = queryset.query.order_by
-        if not ordering:
-            return queryset
-        nullable = self._nullable_field_names(queryset)
-        new_ordering = []
-        changed = False
-        for term in ordering:
-            name = term.lstrip("-")
-            if name in nullable:
-                changed = True
-                if term.startswith("-"):
-                    new_ordering.append(F(name).desc(nulls_last=True))
-                else:
-                    new_ordering.append(F(name).asc(nulls_first=True))
-            else:
-                new_ordering.append(term)
-        return queryset.order_by(*new_ordering) if changed else queryset

authentik/api/pagination.py

@@ -1,18 +1,10 @@
 """Pagination which includes total pages and current page"""
 
-from typing import TYPE_CHECKING
-
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-from authentik.api.search.ql import QLSearch
-from authentik.api.v3.schema.pagination import PAGINATION
-from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
-
-if TYPE_CHECKING:
-    from django.db.models import QuerySet
-    from rest_framework.request import Request
+from authentik.api.v3.schema.response import PAGINATION
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -21,14 +13,14 @@ class Pagination(pagination.PageNumberPagination):
     page_query_param = "page"
     page_size_query_param = "page_size"
 
-    def get_page_size(self, request: Request) -> int:
+    def get_page_size(self, request):
         if self.page_size_query_param in request.query_params:
             page_size = super().get_page_size(request)
             if page_size is not None:
                 return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
         return request.tenant.pagination_default_page_size
 
-    def get_paginated_response(self, data) -> Response:
+    def get_paginated_response(self, data):
         previous_page_number = 0
         if self.page.has_previous():
             previous_page_number = self.page.previous_page_number()
@@ -47,33 +39,16 @@ class Pagination(pagination.PageNumberPagination):
                     "end_index": self.page.end_index(),
                 },
                 "results": data,
-                "autocomplete": self.get_autocomplete(),
             }
         )
 
-    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
-        self.view = view
-        return super().paginate_queryset(queryset, request, view)
-
-    def get_autocomplete(self):
-        schema = QLSearch().get_schema(self.request, self.view)
-        introspections = {}
-        if hasattr(self.view, "get_ql_fields"):
-            from authentik.api.search.schema import AKQLSchemaSerializer
-
-            introspections = AKQLSchemaSerializer().serialize(
-                schema(self.page.paginator.object_list.model)
-            )
-        return introspections
-
     def get_paginated_response_schema(self, schema):
         return build_object_type(
             properties={
                 "pagination": PAGINATION.ref,
                 "results": schema,
-                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
             },
-            required=["pagination", "results", "autocomplete"],
+            required=["pagination", "results"],
         )
 
 

authentik/api/schema.py

@@ -0,0 +1,103 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+from collections.abc import Callable
+from typing import Any
+
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.plumbing import ResolvedComponent
+from drf_spectacular.renderers import OpenApiJsonRenderer
+from drf_spectacular.settings import spectacular_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.apps import AuthentikAPIConfig
+from authentik.api.v3.schema.query import QUERY_PARAMS
+from authentik.api.v3.schema.response import (
+    GENERIC_ERROR,
+    GENERIC_ERROR_RESPONSE,
+    PAGINATION,
+    VALIDATION_ERROR,
+    VALIDATION_ERROR_RESPONSE,
+)
+
+LOGGER = get_logger()
+
+
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
+
+
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
+
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # This is a workaround for authentik/stages/prompt/stage.py
+    # since the serializer PromptChallengeResponse
+    # accepts dynamic keys
+    for component in result["components"]["schemas"]:
+        if component == "PromptChallengeResponseRequest":
+            comp = result["components"]["schemas"][component]
+            comp["additionalProperties"] = {}
+    return result
+
+
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+    return result
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result

authentik/api/tests/test_ordering.py

@@ -1,59 +0,0 @@
-from django.db.models import OrderBy
-from django.test import TestCase
-from rest_framework.request import Request
-from rest_framework.test import APIRequestFactory
-
-from authentik.api.ordering import NullsAwareOrderingFilter
-from authentik.core.models import Token, User
-
-
-class MockView:
-    ordering_fields = "__all__"
-    ordering = None
-
-
-class TestNullsAwareOrderingFilter(TestCase):
-
-    def setUp(self):
-        self.filter = NullsAwareOrderingFilter()
-        self.view = MockView()
-        factory = APIRequestFactory()
-        self._req = lambda ordering: Request(factory.get("/", {"ordering": ordering}))
-
-    def _order_by(self, model, ordering):
-        qs = model.objects.all()
-        return self.filter.filter_queryset(self._req(ordering), qs, self.view).query.order_by
-
-    def test_nullable_asc_nulls_first(self):
-        """Ascending sort on a nullable field rewrites to nulls_first=True."""
-        (expr,) = self._order_by(User, "last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertFalse(expr.descending)
-        self.assertTrue(expr.nulls_first)
-
-    def test_nullable_desc_nulls_last(self):
-        """Descending sort on a nullable field rewrites to nulls_last=True."""
-        (expr,) = self._order_by(User, "-last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)
-
-    def test_non_nullable_passes_through(self):
-        """Non-nullable fields are left as plain string terms."""
-        (expr,) = self._order_by(User, "username")
-        self.assertEqual(expr, "username")
-
-    def test_mixed_ordering(self):
-        """Only nullable terms are rewritten; non-nullable terms pass through unchanged."""
-        first, second = self._order_by(User, "username,-last_login")
-        self.assertEqual(first, "username")
-        self.assertIsInstance(second, OrderBy)
-        self.assertTrue(second.descending)
-        self.assertTrue(second.nulls_last)
-
-    def test_expires_nullable(self):
-        """expires on ExpiringModel is nullable and is rewritten correctly."""
-        (expr,) = self._order_by(Token, "-expires")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)

authentik/api/tests/test_schema.py

@@ -1,8 +1,6 @@
 """Schema generation tests"""
 
 from pathlib import Path
-from tempfile import gettempdir
-from uuid import uuid4
 
 from django.core.management import call_command
 from django.urls import reverse
@@ -31,14 +29,15 @@ class TestSchemaGeneration(APITestCase):
 
     def test_build_schema(self):
         """Test schema build command"""
-        tmp = Path(gettempdir())
-        blueprint_file = tmp / f"{str(uuid4())}.json"
-        api_file = tmp / f"{str(uuid4())}.yml"
+        blueprint_file = Path("blueprints/schema.json")
+        api_file = Path("schema.yml")
+        blueprint_file.unlink()
+        api_file.unlink()
         with (
             CONFIG.patch("debug", True),
             CONFIG.patch("tenants.enabled", True),
             CONFIG.patch("outposts.disable_embedded_outpost", True),
         ):
-            call_command("build_schema", blueprint_file=blueprint_file, api_file=api_file)
+            call_command("build_schema")
         self.assertTrue(blueprint_file.exists())
         self.assertTrue(api_file.exists())

authentik/api/tests/test_viewsets.py

@@ -1,73 +1,31 @@
 """authentik API Modelviewset tests"""
 
 from collections.abc import Callable
-from urllib.parse import urlencode
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
-from authentik.core.tests.utils import RequestFactory, create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.tenants.api.domains import DomainViewSet
-from authentik.tenants.api.tenants import TenantViewSet
-from authentik.tenants.utils import get_current_tenant
 
 
 class TestModelViewSets(TestCase):
     """Test Viewset"""
 
-    def setUp(self):
-        self.user = create_test_admin_user()
-        self.factory = RequestFactory()
 
-
-def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
+def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
     """Test Viewset"""
 
-    def test_attrs(self: TestModelViewSets) -> None:
-        """Test attributes we require on all viewsets"""
-        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+    def tester(self: TestModelViewSets):
         self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
 
-    def test_ordering(self: TestModelViewSets) -> None:
-        """Test that all ordering fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        for ordering_field in test_viewset.ordering:
-            with self.subTest(ordering_field):
-                req = self.factory.get(
-                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
-                )
-                req.tenant = get_current_tenant()
-                res = view(req)
-                self.assertEqual(res.status_code, 200)
-
-    def test_search(self: TestModelViewSets) -> None:
-        """Test that search fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        req = self.factory.get(
-            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
-        )
-        req.tenant = get_current_tenant()
-        res = view(req)
-        self.assertEqual(res.status_code, 200)
-
-    cases = {
-        "attrs": test_attrs,
-    }
-    if full:
-        cases["ordering"] = test_ordering
-        cases["search"] = test_search
-    return cases
+    return tester
 
 
 for _, viewset, _ in router.registry:
     if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
         continue
-    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
-    for test, case in viewset_tester_factory(viewset, full=full).items():
-        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)
+    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))

authentik/api/v3/schema/cleanup.py

@@ -1,75 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-from collections.abc import Callable
-from typing import Any
-
-from drf_spectacular.contrib.django_filters import (
-    DjangoFilterExtension as BaseDjangoFilterExtension,
-)
-from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    follow_field_source,
-)
-from drf_spectacular.renderers import OpenApiJsonRenderer
-from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.apps import AuthentikAPIConfig
-
-LOGGER = get_logger()
-
-
-def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
-
-
-def postprocess_schema_remove_unused(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Remove unused components"""
-    # To check if the schema is used, render it to JSON and then substring check that
-    # less efficient than walking through the tree but a lot simpler and no
-    # possibility that we miss something
-    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
-    for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
-            continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-    return result
-
-
-class DjangoFilterExtension(BaseDjangoFilterExtension):
-    """
-    From https://github.com/netbox-community/netbox/pull/21521:
-
-    Overrides drf-spectacular's DjangoFilterExtension to fix a regression in v0.29.0 where
-    _get_model_field() incorrectly double-appends to_field_name when field_name already ends
-    with that value (e.g. field_name='tags__slug', to_field_name='slug' produces the invalid
-    path ['tags', 'slug', 'slug']). This caused hundreds of spurious warnings during schema
-    generation for filters such as TagFilter, TenancyFilterSet.tenant, and OwnerFilterMixin.owner.
-
-    See: https://github.com/netbox-community/netbox/issues/20787
-         https://github.com/tfranzel/drf-spectacular/issues/1475
-    """
-
-    priority = 1
-
-    def _get_model_field(self, filter_field, model):
-        if not filter_field.field_name:
-            return None
-        path = filter_field.field_name.split("__")
-        to_field_name = filter_field.extra.get("to_field_name")
-        if to_field_name is not None and path[-1] != to_field_name:
-            path.append(to_field_name)
-        return follow_field_source(model, path, emit_warnings=False)

