web/a11y: Accessible preference classes.

Makefile: Fix kerberos tests for brew users (#17223 )
Makefile: Fix kerberos tests for brew users Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>
2026-05-06 07:02:51 +02:00 · 2025-11-20 18:48:56 +01:00 · 2025-11-19 09:52:26 -08:00 · 2025-11-19 15:24:06 +01:00 · 2025-11-19 15:21:16 +01:00 · 2025-11-19 15:01:06 +01:00
445 changed files with 20772 additions and 20438 deletions
--- a/.github/ISSUE_TEMPLATE/1-bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/1-bug-report.yml
@@ -0,0 +1,81 @@
+name: Bug report
+description: Create a report to help us improve
+labels: ["bug", "triage"]
+type: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this bug report!
+  - type: textarea
+    id: describe-the-bug
+    attributes:
+      label: Describe the bug
+      description: "A clear and concise description of what the bug is."
+      placeholder: "Describe the issue"
+    validations:
+      required: true
+  - type: textarea
+    id: how-to-reproduce
+    attributes:
+      label: How to reproduce
+      description: "Steps to reproduce the behavior."
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: "A clear and concise description of what you expected to happen."
+      placeholder: "The behavior that I expect to see is [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: "If applicable, add screenshots to help explain your problem."
+    validations:
+      required: false
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context about the problem here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
+  - type: dropdown
+    id: deployment-method
+    attributes:
+      label: Deployment Method
+      description: "What deployment method are you using for authentik? Only Docker, Kubernetes and AWS CloudFormation are supported."
+      options:
+        - Docker
+        - Kubernetes
+        - AWS CloudFormation
+        - Other (please specify)
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: "What version of authentik are you using?"
+      placeholder: "[e.g. 2025.10.1]"
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
+      render: shell
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/2-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/2-docs-issue.yml
@@ -0,0 +1,49 @@
+name: Documentation suggestion/problem
+description: Suggest an improvement or report a problem in our docs
+labels: ["area: docs", "triage"]
+type: task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this documentation issue!
+  - type: markdown
+    attributes:
+      value: |
+
+        **Consider opening a PR!**
+        If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR.
+
+        For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
+  - type: textarea
+    id: issue
+    attributes:
+      label: Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
+      description: "A clear and concise description of what the problem is, or where the document can be improved."
+      placeholder: "I believe we need more details about [...]"
+    validations:
+      required: true
+  - type: input
+    id: link
+    attributes:
+      label: Link
+      description: "Provide the URL or link to the exact page in the documentation to which you are referring."
+      placeholder: "If there are multiple pages, list them all"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Solution
+      description: "A clear and concise description of what you suggest as a solution"
+      placeholder: "This issue could be resolved by [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the documentation issue here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/3-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/3-feature-request.yml
@@ -0,0 +1,41 @@
+name: Feature request
+description: Suggest an idea for a feature
+labels: ["enhancement", "triage"]
+type: feature
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this feature request!
+  - type: textarea
+    id: related-to-problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+      placeholder: "I'd like authentik to have [...]"
+    validations:
+      required: false
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives that you've considered
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+      placeholder: "I've tried this but [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,39 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: bug
-assignees: ""
---
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-   authentik version: [e.g. 2025.2.0]
-   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://github.com/goauthentik/authentik/discussions
+    about: Please ask questions via GitHub Discussions rather than creating issues.
+  - name: authentik Discord
+    url: https://discord.com/invite/jg33eMhnj6
+    about: For community support, visit our Discord server.
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,19 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: enhancement
-assignees: ""
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/hackathon_idea.md
+++ b/.github/ISSUE_TEMPLATE/hackathon_idea.md
@@ -1,17 +0,0 @@
---
-name: Hackathon Idea
-about: Propose an idea for the hackathon
-title: ""
-labels: hackathon
-assignees: ""
---
-
-**Describe the idea**
-
-A clear concise description of the idea you want to implement
-
-You're also free to work on existing GitHub issues, whether they be feature requests or bugs, just link the existing GitHub issue here.
-
-<!-- Don't modify below here -->
-
-If you want to help working on this idea or want to contribute in any other way, react to this issue with a :rocket:
--- a/.github/ISSUE_TEMPLATE/issue_template.md
+++ b/.github/ISSUE_TEMPLATE/issue_template.md
@@ -0,0 +1,7 @@
+---
+name: Blank issue
+about: This issue type is only for internal use
+title:
+labels:
+assignees:
+---
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -1,32 +0,0 @@
---
-name: Question
-about: Ask a question about a feature or specific configuration
-title: ""
-labels: question
-assignees: ""
---
-
-**Describe your question/**
-A clear and concise description of what you're trying to do.
-
-**Relevant info**
-i.e. Version of other software you're using, specifics of your setup
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-
-   authentik version: [e.g. 2025.2.0]
-   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -21,7 +21,7 @@ runs:
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v5
+      uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v5
      with:
        enable-cache: true
    - name: Setup python
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -42,8 +42,8 @@ jobs:
      # Needed for checkout
      contents: read
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -49,7 +49,7 @@ jobs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -69,7 +69,7 @@ jobs:
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -22,7 +22,7 @@ jobs:
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -21,7 +21,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Install Dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +32,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -66,7 +66,7 @@ jobs:
      - lint
      - build
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
        with:
          name: api-docs
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -21,7 +21,7 @@ jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
--- a/.github/workflows/ci-docs-source.yml
+++ b/.github/workflows/ci-docs-source.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -21,7 +21,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Install dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +32,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -48,7 +48,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -69,11 +69,11 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -18,7 +18,7 @@ jobs:
          - version-2025-4
          - version-2025-2
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -37,7 +37,7 @@ jobs:
          - mypy
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
@@ -45,7 +45,7 @@ jobs:
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
@@ -71,16 +71,25 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0
      - name: checkout stable
        run: |
+          set -e -o pipefail
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
-          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Previous stable tag
+          prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Current version family based on
+          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
+          if [[ -n $current_version_family ]]; then
+              prev_stable=$current_version_family
+          fi
+          echo "::notice::Checking out ${prev_stable} as stable version..."
+          git checkout $(prev_stable)
          rm -rf .github/ scripts/
          mv ../.github ../scripts .
      - name: Setup authentik env (stable)
@@ -129,7 +138,7 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
@@ -149,11 +158,11 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
      - name: run integration
        run: |
          uv run coverage run manage.py test tests/integration
@@ -187,7 +196,7 @@ jobs:
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
@@ -253,7 +262,7 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -21,7 +21,7 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        with:
          go-version-file: "go.mod"
@@ -34,7 +34,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
+        uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v8
        with:
          version: latest
          args: --timeout 5000s --verbose
@@ -42,7 +42,7 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        with:
          go-version-file: "go.mod"
@@ -86,11 +86,11 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -145,7 +145,7 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -31,7 +31,7 @@ jobs:
          - command: lit-analyse
            project: web
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: ${{ matrix.project }}/package.json
@@ -48,7 +48,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: web/package.json
@@ -76,7 +76,7 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: web/package.json
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -33,12 +33,12 @@ jobs:
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
        id: compress
-        uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main
+        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
        with:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -20,7 +20,7 @@ jobs:
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -17,7 +17,7 @@ jobs:
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
        env:
          GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        if: ${{ steps.app-token.outcome != 'skipped' }}
        with:
          fetch-depth: 0
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

      - name: Cleanup
        run: |
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -30,7 +30,7 @@ jobs:
          - packages/tsconfig
          - packages/esbuild-plugin-live-reload
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 2
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -24,7 +24,7 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -26,5 +26,5 @@ jobs:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - run: semgrep ci
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -34,7 +34,7 @@ jobs:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: main
          token: "${{ steps.app-token.outputs.token }}"
@@ -62,7 +62,7 @@ jobs:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: main
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,9 +31,9 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -83,12 +83,12 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -146,7 +146,7 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
        with:
          go-version-file: "go.mod"
@@ -186,7 +186,7 @@ jobs:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
@@ -202,7 +202,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,7 +218,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -232,7 +232,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -50,7 +50,7 @@ jobs:
    name: Pre-release test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - run: make test-docker
  bump-authentik:
    name: Bump authentik version
@@ -70,7 +70,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
          token: "${{ steps.app-token.outputs.token }}"
@@ -89,7 +89,7 @@ jobs:
          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
          git push --follow-tags
      - name: Create Release
-        uses: goauthentik/action-gh-release@84da137b91a625a58fe8a34f3bd6bdb034a49138
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
        with:
          token: "${{ steps.app-token.outputs.token }}"
          tag_name: "version/${{ inputs.version }}"
@@ -118,7 +118,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          repository: "${{ github.repository_owner }}/helm"
          token: "${{ steps.app-token.outputs.token }}"
@@ -160,7 +160,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          repository: "${{ github.repository_owner }}/version"
          token: "${{ steps.app-token.outputs.token }}"
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -25,11 +25,11 @@ jobs:
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - id: generate_token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
        with:
--- a/4
+++ b/4
@@ -26,7 +26,7 @@ RUN npm run build && \
    npm run build:sfe

 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.4-trixie@sha256:728cbef6ce5da50a5da2455cf8a13ddc4f71eb5a3245d9a5a3cce260f8ca9898 AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@@ -76,7 +76,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 AS uv
+FROM ghcr.io/astral-sh/uv:0.9.10@sha256:29bd45092ea8902c0bbb7f0a338f0494a382b1f4b18355df5be270ade679ff1d AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base

--- a/31
+++ b/31
@@ -17,21 +17,20 @@ pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)

-UNAME := $(shell uname)
-
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
 # to prevent SAML-related tests from failing and ensure correct pip dependency compilation
-ifeq ($(UNAME), Darwin)
-# Only add for brew users who installed libxmlsec1
-	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
-	ifdef BREW_EXISTS
-		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
-		ifdef LIBXML2_EXISTS
-			BREW_LDFLAGS := -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
-			BREW_CPPFLAGS := -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
-			BREW_PKG_CONFIG_PATH := $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
-		endif
-	endif
+# These functions are only evaluated when called in specific targets
+LIBXML2_EXISTS = $(shell brew list libxml2 2> /dev/null)
+KRB5_EXISTS = $(shell brew list krb5 2> /dev/null)
+
+LIBXML2_LDFLAGS = -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
+LIBXML2_CPPFLAGS = -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
+LIBXML2_PKG_CONFIG = $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
+
+KRB_PATH =
+
+ifneq ($(KRB5_EXISTS),)
+	KRB_PATH = PATH="$(shell brew --prefix krb5)/sbin:$(shell brew --prefix krb5)/bin:$$PATH"
 endif

 all: lint-fix lint gen web test  ## Lint, build, and test everything
@@ -50,7 +49,7 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
+	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
 	uv run coverage html
 	uv run coverage report

@@ -66,11 +65,11 @@ lint: ## Lint the python and golang sources
 	golangci-lint run -v

 core-install:
-ifdef LIBXML2_EXISTS
+ifneq ($(LIBXML2_EXISTS),)
 # Clear cache to ensure fresh compilation
 	uv cache clean
 # Force compilation from source for lxml and xmlsec with correct environment
-	LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+	LDFLAGS="$(LIBXML2_LDFLAGS)" CPPFLAGS="$(LIBXML2_CPPFLAGS)" PKG_CONFIG_PATH="$(LIBXML2_PKG_CONFIG)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
 else
 	uv sync --frozen
 endif
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@@ -2,27 +2,23 @@

 from collections.abc import Callable
 from functools import wraps
-from typing import ParamSpec, TypeVar

 from django.apps import apps

 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.blueprints.models import BlueprintInstance

-P = ParamSpec("P")
-R = TypeVar("R")

-
-def apply_blueprint(*files: str) -> Callable[[Callable[P, R]], Callable[P, R]]:
+def apply_blueprint(*files: str):
    """Apply blueprint before test"""

    from authentik.blueprints.v1.importer import Importer

-    def wrapper_outer(func: Callable[P, R]) -> Callable[P, R]:
+    def wrapper_outer(func: Callable):
        """Apply blueprint before test"""

        @wraps(func)
-        def wrapper(*args: P.args, **kwargs: P.kwargs) -> R:
+        def wrapper(*args, **kwargs):
            for file in files:
                content = BlueprintInstance(path=file).retrieve()
                Importer.from_string(content).apply()
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -1,8 +1,11 @@
 """Test brands"""

+from json import loads
+
 from django.urls import reverse
 from rest_framework.test import APITestCase

+from authentik.blueprints.tests import apply_blueprint
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
@@ -23,6 +26,7 @@ class TestBrands(APITestCase):
            _flag = flag()
            if _flag.visibility == "public":
                self.default_flags[_flag.key] = _flag.get()
+        Brand.objects.all().delete()

    def test_current_brand(self):
        """Test Current brand API"""
@@ -44,7 +48,6 @@ class TestBrands(APITestCase):

    def test_brand_subdomain(self):
        """Test Current brand API"""
-        Brand.objects.all().delete()
        Brand.objects.create(domain="bar.baz", branding_title="custom")
        self.assertJSONEqual(
            self.client.get(
@@ -65,7 +68,6 @@ class TestBrands(APITestCase):

    def test_fallback(self):
        """Test fallback brand"""
-        Brand.objects.all().delete()
        self.assertJSONEqual(
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
@@ -81,6 +83,109 @@ class TestBrands(APITestCase):
            },
        )