authentik/api/v3/schema/enum.py

@@ -1,287 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-import functools
-import inspect
-import re
-from collections import defaultdict
-from enum import Enum
-
-from django.db.models import Choices
-from django.utils.translation import get_language
-from drf_spectacular.drainage import error, warn
-from drf_spectacular.hooks import postprocess_schema_enum_id_removal
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    deep_import_string,
-    list_hash,
-    safe_ref,
-)
-from drf_spectacular.settings import spectacular_settings
-from inflection import camelize
-from structlog.stdlib import get_logger
-
-LOGGER = get_logger()
-
-
-# See https://github.com/tfranzel/drf-spectacular/blob/master/drf_spectacular/hooks.py
-# and https://github.com/tfranzel/drf-spectacular/issues/520
-def postprocess_schema_enums(result, generator, **kwargs):  # noqa: PLR0912, PLR0915
-    """
-    simple replacement of Enum/Choices that globally share the same name and have
-    the same choices. Aids client generation to not generate a separate enum for
-    every occurrence. only takes effect when replacement is guaranteed to be correct.
-    """
-
-    def is_enum_prop(prop_schema):
-        return (
-            "enum" in prop_schema
-            or prop_schema.get("type") == "array"
-            and "enum" in prop_schema.get("items", {})
-        )
-
-    def iter_field_schemas():
-        def iter_prop_containers(schema, component_name=None):
-            if not component_name:
-                for _component_name, _schema in schema.items():
-                    if spectacular_settings.COMPONENT_SPLIT_PATCH:
-                        _component_name = re.sub("^Patched(.+)", r"\1", _component_name)
-                    if spectacular_settings.COMPONENT_SPLIT_REQUEST:
-                        _component_name = re.sub("(.+)Request$", r"\1", _component_name)
-                    yield from iter_prop_containers(_schema, _component_name)
-            elif isinstance(schema, list):
-                for item in schema:
-                    yield from iter_prop_containers(item, component_name)
-            elif isinstance(schema, dict):
-                if schema.get("properties"):
-                    yield component_name, schema["properties"]
-                yield from iter_prop_containers(schema.get("oneOf", []), component_name)
-                yield from iter_prop_containers(schema.get("allOf", []), component_name)
-                yield from iter_prop_containers(schema.get("anyOf", []), component_name)
-
-        def iter_path_parameters():
-            for path in result.get("paths", {}).values():
-                for operation in path.values():
-                    for parameter in operation.get("parameters", []):
-                        parameter_schema = parameter.get("schema", {})
-                        if is_enum_prop(parameter_schema):
-                            # Move description into enum schema
-                            if "description" in parameter:
-                                parameter_schema["description"] = parameter.pop("description")
-                        if "name" not in parameter:
-                            continue
-                        yield "", {parameter["name"]: parameter_schema}
-
-        component_schemas = result.get("components", {}).get("schemas", {})
-
-        yield from iter_prop_containers(component_schemas)
-        yield from iter_path_parameters()
-
-    def create_enum_component(name, schema):
-        component = ResolvedComponent(
-            name=name,
-            type=ResolvedComponent.SCHEMA,
-            schema=schema,
-            object=name,
-        )
-        generator.registry.register_on_missing(component)
-        return component
-
-    def extract_hash(schema):
-        if "x-spec-enum-id" in schema:
-            # try to use the injected enum hash first as it generated from (name, value) tuples,
-            # which prevents collisions on choice sets only differing in labels not values.
-            return schema["x-spec-enum-id"]
-        else:
-            # fall back to actual list hashing when we encounter enums not generated by us.
-            # remove blank/null entry for hashing. will be reconstructed in the last step
-            return list_hash([(i, i) for i in schema["enum"] if i not in ("", None)])
-
-    overrides = load_enum_name_overrides()
-
-    prop_hash_mapping = defaultdict(set)
-    hash_name_mapping = defaultdict(set)
-    # collect all enums, their names and choice sets
-    for component_name, props in iter_field_schemas():
-        for prop_name, prop_schema in props.items():
-            _prop_schema = prop_schema
-            if prop_schema.get("type") == "array":
-                _prop_schema = prop_schema.get("items", {})
-            if "enum" not in _prop_schema:
-                continue
-
-            prop_enum_cleaned_hash = extract_hash(_prop_schema)
-            prop_hash_mapping[prop_name].add(prop_enum_cleaned_hash)
-            hash_name_mapping[prop_enum_cleaned_hash].add((component_name, prop_name))
-
-    # get the suffix to be used for enums from settings
-    enum_suffix = spectacular_settings.ENUM_SUFFIX
-
-    # traverse all enum properties and generate a name for the choice set. naming collisions
-    # are resolved and a warning is emitted. giving a choice set multiple names is technically
-    # correct but potentially unwanted. also emit a warning there to make the user aware.
-    enum_name_mapping = {}
-    for prop_name, prop_hash_set in prop_hash_mapping.items():
-        for prop_hash in prop_hash_set:
-            if prop_hash in overrides:
-                enum_name = overrides[prop_hash]
-            elif len(prop_hash_set) == 1:
-                # prop_name has been used exclusively for one choice set (best case)
-                enum_name = f"{camelize(prop_name)}{enum_suffix}"
-            elif len(hash_name_mapping[prop_hash]) == 1:
-                # prop_name has multiple choice sets, but each one limited to one component only
-                component_name, _ = next(iter(hash_name_mapping[prop_hash]))
-                enum_name = f"{camelize(component_name)}{camelize(prop_name)}{enum_suffix}"
-            else:
-                enum_name = f"{camelize(prop_name)}{prop_hash[:3].capitalize()}{enum_suffix}"
-                warn(
-                    f"enum naming encountered a non-optimally resolvable collision for fields "
-                    f'named "{prop_name}". The same name has been used for multiple choice sets '
-                    f'in multiple components. The collision was resolved with "{enum_name}". '
-                    f"add an entry to ENUM_NAME_OVERRIDES to fix the naming."
-                )
-            if enum_name_mapping.get(prop_hash, enum_name) != enum_name:
-                warn(
-                    f"encountered multiple names for the same choice set ({enum_name}). This "
-                    f"may be unwanted even though the generated schema is technically correct. "
-                    f"Add an entry to ENUM_NAME_OVERRIDES to fix the naming."
-                )
-                del enum_name_mapping[prop_hash]
-            else:
-                enum_name_mapping[prop_hash] = enum_name
-            enum_name_mapping[(prop_hash, prop_name)] = enum_name
-
-    # replace all enum occurrences with a enum schema component. cut out the
-    # enum, replace it with a reference and add a corresponding component.
-    for _, props in iter_field_schemas():
-        for prop_name, _prop_schema in props.items():
-            prop_schema = _prop_schema
-            is_array = prop_schema.get("type") == "array"
-            if is_array:
-                prop_schema = prop_schema.get("items", {})
-
-            if "enum" not in prop_schema:
-                continue
-
-            prop_enum_original_list = prop_schema["enum"]
-            prop_schema["enum"] = [i for i in prop_schema["enum"] if i not in ["", None]]
-            prop_hash = extract_hash(prop_schema)
-            # when choice sets are reused under multiple names, the generated name cannot be
-            # resolved from the hash alone. fall back to prop_name and hash for resolution.
-            enum_name = enum_name_mapping.get(prop_hash) or enum_name_mapping[prop_hash, prop_name]
-
-            # split property into remaining property and enum component parts
-            enum_schema = {k: v for k, v in prop_schema.items() if k in ["type", "enum"]}
-            prop_schema = {
-                k: v for k, v in prop_schema.items() if k not in ["type", "enum", "x-spec-enum-id"]
-            }
-
-            # separate actual description from name-value tuples
-            if spectacular_settings.ENUM_GENERATE_CHOICE_DESCRIPTION:
-                if prop_schema.get("description", "").startswith("*"):
-                    enum_schema["description"] = prop_schema.pop("description")
-                elif "\n\n*" in prop_schema.get("description", ""):
-                    _, _, post = prop_schema["description"].partition("\n\n*")
-                    enum_schema["description"] = "*" + post
-
-            components = [create_enum_component(enum_name, schema=enum_schema)]
-            if spectacular_settings.ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE:
-                if "" in prop_enum_original_list:
-                    components.append(
-                        create_enum_component(f"Blank{enum_suffix}", schema={"enum": [""]})
-                    )
-                if None in prop_enum_original_list:
-                    if spectacular_settings.OAS_VERSION.startswith("3.1"):
-                        components.append(
-                            create_enum_component(f"Null{enum_suffix}", schema={"type": "null"})
-                        )
-                    else:
-                        components.append(
-                            create_enum_component(f"Null{enum_suffix}", schema={"enum": [None]})
-                        )
-
-            # undo OAS 3.1 type list NULL construction as we cover
-            # this in a separate component already
-            if spectacular_settings.OAS_VERSION.startswith("3.1") and isinstance(
-                enum_schema["type"], list
-            ):
-                enum_schema["type"] = [t for t in enum_schema["type"] if t != "null"][0]
-
-            if len(components) == 1:
-                prop_schema.update(components[0].ref)
-            else:
-                prop_schema.update({"oneOf": [c.ref for c in components]})
-
-            patch_target = props[prop_name]  # noqa: PLR1733
-            if is_array:
-                patch_target = patch_target["items"]
-
-            # Replace existing schema information with reference
-            patch_target.clear()
-            patch_target.update(safe_ref(prop_schema))
-
-    # sort again with additional components
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # remove remaining ids that were not part of this hook (operation parameters mainly)
-    postprocess_schema_enum_id_removal(result, generator)
-
-    return result
-
-
-# Fixed version of `load_enum_name_overrides()` with a LRU cache based on language
-# *and* enum overrides.
-# Without this, API generation breaks if there is more than 1 API present (such as in split APIs)
-# Original source: drf-spectacular/drf_spectacular/plumbing.py
-def load_enum_name_overrides():
-    cache_key = get_language() or ""
-
-    for k, v in sorted(spectacular_settings.ENUM_NAME_OVERRIDES.items()):
-        cache_key += f";{k}:{v}"
-
-    return _load_enum_name_overrides(cache_key)
-
-
-# Original source: drf-spectacular/drf_spectacular/plumbing.py
-# Only change: cache_key argument instead of language.
-@functools.lru_cache
-def _load_enum_name_overrides(cache_key):
-    overrides = {}
-    for name, _choices in spectacular_settings.ENUM_NAME_OVERRIDES.items():
-        choices = _choices
-        if isinstance(choices, str):
-            choices = deep_import_string(choices)
-        if not choices:
-            warn(
-                f"unable to load choice override for {name} from ENUM_NAME_OVERRIDES. "
-                f"please check module path string."
-            )
-            continue
-        if inspect.isclass(choices) and issubclass(choices, Choices):
-            choices = choices.choices
-        if inspect.isclass(choices) and issubclass(choices, Enum):
-            choices = [(c.value, c.name) for c in choices]
-        normalized_choices = []
-        for choice in choices:
-            # Allow None values in the simple values list case
-            if isinstance(choice, str) or choice is None:
-                # TODO warning
-                normalized_choices.append((choice, choice))  # simple choice list
-            elif isinstance(choice[1], (list, tuple)):
-                normalized_choices.extend(choice[1])  # categorized nested choices
-            else:
-                normalized_choices.append(choice)  # normal 2-tuple form
-
-        # Get all of choice values that should be used in the hash, blank and
-        # None values get excluded in the post-processing hook for enum overrides,
-        # so we do the same here to ensure the hashes match
-        hashable_values = [
-            (value, label) for value, label in normalized_choices if value not in ["", None]
-        ]
-        overrides[list_hash(hashable_values)] = name
-
-    if len(spectacular_settings.ENUM_NAME_OVERRIDES) != len(overrides):
-        error(
-            "ENUM_NAME_OVERRIDES has duplication issues. Encountered multiple names "
-            "for the same choice set. Enum naming might be unexpected."
-        )
-    return overrides

authentik/api/v3/schema/pagination.py

@@ -1,32 +0,0 @@
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_basic_type,
-    build_object_type,
-)
-from drf_spectacular.types import OpenApiTypes
-
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)

authentik/api/v3/schema/query.py

@@ -1,17 +1,10 @@
-from typing import Any
-
 from django.utils.translation import gettext_lazy as _
-from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
     ResolvedComponent,
     build_basic_type,
     build_parameter_type,
 )
 from drf_spectacular.types import OpenApiTypes
-from structlog.stdlib import get_logger
-
-LOGGER = get_logger()
-
 
 QUERY_PARAMS = {
     "ordering": ResolvedComponent(
@@ -70,18 +63,3 @@ QUERY_PARAMS = {
         ),
     ),
 }
-
-
-def postprocess_schema_query_params(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
-    declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
-    for path in result["paths"].values():
-        for method in path.values():
-            for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
-    return result

authentik/api/v3/schema/response.py

@@ -1,22 +1,12 @@
-from typing import Any
-
 from django.utils.translation import gettext_lazy as _
-from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
     ResolvedComponent,
     build_array_type,
     build_basic_type,
     build_object_type,
 )
-from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.v3.schema.pagination import PAGINATION
-from authentik.api.v3.schema.query import QUERY_PARAMS
-
-LOGGER = get_logger()
 
 GENERIC_ERROR = ResolvedComponent(
     name="GenericError",
@@ -67,40 +57,28 @@ VALIDATION_ERROR_RESPONSE = ResolvedComponent(
         "description": "",
     },
 )
-
-
-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
-
-
-def postprocess_schema_responses(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
-    for path in result["paths"].values():
-        for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
-
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # This is a workaround for authentik/stages/prompt/stage.py
-    # since the serializer PromptChallengeResponse
-    # accepts dynamic keys
-    for component in result["components"]["schemas"]:
-        if component == "PromptChallengeResponseRequest":
-            comp = result["components"]["schemas"][component]
-            comp["additionalProperties"] = {}
-    return result
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)

authentik/api/v3/schema/search.py

@@ -1,20 +0,0 @@
-from typing import TYPE_CHECKING
-
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
-
-if TYPE_CHECKING:
-    from drf_spectacular.generators import SchemaGenerator
-
-
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result

authentik/blueprints/api.py

@@ -1,74 +1,24 @@
 """Serializer mixin for managed models"""
 
-from json import JSONDecodeError, loads
-from typing import cast
-
-from django.conf import settings
-from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
-from rest_framework.exceptions import PermissionDenied, ValidationError
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    DateTimeField,
-    FileField,
-)
-from rest_framework.parsers import MultiPartParser
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.api.validation import validate
 from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.common import Blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
-from authentik.core.models import User
-from authentik.events.logs import LogEventSerializer
 from authentik.rbac.decorators import permission_required
 
 
-def get_blueprints():
-    if settings.DEBUG:
-        return blueprints_find_dict()
-    return blueprints_find_dict.send().get_result(block=True)
-
-
-class BlueprintUploadSerializer(PassiveSerializer):
-    """Serializer to upload file"""
-
-    file = FileField(required=False)
-    path = CharField(required=False)
-    context = CharField(required=False, allow_blank=True)
-
-    def validate_path(self, path: str) -> str:
-        """Ensure the path (if set) specified is retrievable"""
-        if path == "":
-            return path
-        files: list[dict] = get_blueprints()
-        if path not in [file["path"] for file in files]:
-            raise ValidationError(_("Blueprint file does not exist"))
-        return path
-
-    def validate_context(self, context: str) -> dict:
-        """Parse context as a JSON object"""
-        if not context:
-            return {}
-        try:
-            parsed = loads(context)
-        except JSONDecodeError as exc:
-            raise ValidationError(_("Context must be valid JSON")) from exc
-        if not isinstance(parsed, dict):
-            raise ValidationError(_("Context must be a JSON object"))
-        return parsed
-
-
 class ManagedSerializer:
     """Managed Serializer"""
 
@@ -89,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
         """Ensure the path (if set) specified is retrievable"""
         if path == "" or path.startswith(OCI_PREFIX):
             return path
-        files: list[dict] = get_blueprints()
+        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
         if path not in [file["path"] for file in files]:
             raise ValidationError(_("Blueprint file does not exist"))
         return path
@@ -138,33 +88,6 @@ class BlueprintInstanceSerializer(ModelSerializer):
         }
 
 
-def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
-    """Check for individual permissions for each model in a blueprint"""
-    for entry in blueprint.iter_entries():
-        full_model = entry.get_model(blueprint)
-        app, __, model = full_model.partition(".")
-        perms = [
-            f"{app}.add_{model}",
-            f"{app}.change_{model}",
-            f"{app}.delete_{model}",
-        ]
-        if explicit_action:
-            perms = [f"{app}.{explicit_action}_{model}"]
-        for perm in perms:
-            if not user.has_perm(perm):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-
-
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     """Blueprint instances"""
 
@@ -174,12 +97,6 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     filterset_fields = ["name", "path"]
     ordering = ["name"]
 
-    class BlueprintImportResultSerializer(PassiveSerializer):
-        """Logs of an attempted blueprint import"""
-
-        logs = LogEventSerializer(many=True, read_only=True)
-        success = BooleanField(read_only=True)
-
     @extend_schema(
         responses={
             200: ListSerializer(
@@ -198,7 +115,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     @action(detail=False, pagination_class=None, filter_backends=[])
     def available(self, request: Request) -> Response:
         """Get blueprints"""
-        files: list[dict] = get_blueprints()
+        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
         return Response(files)
 
     @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -214,43 +131,3 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
         blueprint = self.get_object()
         apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
         return self.retrieve(request, *args, **kwargs)
-
-    @extend_schema(
-        request={"multipart/form-data": BlueprintUploadSerializer},
-        responses={200: BlueprintImportResultSerializer},
-    )
-    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
-    @validate(
-        BlueprintUploadSerializer,
-    )
-    def import_(self, request: Request, body: BlueprintUploadSerializer) -> Response:
-        """Import blueprint from .yaml file and apply it once, without creating an instance"""
-        string_contents = ""
-        if body.validated_data.get("file"):
-            file = cast(InMemoryUploadedFile, body.validated_data["file"])
-            string_contents = file.read().decode()
-        elif body.validated_data.get("path"):
-            string_contents = BlueprintInstance(
-                path=body.validated_data.get("path")
-            ).retrieve_file()
-        else:
-            raise ValidationError("Either path or file must be set")
-        context = body.validated_data.get("context") or {}
-        importer = Importer.from_string(string_contents, context)
-
-        check_blueprint_perms(importer.blueprint, request.user)
-
-        valid, logs = importer.validate()
-
-        import_response = self.BlueprintImportResultSerializer(
-            data={
-                "logs": [LogEventSerializer(log).data for log in logs],
-                "success": valid,
-            }
-        )
-        import_response.is_valid(raise_exception=True)
-
-        if valid:
-            import_response.initial_data["success"] = importer.apply()
-            import_response.is_valid()
-        return Response(data=import_response.initial_data, status=200)

authentik/blueprints/apps.py

@@ -3,6 +3,7 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
+from inspect import ismethod
 
 from django.apps import AppConfig
 from django.conf import settings
@@ -71,19 +72,12 @@ class ManagedAppConfig(AppConfig):
 
     def _reconcile(self, prefix: str) -> None:
         for meth_name in dir(self):
-            # Check the attribute on the class to avoid evaluating @property descriptors.
-            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
-            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
-            # and running PolicyEngine queries for every user).
-            class_attr = getattr(type(self), meth_name, None)
-            if class_attr is None or isinstance(class_attr, property):
+            meth = getattr(self, meth_name)
+            if not ismethod(meth):
                 continue
-            if not callable(class_attr):
-                continue
-            category = getattr(class_attr, "_authentik_managed_reconcile", None)
+            category = getattr(meth, "_authentik_managed_reconcile", None)
             if category != prefix:
                 continue
-            meth = getattr(self, meth_name)
             name = meth_name.replace(prefix, "")
             try:
                 self.logger.debug("Starting reconciler", name=name)

authentik/blueprints/management/commands/apply_blueprint.py

@@ -1,6 +1,5 @@
 """Apply blueprint from commandline"""
 