+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint(self):
+        """Test Current brand API"""
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint_with_other_brand(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom")
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_same_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-strong",
+                "branding_custom_css": "",
+                "matched_domain": "foo.bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_other_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="other.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-weak",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
    def test_create_default_multiple(self):
        """Test attempted creation of multiple default brands"""
        Brand.objects.create(
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@@ -2,8 +2,8 @@

 from typing import Any

-from django.db.models import F, Q
-from django.db.models import Value as V
+from django.db.models import Case, F, IntegerField, Q, Value, When
+from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -19,15 +19,36 @@ DEFAULT_BRAND = Brand(domain="fallback")

 def get_brand_for_request(request: HttpRequest) -> Brand:
    """Get brand object for current request"""
-    db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()))
-        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("default")
+
+    brand = (
+        Brand.objects.annotate(
+            host_domain=Value(request.get_host()),
+            domain_length=Length("domain"),
+            match_priority=Case(
+                When(
+                    condition=Q(host_domain__iendswith=F("domain")),
+                    then=F("domain_length"),
+                ),
+                default=Value(-1),
+                output_field=IntegerField(),
+            ),
+            is_default_fallback=Case(
+                When(
+                    condition=Q(default=True),
+                    then=Value(0),
+                ),
+                default=Value(-2),
+                output_field=IntegerField(),
+            ),
+        )
+        .filter(Q(match_priority__gt=-1) | Q(default=True))
+        .order_by("-match_priority", "-is_default_fallback")
+        .first()
    )
-    brands = list(db_brands.all())
-    if len(brands) < 1:
+
+    if brand is None:
        return DEFAULT_BRAND
-    return brands[0]
+    return brand


 def context_processor(request: HttpRequest) -> dict[str, Any]:
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@@ -3,11 +3,12 @@
 from types import CodeType
 from typing import Any

+from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram

 from authentik.core.expression.exceptions import SkipObjectException
-from authentik.core.models import PropertyMapping, User
+from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
 from authentik.policies.types import PolicyRequest
@@ -22,13 +23,13 @@ PROPERTY_MAPPING_TIME = Histogram(
 class PropertyMappingEvaluator(BaseEvaluator):
    """Custom Evaluator that adds some different context variables."""

-    dry_run: bool | None
-    model: PropertyMapping
+    dry_run: bool
+    model: Model
    _compiled: CodeType | None = None

    def __init__(
        self,
-        model: PropertyMapping,
+        model: Model,
        user: User | None = None,
        request: HttpRequest | None = None,
        dry_run: bool | None = False,
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -15,7 +15,7 @@ from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
-from django.utils.functional import SimpleLazyObject, cached_property
+from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_cte import CTE, with_cte
@@ -44,18 +44,19 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier

 LOGGER = get_logger()
-USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
-USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
-USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
-USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
-USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
-USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
-USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
-USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
-USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
-USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
-USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
+_USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
+USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
+USER_ATTRIBUTE_GENERATED = f"{_USER_ATTR_PREFIX}/generated"
+USER_ATTRIBUTE_EXPIRES = f"{_USER_ATTR_PREFIX}/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = f"{_USER_ATTR_PREFIX}/delete-on-logout"
+USER_ATTRIBUTE_SOURCES = f"{_USER_ATTR_PREFIX}/sources"
+USER_ATTRIBUTE_TOKEN_EXPIRING = f"{_USER_ATTR_PREFIX}/token-expires"  # nosec
+USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = f"{_USER_ATTR_PREFIX}/token-maximum-lifetime"  # nosec
+USER_ATTRIBUTE_CHANGE_USERNAME = f"{_USER_ATTR_PREFIX}/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = f"{_USER_ATTR_PREFIX}/can-change-name"
+USER_ATTRIBUTE_CHANGE_EMAIL = f"{_USER_ATTR_PREFIX}/can-change-email"
+USER_PATH_SERVICE_ACCOUNT = f"{USER_PATH_SYSTEM_PREFIX}/service-accounts"

 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
    # used_by API that allows models to specify if they shadow an object
@@ -585,18 +586,16 @@ class Application(SerializerModel, PolicyBindingModel):

    def get_launch_url(self, user: Optional["User"] = None) -> str | None:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+        from authentik.core.api.users import UserSerializer
+
        url = None
        if self.meta_launch_url:
            url = self.meta_launch_url
        elif provider := self.get_provider():
            url = provider.launch_url
        if user and url:
-            if isinstance(user, SimpleLazyObject):
-                user._setup()
-                user = user._wrapped
            try:
-                return url % user.__dict__
-
+                return url % UserSerializer(instance=user).data
            except Exception as exc:  # noqa
                LOGGER.warning("Failed to format launch url", exc=exc)
                return url
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@@ -1,11 +1,13 @@
 {% load i18n %}
 {% get_current_language as LANGUAGE_CODE %}

-<script>
+<script data-id="authentik-config">
+    "use strict";
+
    window.authentik = {
        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
+        config: JSON.parse('{{ config_json|escapejs }}' || "{}"),
+        brand: JSON.parse('{{ brand_json|escapejs }}' || "{}"),
        versionFamily: "{{ version_family }}",
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
--- a/authentik/core/templates/base/placeholder.html
+++ b/authentik/core/templates/base/placeholder.html
@@ -0,0 +1,13 @@
+{% load i18n %}
+
+<div class="ak-c-placeholder" id="ak-placeholder" slot="placeholder">
+    <span
+        class="pf-c-spinner"
+        role="progressbar"
+        aria-valuetext="Loading..."
+        >
+        <span class="pf-c-spinner__clipper"></span>
+        <span class="pf-c-spinner__lead-ball"></span>
+        <span class="pf-c-spinner__tail-ball"></span>
+    </span>
+</div>
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -3,8 +3,10 @@
 {% load authentik_core %}

 <!DOCTYPE html>
-
-<html>
+<html
+    data-theme="{% if ui_theme == "dark" %}dark{% else %}light{% endif %}"
+    data-theme-choice="{% if ui_theme == "dark" %}dark{% elif ui_theme == "light" %}light{% else %}auto{% endif %}"
+>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -18,11 +20,8 @@

        {% include "base/theme.html" %}

-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-
-        <style>{{ brand_css }}</style>
+        <style data-id="brand-css">{{ brand_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
        {% for key, value in html_meta.items %}
--- a/authentik/core/templates/base/theme.html
+++ b/authentik/core/templates/base/theme.html
@@ -1,10 +1,45 @@
+{% load static %}
+{% load authentik_core %}
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
  <meta name="color-scheme" content="dark" />
  <meta name="theme-color" content="#18191a">
-{% elif ui_theme == "light" %}
+
+  {% elif ui_theme == "light" %}
  <meta name="color-scheme" content="light" />
  <meta name="theme-color" content="#ffffff">
 {% else %}
+  <script data-id="theme-script">
+    "use strict";
+
+    (function () {
+        try {
+            const initialThemeChoice =
+                new URLSearchParams(window.location.search).get("theme") ||
+                window.localStorage?.getItem("theme");
+
+            const themeChoice =
+                initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";
+
+            document.documentElement.dataset.themeChoice = themeChoice;
+
+            if (themeChoice === "auto") {
+                document.documentElement.dataset.theme = window.matchMedia(
+                    "(prefers-color-scheme: dark)",
+                ).matches
+                    ? "dark"
+                    : "light";
+            } else {
+                document.documentElement.dataset.theme = themeChoice;
+            }
+        } catch (e) {
+            console.error("Failed to apply theme", e);
+        }
+    })();
+  </script>
+
  <meta name="color-scheme" content="light dark" />
  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-admin>
 {% endblock %}
--- a/authentik/core/templates/if/error.html
+++ b/authentik/core/templates/if/error.html
@@ -12,10 +12,13 @@
 {% endblock %}

 {% block card %}
-<form method="POST" class="pf-c-form">
+<div class="pf-c-form">
    <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
-    </a>
-</form>
+
+    <div class="pf-c-form__group">
+        <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary pf-m-block">
+            {% trans 'Go home' %}
+        </a>
+    </div>
+</div>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-interface-user>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@@ -2,82 +2,66 @@

 {% load static %}
 {% load i18n %}
+{% load authentik_core %}

 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}

 {% block head %}
-<style>
-:root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
-    margin-top: var(--pf-global--spacer--sm);
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-}
-.form-control-static .avatar {
-    display: flex;
-    align-items: center;
-}
-.form-control-static img {
-    margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
-    padding-top: var(--pf-global--spacer--xs);
-    padding-bottom: var(--pf-global--spacer--xs);
-    line-height: var(--pf-global--spacer--xl);
-}
+<style data-id="static-styles">
+    :root {
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
+    }
 </style>
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}

 {% block body %}
-<div class="pf-c-background-image">
-</div>
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-<div class="pf-c-login stacked">
-    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+
+<div class="pf-c-page__drawer">
+    <div class="pf-c-drawer pf-m-collapsed">
+        <div class="pf-c-drawer__main">
+            <div class="pf-c-drawer__content">
+                <div class="pf-c-drawer__body">
+                    <div class="pf-c-login" data-layout="stacked">
+                        <main class="pf-c-login__main" aria-label="Authentication form">
+                            <div class="pf-c-login__main-header pf-c-brand">
+                                <img class="branding-logo" src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                            </div>
+                            <div class="pf-c-login__main-header">
+                                <h1 class="pf-c-title pf-m-3xl" data-test-id="card-title">
+                                    {% block card_title %}
+                                    {% endblock %}
+                                </h1>
+                            </div>
+                            <div class="pf-c-login__main-body">
+                                {% block card %}
+                                {% endblock %}
+                            </div>
+                        </main>
+                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
+                            <ul class="pf-c-list pf-m-inline">
+                                {% for link in footer_links %}
+                                <li>
+                                    <a href="{{ link.href }}">{{ link.name }}</a>
+                                </li>
+                                {% endfor %}
+                                <li>
+                                    <span>
+                                        {% trans 'Powered by authentik' %}
+                                    </span>
+                                </li>
+                            </ul>
+                        </footer>
+                    </div>
+                </div>
            </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
+        </div>
    </div>
 </div>
 {% endblock %}
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@@ -9,9 +9,14 @@ from django.http.response import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django_filters import FilterSet
-from django_filters.filters import BooleanFilter
+from django_filters.filters import BooleanFilter, MultipleChoiceFilter
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
@@ -33,7 +38,7 @@ from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, KeyType
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
@@ -50,7 +55,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
    cert_expiry = SerializerMethodField()
    cert_subject = SerializerMethodField()
    private_key_available = SerializerMethodField()
-    private_key_type = SerializerMethodField()
+    key_type = SerializerMethodField()

    certificate_download_url = SerializerMethodField()
    private_key_download_url = SerializerMethodField()
@@ -90,14 +95,12 @@ class CertificateKeyPairSerializer(ModelSerializer):
        """Show if this keypair has a private key configured or not"""
        return instance.key_data != "" and instance.key_data is not None

-    def get_private_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the private key's type, if set"""
+    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
+    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
        if not self._should_include_details:
            return None
-        key = instance.private_key
-        if key:
-            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
-        return None
+        return instance.key_type

    def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
        """Get URL to download certificate"""
@@ -161,7 +164,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
            "cert_expiry",
            "cert_subject",
            "private_key_available",
-            "private_key_type",
+            "key_type",
            "certificate_download_url",
            "private_key_download_url",
            "managed",
@@ -198,12 +201,31 @@ class CertificateKeyPairFilter(FilterSet):
        label="Only return certificate-key pairs with keys", method="filter_has_key"
    )

+    key_type = MultipleChoiceFilter(
+        choices=KeyType.choices,
+        label="Filter by key algorithm type",
+        method="filter_key_type",
+    )
+
    def filter_has_key(self, queryset, name, value):  # pragma: no cover
        """Only return certificate-key pairs with keys"""
        if not value:
            return queryset
        return queryset.exclude(key_data__exact="")

+    def filter_key_type(self, queryset, name, value):  # pragma: no cover
+        """Filter certificates by key type using the public key from the certificate"""
+        if not value:
+            return queryset
+
+        # value is a list of KeyType enum values from MultipleChoiceFilter
+        filtered_pks = []
+        for cert in queryset:
+            if cert.key_type in value:
+                filtered_pks.append(cert.pk)
+
+        return queryset.filter(pk__in=filtered_pks)
+
    class Meta:
        model = CertificateKeyPair
        fields = ["name", "managed"]
@@ -228,6 +250,17 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                required=False,
                description="Only return certificate-key pairs with keys",
            ),
+            OpenApiParameter(
+                "key_type",
+                OpenApiTypes.STR,
+                required=False,
+                many=True,
+                enum=[choice[0] for choice in KeyType.choices],
+                description=(
+                    "Filter by key algorithm type (RSA, EC, DSA, etc). "
+                    "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
+                ),
+            ),
            OpenApiParameter("include_details", bool, default=True),
        ]
    )
--- a/authentik/crypto/apps.py
+++ b/authentik/crypto/apps.py
@@ -2,6 +2,8 @@

 from datetime import UTC, datetime

+from dramatiq.broker import get_broker
+
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import fqdn_rand
@@ -70,6 +72,12 @@ class AuthentikCryptoConfig(ManagedAppConfig):
            },
        )