-from argparse import ArgumentParser
 from sys import exit as sys_exit
 
 from django.core.management.base import BaseCommand, no_translations
@@ -32,5 +31,5 @@ class Command(BaseCommand):
                         sys_exit(1)
                     importer.apply()
 
-    def add_arguments(self, parser: ArgumentParser):
+    def add_arguments(self, parser):
         parser.add_argument("blueprints", nargs="+", type=str)

authentik/blueprints/tests/test_v1_api.py

@@ -1,19 +1,14 @@
 """Test blueprints v1 api"""
 
-from json import dumps, loads
+from json import loads
 from tempfile import NamedTemporaryFile, mkdtemp
 
-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump
 
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
-from authentik.lib.generators import generate_id
-from authentik.stages.invitation.models import InvitationStage
-from authentik.stages.user_write.models import UserWriteStage
 
 TMP = mkdtemp("authentik-blueprints")
 
@@ -85,121 +80,3 @@ class TestBlueprintsV1API(APITestCase):
             res.content.decode(),
             {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
         )
-
-    def test_api_import_with_context(self):
-        """Test that the import endpoint applies the supplied context to the real blueprint"""
-        slug = f"invitation-enrollment-{generate_id()}"
-        flow_name = f"Invitation Enrollment {generate_id()}"
-        stage_name = f"invitation-stage-{generate_id()}"
-        user_type = "internal"
-        continue_without_invitation = True
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": dumps(
-                    {
-                        "flow_slug": slug,
-                        "flow_name": flow_name,
-                        "stage_name": stage_name,
-                        "continue_flow_without_invitation": continue_without_invitation,
-                        "user_type": user_type,
-                    }
-                ),
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 200)
-        self.assertTrue(res.json()["success"])
-
-        flow = Flow.objects.get(slug=slug)
-        self.assertEqual(flow.name, flow_name)
-        self.assertEqual(flow.title, flow_name)
-
-        invitation_stage = InvitationStage.objects.get(name=stage_name)
-        self.assertEqual(
-            invitation_stage.continue_flow_without_invitation,
-            continue_without_invitation,
-        )
-
-        user_write_stage = UserWriteStage.objects.get(
-            name=f"invitation-enrollment-user-write-{slug}"
-        )
-        self.assertEqual(user_write_stage.user_type, user_type)
-        self.assertEqual(user_write_stage.user_path_template, f"users/{user_type}")
-
-    def test_api_import_blank_path(self):
-        """Validator returns empty path unchanged (covers api.py:53)."""
-        with NamedTemporaryFile(mode="w+", suffix=".yaml") as file:
-            file.write(dump({"version": 1, "entries": []}))
-            file.flush()
-            file.seek(0)
-            res = self.client.post(
-                reverse("authentik_api:blueprintinstance-import-"),
-                data={"path": "", "file": file},
-                format="multipart",
-            )
-        self.assertEqual(res.status_code, 200)
-
-    def test_api_import_invalid_blueprint_returns_result_payload(self):
-        """Invalid blueprint content returns a result payload instead of a 400 response."""
-        file = SimpleUploadedFile("invalid-blueprint.yaml", b'{"version": 3}')
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"file": file},
-            format="multipart",
-        )
-
-        self.assertEqual(res.status_code, 200)
-        self.assertFalse(res.json()["success"])
-        self.assertGreater(len(res.json()["logs"]), 0)
-
-    def test_api_import_unknown_path(self):
-        """Path not in available blueprints is rejected (covers api.py:56)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"path": "does/not/exist.yaml"},
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Blueprint file does not exist", res.content.decode())
-
-    def test_api_import_blank_context(self):
-        """Blank context is normalized to empty dict (covers api.py:62)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_api_import_invalid_json_context(self):
-        """Malformed JSON context raises ValidationError (covers api.py:65-66)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "{not json",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Context must be valid JSON", res.content.decode())
-
-    def test_api_import_non_object_context(self):
-        """JSON context that isn't an object is rejected (covers api.py:68)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "[1, 2, 3]",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Context must be a JSON object", res.content.decode())

authentik/blueprints/tests/test_v1_conditions.py

@@ -1,11 +1,8 @@
 """Test blueprints v1"""
 
-from unittest.mock import patch
-
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
-from authentik.enterprise.license import LicenseKey
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
@@ -45,45 +42,3 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
         # Ensure objects do not exist
         self.assertFalse(Flow.objects.filter(slug=flow_slug1))
         self.assertFalse(Flow.objects.filter(slug=flow_slug2))
-
-    def test_enterprise_license_context_unlicensed(self):
-        """Test enterprise license context defaults to a false boolean when unlicensed."""
-        license_key = LicenseKey("test", 0, "Test license", 0, 0)
-
-        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
-            importer = Importer.from_string("""
-version: 1
-entries:
-    - identifiers:
-          name: enterprise-test
-          slug: enterprise-test
-      model: authentik_flows.flow
-      conditions:
-          - !Context goauthentik.io/enterprise/licensed
-      attrs:
-          designation: stage_configuration
-          title: foo
-""")
-
-        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], False)
-
-    def test_enterprise_license_context_licensed(self):
-        """Test enterprise license context defaults to a true boolean when licensed."""
-        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
-
-        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
-            importer = Importer.from_string("""
-version: 1
-entries:
-    - identifiers:
-          name: enterprise-test
-          slug: enterprise-test
-      model: authentik_flows.flow
-      conditions:
-          - !Context goauthentik.io/enterprise/licensed
-      attrs:
-          designation: stage_configuration
-          title: foo
-""")
-
-        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], True)

authentik/blueprints/v1/common.py

@@ -43,6 +43,8 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
             continue
         if _field.read_only:
             data.pop(field_name, None)
+        if _field.get_initial() == data.get(field_name, None):
+            data.pop(field_name, None)
         if field_name.endswith("_set"):
             data.pop(field_name, None)
     return data

authentik/blueprints/v1/importer.py

@@ -146,7 +146,9 @@ class Importer:
         try:
             from authentik.enterprise.license import LicenseKey
 
-            context["goauthentik.io/enterprise/licensed"] = LicenseKey.get_total().status().is_valid
+            context["goauthentik.io/enterprise/licensed"] = (
+                LicenseKey.get_total().status().is_valid,
+            )
         except ModuleNotFoundError:
             pass
         return context
@@ -270,7 +272,7 @@ class Importer:
             and entry.state != BlueprintEntryDesiredState.MUST_CREATED
         ):
             self.logger.debug(
-                "Initialize serializer with instance",
+                "Initialise serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -288,7 +290,7 @@ class Importer:
             )
         else:
             self.logger.debug(
-                "Initialized new serializer instance",
+                "Initialised new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )

authentik/brands/api.py

@@ -64,7 +64,6 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
-            "flow_lockdown",
             "default_application",
             "web_certificate",
             "client_certificates",
@@ -118,7 +117,6 @@ class CurrentBrandSerializer(PassiveSerializer):
     flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
     flow_user_settings = CharField(source="flow_user_settings.slug", required=False)
     flow_device_code = CharField(source="flow_device_code.slug", required=False)
-    flow_lockdown = CharField(source="flow_lockdown.slug", required=False)
 
     default_locale = CharField(read_only=True)
     flags = SerializerMethodField()
@@ -156,7 +154,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "flow_unenrollment",
         "flow_user_settings",
         "flow_device_code",
-        "flow_lockdown",
         "web_certificate",
         "client_certificates",
     ]

authentik/brands/migrations/0012_brand_flow_lockdown.py

@@ -1,25 +0,0 @@
-# Generated by Django 5.2.12 on 2026-03-14 02:58
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0011_alter_brand_branding_default_flow_background_and_more"),
-        ("authentik_flows", "0031_alter_flow_layout"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="flow_lockdown",
-            field=models.ForeignKey(
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="brand_lockdown",
-                to="authentik_flows.flow",
-            ),
-        ),
-    ]

authentik/brands/models.py

@@ -58,9 +58,6 @@ class Brand(SerializerModel):
     flow_device_code = models.ForeignKey(
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
-    flow_lockdown = models.ForeignKey(
-        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_lockdown"
-    )
 
     default_application = models.ForeignKey(
         "authentik_core.Application",
@@ -104,23 +101,13 @@ class Brand(SerializerModel):
         """Get themed URLs for branding_favicon if it contains %(theme)s"""
         return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)
 
-    def branding_default_flow_background_url(self, request=None, use_cache: bool = True) -> str:
+    def branding_default_flow_background_url(self) -> str:
         """Get branding_default_flow_background URL"""
-        return get_file_manager(FileUsage.MEDIA).file_url(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)
 
-    def branding_default_flow_background_themed_urls(
-        self, request=None, use_cache: bool = True
-    ) -> dict[str, str] | None:
+    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
         """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/brands/tests.py

@@ -20,16 +20,11 @@ class TestBrands(APITestCase):
 
     def setUp(self):
         super().setUp()
+        self.default_flags = {}
+        for flag in Flag.available(visibility="public"):
+            self.default_flags[flag().key] = flag.get()
         Brand.objects.all().delete()
 