+    @ManagedAppConfig.reconcile_global
+    def tasks_middlewares(self):
+        from authentik.crypto.tasks import CertificateWatcherMiddleware
+
+        get_broker().add_middleware(CertificateWatcherMiddleware())
+
    @property
    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
        from authentik.crypto.tasks import certificate_discovery
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@@ -6,6 +6,11 @@ from uuid import uuid4

 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
@@ -20,6 +25,16 @@ from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 LOGGER = get_logger()


+class KeyType(models.TextChoices):
+    """Cryptographic key algorithm types"""
+
+    RSA = "rsa", _("RSA")
+    EC = "ec", _("Elliptic Curve")
+    DSA = "dsa", _("DSA")
+    ED25519 = "ed25519", _("Ed25519")
+    ED448 = "ed448", _("Ed448")
+
+
 def fingerprint_sha256(cert: Certificate) -> str:
    """Get SHA256 Fingerprint of certificate"""
    return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
@@ -103,6 +118,22 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
            else ""
        )  # nosec

+    @property
+    def key_type(self) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
+        public_key = self.certificate.public_key()
+        if isinstance(public_key, RSAPublicKey):
+            return KeyType.RSA
+        if isinstance(public_key, EllipticCurvePublicKey):
+            return KeyType.EC
+        if isinstance(public_key, DSAPublicKey):
+            return KeyType.DSA
+        if isinstance(public_key, Ed25519PublicKey):
+            return KeyType.ED25519
+        if isinstance(public_key, Ed448PublicKey):
+            return KeyType.ED448
+        return None
+
    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"

--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@@ -2,17 +2,29 @@

 from glob import glob
 from pathlib import Path
+from sys import platform

 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509.base import load_pem_x509_certificate
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
+from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
+from watchdog.events import (
+    FileCreatedEvent,
+    FileModifiedEvent,
+    FileSystemEvent,
+    FileSystemEventHandler,
+)
+from watchdog.observers import Observer

 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.tasks.middleware import CurrentTask
+from authentik.tasks.schedules.models import Schedule
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()

@@ -35,6 +47,65 @@ def ensure_certificate_valid(body: str):
    return body


+class CertificateWatcherMiddleware(Middleware):
+    """Middleware to start certificate file watcher"""
+
+    def start_certificate_watcher(self):
+        """Start certificate file watcher"""
+        observer = Observer()
+        kwargs = {}
+        if platform.startswith("linux"):
+            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
+        observer.schedule(
+            CertificateEventHandler(),
+            CONFIG.get("cert_discovery_dir"),
+            recursive=True,
+            **kwargs,
+        )
+        observer.start()
+
+    def after_worker_boot(self, broker, worker):
+        if not settings.TEST:
+            self.start_certificate_watcher()
+
+
+class CertificateEventHandler(FileSystemEventHandler):
+    """Event handler for certificate file events"""
+
+    # We only ever get creation and modification events.
+    # See the creation of the Observer instance above for the event filtering.
+
+    # Even though we filter to only get file events, we might still get
+    # directory events as some implementations such as inotify do not support
+    # filtering on file/directory.
+
+    def dispatch(self, event: FileSystemEvent) -> None:
+        """Call specific event handler method. Ignores directory changes."""
+        if event.is_directory:
+            return None
+        return super().dispatch(event)
+
+    def on_created(self, event: FileSystemEvent):
+        """Process certificate file creation"""
+        LOGGER.debug(
+            "Certificate file created, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+    def on_modified(self, event: FileSystemEvent):
+        """Process certificate file modification"""
+        LOGGER.debug(
+            "Certificate file modified, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+
@actor(description=_("Discover, import and update certificates from the filesystem."))
 def certificate_discovery():
    self = CurrentTask.get_task()
@@ -66,12 +137,35 @@ def certificate_discovery():
        except (OSError, ValueError) as exc:
            LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
    for name, cert_data in certs.items():
+        # First, try to find by filename-based managed field
        cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
+
+        # If not found by filename and we have a private key, check for existing key match
+        if not cert and name in private_keys:
+            existing_with_key = (
+                CertificateKeyPair.objects.filter(
+                    managed__startswith="goauthentik.io/crypto/discovered/",
+                    key_data=private_keys[name],
+                )
+                .exclude(key_data="")
+                .first()
+            )
+            if existing_with_key:
+                cert = existing_with_key
+                # Update name and managed field to reflect the new filename
+                if cert.name != name:
+                    cert.name = name
+                    cert.managed = MANAGED_DISCOVERED % name
+                    cert.save()
+
+        # Create new certificate if not found
        if not cert:
            cert = CertificateKeyPair(
                name=name,
                managed=MANAGED_DISCOVERED % name,
            )
+
+        # Update certificate data if changed
        dirty = False
        if cert.certificate_data != cert_data:
            cert.certificate_data = cert_data
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -2,6 +2,7 @@

 from json import loads
 from os import makedirs
+from pathlib import Path
 from tempfile import TemporaryDirectory

 from cryptography.x509.extensions import SubjectAlternativeName
@@ -319,6 +320,8 @@ class TestCrypto(APITestCase):

    def test_discovery(self):
        """Test certificate discovery"""
+        # This test generates 2 separate cert/key combinations
+        # and verifies they both import properly
        name = generate_id()
        builder = CertificateBuilder(name)
        with self.assertRaises(ValueError):
@@ -327,6 +330,15 @@ class TestCrypto(APITestCase):
            subject_alt_names=[],
            validity_days=3,
        )
+
+        name2 = generate_id()
+        builder2 = CertificateBuilder(name2)
+        with self.assertRaises(ValueError):
+            builder2.save()
+        builder2.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
        with TemporaryDirectory() as temp_dir:
            with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                _cert.write(builder.certificate)
@@ -334,9 +346,9 @@ class TestCrypto(APITestCase):
                _key.write(builder.private_key)
            makedirs(f"{temp_dir}/foo.bar", exist_ok=True)
            with open(f"{temp_dir}/foo.bar/fullchain.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder.certificate)
+                _cert.write(builder2.certificate)
            with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
-                _key.write(builder.private_key)
+                _key.write(builder2.private_key)
            with CONFIG.patch("cert_discovery_dir", temp_dir):
                certificate_discovery.send()
        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -348,3 +360,58 @@ class TestCrypto(APITestCase):
        self.assertTrue(
            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
        )
+
+    def test_discovery_updating_same_private_key(self):
+        """Test certificate discovery updating certs with matching private keys"""
+        name = generate_id()
+        builder = CertificateBuilder(name)
+        builder.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+
+        with TemporaryDirectory() as temp_dir:
+            # First discovery: write cert as "original"
+            with open(f"{temp_dir}/original.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/original.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify "original" cert was created
+            original = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "original"
+            ).first()
+            self.assertIsNotNone(original)
+            self.assertEqual(original.name, "original")
+            self.assertIsNotNone(original.private_key)
+
+            # Second discovery: write same cert/key as "renamed"
+            Path(f"{temp_dir}/original.pem").unlink()
+            Path(f"{temp_dir}/original.key").unlink()
+
+            with open(f"{temp_dir}/renamed.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/renamed.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify the cert was updated
+            renamed = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "renamed"
+            ).first()
+            self.assertIsNotNone(renamed, "Renamed certificate should exist")
+            self.assertEqual(renamed.name, "renamed")
+            self.assertEqual(renamed.pk, original.pk, "Should be same database object")
+
+            # Verify no new cert was created
+            final_count = CertificateKeyPair.objects.filter(
+                managed__startswith="goauthentik.io/crypto/discovered/"
+            ).count()
+            self.assertEqual(
+                1, final_count, "Should not create duplicate cert for same private key"
+            )
--- a/authentik/enterprise/providers/google_workspace/api/groups.py
+++ b/authentik/enterprise/providers/google_workspace/api/groups.py
@@ -1,9 +1,13 @@
 """GoogleWorkspaceProviderGroup API Views"""

+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
    group_obj = PartialGroupSerializer(source="group", read_only=True)

    class Meta:
+
        model = GoogleWorkspaceProviderGroup
        fields = [
            "id",
@@ -24,7 +29,15 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
        extra_kwargs = {"attributes": {"read_only": True}}


-class GoogleWorkspaceProviderGroupViewSet(OutgoingSyncConnectionViewSet):
+class GoogleWorkspaceProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
    """GoogleWorkspaceProviderGroup Viewset"""

    queryset = GoogleWorkspaceProviderGroup.objects.all().select_related("group")
--- a/authentik/enterprise/providers/google_workspace/api/providers.py
+++ b/authentik/enterprise/providers/google_workspace/api/providers.py
@@ -1,13 +1,16 @@
 """Google Provider API Views"""

+from rest_framework.viewsets import ModelViewSet
+
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.enterprise.providers.google_workspace.tasks import (
    google_workspace_sync,
    google_workspace_sync_objects,
 )
-from authentik.lib.sync.outgoing.api import OutgoingSyncProviderViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin


 class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
@@ -41,16 +44,18 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
        extra_kwargs = {}


-class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderViewSet):
+class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
    """GoogleWorkspaceProvider Viewset"""

    queryset = GoogleWorkspaceProvider.objects.all()
    serializer_class = GoogleWorkspaceProviderSerializer
-    filterset_fields = OutgoingSyncProviderViewSet.filterset_fields + [
-        "delegated_subject",
-    ]
-    search_fields = OutgoingSyncProviderViewSet.search_fields + [
+    filterset_fields = [
+        "name",
+        "exclude_users_service_account",
        "delegated_subject",
+        "filter_group",
    ]
+    search_fields = ["name"]
+    ordering = ["name"]
    sync_task = google_workspace_sync
    sync_objects_task = google_workspace_sync_objects
--- a/authentik/enterprise/providers/google_workspace/api/users.py
+++ b/authentik/enterprise/providers/google_workspace/api/users.py
@@ -1,9 +1,13 @@
 """GoogleWorkspaceProviderUser API Views"""

+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
 from authentik.core.api.groups import PartialUserSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
    user_obj = PartialUserSerializer(source="user", read_only=True)

    class Meta:
+
        model = GoogleWorkspaceProviderUser
        fields = [
            "id",
@@ -24,7 +29,15 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
        extra_kwargs = {"attributes": {"read_only": True}}


-class GoogleWorkspaceProviderUserViewSet(OutgoingSyncConnectionViewSet):
+class GoogleWorkspaceProviderUserViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
    """GoogleWorkspaceProviderUser Viewset"""

    queryset = GoogleWorkspaceProviderUser.objects.all().select_related("user")
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@@ -12,6 +12,7 @@ from google.oauth2.service_account import Credentials
 from rest_framework.serializers import Serializer

 from authentik.core.models import (
+    BackchannelProvider,
    Group,
    PropertyMapping,
    User,
@@ -83,7 +84,7 @@ class GoogleWorkspaceProviderGroup(SerializerModel):
        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"


-class GoogleWorkspaceProvider(OutgoingSyncProvider):
+class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    """Sync users from authentik into Google Workspace."""

    delegated_subject = models.EmailField()
--- a/authentik/enterprise/providers/microsoft_entra/api/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/groups.py
@@ -1,9 +1,13 @@
 """MicrosoftEntraProviderGroup API Views"""

+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
    group_obj = PartialGroupSerializer(source="group", read_only=True)

    class Meta:
+
        model = MicrosoftEntraProviderGroup
        fields = [
            "id",
@@ -24,7 +29,15 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
        extra_kwargs = {"attributes": {"read_only": True}}


-class MicrosoftEntraProviderGroupViewSet(OutgoingSyncConnectionViewSet):
+class MicrosoftEntraProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
    """MicrosoftEntraProviderGroup Viewset"""

    queryset = MicrosoftEntraProviderGroup.objects.all().select_related("group")
--- a/authentik/enterprise/providers/microsoft_entra/api/providers.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/providers.py
@@ -1,13 +1,16 @@
 """Microsoft Provider API Views"""

+from rest_framework.viewsets import ModelViewSet
+
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.enterprise.providers.microsoft_entra.tasks import (
    microsoft_entra_sync,
    microsoft_entra_sync_objects,
 )
-from authentik.lib.sync.outgoing.api import OutgoingSyncProviderViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin


 class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
@@ -40,10 +43,17 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
        extra_kwargs = {}


-class MicrosoftEntraProviderViewSet(OutgoingSyncProviderViewSet):
+class MicrosoftEntraProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
    """MicrosoftEntraProvider Viewset"""

    queryset = MicrosoftEntraProvider.objects.all()
    serializer_class = MicrosoftEntraProviderSerializer
+    filterset_fields = [
+        "name",
+        "exclude_users_service_account",
+        "filter_group",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
    sync_task = microsoft_entra_sync
    sync_objects_task = microsoft_entra_sync_objects
--- a/authentik/enterprise/providers/microsoft_entra/api/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/users.py
@@ -1,9 +1,13 @@
 """MicrosoftEntraProviderUser API Views"""

+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
 from authentik.core.api.groups import PartialUserSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
    user_obj = PartialUserSerializer(source="user", read_only=True)

    class Meta:
+
        model = MicrosoftEntraProviderUser
        fields = [
            "id",
@@ -24,7 +29,15 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
        extra_kwargs = {"attributes": {"read_only": True}}


-class MicrosoftEntraProviderUserViewSet(OutgoingSyncConnectionViewSet):
+class MicrosoftEntraProviderUserViewSet(
+    OutgoingSyncConnectionCreateMixin,
+    mixins.CreateModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
    """MicrosoftEntraProviderUser Viewset"""

    queryset = MicrosoftEntraProviderUser.objects.all().select_related("user")
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@@ -12,6 +12,7 @@ from dramatiq.actor import Actor
 from rest_framework.serializers import Serializer

 from authentik.core.models import (
+    BackchannelProvider,
    Group,
    PropertyMapping,
    User,
@@ -74,7 +75,7 @@ class MicrosoftEntraProviderGroup(SerializerModel):
        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"


-class MicrosoftEntraProvider(OutgoingSyncProvider):
+class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
    """Sync users from authentik into Microsoft Entra."""

    client_id = models.TextField()
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
@@ -16,7 +16,7 @@ from authentik.stages.authenticator.models import Device


 class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup Google Chrome Device Trust connection"""
+    """Verify Google Chrome Device Trust connection for the user's browser."""

    credentials = models.JSONField()

--- a/authentik/enterprise/stages/source/models.py
+++ b/authentik/enterprise/stages/source/models.py
@@ -10,7 +10,7 @@ from authentik.lib.utils.time import timedelta_string_validator


 class SourceStage(Stage):
-    """Suspend the current flow execution and send the user to a source,
+    """Suspend the current flow execution and send the user to a federated source,
    after which this flow execution is resumed."""

    source = models.ForeignKey("authentik_core.Source", on_delete=models.CASCADE)
--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@@ -1,7 +1,7 @@
 from collections.abc import Generator
 from contextlib import contextmanager
 from dataclasses import dataclass, field
-from datetime import datetime
+from datetime import UTC, datetime
 from typing import Any

 from django.utils.timezone import now
@@ -28,7 +28,7 @@ class LogEvent:
    def from_event_dict(item: EventDict) -> "LogEvent":
        event = item.pop("event")
        log_level = item.pop("level").lower()
-        timestamp = datetime.fromisoformat(item.pop("timestamp"))
+        timestamp = datetime.fromisoformat(item.pop("timestamp")).replace(tzinfo=UTC)
        item.pop("pid", None)
        # Sometimes log entries have both `level` and `log_level` set, but `level` is always set
        item.pop("log_level", None)
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -237,7 +237,7 @@ class Event(SerializerModel, ExpiringModel):
        self.save()
        return self

-    def save(self, *args: Any, **kwargs: Any) -> None:
+    def save(self, *args, **kwargs):
        if self._state.adding:
            LOGGER.info(
                "Created Event",
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@@ -17,7 +17,7 @@
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
-        <style>
+        <style data-id="flow-sfe">
          html,
          body {
            height: 100%;
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@@ -1,35 +1,74 @@
 {% extends "base/skeleton.html" %}

+{% load i18n %}
 {% load static %}
 {% load authentik_core %}

+
 {% block head_before %}
 {{ block.super }}
 <link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: true };</script>
+<script data-id="shady-dom">ShadyDOM = { force: true };</script>
 {% endif %}
 {% include "base/header_js.html" %}
-<script>
-window.authentik.flow = {
-    "layout": "{{ flow.layout }}",
-};
+<script data-id="flow-config">
+    "use strict";
+
+    window.authentik.flow = {
+        "layout": "{{ flow.layout }}",
+    };
 </script>
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}

 {% block head %}
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
-<style>
-:root {
-    --ak-flow-background: url("{{ flow_background_url }}");
-}
+<style data-id="flow-css">
+  :root {
+      --ak-global--background-image: url("{{ flow_background_url }}");
+  }
 </style>
 {% endblock %}

 {% block body %}
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-<ak-flow-executor flowSlug="{{ flow.slug }}">
-    <ak-loading></ak-loading>
-</ak-flow-executor>
+
+<ak-locale-context>
+    <div class="pf-c-page__drawer">
+        <div class="pf-c-drawer pf-m-collapsed" id="flow-drawer">
+            <div class="pf-c-drawer__main">
+                <div class="pf-c-drawer__content">
+                    <div class="pf-c-drawer__body">
+                            <ak-flow-executor
+                                slug="{{ flow.slug }}"
+                                class="pf-c-login"
+                                data-layout="{{ flow.layout|default:'stacked' }}"
+                            >
+                                {% include "base/placeholder.html" %}
+
+                                <ak-brand-links
+                                    slot="footer"
+                                    exportparts="list:brand-links-list, list-item:brand-links-list-item"
+                                    role="contentinfo"
+                                    aria-label="{% trans 'Site footer' %}"
+                                    class="pf-c-login__footer {% if flow.layout == 'stacked' %}pf-m-dark{% endif %}"
+                                ></ak-brand-links>
+                            </ak-flow-executor>
+                        </div>
+                    </div>
+
+                    <ak-flow-inspector
+                        id="flow-inspector"
+                        data-registration="lazy"
+                        class="pf-c-drawer__panel pf-m-width-33"
+                        slug="{{ flow.slug }}"
+                    ></ak-flow-inspector>
+                </div>
+            </div>
+        </div>
+    </div>
+</ak-locale-context>
 {% endblock %}
--- a/authentik/lib/avatars.py
+++ b/authentik/lib/avatars.py
@@ -3,7 +3,7 @@
 from base64 import b64encode
 from functools import cache as funccache
 from hashlib import md5, sha256
-from typing import TYPE_CHECKING, cast
+from typing import TYPE_CHECKING
 from urllib.parse import urlencode

 from django.core.cache import cache
@@ -27,7 +27,7 @@ CACHE_KEY_GRAVATAR_AVAILABLE = "goauthentik.io/lib/avatars/gravatar_available"
 GRAVATAR_STATUS_TTL_SECONDS = 60 * 60 * 8  # 8 Hours

 SVG_XML_NS = "http://www.w3.org/2000/svg"
-SVG_NS_MAP: dict[str, str] = cast(dict[str, str], {None: SVG_XML_NS})
+SVG_NS_MAP = {None: SVG_XML_NS}
 # Match fonts used in web UI
 SVG_FONTS = [
    "'RedHatText'",
@@ -39,7 +39,7 @@ SVG_FONTS = [
 ]


-def avatar_mode_none(user: "User", mode: str) -> str:
+def avatar_mode_none(user: "User", mode: str) -> str | None:
    """No avatar"""
    return DEFAULT_AVATAR

@@ -62,7 +62,7 @@ def avatar_mode_gravatar(user: "User", mode: str) -> str | None:
    full_key = CACHE_KEY_GRAVATAR + mail_hash
    if cache.has_key(full_key):
        cache.touch(full_key)
-        return cast(str | None, cache.get(full_key))
+        return cache.get(full_key)

    try:
        # Since we specify a default of 404, do a HEAD request
@@ -129,16 +129,16 @@ def generate_avatar_from_name(
    bg_hex, text_hex = generate_colors(name)

    half_size = size // 2
-    shape_type = "circle" if rounded else "rect"
+    shape = "circle" if rounded else "rect"
    font_weight = "600" if bold else "400"

-    root_element = Element(f"{{{SVG_XML_NS}}}svg", nsmap=SVG_NS_MAP)
+    root_element: Element = Element(f"{{{SVG_XML_NS}}}svg", nsmap=SVG_NS_MAP)
    root_element.attrib["width"] = f"{size}px"
    root_element.attrib["height"] = f"{size}px"
    root_element.attrib["viewBox"] = f"0 0 {size} {size}"
    root_element.attrib["version"] = "1.1"

-    shape = SubElement(root_element, f"{{{SVG_XML_NS}}}{shape_type}", nsmap=SVG_NS_MAP)
+    shape = SubElement(root_element, f"{{{SVG_XML_NS}}}{shape}", nsmap=SVG_NS_MAP)
    shape.attrib["fill"] = f"#{bg_hex}"
    shape.attrib["cx"] = f"{half_size}"
    shape.attrib["cy"] = f"{half_size}"
@@ -150,7 +150,7 @@ def generate_avatar_from_name(
    text.attrib["x"] = "50%"
    text.attrib["y"] = "50%"
    text.attrib["style"] = (
-        f"color: #{text_hex}; line-height: 1; font-family: {','.join(SVG_FONTS)}; "
+        f"color: #{text_hex}; " "line-height: 1; " f"font-family: {','.join(SVG_FONTS)}; "
    )
    text.attrib["fill"] = f"#{text_hex}"
    text.attrib["alignment-baseline"] = "middle"
@@ -197,7 +197,7 @@ def get_avatar(user: "User", request: HttpRequest | None = None) -> str:
    }
    tenant = None
    if request:
-        tenant = request.tenant  # type: ignore[attr-defined]
+        tenant = request.tenant
    else:
        tenant = get_current_tenant()
    modes: str = tenant.avatars
--- a/authentik/lib/debug.py
+++ b/authentik/lib/debug.py
@@ -1,5 +1,3 @@
-from typing import Any
-
 from structlog.stdlib import get_logger

 from authentik.lib.config import CONFIG
@@ -7,11 +5,11 @@ from authentik.lib.config import CONFIG
 LOGGER = get_logger()


-def start_debug_server(**kwargs: Any) -> bool:
+def start_debug_server(**kwargs) -> bool:
    """Attempt to start a debugpy server in the current process.
    Returns true if the server was started successfully, otherwise false"""
    if not CONFIG.get_bool("debug") and not CONFIG.get_bool("debugger"):
-        return False
+        return
    try:
        import debugpy
    except ImportError:
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -145,7 +145,6 @@ worker:
  consumer_listen_timeout: "seconds=30"
  task_max_retries: 5
  task_default_time_limit: "minutes=10"
-  lock_purge_interval: "minutes=1"
  task_purge_interval: "days=1"
  task_expiration: "days=30"
  scheduler_interval: "seconds=60"
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@@ -13,9 +13,10 @@ from django.core.exceptions import FieldError
 from django.http import HttpRequest
 from django.utils.text import slugify
 from django.utils.timezone import now
-from guardian.utils import get_anonymous_user
+from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from sentry_sdk import start_span
+from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger

 from authentik.core.models import User
@@ -54,7 +55,7 @@ class BaseEvaluator:
    # Filename used for exec
    _filename: str

-    def __init__(self, filename: str | None = None) -> None:
+    def __init__(self, filename: str | None = None):
        self._filename = filename if filename else "BaseEvaluator"
        # update website/docs/expressions/_objects.md
        # update website/docs/expressions/_functions.md
@@ -132,12 +133,12 @@ class BaseEvaluator:
        return re.sub(regex, repl, value)

    @staticmethod
-    def expr_is_group_member(user: User, **group_filters: Any) -> bool:
+    def expr_is_group_member(user: User, **group_filters) -> bool:
        """Check if `user` is member of group with name `group_name`"""
        return user.all_groups().filter(**group_filters).exists()

    @staticmethod
-    def expr_user_by(**filters: Any) -> User | None:
+    def expr_user_by(**filters) -> User | None:
        """Get user by filters"""
        try:
            users = User.objects.filter(**filters)
@@ -159,7 +160,7 @@ class BaseEvaluator:
            return False
        return len(list(user_devices)) > 0

-    def expr_event_create(self, action: str, **kwargs: Any) -> None:
+    def expr_event_create(self, action: str, **kwargs):
        """Create event with supplied data and try to extract as much relevant data
        from the context"""
        context = self._context.copy()
@@ -180,7 +181,7 @@ class BaseEvaluator:
                return
        event.save()

-    def expr_func_call_policy(self, name: str, **kwargs: Any) -> PolicyResult:
+    def expr_func_call_policy(self, name: str, **kwargs) -> PolicyResult:
        """Call policy by name, with current request"""
        policy = Policy.objects.filter(name=name).select_subclasses().first()
        if not policy:
@@ -213,10 +214,10 @@ class BaseEvaluator:
            provider=provider,
            user=user,
            expires=now() + timedelta_from_string(validity),
+            scope=scopes,
            auth_time=now(),
            session=session,
        )
-        access_token.scope = scopes
        access_token.id_token = IDToken.new(provider, access_token, request)
        access_token.save()
        return access_token.token
@@ -228,7 +229,7 @@ class BaseEvaluator:
        body: str | None = None,
        stage: "EmailStage | None" = None,
        template: str | None = None,
-        context: dict[str, Any] | None = None,
+        context: dict | None = None,
    ) -> bool:
        """Send an email using authentik's email system

@@ -315,6 +316,7 @@ class BaseEvaluator:
        If any exception is raised during execution, it is raised.
        The result is returned without any type-checking."""
        with start_span(op="authentik.lib.evaluator.evaluate") as span:
+            span: Span
            span.description = self._filename
            span.set_data("expression", expression_source)
            try:
@@ -341,7 +343,7 @@ class BaseEvaluator:
                raise exc
            return result

-    def handle_error(self, exc: Exception, expression_source: str) -> None:  # pragma: no cover
+    def handle_error(self, exc: Exception, expression_source: str):  # pragma: no cover
        """Exception Handler"""
        LOGGER.warning("Expression error", exc=exc)