-    @property
-    def default_flags(self) -> dict[str, object]:
-        """Get current public flags.
-
-        Some tests define temporary Flag subclasses, so this can't be cached in setUp.
-        """
-        return {flag().key: flag.get() for flag in Flag.available(visibility="public")}
-
     def test_current_brand(self):
         """Test Current brand API"""
         brand = create_test_brand()

authentik/brands/utils.py

@@ -3,7 +3,7 @@
 from typing import Any
 
 from django.db.models import Case, F, IntegerField, Q, Value, When
-from django.db.models.functions import Concat, Length
+from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -26,8 +26,7 @@ def get_brand_for_request(request: HttpRequest) -> Brand:
             domain_length=Length("domain"),
             match_priority=Case(
                 When(
-                    condition=Q(host_domain__iexact=F("domain"))
-                    | Q(host_domain__iendswith=Concat(Value("."), F("domain"))),
+                    condition=Q(host_domain__iendswith=F("domain")),
                     then=F("domain_length"),
                 ),
                 default=Value(-1),

authentik/common/oauth/constants.py

@@ -5,7 +5,6 @@ from django.utils.translation import gettext_lazy as _
 
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
 GRANT_TYPE_IMPLICIT = "implicit"
-GRANT_TYPE_HYBRID = "hybrid"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
 GRANT_TYPE_PASSWORD = "password"  # nosec
@@ -22,9 +21,6 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"
 
 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
-PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
-
-OAUTH2_BINDING = "redirect"
 
 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -41,9 +37,6 @@ TOKEN_TYPE = "Bearer"  # nosec
 
 SCOPE_AUTHENTIK_API = "goauthentik.io/api"
 
-# URI schemes that are forbidden for redirect URIs
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
-
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)

authentik/common/saml/constants.py

@@ -28,10 +28,6 @@ SAML_ATTRIBUTES_GROUP = "http://schemas.xmlsoap.org/claims/Group"
 SAML_BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
-SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
-
-DEFAULT_ISSUER = "authentik"
-
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 # https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2

authentik/core/api/application_entitlements.py

@@ -47,8 +47,7 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
     search_fields = [
         "pbm_uuid",
         "name",
-        "app__name",
-        "app__slug",
+        "app",
         "attributes",
     ]
     filterset_fields = [

authentik/core/api/applications.py

@@ -25,7 +25,6 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
-from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -36,13 +35,9 @@ from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
 
 
-def user_app_cache_key(
-    user_pk: str, page_number: int | None = None, only_with_launch_url: bool = False
-) -> str:
+def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
     """Cache key where application list for user is saved"""
     key = f"{CACHE_PREFIX}app_access/{user_pk}"
-    if only_with_launch_url:
-        key += "/launch"
     if page_number:
         key += f"/{page_number}"
     return key
@@ -52,12 +47,7 @@ class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
     launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(
-        source="get_provider",
-        required=False,
-        read_only=True,
-        allow_null=True,
-    )
+    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
     backchannel_providers_obj = ProviderSerializer(
         source="backchannel_providers", required=False, read_only=True, many=True
     )
@@ -120,7 +110,6 @@ class ApplicationSerializer(ModelSerializer):
             "meta_publisher",
             "policy_engine_mode",
             "group",
-            "meta_hide",
         ]
         extra_kwargs = {
             "backchannel_providers": {"required": False},
@@ -165,16 +154,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return queryset
 
     def _get_allowed_applications(
-        self, paginated_apps: Iterator[Application], user: User | None = None
+        self, pagined_apps: Iterator[Application], user: User | None = None
     ) -> list[Application]:
         applications = []
         request = self.request._request
         if user:
             request = copy(request)
             request.user = user
-        for application in paginated_apps:
+        for application in pagined_apps:
             engine = PolicyEngine(application, request.user, request)
-            engine.empty_result = AppAccessWithoutBindings.get()
             engine.build()
             if engine.passing:
                 applications.append(application)
@@ -232,7 +220,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             if not for_user:
                 raise ValidationError({"for_user": "User not found"})
         engine = PolicyEngine(application, for_user, request)
-        engine.empty_result = AppAccessWithoutBindings.get()
         engine.use_cache = False
         with capture_logs() as logs:
             engine.build()
@@ -279,17 +266,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = (
-            str(request.query_params.get("only_with_launch_url", "false")).lower()
-        ) == "true"
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        queryset = queryset.exclude(meta_hide=True)
-        if only_with_launch_url:
-            # Pre-filter at DB level to skip expensive per-app policy evaluation
-            # for apps that can never appear in the launcher (no meta_launch_url
-            # and no provider, so no possible launch URL).
-            queryset = queryset.exclude(meta_launch_url="", provider__isnull=True)
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
 
@@ -306,6 +287,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             except ValueError as exc:
                 raise ValidationError from exc
             allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._expand_applications(allowed_applications)
 
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
@@ -315,26 +297,19 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             allowed_applications = self._get_allowed_applications(paginated_apps)
         if should_cache:
             allowed_applications = cache.get(
-                user_app_cache_key(
-                    self.request.user.pk, paginator.page.number, only_with_launch_url
-                )
+                user_app_cache_key(self.request.user.pk, paginator.page.number)
             )
-            if allowed_applications:
-                # Re-fetch cached applications since pickled instances lose prefetched
-                # relationships, causing N+1 queries during serialization
-                allowed_applications = self._expand_applications(allowed_applications)
-            else:
+            if not allowed_applications:
                 LOGGER.debug("Caching allowed application list", page=paginator.page.number)
                 allowed_applications = self._get_allowed_applications(paginated_apps)
                 cache.set(
-                    user_app_cache_key(
-                        self.request.user.pk, paginator.page.number, only_with_launch_url
-                    ),
+                    user_app_cache_key(self.request.user.pk, paginator.page.number),
                     allowed_applications,
                     timeout=86400,
                 )
+        allowed_applications = self._expand_applications(allowed_applications)
 
-        if only_with_launch_url:
+        if only_with_launch_url == "true":
             allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
 
         serializer = self.get_serializer(allowed_applications, many=True)

authentik/core/api/authenticated_sessions.py

@@ -32,19 +32,19 @@ from authentik.rbac.decorators import permission_required
 class UserAgentDeviceDict(TypedDict):
     """User agent device"""
 
-    brand: str | None = None
+    brand: str
     family: str
-    model: str | None = None
+    model: str
 
 
 class UserAgentOSDict(TypedDict):
     """User agent os"""
 
     family: str
-    major: str | None = None
-    minor: str | None = None
-    patch: str | None = None
-    patch_minor: str | None = None
+    major: str
+    minor: str
+    patch: str
+    patch_minor: str
 
 
 class UserAgentBrowserDict(TypedDict):

authentik/core/api/groups.py

@@ -7,7 +7,6 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
     OpenApiParameter,
     OpenApiResponse,
@@ -19,16 +18,13 @@ from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
-from rest_framework.relations import ManyRelatedField, PrimaryKeyRelatedField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -37,77 +33,6 @@ from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
 
-
-class BulkManyRelatedField(ManyRelatedField):
-    """ManyRelatedField that validates all PKs in a single query instead of one per PK."""
-
-    def to_internal_value(self, data):
-        if isinstance(data, str) or not hasattr(data, "__iter__"):
-            self.fail("not_a_list", input_type=type(data).__name__)
-        if not self.allow_empty and len(data) == 0:
-            self.fail("empty")
-
-        child = self.child_relation
-        pk_field = child.pk_field
-        # Coerce PKs through pk_field if defined
-        pk_map = {}
-        for item in data:
-            if isinstance(item, bool):
-                self.fail("incorrect_type", data_type=type(item).__name__)
-            pk = pk_field.to_internal_value(item) if pk_field else item
-            pk_map[pk] = item  # map coerced PK -> original value for error reporting
-
-        queryset = child.get_queryset()
-        # Use count to validate all PKs exist in a single query
-        found_count = queryset.filter(pk__in=pk_map.keys()).count()
-        if found_count < len(pk_map):
-            # Some PKs not found — fall back to per-PK checks for error reporting.
-            # This only runs when there's an actual validation error (rare path).
-            for pk, original in pk_map.items():
-                if not queryset.filter(pk=pk).exists():
-                    child.fail("does_not_exist", pk_value=original)
-
-        # Return raw PKs — Django's M2M set() accepts both objects and PKs,
-        # using get_prep_value() for type coercion. This avoids loading all
-        # objects into memory and avoids triggering post_init signals.
-        return list(pk_map.keys())
-
-    def to_representation(self, iterable):
-        # For non-prefetched querysets, get PKs directly without loading model instances.
-        # When prefetched, _result_cache is a list (possibly empty); when not, it's None.
-        if hasattr(iterable, "values_list") and getattr(iterable, "_result_cache", None) is None:
-            return list(iterable.values_list("pk", flat=True))
-        return super().to_representation(iterable)
-
-
-class BulkPrimaryKeyRelatedField(PrimaryKeyRelatedField):
-    """PrimaryKeyRelatedField that uses bulk validation when many=True."""
-
-    @classmethod
-    def many_init(cls, *args, **kwargs):
-        allow_empty = kwargs.pop("allow_empty", None)
-        max_length = kwargs.pop("max_length", None)
-        min_length = kwargs.pop("min_length", None)
-        child_relation = cls(*args, **kwargs)
-        list_kwargs = {
-            "child_relation": child_relation,
-        }
-        if allow_empty is not None:
-            list_kwargs["allow_empty"] = allow_empty
-        if max_length is not None:
-            list_kwargs["max_length"] = max_length
-        if min_length is not None:
-            list_kwargs["min_length"] = min_length
-        list_kwargs.update(
-            {
-                key: value
-                for key, value in kwargs.items()
-                if key in ("required", "default", "source")
-            }
-        )
-        return BulkManyRelatedField(**list_kwargs)
-
-
 PARTIAL_USER_SERIALIZER_MODEL_FIELDS = [
     "pk",
     "username",
@@ -150,7 +75,6 @@ class GroupSerializer(ModelSerializer):
     """Group Serializer"""
 