--- a/authentik/lib/generators.py
+++ b/authentik/lib/generators.py
@@ -4,20 +4,20 @@ import string
 from random import SystemRandom


-def generate_code_fixed_length(length: int = 9) -> str:
+def generate_code_fixed_length(length=9) -> str:
    """Generate a numeric code"""
    rand = SystemRandom()
    num = rand.randrange(1, 10**length)
    return str(num).zfill(length)


-def generate_id(length: int = 40) -> str:
+def generate_id(length=40) -> str:
    """Generate a random client ID"""
    rand = SystemRandom()
    return "".join(rand.choice(string.ascii_letters + string.digits) for x in range(length))


-def generate_key(length: int = 128) -> str:
+def generate_key(length=128) -> str:
    """Generate a suitable client secret"""
    rand = SystemRandom()
    return "".join(
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@@ -3,11 +3,9 @@
 import logging
 from logging import Logger
 from os import getpid
-from typing import Any

 import structlog
 from django.db import connection
-from structlog.typing import EventDict

 from authentik.lib.config import CONFIG

@@ -21,9 +19,9 @@ LOG_PRE_CHAIN = [
 ]


-def get_log_level() -> str:
+def get_log_level():
    """Get log level, clamp trace to debug"""
-    level: str = CONFIG.get("log_level").upper()
+    level = CONFIG.get("log_level").upper()
    # We could add a custom level to stdlib logging and structlog, but it's not easy or clean
    # https://stackoverflow.com/questions/54505487/custom-log-level-not-working-with-structlog
    # Additionally, the entire code uses debug as highest level
@@ -33,7 +31,7 @@ def get_log_level() -> str:
    return level


-def structlog_configure() -> None:
+def structlog_configure():
    """Configure structlog itself"""
    structlog.configure_once(
        processors=[
@@ -58,11 +56,11 @@ def structlog_configure() -> None:
    )


-def get_logger_config() -> dict[str, Any]:
+def get_logger_config():
    """Configure python stdlib's logging"""
    debug = CONFIG.get_bool("debug")
    global_level = get_log_level()
-    base_config: dict[str, Any] = {
+    base_config = {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
@@ -123,13 +121,13 @@ def get_logger_config() -> dict[str, Any]:
    return base_config


-def add_process_id(logger: Logger, method_name: str, event_dict: EventDict) -> EventDict:
+def add_process_id(logger: Logger, method_name: str, event_dict):
    """Add the current process ID"""
    event_dict["pid"] = getpid()
    return event_dict


-def add_tenant_information(logger: Logger, method_name: str, event_dict: EventDict) -> EventDict:
+def add_tenant_information(logger: Logger, method_name: str, event_dict):
    """Add the current tenant"""
    tenant = getattr(connection, "tenant", None)
    schema_name = getattr(connection, "schema_name", None)
--- a/authentik/lib/merge.py
+++ b/authentik/lib/merge.py
@@ -1,6 +1,6 @@
 """merge utils"""

-from deepmerge import Merger  # type: ignore[attr-defined]
+from deepmerge import Merger

 MERGE_LIST_UNIQUE = Merger(
    [(list, ["append_unique"]), (dict, ["merge"]), (set, ["union"])], ["override"], ["override"]
--- a/authentik/lib/migrations.py
+++ b/authentik/lib/migrations.py
@@ -1,18 +1,16 @@
 """Migration helpers"""

-from collections.abc import Callable, Collection, Generator
+from collections.abc import Iterable

 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor


-def fallback_names(
-    app: str, model: str, field: str
-) -> Callable[[Apps, BaseDatabaseSchemaEditor], None]:
+def fallback_names(app: str, model: str, field: str):
    """Factory function that checks all instances of `app`.`model` instance's `field`
    to prevent any duplicates"""

-    def migrator(apps: Apps, schema_editor: BaseDatabaseSchemaEditor) -> None:
+    def migrator(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        db_alias = schema_editor.connection.alias

        klass = apps.get_model(app, model)
@@ -37,7 +35,7 @@ def fallback_names(
    return migrator


-def progress_bar[R](iterable: Collection[R]) -> Generator[R]:
+def progress_bar(iterable: Iterable):
    """Call in a loop to create terminal progress bar
    https://stackoverflow.com/questions/3173320/text-progress-bar-in-the-console"""

@@ -52,7 +50,7 @@ def progress_bar[R](iterable: Collection[R]) -> Generator[R]:
    if total < 1:
        return

-    def print_progress_bar(iteration: int) -> None:
+    def print_progress_bar(iteration):
        """Progress Bar Printing Function"""
        percent = ("{0:." + str(decimals) + "f}").format(100 * (iteration / float(total)))
        filled_length = int(length * iteration // total)
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -1,7 +1,7 @@
 """authentik sentry integration"""

 from asyncio.exceptions import CancelledError
-from typing import TYPE_CHECKING, Any
+from typing import Any

 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation, ValidationError
@@ -34,9 +34,6 @@ from authentik.lib.utils.reflection import get_env
 LOGGER = get_logger()
 _root_path = CONFIG.get("web.path", "/")

-if TYPE_CHECKING:
-    from sentry_sdk._types import Event
-

 class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""
@@ -82,11 +79,10 @@ class SentryTransport(HttpTransport):

    def __init__(self, options: dict[str, Any]) -> None:
        super().__init__(options)
-        assert self.parsed_dsn is not None  # nosec
        self._auth = self.parsed_dsn.to_auth(authentik_user_agent())


-def sentry_init(**sentry_init_kwargs: Any) -> None:
+def sentry_init(**sentry_init_kwargs):
    """Configure sentry SDK"""
    sentry_env = CONFIG.get("error_reporting.environment", "customer")
    kwargs = {
@@ -120,7 +116,7 @@ def sentry_init(**sentry_init_kwargs: Any) -> None:
    set_tag("authentik.component", "backend")


-def traces_sampler(sampling_context: dict[str, Any]) -> float:
+def traces_sampler(sampling_context: dict) -> float:
    """Custom sampler to ignore certain routes"""
    path = sampling_context.get("asgi_scope", {}).get("path", "")
    _type = sampling_context.get("asgi_scope", {}).get("type", "")
@@ -139,7 +135,7 @@ def should_ignore_exception(exc: Exception) -> bool:
    return isinstance(exc, ignored_classes)


-def before_send(event: "Event", hint: dict[str, Any]) -> "Event | None":
+def before_send(event: dict, hint: dict) -> dict | None:
    """Check if error is database error, and ignore if so"""
    exc_value = None
    if "exc_info" in hint:
@@ -161,7 +157,7 @@ def before_send(event: "Event", hint: dict[str, Any]) -> "Event | None":
    return event


-def get_http_meta() -> dict[str, Any]:
+def get_http_meta():
    """Get sentry-related meta key-values"""
    scope = get_current_scope()
    meta = {
--- a/authentik/lib/sync/mapper.py
+++ b/authentik/lib/sync/mapper.py
@@ -1,5 +1,4 @@
 from collections.abc import Generator
-from typing import Any

 from django.db.models import QuerySet
 from django.http import HttpRequest
@@ -21,7 +20,7 @@ class PropertyMappingManager:

    _evaluators: list[PropertyMappingEvaluator]

-    globals: dict[str, Any]
+    globals: dict

    __has_compiled: bool

@@ -41,7 +40,7 @@ class PropertyMappingManager:
        self.globals = {}
        self.__has_compiled = False

-    def compile(self) -> None:
+    def compile(self):
        self._evaluators = []
        for mapping in self.query_set:
            if not isinstance(mapping, self.mapping_subclass):
@@ -59,8 +58,8 @@ class PropertyMappingManager:
        user: User | None,
        request: HttpRequest | None,
        return_mapping: bool = False,
-        **kwargs: Any,
-    ) -> Generator[tuple[Any, PropertyMapping]]:
+        **kwargs,
+    ) -> Generator[tuple[dict, PropertyMapping]]:
        """Iterate over all mappings that were pre-compiled and
        execute all of them with the given context"""
        if not self.__has_compiled:
--- a/authentik/lib/sync/outgoing/api.py
+++ b/authentik/lib/sync/outgoing/api.py
@@ -1,26 +1,15 @@
-from typing import Any
-
 from django.db.models import Model
 from dramatiq.actor import Actor
 from dramatiq.results.errors import ResultFailure
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, ChoiceField
-from rest_framework.mixins import (
-    CreateModelMixin,
-    DestroyModelMixin,
-    ListModelMixin,
-    RetrieveModelMixin,
-)
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import GenericViewSet, ModelViewSet

-from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.events.logs import LogEventSerializer
-from authentik.lib.models import SerializerModel
 from authentik.lib.sync.api import SyncStatusSerializer
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
 from authentik.lib.utils.reflection import class_to_path, path_to_class
@@ -47,19 +36,11 @@ class SyncObjectResultSerializer(PassiveSerializer):
    messages = LogEventSerializer(many=True, read_only=True)


-class OutgoingSyncProviderViewSet(UsedByMixin, ModelViewSet[OutgoingSyncProvider]):
+class OutgoingSyncProviderStatusMixin:
    """Common API Endpoints for Outgoing sync providers"""

-    sync_task: Actor[[int, Actor[[str, int, int, bool], None]], None]
-    sync_objects_task: Actor[[str, int, int, bool, dict[str, Any | None]], None]
-
-    filterset_fields = [
-        "name",
-        "exclude_users_service_account",
-        "filter_group",
-    ]
-    search_fields = ["name"]
-    ordering = ["name"]
+    sync_task: Actor
+    sync_objects_task: Actor

    @extend_schema(responses={200: SyncStatusSerializer()})
    @action(
@@ -87,20 +68,20 @@ class OutgoingSyncProviderViewSet(UsedByMixin, ModelViewSet[OutgoingSyncProvider
        if not sync_schedule:
            return Response(SyncStatusSerializer(status).data)

-        last_task = (
+        last_task: Task = (
            sync_schedule.tasks.filter(state__in=(TaskStatus.DONE, TaskStatus.REJECTED))
            .order_by("-mtime")
            .first()
        )
-        last_successful_task = (
+        last_successful_task: Task = (
            sync_schedule.tasks.filter(aggregated_status__in=(TaskStatus.DONE, TaskStatus.INFO))
            .order_by("-mtime")
            .first()
        )

-        if last_task is not None:
+        if last_task:
            status["last_sync_status"] = last_task.aggregated_status
-        if last_successful_task is not None:
+        if last_successful_task:
            status["last_successful_sync"] = last_successful_task.mtime

        return Response(SyncStatusSerializer(status).data)
@@ -130,7 +111,7 @@ class OutgoingSyncProviderViewSet(UsedByMixin, ModelViewSet[OutgoingSyncProvider
                "page": 1,
                "provider_pk": provider.pk,
                "override_dry_run": params.validated_data["override_dry_run"],
-                "filter": {"pk": pk},
+                "pk": pk,
            },
            retries=0,
            rel_obj=provider,
@@ -145,20 +126,13 @@ class OutgoingSyncProviderViewSet(UsedByMixin, ModelViewSet[OutgoingSyncProvider
        return Response(SyncObjectResultSerializer(instance={"messages": task._messages}).data)


-class OutgoingSyncConnectionViewSet(
-    CreateModelMixin,
-    RetrieveModelMixin,
-    DestroyModelMixin,
-    ListModelMixin,
-    UsedByMixin,
-    GenericViewSet[SerializerModel],
-):
-    def perform_create(self, serializer: ModelSerializer) -> None:  # type: ignore[override]
+class OutgoingSyncConnectionCreateMixin:
+    """Mixin for connection objects that fetches remote data upon creation"""
+
+    def perform_create(self, serializer: ModelSerializer):
        super().perform_create(serializer)
        try:
            instance = serializer.instance
-            if instance is None:
-                return
            client = instance.provider.client_for_model(instance.__class__)
            client.update_single_attribute(instance)
            instance.save()
--- a/authentik/lib/sync/outgoing/base.py
+++ b/authentik/lib/sync/outgoing/base.py
@@ -1,8 +1,7 @@
 """Basic outgoing sync Client"""

-from collections.abc import MutableMapping
 from enum import StrEnum
-from typing import TYPE_CHECKING, Any, cast
+from typing import TYPE_CHECKING

 from deepmerge import always_merger
 from django.db import DatabaseError
@@ -19,11 +18,11 @@ from authentik.lib.sync.outgoing.exceptions import NotFoundSyncException, StopSy
 if TYPE_CHECKING:
    from django.db.models import Model

-    from authentik.core.models import Group, User
    from authentik.lib.sync.outgoing.models import OutgoingSyncProvider


 class Direction(StrEnum):
+
    add = "add"
    remove = "remove"

@@ -37,10 +36,7 @@ SAFE_METHODS = [


 class BaseOutgoingSyncClient[
-    TModel: "User | Group",
-    TConnection: "Model",
-    TSchema: MutableMapping[Any, Any],
-    TProvider: "OutgoingSyncProvider",
+    TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
 ]:
    """Basic Outgoing sync client Client"""

@@ -59,17 +55,14 @@ class BaseOutgoingSyncClient[
        """Create object in remote destination"""
        raise NotImplementedError()