     attributes = JSONDictField(required=False)
-    users = BulkPrimaryKeyRelatedField(queryset=User.objects.all(), many=True, default=list)
     parents = PrimaryKeyRelatedField(queryset=Group.objects.all(), many=True, required=False)
     parents_obj = SerializerMethodField(allow_null=True)
     children_obj = SerializerMethodField(allow_null=True)
@@ -265,6 +189,9 @@ class GroupSerializer(ModelSerializer):
             "children_obj",
         ]
         extra_kwargs = {
+            "users": {
+                "default": list,
+            },
             "children": {
                 "required": False,
                 "default": list,
@@ -294,7 +221,6 @@ class GroupFilter(FilterSet):
     members_by_pk = ModelMultipleChoiceFilter(
         field_name="users",
         queryset=User.objects.all(),
-        distinct=False,
     )
 
     def filter_attributes(self, queryset, name, value):
@@ -339,6 +265,12 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     ]
 
     def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            JSONSearchField,
+        )
+
         return [
             StrField(Group, "name"),
             BoolField(Group, "is_superuser", nullable=True),
@@ -346,8 +278,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
         ]
 
     def get_queryset(self):
-        # Always prefetch parents and children since their PKs are always serialized
-        base_qs = Group.objects.all().prefetch_related("roles", "parents", "children")
+        base_qs = Group.objects.all().prefetch_related("roles")
 
         if self.serializer_class(context={"request": self.request})._should_include_users:
             # Only fetch fields needed by PartialUserSerializer to reduce DB load and instantiation
@@ -358,9 +289,16 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
                     queryset=User.objects.all().only(*PARTIAL_USER_SERIALIZER_MODEL_FIELDS),
                 )
             )
-        # When include_users=false, skip users prefetch entirely.
-        # BulkManyRelatedField.to_representation will use values_list to get PKs
-        # directly without loading User instances into memory.
+        else:
+            base_qs = base_qs.prefetch_related(
+                Prefetch("users", queryset=User.objects.all().only("id"))
+            )
+
+        if self.serializer_class(context={"request": self.request})._should_include_children:
+            base_qs = base_qs.prefetch_related("children")
+
+        if self.serializer_class(context={"request": self.request})._should_include_parents:
+            base_qs = base_qs.prefetch_related("parents")
 
         return base_qs
 

authentik/core/api/tokens.py

@@ -124,7 +124,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
     """Token Viewset"""
 
     lookup_field = "identifier"
-    queryset = Token.objects.including_expired().all()
+    queryset = Token.objects.all()
     serializer_class = TokenSerializer
     search_fields = [
         "identifier",

authentik/core/api/transactional_applications.py

@@ -2,8 +2,9 @@
 
 from django.apps import apps
 from django.db.models import Model
+from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -12,7 +13,6 @@ from rest_framework.views import APIView
 from yaml import ScalarNode
 
 from authentik.api.validation import validate
-from authentik.blueprints.api import check_blueprint_perms
 from authentik.blueprints.v1.common import (
     Blueprint,
     BlueprintEntry,
@@ -165,7 +165,21 @@ class TransactionalApplicationView(APIView):
     def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
         """Convert data into a blueprint, validate it and apply it"""
         blueprint: Blueprint = body.validated_data
-        check_blueprint_perms(blueprint, request.user, explicit_action="add")
+        for entry in blueprint.entries:
+            full_model = entry.get_model(blueprint)
+            app, __, model = full_model.partition(".")
+            if not request.user.has_perm(f"{app}.add_{model}"):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
         importer = Importer(blueprint, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}

authentik/core/api/users.py

@@ -6,7 +6,6 @@ from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import AnonymousUser, Permission
-from django.db.models import Exists, OuterRef, Prefetch, Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -14,7 +13,6 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from django.utils.translation import gettext_lazy
 from django_filters.filters import (
     BooleanFilter,
     CharFilter,
@@ -24,7 +22,6 @@ from django_filters.filters import (
     UUIDFilter,
 )
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
     OpenApiParameter,
@@ -58,10 +55,6 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    ChoiceSearchField,
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -79,7 +72,6 @@ from authentik.core.middleware import (
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_PATH_SERVICE_ACCOUNT,
-    USERNAME_MAX_LENGTH,
     Group,
     Session,
     Token,
@@ -107,10 +99,6 @@ from authentik.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
 
-INVALID_PASSWORD_HASH_MESSAGE = gettext_lazy(
-    "Invalid password hash format. Must be a valid Django password hash."
-)
-
 
 class ParamUserSerializer(PassiveSerializer):
     """Partial serializer for query parameters to select a user"""
@@ -137,7 +125,7 @@ class PartialGroupSerializer(ModelSerializer):
 class UserSerializer(ModelSerializer):
     """User Serializer"""
 
-    is_superuser = SerializerMethodField()
+    is_superuser = BooleanField(read_only=True)
     avatar = SerializerMethodField()
     attributes = JSONDictField(required=False)
     groups = PrimaryKeyRelatedField(
@@ -156,7 +144,7 @@ class UserSerializer(ModelSerializer):
     roles_obj = SerializerMethodField(allow_null=True)
     uid = CharField(read_only=True)
     username = CharField(
-        max_length=USERNAME_MAX_LENGTH,
+        max_length=150,
         validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
     )
 
@@ -174,14 +162,6 @@ class UserSerializer(ModelSerializer):
             return True
         return str(request.query_params.get("include_roles", "true")).lower() == "true"
 
-    @extend_schema_field(BooleanField)
-    def get_is_superuser(self, instance: User) -> bool:
-        """Use annotation if available to avoid N+1 query"""
-        ann = getattr(instance, "_annotated_is_superuser", None)
-        if ann is not None:
-            return ann
-        return instance.is_superuser
-
     @extend_schema_field(PartialGroupSerializer(many=True))
     def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
         if not self._should_include_groups:
@@ -195,79 +175,47 @@ class UserSerializer(ModelSerializer):
         return RoleSerializer(instance.roles, many=True).data
 
     def __init__(self, *args, **kwargs):
-        """Setting password and permissions directly is allowed only in blueprints."""
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
-            self.fields["password_hash"] = CharField(required=False, allow_null=True)
             self.fields["permissions"] = ListField(
                 required=False,
                 child=ChoiceField(choices=get_permission_choices()),
             )
 
     def create(self, validated_data: dict) -> User:
-        """Create a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """If this serializer is used in the blueprint context, we allow for
+        directly setting a password. However should be done via the `set_password`
+        method instead of directly setting it like rest_framework."""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
         instance: User = super().create(validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
         return instance
 
     def update(self, instance: User, validated_data: dict) -> User:
-        """Update a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """Same as `create` above, set the password directly if we're in a blueprint
+        context"""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
         instance = super().update(instance, validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
         return instance
 
-    def _validate_password_inputs(self, password: str | None, password_hash: str | None):
-        """Validate mutually-exclusive password inputs before any model mutation."""
-        if password is not None and password_hash is not None:
-            raise ValidationError(_("Cannot set both password and password_hash. Use only one."))
-        if password_hash is None:
-            return
-        try:
-            User.validate_password_hash(password_hash)
-        except ValueError as exc:
-            LOGGER.warning("Failed to identify password hash format", exc_info=exc)
-            raise ValidationError(INVALID_PASSWORD_HASH_MESSAGE) from exc
-
-    def _set_password(self, instance: User, password: str | None, password_hash: str | None = None):
-        """Set password from plain text or hash."""
-        if password_hash is not None:
-            instance.set_password_from_hash(password_hash)
-            instance.save()
-        elif password:
+    def _set_password(self, instance: User, password: str | None):
+        """Set password of user if we're in a blueprint context, and if it's an empty
+        string then use an unusable password"""
+        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and password:
             instance.set_password(password)
             instance.save()
-
-    def _ensure_password_not_empty(self, instance: User):
-        """Store an explicit unusable password instead of an empty password field."""
         if len(instance.password) == 0:
             instance.set_unusable_password()
             instance.save()
@@ -436,12 +384,6 @@ class UserPasswordSetSerializer(PassiveSerializer):
     password = CharField(required=True)
 
 
-class UserPasswordHashSetSerializer(PassiveSerializer):
-    """Payload to set a users' password hash directly"""
-
-    password = CharField(required=True)
-
-
 class UserServiceAccountSerializer(PassiveSerializer):
     """Payload to create a service account"""
 
@@ -563,9 +505,6 @@ class UsersFilter(FilterSet):
 
 
 class UserViewSet(
-    ConditionalInheritance(
-        "authentik.enterprise.stages.account_lockdown.api.UserAccountLockdownMixin"
-    ),
     ConditionalInheritance("authentik.enterprise.reports.api.reports.ExportMixin"),
     UsedByMixin,
     ModelViewSet,
@@ -584,6 +523,13 @@ class UserViewSet(
     ]
 
     def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            ChoiceSearchField,
+            JSONSearchField,
+        )
+
         return [
             StrField(User, "username"),
             StrField(User, "name"),
@@ -596,30 +542,10 @@ class UserViewSet(
 
     def get_queryset(self):
         base_qs = User.objects.all().exclude_anonymous()
-        # Always prefetch groups since group PKs are always serialized.
-        # Use full prefetch when include_groups=true (for groups_obj), ID-only otherwise.
         if self.serializer_class(context={"request": self.request})._should_include_groups:
             base_qs = base_qs.prefetch_related("groups")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("groups", queryset=Group.objects.all().only("group_uuid"))
-            )
         if self.serializer_class(context={"request": self.request})._should_include_roles:
             base_qs = base_qs.prefetch_related("roles")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("roles", queryset=Role.objects.all().only("uuid"))
-            )
-        # Annotate is_superuser to avoid N+1 query per user
-        base_qs = base_qs.annotate(
-            _annotated_is_superuser=Exists(
-                Group.objects.filter(
-                    is_superuser=True,
-                ).filter(
-                    Q(users=OuterRef("pk")) | Q(descendant_nodes__descendant__users=OuterRef("pk"))
-                )
-            )
-        )
         return base_qs
 