-    def update(self, obj: TModel, connection: TConnection) -> None:
+    def update(self, obj: TModel, connection: TConnection):
        """Update object in remote destination"""
        raise NotImplementedError()

-    def update_group(self, group: "Group", action: Direction, users_set: list[Any]) -> None:
-        raise NotImplementedError()
-
-    def write(self, obj: TModel) -> tuple[TConnection | None, bool]:
+    def write(self, obj: TModel) -> tuple[TConnection, bool]:
        """Write object to destination. Uses self.create and self.update, but
        can be overwritten for further logic"""
-        connection = self.connection_type.objects.filter(  # type: ignore[attr-defined]
+        connection = self.connection_type.objects.filter(
            provider=self.provider, **{self.connection_type_query: obj}
        ).first()
        try:
@@ -89,13 +82,13 @@ class BaseOutgoingSyncClient[
                connection.delete()
        return None, False

-    def delete(self, obj: TModel) -> None:
+    def delete(self, obj: TModel):
        """Delete object from destination"""
        raise NotImplementedError()

-    def to_schema(self, obj: TModel, connection: TConnection | None, **defaults: Any) -> TSchema:
+    def to_schema(self, obj: TModel, connection: TConnection | None, **defaults) -> TSchema:
        """Convert object to destination schema"""
-        raw_final_object: dict[Any, Any] = {}
+        raw_final_object = {}
        try:
            eval_kwargs = {
                "request": None,
@@ -104,7 +97,7 @@ class BaseOutgoingSyncClient[
                obj._meta.model_name: obj,
            }
            eval_kwargs.setdefault("user", None)
-            for value in self.mapper.iter_eval(**eval_kwargs):  # type: ignore[arg-type, misc]
+            for value in self.mapper.iter_eval(**eval_kwargs):
                always_merger.merge(raw_final_object, value)
        except ControlFlowException as exc:
            raise exc from exc
@@ -120,16 +113,16 @@ class BaseOutgoingSyncClient[
            raise StopSync(ValueError("No mappings configured"), obj)
        for key, value in defaults.items():
            raw_final_object.setdefault(key, value)
-        return cast(TSchema, raw_final_object)
+        return raw_final_object

-    def discover(self) -> None:
+    def discover(self):
        """Optional method. Can be used to implement a "discovery" where
        upon creation of this provider, this function will be called and can
        pre-link any users/groups in the remote system with the respective
        object in authentik based on a common identifier"""
        raise NotImplementedError()

-    def update_single_attribute(self, connection: TConnection) -> None:
+    def update_single_attribute(self, connection: TConnection):
        """Update connection attributes on a connection object, when the connection
        is manually created"""
        raise NotImplementedError
--- a/authentik/lib/sync/outgoing/exceptions.py
+++ b/authentik/lib/sync/outgoing/exceptions.py
@@ -1,5 +1,3 @@
-from typing import Any
-
 from authentik.lib.sentry import SentryIgnoredException


@@ -26,16 +24,16 @@ class BadRequestSyncException(BaseSyncException):
 class DryRunRejected(BaseSyncException):
    """When dry_run is enabled and a provider dropped a mutating request"""

-    def __init__(self, url: str, method: str, body: dict[Any, Any]) -> None:
+    def __init__(self, url: str, method: str, body: dict):
        super().__init__()
        self.url = url
        self.method = method
        self.body = body

-    def __repr__(self) -> str:
+    def __repr__(self):
        return self.__str__()

-    def __str__(self) -> str:
+    def __str__(self):
        return f"Dry-run rejected request: {self.method} {self.url}"


--- a/authentik/lib/sync/outgoing/models.py
+++ b/authentik/lib/sync/outgoing/models.py
@@ -4,11 +4,11 @@ import pglock
 from django.core.paginator import Paginator
 from django.core.validators import MinValueValidator
 from django.db import connection, models
-from django.db.models import QuerySet, TextChoices
+from django.db.models import Model, QuerySet, TextChoices
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import Actor

-from authentik.core.models import BackchannelProvider, Group, User
+from authentik.core.models import Group, User
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.utils.time import fqdn_rand, timedelta_from_string, timedelta_string_validator
 from authentik.tasks.schedules.common import ScheduleSpec
@@ -24,7 +24,7 @@ class OutgoingSyncDeleteAction(TextChoices):
    SUSPEND = "suspend"


-class OutgoingSyncProvider(ScheduledModel, BackchannelProvider):
+class OutgoingSyncProvider(ScheduledModel, Model):
    """Base abstract models for providers implementing outgoing sync"""

    sync_page_size = models.PositiveIntegerField(
@@ -56,7 +56,7 @@ class OutgoingSyncProvider(ScheduledModel, BackchannelProvider):
    def get_object_qs[T: User | Group](self, type: type[T]) -> QuerySet[T]:
        raise NotImplementedError

-    def get_paginator[T: User | Group](self, type: type[T]) -> "Paginator[T]":
+    def get_paginator[T: User | Group](self, type: type[T]) -> Paginator:
        return Paginator(self.get_object_qs(type), self.sync_page_size)

    def get_object_sync_time_limit_ms[T: User | Group](self, type: type[T]) -> int:
@@ -74,15 +74,13 @@ class OutgoingSyncProvider(ScheduledModel, BackchannelProvider):
    def sync_lock(self) -> pglock.advisory:
        """Postgres lock for syncing to prevent multiple parallel syncs happening"""
        return pglock.advisory(
-            lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",  # type: ignore[attr-defined]
+            lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
            timeout=0,
            side_effect=pglock.Return,
        )

    @property
-    def sync_actor(
-        self,
-    ) -> Actor[[int, Actor[[str, int, int, bool, dict[str, Any] | None], None]], None]:
+    def sync_actor(self) -> Actor:
        raise NotImplementedError

    @property
@@ -96,6 +94,6 @@ class OutgoingSyncProvider(ScheduledModel, BackchannelProvider):
                    "time_limit": self.get_sync_time_limit_ms(),
                },
                send_on_save=True,
-                crontab=f"{fqdn_rand(str(self.pk))} */4 * * *",
+                crontab=f"{fqdn_rand(self.pk)} */4 * * *",
            ),
        ]
--- a/authentik/lib/sync/outgoing/signals.py
+++ b/authentik/lib/sync/outgoing/signals.py
@@ -1,7 +1,4 @@
-from collections.abc import Iterable
-from typing import Any, TypeVar
-from uuid import UUID
-
+from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 from dramatiq.actor import Actor

@@ -10,24 +7,22 @@ from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
 from authentik.lib.utils.reflection import class_to_path

-ModelT = TypeVar("ModelT", bound=User | Group)
-

 def register_signals(
    provider_type: type[OutgoingSyncProvider],
-    task_sync_direct_dispatch: Actor[[str, Any, str], None],
-    task_sync_m2m_dispatch: Actor[[Any, str, list[Any], bool], None],
-) -> None:
+    task_sync_direct_dispatch: Actor[[str, str | int, str], None],
+    task_sync_m2m_dispatch: Actor[[str, str, list[str], bool], None],
+):
    """Register sync signals"""
    uid = class_to_path(provider_type)

    def model_post_save(
-        sender: type[ModelT],
-        instance: ModelT,
+        sender: type[Model],
+        instance: User | Group,
        created: bool,
-        update_fields: Iterable[str] | None = None,
-        **_: Any,
-    ) -> None:
+        update_fields: list[str] | None = None,
+        **_,
+    ):
        """Post save handler"""
        # Special case for user object; don't start sync task when we've only updated `last_login`
        # This primarily happens during user login
@@ -42,7 +37,7 @@ def register_signals(
    post_save.connect(model_post_save, User, dispatch_uid=uid, weak=False)
    post_save.connect(model_post_save, Group, dispatch_uid=uid, weak=False)

-    def model_pre_delete(sender: type[ModelT], instance: ModelT, **_: Any) -> None:
+    def model_pre_delete(sender: type[Model], instance: User | Group, **_):
        """Pre-delete handler"""
        task_sync_direct_dispatch.send(
            class_to_path(instance.__class__),
@@ -54,13 +49,8 @@ def register_signals(
    pre_delete.connect(model_pre_delete, Group, dispatch_uid=uid, weak=False)

    def model_m2m_changed(
-        sender: type[ModelT],
-        instance: ModelT,
-        action: str,
-        pk_set: set[int | UUID],
-        reverse: bool,
-        **_: Any,
-    ) -> None:
+        sender: type[Model], instance, action: str, pk_set: set, reverse: bool, **kwargs
+    ):
        """Sync group membership"""
        if action not in ["post_add", "post_remove"]:
            return
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@@ -1,11 +1,9 @@
-from typing import Any, cast
-
 from django.core.paginator import Paginator
-from django.db.models import Model, Q
+from django.db.models import Model, QuerySet
+from django.db.models.query import Q
 from dramatiq.actor import Actor
 from dramatiq.composition import group
 from dramatiq.errors import Retry
-from dramatiq.message import Message
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.expression.exceptions import SkipObjectException
@@ -40,11 +38,11 @@ class SyncTasks:
        self,
        current_task: Task,
        provider: OutgoingSyncProvider,
-        sync_objects: Actor[[str, int, int, bool, dict[str, Any] | None], None],
-        paginator: "Paginator[User | Group]",
+        sync_objects: Actor[[str, int, int, bool], None],
+        paginator: Paginator,
        object_type: type[User | Group],
-        **options: Any,
-    ) -> list[Message[None]]:
+        **options,
+    ):
        tasks = []
        time_limit = timedelta_from_string(provider.sync_page_timeout).total_seconds() * 1000
        for page in paginator.page_range:
@@ -62,14 +60,14 @@ class SyncTasks:
    def sync(
        self,
        provider_pk: int,
-        sync_objects: Actor[[str, int, int, bool, dict[str, Any] | None], None],
-    ) -> None:
+        sync_objects: Actor[[str, int, int, bool], None],
+    ):
        task = CurrentTask.get_task()
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
            provider_pk=provider_pk,
        )
-        provider = self._provider_model.objects.filter(
+        provider: OutgoingSyncProvider = self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
            pk=provider_pk,
        ).first()
@@ -84,7 +82,7 @@ class SyncTasks:
                self.logger.debug("Failed to acquire sync lock, skipping", provider=provider.name)
                return
            try:
-                users_tasks = group(  # type: ignore[no-untyped-call]
+                users_tasks = group(
                    self.sync_paginator(
                        current_task=task,
                        provider=provider,
@@ -93,7 +91,7 @@ class SyncTasks:
                        object_type=User,
                    )
                )
-                group_tasks = group(  # type: ignore[no-untyped-call]
+                group_tasks = group(
                    self.sync_paginator(
                        current_task=task,
                        provider=provider,
@@ -102,12 +100,12 @@ class SyncTasks:
                        object_type=Group,
                    )
                )
-                users_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(User))  # type: ignore[no-untyped-call]
-                group_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(Group))  # type: ignore[no-untyped-call]
+                users_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(User))
+                group_tasks.run().wait(timeout=provider.get_object_sync_time_limit_ms(Group))
            except TransientSyncException as exc:
                self.logger.warning("transient sync exception", exc=exc)
                task.warning("Sync encountered a transient exception. Retrying", exc=exc)
-                raise Retry() from exc  # type: ignore[no-untyped-call]
+                raise Retry() from exc
            except StopSync as exc:
                task.error(exc)
                return
@@ -117,11 +115,11 @@ class SyncTasks:
        object_type: str,
        page: int,
        provider_pk: int,
-        override_dry_run: bool = False,
-        filter: dict[str, Any] | None = None,
-    ) -> None:
+        override_dry_run=False,
+        **filter,
+    ):
        task = CurrentTask.get_task()
-        _object_type: type[User | Group] = path_to_class(object_type)
+        _object_type: type[Model] = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
            provider_pk=provider_pk,
@@ -142,8 +140,6 @@ class SyncTasks:
            client = provider.client_for_model(_object_type)
        except TransientSyncException:
            return
-        if filter is None:
-            filter = {}
        paginator = Paginator(
            provider.get_object_qs(_object_type).filter(**filter),
            provider.sync_page_size,
@@ -154,6 +150,7 @@ class SyncTasks:
        self.logger.debug("starting sync for page", page=page)
        task.info(f"Syncing page {page} or {_object_type._meta.verbose_name_plural}")
        for obj in paginator.page(page).object_list:
+            obj: Model
            try:
                client.write(obj)
            except SkipObjectException:
@@ -192,11 +189,11 @@ class SyncTasks:

    def sync_signal_direct_dispatch(
        self,
-        task_sync_signal_direct: Actor[[str, Any, int, str], None],
+        task_sync_signal_direct: Actor[[str, str | int, int, str], None],
        model: str,
-        pk: Any,
+        pk: str | int,
        raw_op: str,
-    ) -> None:
+    ):
        model_class: type[Model] = path_to_class(model)
        for provider in self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
@@ -210,19 +207,19 @@ class SyncTasks:
    def sync_signal_direct(
        self,
        model: str,
-        pk: Any,
+        pk: str | int,
        provider_pk: int,
        raw_op: str,
-    ) -> None:
+    ):
        task = CurrentTask.get_task()
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
        )
-        model_class: type[User | Group] = path_to_class(model)
+        model_class: type[Model] = path_to_class(model)
        instance = model_class.objects.filter(pk=pk).first()
        if not instance:
            return
-        provider = self._provider_model.objects.filter(
+        provider: OutgoingSyncProvider = self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
            pk=provider_pk,
        ).first()
@@ -247,7 +244,7 @@ class SyncTasks:
            if operation == Direction.remove:
                client.delete(instance)
        except TransientSyncException as exc:
-            raise Retry() from exc  # type: ignore[no-untyped-call]
+            raise Retry() from exc
        except SkipObjectException:
            return
        except DryRunRejected as exc:
@@ -257,12 +254,12 @@ class SyncTasks:

    def sync_signal_m2m_dispatch(
        self,
-        task_sync_signal_m2m: Actor[[Any, int, str, list[Any]], None],
-        instance_pk: Any,
+        task_sync_signal_m2m: Actor[[str, int, str, list[int]], None],
+        instance_pk: str,
        action: str,
-        pk_set: list[Any],
+        pk_set: list[int],
        reverse: bool,
-    ) -> None:
+    ):
        for provider in self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
        ):
@@ -284,11 +281,11 @@ class SyncTasks:

    def sync_signal_m2m(
        self,
-        group_pk: Any,
+        group_pk: str,
        provider_pk: int,
        action: str,
-        pk_set: list[Any],
-    ) -> None:
+        pk_set: list[int],
+    ):
        task = CurrentTask.get_task()
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
@@ -296,7 +293,7 @@ class SyncTasks:
        group = Group.objects.filter(pk=group_pk).first()
        if not group:
            return
-        provider = self._provider_model.objects.filter(
+        provider: OutgoingSyncProvider = self._provider_model.objects.filter(
            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
            pk=provider_pk,
        ).first()
@@ -305,7 +302,7 @@ class SyncTasks:
            return