     @extend_schema(
@@ -788,11 +714,6 @@ class UserViewSet(
         self.request.session.modified = True
         return Response(serializer.initial_data)
 
-    def _update_session_hash_after_password_change(self, request: Request, user: User):
-        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
-            LOGGER.debug("Updating session hash after password change")
-            update_session_auth_hash(self.request, user)
-
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
         request=UserPasswordSetSerializer,
@@ -816,45 +737,9 @@ class UserViewSet(
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
             return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
-        return Response(status=204)
-
-    @permission_required("authentik_core.reset_user_password")
-    @extend_schema(
-        request=UserPasswordHashSetSerializer,
-        responses={
-            204: OpenApiResponse(description="Successfully changed password"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        methods=["POST"],
-        permission_classes=[IsAuthenticated],
-    )
-    @validate(UserPasswordHashSetSerializer)
-    def set_password_hash(
-        self, request: Request, pk: int, body: UserPasswordHashSetSerializer
-    ) -> Response:
-        """Set a user's password from a pre-hashed Django password value.
-
-        Submit the Django password hash in the shared ``password`` request field.
-
-        This updates authentik's local password verifier only. It does not attempt
-        to propagate the password change to LDAP or Kerberos because no raw password
-        is available from the request payload.
-        """
-        user: User = self.get_object()
-        try:
-            user.set_password_from_hash(body.validated_data["password"], request=request)
-            user.save()
-        except ValueError as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(data={"password": [INVALID_PASSWORD_HASH_MESSAGE]}, status=400)
-        except (ValidationError, IntegrityError) as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
+        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
+            LOGGER.debug("Updating session hash after password change")
+            update_session_auth_hash(self.request, user)
         return Response(status=204)
 
     @permission_required("authentik_core.reset_user_password")

authentik/core/apps.py

@@ -1,26 +1,7 @@
 """authentik core app config"""
 
-from django.utils.translation import gettext_lazy as _
-
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.tasks.schedules.common import ScheduleSpec
-from authentik.tenants.flags import Flag
-
-
-class Setup(Flag[bool], key="setup"):
-
-    default = False
-    visibility = "system"
-
-
-class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
-
-    default = True
-    visibility = "none"
-    description = _(
-        "Configure if applications without any policy/group/user bindings "
-        "should be accessible to any user."
-    )
 
 
 class AuthentikCoreConfig(ManagedAppConfig):
@@ -32,10 +13,6 @@ class AuthentikCoreConfig(ManagedAppConfig):
     mountpoint = ""
     default = True
 
-    def import_related(self):
-        super().import_related()
-        self.import_module("authentik.core.setup.signals")
-
     @ManagedAppConfig.reconcile_tenant
     def source_inbuilt(self):
         """Reconcile inbuilt source"""

authentik/core/auth.py

@@ -81,7 +81,7 @@ class TokenBackend(InbuiltBackend):
             User().set_password(password, request=request)
             return None
 
-        tokens = Token.objects.filter(
+        tokens = Token.filter_not_expired(
             user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
         )
         if not tokens.exists():

authentik/core/management/commands/hash_password.py

@@ -1,28 +0,0 @@
-"""Hash password using Django's password hashers"""
-
-from django.contrib.auth.hashers import make_password
-from django.core.management.base import BaseCommand, CommandError
-
-
-class Command(BaseCommand):
-    """Hash a password using Django's password hashers"""
-
-    help = "Hash a password for use with AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "password",
-            type=str,
-            help="Password to hash",
-        )
-
-    def handle(self, *args, **options):
-        password = options["password"]
-
-        if not password:
-            raise CommandError("Password cannot be empty")
-        try:
-            hashed = make_password(password)
-            self.stdout.write(hashed)
-        except ValueError as exc:
-            raise CommandError(f"Error hashing password: {exc}") from exc

authentik/core/migrations/0058_setup.py

@@ -1,61 +0,0 @@
-# Generated by Django 5.2.13 on 2026-04-21 18:49
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from django.db import migrations
-
-
-def check_is_already_setup(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from django.conf import settings
-    from authentik.flows.models import FlowAuthenticationRequirement
-
-    VersionHistory = apps.get_model("authentik_admin", "VersionHistory")
-    Flow = apps.get_model("authentik_flows", "Flow")
-    User = apps.get_model("authentik_core", "User")
-
-    db_alias = schema_editor.connection.alias
-
-    # Upgrading from a previous version
-    if not settings.TEST and VersionHistory.objects.using(db_alias).count() > 1:
-        return True
-    # OOBE flow sets itself to this authentication requirement once finished
-    if (
-        Flow.objects.using(db_alias)
-        .filter(
-            slug="initial-setup", authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-        )
-        .exists()
-    ):
-        return True
-    # non-akadmin and non-guardian anonymous user exist
-    if (
-        User.objects.using(db_alias)
-        .exclude(username="akadmin")
-        .exclude(username="AnonymousUser")
-        .exists()
-    ):
-        return True
-    return False
-
-
-def update_setup_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.core.apps import Setup
-    from authentik.tenants.utils import get_current_tenant
-
-    is_already_setup = check_is_already_setup(apps, schema_editor)
-    if is_already_setup:
-        tenant = get_current_tenant()
-        tenant.flags[Setup().key] = True
-        tenant.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0057_remove_user_groups_remove_user_user_permissions_and_more"),
-        # 0024_flow_authentication adds the `authentication` field.
-        ("authentik_flows", "0024_flow_authentication"),
-    ]
-
-    operations = [migrations.RunPython(update_setup_flag, migrations.RunPython.noop)]

authentik/core/migrations/0059_add_application_meta_hide.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-09 18:04
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_blank_launch_url(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-    Application = apps.get_model("authentik_core", "Application")
-
-    Application.objects.using(db_alias).filter(meta_launch_url="blank://blank").update(
-        meta_hide=True, meta_launch_url=""
-    )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0058_setup"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="application",
-            name="meta_hide",
-            field=models.BooleanField(
-                default=False,
-                help_text="Hide this application from the user's My applications page.",
-            ),
-        ),
-        migrations.RunPython(migrate_blank_launch_url, migrations.RunPython.noop),
-    ]

authentik/core/models.py

@@ -1,8 +1,6 @@
 """authentik core models"""
 
-import re
-import traceback
-from datetime import datetime
+from datetime import datetime, timedelta
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Self
@@ -10,13 +8,14 @@ from uuid import uuid4
 
 import pgtrigger
 from deepmerge import always_merger
-from django.contrib.auth.hashers import check_password, identify_hasher
+from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser, Permission
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
-from django.db.models import Manager, Q, QuerySet, options
+from django.db.models import Q, QuerySet, options
+from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -44,8 +43,6 @@ from authentik.lib.models import (
     DomainlessFormattedURLValidator,
     SerializerModel,
 )
-from authentik.lib.utils.inheritance import get_deepest_child
-from authentik.lib.utils.reflection import class_to_path
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -53,7 +50,6 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 
 LOGGER = get_logger()
-USERNAME_MAX_LENGTH = 150
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 _USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
 USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
@@ -518,7 +514,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
     @property
     def ak_groups(self):
         """This is a proxy for a renamed, deprecated field."""
-        from authentik.events.models import Event
+        from authentik.events.models import Event, EventAction
 
         deprecation = "authentik.core.models.User.ak_groups"
         replacement = "authentik.core.models.User.groups"
@@ -531,23 +527,23 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
             "default: in 30 days). See authentik logs for every will invocation of this "
             "deprecation."
         )
-        stacktrace = traceback.format_stack()
-        # The last line is this function, the next-to-last line is its caller
-        cause = stacktrace[-2] if len(stacktrace) > 1 else "Unknown, see stacktrace in logs"
-        if search := re.search(r'"(.*?)"', cause):
-            cause = f"Property mapping or Expression policy named {search.group(1)}"
-
         LOGGER.warning(
             "deprecation used",
             message=message_logger,
             deprecation=deprecation,
             replacement=replacement,
-            cause=cause,
-            stacktrace=stacktrace,
-        )
-        Event.log_deprecation(
-            deprecation, message=message_event, cause=cause, replacement=replacement
         )
+        if not Event.filter_not_expired(
+            action=EventAction.CONFIGURATION_WARNING, context__deprecation=deprecation
+        ).exists():
+            event = Event.new(
+                EventAction.CONFIGURATION_WARNING,
+                deprecation=deprecation,
+                replacement=replacement,
+                message=message_event,
+            )
+            event.expires = datetime.now() + timedelta(days=30)
+            event.save()
         return self.groups
 
     def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -560,33 +556,6 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
         self.password_change_date = now()
         return super().set_password(raw_password)
 
-    @staticmethod
-    def validate_password_hash(password_hash: str):
-        """Validate that the value is a recognized Django password hash."""
-        identify_hasher(password_hash)  # Raises ValueError if invalid
-
-    def set_password_from_hash(self, password_hash: str, signal=True, sender=None, request=None):
-        """Set password directly from a pre-hashed value.
-
-        Unlike set_password(), this does not hash the input again. The provided value
-        must already be a valid Django password hash, and it is stored directly on the
-        user after validation.
-
-        Because no raw password is available, downstream password sync integrations
-        such as LDAP and Kerberos cannot be updated from this code path.
-
-        Raises ValueError if the hash format is not recognized.
-        """
-        self.validate_password_hash(password_hash)
-        if self.pk and signal:
-            from authentik.core.signals import password_hash_changed
-
-            if not sender:
-                sender = self
-            password_hash_changed.send(sender=sender, user=self, request=request)
-        self.password = password_hash
-        self.password_change_date = now()
-
     def check_password(self, raw_password: str) -> bool:
         """
         Return a boolean of whether the raw_password was correct. Handles
@@ -762,9 +731,6 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_icon = FileField(default="", blank=True)
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
-    meta_hide = models.BooleanField(
-        default=False, help_text=_("Hide this application from the user's My applications page.")
-    )
 
     objects = ApplicationQuerySet.as_manager()
 