        # Check if the object is allowed within the provider's restrictions
-        queryset = provider.get_object_qs(Group)
+        queryset: QuerySet = provider.get_object_qs(Group)
        # The queryset we get from the provider must include the instance we've got given
        # otherwise ignore this provider
        if not queryset.filter(pk=group_pk).exists():
@@ -318,9 +315,9 @@ class SyncTasks:
                operation = Direction.add
            if action == "post_remove":
                operation = Direction.remove
-            client.update_group(group, cast(Direction, operation), pk_set)
+            client.update_group(group, operation, pk_set)
        except TransientSyncException as exc:
-            raise Retry() from exc  # type: ignore[no-untyped-call]
+            raise Retry() from exc
        except SkipObjectException:
            return
        except DryRunRejected as exc:
--- a/authentik/lib/tests/test_evaluator.py
+++ b/authentik/lib/tests/test_evaluator.py
@@ -1,6 +1,6 @@
 """Test Evaluator base functions"""

-from unittest.mock import NonCallableMock, patch
+from unittest.mock import patch

 from django.test import RequestFactory, TestCase
 from django.urls import reverse
@@ -17,27 +17,27 @@ from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 class TestEvaluator(TestCase):
    """Test Evaluator base functions"""

-    def test_expr_regex_match(self) -> None:
+    def test_expr_regex_match(self):
        """Test expr_regex_match"""
        self.assertFalse(BaseEvaluator.expr_regex_match("foo", "bar"))
        self.assertTrue(BaseEvaluator.expr_regex_match("foo", "foo"))

-    def test_expr_regex_replace(self) -> None:
+    def test_expr_regex_replace(self):
        """Test expr_regex_replace"""
        self.assertEqual(BaseEvaluator.expr_regex_replace("foo", "o", "a"), "faa")

-    def test_expr_user_by(self) -> None:
+    def test_expr_user_by(self):
        """Test expr_user_by"""
        user = create_test_admin_user()
        self.assertIsNotNone(BaseEvaluator.expr_user_by(username=user.username))
        self.assertIsNone(BaseEvaluator.expr_user_by(username="bar"))
        self.assertIsNone(BaseEvaluator.expr_user_by(foo="bar"))

-    def test_expr_is_group_member(self) -> None:
+    def test_expr_is_group_member(self):
        """Test expr_is_group_member"""
        self.assertFalse(BaseEvaluator.expr_is_group_member(create_test_admin_user(), name="test"))

-    def test_expr_event_create(self) -> None:
+    def test_expr_event_create(self):
        """Test expr_event_create"""
        evaluator = BaseEvaluator(generate_id())
        evaluator._context = {
@@ -46,11 +46,10 @@ class TestEvaluator(TestCase):
        evaluator.evaluate("ak_create_event('foo', bar='baz')")
        event = Event.objects.filter(action="custom_foo").first()
        self.assertIsNotNone(event)
-        assert event is not None  # nosec
        self.assertEqual(event.context, {"bar": "baz", "foo": "bar"})

    @apply_blueprint("system/providers-oauth2.yaml")
-    def test_expr_create_jwt(self) -> None:
+    def test_expr_create_jwt(self):
        """Test expr_create_jwt"""
        rf = RequestFactory()
        user = create_test_user()
@@ -82,7 +81,7 @@ class TestEvaluator(TestCase):
        self.assertEqual(decoded["preferred_username"], user.username)

    @patch("authentik.stages.email.tasks.send_mails")
-    def test_expr_send_email_with_body(self, mock_send_mails: NonCallableMock) -> None:
+    def test_expr_send_email_with_body(self, mock_send_mails):
        """Test ak_send_email with body parameter"""
        user = create_test_user()
        evaluator = BaseEvaluator(generate_id())
@@ -109,7 +108,7 @@ class TestEvaluator(TestCase):
        self.assertEqual(message.body, "Test Body")

    @patch("authentik.stages.email.tasks.send_mails")
-    def test_expr_send_email_with_template(self, mock_send_mails: NonCallableMock) -> None:
+    def test_expr_send_email_with_template(self, mock_send_mails):
        """Test ak_send_email with template parameter"""
        user = create_test_user()
        evaluator = BaseEvaluator(generate_id())
@@ -124,7 +123,7 @@ class TestEvaluator(TestCase):
        self.assertTrue(result)
        mock_send_mails.assert_called_once()

-    def test_expr_send_email_validation_errors(self) -> None:
+    def test_expr_send_email_validation_errors(self):
        """Test ak_send_email validation errors"""
        evaluator = BaseEvaluator(generate_id())

@@ -142,7 +141,7 @@ class TestEvaluator(TestCase):
        self.assertIn("Either body or template parameter must be provided", str(cm.exception))

    @patch("authentik.stages.email.tasks.send_mails")
-    def test_expr_send_email_with_custom_stage(self, mock_send_mails: NonCallableMock) -> None:
+    def test_expr_send_email_with_custom_stage(self, mock_send_mails):
        """Test ak_send_email with custom EmailStage"""
        from authentik.stages.email.models import EmailStage

@@ -171,7 +170,7 @@ class TestEvaluator(TestCase):
        self.assertFalse(stage.use_global_settings)

    @patch("authentik.stages.email.tasks.send_mails")
-    def test_expr_send_email_with_context(self, mock_send_mails: NonCallableMock) -> None:
+    def test_expr_send_email_with_context(self, mock_send_mails):
        """Test ak_send_email with custom context parameter"""
        user = create_test_user()
        evaluator = BaseEvaluator(generate_id())
@@ -200,7 +199,7 @@ class TestEvaluator(TestCase):
        self.assertIn("http://localhost", message.body)

    @patch("authentik.stages.email.tasks.send_mails")
-    def test_expr_send_email_multiple_addresses(self, mock_send_mails: NonCallableMock) -> None:
+    def test_expr_send_email_multiple_addresses(self, mock_send_mails):
        """Test ak_send_email with multiple email addresses"""
        user = create_test_user()
        evaluator = BaseEvaluator(generate_id())
@@ -227,7 +226,7 @@ class TestEvaluator(TestCase):
        self.assertEqual(message.to, ["user1@example.com", "user2@example.com"])
        self.assertEqual(message.body, "Test Body")

-    def test_expr_send_email_multiple_addresses_validation(self) -> None:
+    def test_expr_send_email_multiple_addresses_validation(self):
        """Test ak_send_email validation with multiple addresses"""
        evaluator = BaseEvaluator(generate_id())

--- a/authentik/lib/tests/test_http.py
+++ b/authentik/lib/tests/test_http.py
@@ -15,27 +15,27 @@ class TestHTTP(TestCase):
        self.user = create_test_admin_user()
        self.factory = RequestFactory()

-    def test_bad_request_message(self) -> None:
+    def test_bad_request_message(self):
        """test bad_request_message"""
        request = self.factory.get("/")
        self.assertEqual(bad_request_message(request, "foo").status_code, 400)

-    def test_normal(self) -> None:
+    def test_normal(self):
        """Test normal request"""
        request = self.factory.get("/")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")

-    def test_forward_for(self) -> None:
+    def test_forward_for(self):
        """Test x-forwarded-for request"""
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")

-    def test_forward_for_invalid(self) -> None:
+    def test_forward_for_invalid(self):
        """Test invalid forward for"""
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)

-    def test_fake_outpost(self) -> None:
+    def test_fake_outpost(self):
        """Test faked IP which is overridden by an outpost"""
        token = Token.objects.create(
            identifier="test", user=self.user, intent=TokenIntents.INTENT_API
@@ -43,7 +43,7 @@ class TestHTTP(TestCase):
        # Invalid, non-existent token
        request = self.factory.get(
            "/",
-            **{  # type: ignore[arg-type]
+            **{
                ClientIPMiddleware.outpost_remote_ip_header: "1.2.3.4",
                ClientIPMiddleware.outpost_token_header: "abc",
            },
@@ -52,7 +52,7 @@ class TestHTTP(TestCase):
        # Invalid, user doesn't have permissions
        request = self.factory.get(
            "/",
-            **{  # type: ignore[arg-type]
+            **{
                ClientIPMiddleware.outpost_remote_ip_header: "1.2.3.4",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
@@ -63,7 +63,7 @@ class TestHTTP(TestCase):
        self.user.save()
        request = self.factory.get(
            "/",
-            **{  # type: ignore[arg-type]
+            **{
                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
@@ -74,7 +74,7 @@ class TestHTTP(TestCase):
        self.user.save()
        request = self.factory.get(
            "/",
-            **{  # type: ignore[arg-type]
+            **{
                ClientIPMiddleware.outpost_remote_ip_header: "1.2.3.4",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
--- a/authentik/lib/tests/test_sentry.py
+++ b/authentik/lib/tests/test_sentry.py
@@ -8,10 +8,10 @@ from authentik.lib.sentry import SentryIgnoredException, should_ignore_exception
 class TestSentry(TestCase):
    """test sentry integration"""

-    def test_error_not_sent(self) -> None:
+    def test_error_not_sent(self):
        """Test SentryIgnoredError not sent"""
        self.assertTrue(should_ignore_exception(SentryIgnoredException()))

-    def test_error_sent(self) -> None:
+    def test_error_sent(self):
        """Test error sent"""
        self.assertFalse(should_ignore_exception(ValueError()))
--- a/authentik/lib/tests/test_serializer_model.py
+++ b/authentik/lib/tests/test_serializer_model.py
@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.test import TestCase
 from rest_framework.serializers import BaseSerializer

+from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.reflection import all_subclasses

@@ -13,10 +14,10 @@ class TestModels(TestCase):
    """Generic model properties tests"""


-def model_tester_factory(test_model: type[SerializerModel]) -> Callable[[TestModels], None]:
+def model_tester_factory(test_model: type[Stage]) -> Callable:
    """Test a form"""

-    def tester(self: TestModels) -> None:
+    def tester(self: TestModels):
        try:
            model_class = None
            if test_model._meta.abstract:  # pragma: no cover
@@ -30,4 +31,4 @@ def model_tester_factory(test_model: type[SerializerModel]) -> Callable[[TestMod


 for model in all_subclasses(SerializerModel):
-    setattr(TestModels, f"test_model_{model.__name__}", model_tester_factory(model))  # type: ignore[type-abstract]
+    setattr(TestModels, f"test_model_{model.__name__}", model_tester_factory(model))
--- a/authentik/lib/tests/test_utils_reflection.py
+++ b/authentik/lib/tests/test_utils_reflection.py
@@ -10,6 +10,6 @@ from authentik.lib.utils.reflection import path_to_class
 class TestReflectionUtils(TestCase):
    """Test Reflection-utils"""

-    def test_path_to_class(self) -> None:
+    def test_path_to_class(self):
        """Test path_to_class"""
        self.assertEqual(path_to_class("datetime.datetime"), datetime)
--- a/authentik/lib/tests/test_utils_time.py
+++ b/authentik/lib/tests/test_utils_time.py
@@ -11,20 +11,20 @@ from authentik.lib.utils.time import timedelta_from_string, timedelta_string_val
 class TestTimeUtils(TestCase):
    """Test time-utils"""

-    def test_valid(self) -> None:
+    def test_valid(self):
        """Test valid expression"""
        expr = "hours=3;minutes=1"
        expected = timedelta(hours=3, minutes=1)
        self.assertEqual(timedelta_from_string(expr), expected)

-    def test_invalid(self) -> None:
+    def test_invalid(self):
        """Test invalid expression"""
        with self.assertRaises(ValueError):
            timedelta_from_string("foo")
        with self.assertRaises(ValueError):
            timedelta_from_string("bar=baz")