@@ -820,21 +786,35 @@ class Application(SerializerModel, PolicyBindingModel):
 
     def get_provider(self) -> Provider | None:
         """Get casted provider instance. Needs Application queryset with_provider"""
-        if hasattr(self, "_cached_provider"):
-            return self._cached_provider
         if not self.provider:
-            self._cached_provider = None
             return None
-        self._cached_provider = get_deepest_child(self.provider)
-        return self._cached_provider
+
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
+                continue
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
+            return None
+        return candidates[-1]
 
     def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
         """Get Backchannel provider for a specific type"""
-        provider: BackchannelProvider | None = self.backchannel_providers.filter(
+        providers = self.backchannel_providers.filter(
             **{f"{provider_type._meta.model_name}__isnull": False},
             **kwargs,
-        ).first()
-        return getattr(provider, provider_type._meta.model_name) if provider else None
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)
 
     def __str__(self):
         return str(self.name)
@@ -985,34 +965,21 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
     objects = InheritanceManager()
 
-    def get_icon_url(self, request=None, use_cache: bool = True) -> str | None:
-        """Get the URL to the source icon."""
-        if not self.icon:
-            return None
-        return get_file_manager(FileUsage.MEDIA).file_url(self.icon, request, use_cache=use_cache)
-
     @property
     def icon_url(self) -> str | None:
         """Get the URL to the source icon"""
-        return self.get_icon_url()
-
-    def get_icon_themed_urls(
-        self,
-        request=None,
-        use_cache: bool = True,
-    ) -> dict[str, str] | None:
-        """Get themed URLs for icon if it contains %(theme)s."""
         if not self.icon:
             return None
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.icon,
-            request,
-            use_cache=use_cache,
-        )
+
+        return get_file_manager(FileUsage.MEDIA).file_url(self.icon)
 
     @property
     def icon_themed_urls(self) -> dict[str, str] | None:
-        return self.get_icon_themed_urls()
+        """Get themed URLs for icon if it contains %(theme)s"""
+        if not self.icon:
+            return None
+
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)
 
     def get_user_path(self) -> str:
         """Get user path, fallback to default for formatting errors"""
@@ -1132,24 +1099,12 @@ class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("group", "source"),)
 
 
-class ExpiringManager(Manager):
-    """Manager for expiring objects which filters out expired objects by default"""
-
-    def get_queryset(self):
-        return QuerySet(self.model, using=self._db).exclude(expires__lt=now(), expiring=True)
-
-    def including_expired(self):
-        return QuerySet(self.model, using=self._db)
-
-
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
     expires = models.DateTimeField(default=None, null=True)
     expiring = models.BooleanField(default=True)
 
-    objects = ExpiringManager()
-
     class Meta:
         abstract = True
         indexes = [
@@ -1163,33 +1118,13 @@ class ExpiringModel(models.Model):
         default the object is deleted. This is less efficient compared
         to bulk deleting objects, but classes like Token() need to change
         values instead of being deleted."""
-        try:
-            return self.delete(*args, **kwargs)
-        except self.DoesNotExist:
-            # Object has already been deleted, so this should be fine
-            return None
+        return self.delete(*args, **kwargs)
 
     @classmethod
     def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        from authentik.events.models import Event
-
-        deprecation_id = f"{class_to_path(cls)}.filter_not_expired"
-
-        Event.log_deprecation(
-            deprecation_id,
-            message=(
-                ".filter_not_expired() is deprecated as the default lookup now excludes "
-                "expired objects."
-            ),
-        )
-
-        for obj in (
-            cls.objects.including_expired()
-            .filter(**kwargs)
-            .filter(Q(expires__lt=now(), expiring=True))
-        ):
+        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
             obj.delete()
         return cls.objects.filter(**kwargs)
 

authentik/core/sessions.py

@@ -72,7 +72,6 @@ class SessionStore(SessionBase):
             #                  and their descriptors fail to initialize (e.g., missing storage)
             # TypeError - can happen with incompatible pickled objects
             # If any of these happen, just return an empty dictionary (an empty session)
-            LOGGER.warning("Failed to decode session data", exc_info=True)
             pass
         return {}
 

authentik/core/setup/signals.py

@@ -1,42 +0,0 @@
-from os import getenv
-
-from django.dispatch import receiver
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.apps import Setup
-from authentik.root.signals import post_startup
-from authentik.tenants.models import Tenant
-
-BOOTSTRAP_BLUEPRINT = "system/bootstrap.yaml"
-
-LOGGER = get_logger()
-
-
-@receiver(post_startup)
-def post_startup_setup_bootstrap(sender, **_):
-    if (
-        not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD")
-        and not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH")
-        and not getenv("AUTHENTIK_BOOTSTRAP_TOKEN")
-    ):
-        return
-    LOGGER.info("Configuring authentik through bootstrap environment variables")
-    content = BlueprintInstance(path=BOOTSTRAP_BLUEPRINT).retrieve()
-    # If we have bootstrap credentials set, run bootstrap tasks outside of main server
-    # sync, so that we can sure the first start actually has working bootstrap
-    # credentials
-    for tenant in Tenant.objects.filter(ready=True):
-        if Setup.get(tenant=tenant):
-            LOGGER.info("Tenant is already setup, skipping", tenant=tenant.schema_name)
-            continue
-        with tenant:
-            importer = Importer.from_string(content)
-            valid, logs = importer.validate()
-            if not valid:
-                LOGGER.warning("Blueprint invalid", tenant=tenant.schema_name)
-                for log in logs:
-                    log.log()
-            importer.apply()
-            Setup.set(True, tenant=tenant)

authentik/core/setup/views.py

@@ -1,80 +0,0 @@
-from functools import lru_cache
-from http import HTTPMethod, HTTPStatus
-
-from django.contrib.staticfiles import finders
-from django.db import transaction
-from django.http import HttpRequest, HttpResponse
-from django.shortcuts import redirect
-from django.urls import reverse
-from django.views import View
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.core.apps import Setup
-from authentik.flows.models import Flow, FlowAuthenticationRequirement, in_memory_stage
-from authentik.flows.planner import FlowPlanner
-from authentik.flows.stage import StageView
-
-LOGGER = get_logger()
-FLOW_CONTEXT_START_BY = "goauthentik.io/core/setup/started-by"
-
-
-@lru_cache
-def read_static(path: str) -> str | None:
-    result = finders.find(path)
-    if not result:
-        return None
-    with open(result, encoding="utf8") as _file:
-        return _file.read()
-
-
-class SetupView(View):
-
-    setup_flow_slug = "initial-setup"
-
-    def dispatch(self, request: HttpRequest, *args, **kwargs):
-        if request.method != HTTPMethod.HEAD and Setup.get():
-            return redirect(reverse("authentik_core:root-redirect"))
-        return super().dispatch(request, *args, **kwargs)
-
-    def head(self, request: HttpRequest, *args, **kwargs):
-        if Setup.get():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        if not Flow.objects.filter(slug=self.setup_flow_slug).exists():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        return HttpResponse(status=HTTPStatus.OK)
-
-    def get(self, request: HttpRequest):
-        flow = Flow.objects.filter(slug=self.setup_flow_slug).first()
-        if not flow:
-            LOGGER.info("Setup flow does not exist yet, waiting for worker to finish")
-            return HttpResponse(
-                read_static("dist/standalone/loading/startup.html"),
-                status=HTTPStatus.SERVICE_UNAVAILABLE,
-            )
-        planner = FlowPlanner(flow)
-        plan = planner.plan(request, {FLOW_CONTEXT_START_BY: "setup"})
-        plan.append_stage(in_memory_stage(PostSetupStageView))
-        return plan.to_redirect(request, flow)
-
-
-class PostSetupStageView(StageView):
-    """Run post-setup tasks"""
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Wrapper when this stage gets hit with a post request"""
-        return self.get(request, *args, **kwargs)
-
-    def get(self, requeset: HttpRequest, *args, **kwargs):
-        with transaction.atomic():
-            # Remember we're setup
-            Setup.set(True)
-            # Disable OOBE Blueprints
-            BlueprintInstance.objects.filter(
-                **{"metadata__labels__blueprints.goauthentik.io/system-oobe": "true"}
-            ).update(enabled=False)
-            # Make flow inaccessible
-            Flow.objects.filter(slug="initial-setup").update(
-                authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-            )
-        return self.executor.stage_ok()

authentik/core/signals.py

@@ -1,5 +1,6 @@
 """authentik core signals"""
 
+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
@@ -23,10 +24,7 @@ from authentik.root.ws.consumer import build_device_group
 
 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: user: User, request: HttpRequest | None
-password_hash_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest,
-#            stage: Stage, context: dict[str, any]
+# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
 login_failed = Signal()
 
 LOGGER = get_logger()
@@ -58,7 +56,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
     layer = get_channel_layer()
     device_cookie = request.COOKIES.get("authentik_device")
     if device_cookie:
-        layer.group_send_blocking(
+        async_to_sync(layer.group_send)(
             build_device_group(device_cookie),
             {"type": "event.session.authenticated"},
         )

authentik/core/tasks.py

@@ -27,10 +27,7 @@ def clean_expired_models():
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
         objects = (
-            cls.objects.including_expired()
-            .all()
-            .exclude(expiring=False)
-            .exclude(expiring=True, expires__gt=now())
+            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
         )
         amount = objects.count()
         for obj in chunked_queryset(objects):

authentik/core/templates/base/skeleton.html

@@ -21,10 +21,6 @@
         {% block head_before %}
         {% endblock %}
 
-        {% block interface_stylesheet %}
-        <link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
-        {% endblock %}
-
         {% include "base/theme.html" %}
 
         <style data-id="brand-css">{{ brand_css }}</style>

authentik/core/templates/base/theme.html

@@ -1,6 +1,8 @@
 {% load static %}
 {% load authentik_core %}
 
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
   <meta name="color-scheme" content="dark" />
   <meta name="theme-color" content="#18191a">