-    def test_validation(self) -> None:
+    def test_validation(self):
        """Test Django model field validator"""
        with self.assertRaises(ValidationError):
            timedelta_string_validator("foo")
--- a/authentik/lib/tests/utils.py
+++ b/authentik/lib/tests/utils.py
@@ -2,31 +2,23 @@

 from inspect import currentframe
 from pathlib import Path
-from typing import Any

 from django.contrib.messages.middleware import MessageMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
-from django.core.handlers.wsgi import WSGIRequest
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest
 from django.test.client import RequestFactory
 from guardian.utils import get_anonymous_user

-from authentik.core.models import User

-
-def dummy_get_response(request: HttpRequest) -> HttpResponse:  # pragma: no cover
+def dummy_get_response(request: HttpRequest):  # pragma: no cover
    """Dummy get_response for SessionMiddleware"""
-    return HttpResponse()
+    return None


-def load_fixture(path: str, **kwargs: Any) -> str:
+def load_fixture(path: str, **kwargs) -> str:
    """Load fixture, optionally formatting it with kwargs"""
    current = currentframe()
-    if current is None:
-        return ""
    parent = current.f_back
-    if parent is None:
-        return ""
    calling_file_path = parent.f_globals["__file__"]
    with open(Path(calling_file_path).resolve().parent / Path(path), encoding="utf-8") as _fixture:
        fixture = _fixture.read()
@@ -36,17 +28,17 @@ def load_fixture(path: str, **kwargs: Any) -> str:
            return fixture


-def get_request(*args: Any, user: User | None = None, **kwargs: Any) -> WSGIRequest:
+def get_request(*args, user=None, **kwargs):
    """Get a request with usable session"""
    request = RequestFactory().get(*args, **kwargs)
-    if user is not None:
+    if user:
        request.user = user
    else:
        request.user = get_anonymous_user()
-    session_middleware = SessionMiddleware(dummy_get_response)
-    session_middleware.process_request(request)
+    middleware = SessionMiddleware(dummy_get_response)
+    middleware.process_request(request)
    request.session.save()
-    message_middleware = MessageMiddleware(dummy_get_response)
-    message_middleware.process_request(request)
+    middleware = MessageMiddleware(dummy_get_response)
+    middleware.process_request(request)
    request.session.save()
    return request
--- a/authentik/lib/utils/db.py
+++ b/authentik/lib/utils/db.py
@@ -1,22 +1,16 @@
 """authentik database utilities"""

 import gc
-from collections.abc import Generator
-from typing import TypeVar

 from django.db import reset_queries
-from django.db.models import Model, QuerySet
-
-ModelT_co = TypeVar("ModelT_co", bound=Model, covariant=True)
+from django.db.models import QuerySet


-def chunked_queryset(
-    queryset: QuerySet[ModelT_co], chunk_size: int = 1_000
-) -> Generator[ModelT_co]:
+def chunked_queryset(queryset: QuerySet, chunk_size: int = 1_000):
    if not queryset.exists():
-        return
+        return []

-    def get_chunks(qs: QuerySet[ModelT_co]) -> Generator[QuerySet[ModelT_co]]:
+    def get_chunks(qs: QuerySet):
        qs = qs.order_by("pk")
        pks = qs.values_list("pk", flat=True)
        start_pk = pks[0]
--- a/authentik/lib/utils/dict.py
+++ b/authentik/lib/utils/dict.py
@@ -1,14 +1,7 @@
-from typing import Any, cast
-
-type rdict[R] = dict[str, "rdict[R] | R"]
+from typing import Any


-def get_path_from_dict[R: Any](
-    root: rdict[R],
-    path: str,
-    sep: str = ".",
-    default: R | None = None,
-) -> Any | None:
+def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
    If at any point a dict does not exist, return default"""
    walk: Any = root
@@ -17,10 +10,10 @@ def get_path_from_dict[R: Any](
            walk = walk.get(comp)
        else:
            return default
-    return cast(R, walk)
+    return walk


-def set_path_in_dict[R: Any](root: rdict[R], path: str, value: R, sep: str = ".") -> None:
+def set_path_in_dict(root: dict, path: str, value: Any, sep="."):
    """Recursively walk through `root`, checking each part of `path` separated by `sep`
    and setting the last value to `value`"""
    # Walk each component of the path
--- a/authentik/lib/utils/file.py
+++ b/authentik/lib/utils/file.py
@@ -1,7 +1,7 @@
 """file utils"""

 from django.db.models import Model
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponseBadRequest
 from rest_framework.fields import BooleanField, CharField, FileField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -25,7 +25,7 @@ class FilePathSerializer(PassiveSerializer):
    url = CharField()


-def set_file(request: Request, obj: Model, field_name: str) -> HttpResponse:
+def set_file(request: Request, obj: Model, field_name: str):
    """Upload file"""
    field = getattr(obj, field_name)
    file = request.FILES.get("file", None)
@@ -45,7 +45,7 @@ def set_file(request: Request, obj: Model, field_name: str) -> HttpResponse:
    return HttpResponseBadRequest()


-def set_file_url(request: Request, obj: Model, field_name: str) -> HttpResponse:
+def set_file_url(request: Request, obj: Model, field_name: str):
    """Set file field to URL"""
    field = getattr(obj, field_name)
    url = request.data.get("url", None)
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@@ -1,18 +1,13 @@
 """http helpers"""

-from typing import TYPE_CHECKING, Any
 from uuid import uuid4

-from requests.models import Response
 from requests.sessions import PreparedRequest, Session
 from structlog.stdlib import get_logger

 from authentik import authentik_full_version
 from authentik.lib.config import CONFIG

-if TYPE_CHECKING:
-    from requests.sessions import _Timeout
-
 LOGGER = get_logger()


@@ -24,40 +19,50 @@ def authentik_user_agent() -> str:
 class TimeoutSession(Session):
    """Always set a default HTTP request timeout"""

-    def __init__(self, default_timeout: int | None = None) -> None:
+    def __init__(self, default_timeout=None):
        super().__init__()
        self.timeout = default_timeout

    def send(
        self,
-        request: PreparedRequest,
+        request,
        *,
-        timeout: "_Timeout | None" = None,
-        **kwargs: Any,
-    ) -> Response:
+        stream=...,
+        verify=...,
+        proxies=...,
+        cert=...,
+        timeout=...,
+        allow_redirects=...,
+        **kwargs,
+    ):
        if not timeout and self.timeout:
            timeout = self.timeout
-        return super().send(request, timeout=timeout, **kwargs)
+        return super().send(
+            request,
+            stream=stream,
+            verify=verify,
+            proxies=proxies,
+            cert=cert,
+            timeout=timeout,
+            allow_redirects=allow_redirects,
+            **kwargs,
+        )


 class DebugSession(TimeoutSession):
    """requests session which logs http requests and responses"""

-    def send(
-        self,
-        request: PreparedRequest,
-        **kwargs: Any,
-    ) -> Response:
+    def send(self, req: PreparedRequest, *args, **kwargs):
        request_id = str(uuid4())
        LOGGER.debug(
            "HTTP request sent",
            uid=request_id,
-            url=request.url,
-            method=request.method,
-            headers=request.headers,
-            body=request.body,
+            url=req.url,
+            method=req.method,
+            headers=req.headers,
+            body=req.body,
        )
-        resp = super().send(request, **kwargs)
+        resp = super().send(req, *args, **kwargs)
        LOGGER.debug(
            "HTTP response received",
            uid=request_id,
--- a/authentik/lib/utils/reflection.py
+++ b/authentik/lib/utils/reflection.py
@@ -1,13 +1,10 @@
 """authentik lib reflection utilities"""

 import os
-from collections.abc import Generator
 from importlib import import_module
 from pathlib import Path
 from tempfile import gettempdir
-from typing import cast

-from django.apps.config import AppConfig
 from django.conf import settings
 from django.utils.module_loading import import_string

@@ -16,9 +13,9 @@ from authentik.lib.config import CONFIG
 SERVICE_HOST_ENV_NAME = "KUBERNETES_SERVICE_HOST"


-def all_subclasses[T: type](cls: T, sort: bool = True) -> list[T] | set[T]:
+def all_subclasses[T: type](cls: T, sort=True) -> list[T] | set[T]:
    """Recursively return all subclassess of cls"""
-    classes: list[T] | set[T] = set(cls.__subclasses__()).union(
+    classes = set(cls.__subclasses__()).union(
        [s for c in cls.__subclasses__() for s in all_subclasses(c, sort=sort)]
    )
    # Check if we're in debug mode, if not exclude classes which have `__debug_only__`
@@ -41,10 +38,10 @@ def path_to_class(path: str = "") -> type:
    parts = path.split(".")
    package = ".".join(parts[:-1])
    _class = getattr(import_module(package), parts[-1])
-    return cast(type, _class)
+    return _class


-def get_apps() -> Generator[AppConfig]:
+def get_apps():
    """Get list of all authentik apps"""
    from django.apps.registry import apps

@@ -68,11 +65,11 @@ def get_env() -> str:
    return "custom"


-def ConditionalInheritance(path: str) -> type:
+def ConditionalInheritance(path: str):
    """Conditionally inherit from a class, intended for things like authentik.enterprise,
    without which authentik should still be able to run"""
    try:
        cls = import_string(path)
-        return cast(type, cls)
+        return cls
    except ModuleNotFoundError:
        return object
--- a/authentik/lib/utils/time.py
+++ b/authentik/lib/utils/time.py
@@ -19,7 +19,7 @@ ALLOWED_KEYS = (
 )


-def timedelta_string_validator(value: str) -> None:
+def timedelta_string_validator(value: str):
    """Validator for Django that checks if value can be parsed with `timedelta_from_string`"""
    try:
        timedelta_from_string(value)
--- a/authentik/lib/utils/urls.py
+++ b/authentik/lib/utils/urls.py
@@ -1,6 +1,5 @@
 """URL-related utils"""

-from typing import Any
 from urllib.parse import urlparse

 from django.http import HttpResponse, QueryDict
@@ -11,12 +10,12 @@ from structlog.stdlib import get_logger
 LOGGER = get_logger()


-def is_url_absolute(url: str | bytes | bytearray | None) -> bool:
+def is_url_absolute(url):
    """Check if domain is absolute to prevent user from being redirect somewhere else"""
    return bool(urlparse(url).netloc)


-def redirect_with_qs(view: str, qs: QueryDict | None = None, **kwargs: Any) -> HttpResponse:
+def redirect_with_qs(view: str, get_query_set: QueryDict | None = None, **kwargs) -> HttpResponse:
    """Wrapper to redirect whilst keeping GET Parameters"""
    try:
        target = reverse(view, kwargs=kwargs)
@@ -25,14 +24,14 @@ def redirect_with_qs(view: str, qs: QueryDict | None = None, **kwargs: Any) -> H
            return redirect(view)
        LOGGER.warning("redirect target is not a valid view", view=view)
        raise
-    if qs:
-        target += "?" + qs.urlencode()
+    if get_query_set:
+        target += "?" + get_query_set.urlencode()
    return redirect(target)


-def reverse_with_qs(view: str, qs: QueryDict | None = None, **kwargs: Any) -> str:
+def reverse_with_qs(view: str, query: QueryDict | None = None, **kwargs) -> str:
    """Reverse a view to it's url but include get params"""
    url = reverse(view, **kwargs)
-    if qs:
-        url += "?" + qs.urlencode()
+    if query:
+        url += "?" + query.urlencode()
    return url
--- a/authentik/lib/validators.py
+++ b/authentik/lib/validators.py
@@ -1,17 +1,10 @@
 """Serializer validators"""

-from typing import TYPE_CHECKING, Any, TypeVar
-
 from django.utils.translation import gettext_lazy as _
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import Serializer
 from rest_framework.utils.representation import smart_repr

-if TYPE_CHECKING:
-    from django.utils.functional import _StrPromise
-
-_IN = TypeVar("_IN")  # Instance Type
-

 class RequiredTogetherValidator:
    """Serializer-level validator that ensures all fields in `fields` are only
@@ -19,13 +12,13 @@ class RequiredTogetherValidator:

    fields: list[str]
    requires_context = True
-    message: "str | _StrPromise" = _("The fields {field_names} must be used together.")
+    message = _("The fields {field_names} must be used together.")

-    def __init__(self, fields: list[str], message: "str | _StrPromise | None" = None) -> None:
+    def __init__(self, fields: list[str], message: str | None = None) -> None:
        self.fields = fields
        self.message = message or self.message

-    def __call__(self, attrs: dict[Any, Any], serializer: Serializer[_IN]) -> None:
+    def __call__(self, attrs: dict, serializer: Serializer):
        """Check that if any of the fields in `self.fields` are set, all of them must be set"""
        if any(field in attrs for field in self.fields) and not all(
            field in attrs for field in self.fields
@@ -34,5 +27,5 @@ class RequiredTogetherValidator:
            message = self.message.format(field_names=field_names)
            raise ValidationError(message, code="required")

-    def __repr__(self) -> str:
+    def __repr__(self):
        return f"<{self.__class__.__name__}(fields={smart_repr(self.fields)})>"
--- a/Show More
+++ b/Show More