initial steps for concurrent execution

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/comment-pr-instructions/action.yml

@@ -10,14 +10,14 @@ runs:
   using: "composite"
   steps:
     - name: Find Comment
-      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v2
+      uses: peter-evans/find-comment@v2
       id: fc
       with:
         issue-number: ${{ github.event.pull_request.number }}
         comment-author: "github-actions[bot]"
         body-includes: authentik PR Installation instructions
     - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v2
+      uses: peter-evans/create-or-update-comment@v2
       with:
         comment-id: ${{ steps.fc.outputs.comment-id }}
         issue-number: ${{ github.event.pull_request.number }}

.github/actions/setup/action.yml

@@ -21,12 +21,12 @@ runs:
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v5
+      uses: astral-sh/setup-uv@v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
+      uses: actions/setup-python@v5
       with:
         python-version-file: "pyproject.toml"
     - name: Install Python deps
@@ -35,15 +35,14 @@ runs:
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v4
+      uses: actions/setup-node@v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
-        registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
+      uses: actions/setup-go@v5
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
@@ -57,7 +56,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm i
+        cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/actions/test-results/action.yml

@@ -8,11 +8,11 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
+    - uses: codecov/codecov-action@v5
       with:
         flags: ${{ inputs.flags }}
         use_oidc: true
-    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
+    - uses: codecov/test-results-action@v1
       with:
         flags: ${{ inputs.flags }}
         file: unittest.xml

.github/dependabot.yml

@@ -1,15 +1,7 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    directories:
-      - /
-      # Required to update composite actions
-      # https://github.com/dependabot/dependabot-core/issues/6704
-      - /.github/actions/cherry-pick
-      - /.github/actions/setup
-      - /.github/actions/docker-push-variables
-      - /.github/actions/comment-pr-instructions
-      - /.github/actions/test-results
+    directory: "/"
     schedule:
       interval: daily
       time: "04:00"
@@ -142,9 +134,7 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: docker
-    directories:
-      - /
-      - /website
+    directory: "/"
     schedule:
       interval: daily
       time: "04:00"
@@ -156,7 +146,6 @@ updates:
   - package-ecosystem: docker-compose
     directories:
       # - /scripts # Maybe
-      - /scripts/api
       - /tests/e2e
     schedule:
       interval: daily

.github/workflows/_reusable-docker-build-single.yml

@@ -42,9 +42,9 @@ jobs:
       # Needed for checkout
       contents: read
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+      - uses: actions/checkout@v5
+      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,13 +56,13 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -74,7 +74,7 @@ jobs:
           mkdir -p ./gen-go-api
       - name: Setup node
         if: ${{ !inputs.release }}
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+        uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -83,7 +83,7 @@ jobs:
         if: ${{ !inputs.release }}
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
         id: push
         with:
           context: .
@@ -97,7 +97,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -49,7 +49,7 @@ jobs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -69,7 +69,7 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -79,25 +79,25 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
+      - uses: int128/docker-manifest-create-action@v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-ts-publish.yml

@@ -8,24 +8,20 @@ on:
       - "schema.yml"
   workflow_dispatch:
 
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
 jobs:
   build:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
@@ -36,6 +32,8 @@ jobs:
         run: |
           npm i
           npm publish --tag generated
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
         working-directory: web
         run: |
@@ -46,7 +44,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -59,7 +57,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/ci-api-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Install Dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      - uses: actions/cache@v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+      - uses: actions/upload-artifact@v4
         with:
           name: api-docs
           path: website/api/build
@@ -66,12 +66,12 @@ jobs:
       - lint
       - build
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/download-artifact@v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -21,10 +21,10 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"
@@ -35,13 +35,13 @@ jobs:
       - name: Check changes have been applied
         run: |
           uv run make aws-cfn
-          git diff --exit-code lifecycle/aws/template.yaml
+          git diff --exit-code
   ci-aws-cfn-mark:
     if: always()
     needs:
       - check-changes-applied
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/ci-docs-source.yml

@@ -13,10 +13,11 @@ env:
 
 jobs:
   publish-source-docs:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs
@@ -24,9 +25,9 @@ jobs:
           uv run make migrate
           uv run ak build_source_docs
       - name: Publish
+        uses: netlify/actions/cli@master
+        with:
+          args: deploy --dir=source_docs --prod
         env:
           NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: |
-          npm install -g netlify-cli
-          netlify deploy --dir=source_docs --prod

.github/workflows/ci-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Install dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -61,6 +61,7 @@ jobs:
         working-directory: website/
         run: npm run build -w integrations
   build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -69,13 +70,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -85,14 +86,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -101,7 +102,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -117,6 +118,7 @@ jobs:
       - build-container
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
+          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/ci-main-daily.yml

@@ -9,6 +9,7 @@ on:
 
 jobs:
   test-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -18,7 +19,7 @@ jobs:
           - version-2025-4
           - version-2025-2
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"

.github/workflows/ci-main.yml

@@ -37,7 +37,7 @@ jobs:
           - mypy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
@@ -45,7 +45,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -61,17 +61,18 @@ jobs:
   test-migrations-from-stable:
     name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 20
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 14-alpine
-          - 18-alpine
+          - 15-alpine
+          - 16-alpine
+          - 17-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: checkout stable
@@ -119,17 +120,18 @@ jobs:
   test-unittest:
     name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 20
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 14-alpine
-          - 18-alpine
+          - 15-alpine
+          - 16-alpine
+          - 17-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -149,11 +151,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@v1.12.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
@@ -187,14 +189,14 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
           docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -225,7 +227,7 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build:
@@ -253,7 +255,7 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -12,17 +12,12 @@ on:
       - main
       - version-*
 
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -34,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
+        uses: golangci/golangci-lint-action@v8
         with:
           version: latest
           args: --timeout 5000s --verbose
@@ -42,17 +37,14 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Generate API
         run: make gen-client-go
-      - name: prepare database
-        run: |
-          uv run make migrate
       - name: Go unittests
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
@@ -63,10 +55,11 @@ jobs:
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -86,13 +79,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -102,7 +95,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -111,7 +104,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -122,7 +115,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -145,13 +138,13 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -31,8 +31,8 @@ jobs:
           - command: lit-analyse
             project: web
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -68,7 +68,7 @@ jobs:
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   test:
@@ -76,8 +76,8 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gen-image-compress.yml

@@ -29,32 +29,32 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main
+        uses: calibreapp/image-actions@main
         with:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
           title: "*: Auto compress images"
           branch-suffix: timestamp
-          commit-message: "*: compress images"
+          commit-messsage: "*: compress images"
           body: ${{ steps.compress.outputs.markdown }}
           delete-branch: true
           signoff: true
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -13,20 +13,21 @@ env:
 
 jobs:
   build:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -39,7 +40,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/gh-cherry-pick.yml

@@ -10,14 +10,14 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@v2
         if: ${{ env.GH_APP_ID != '' }}
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         if: ${{ steps.app-token.outcome != 'skipped' }}
         with:
           fetch-depth: 0

.github/workflows/gh-gha-cache-cleanup.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v5
 
       - name: Cleanup
         run: |

.github/workflows/gh-ghcr-retention.yml

@@ -5,28 +5,25 @@ on:
   # schedule:
   #   - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
-    inputs:
-      dry-run:
-        type: boolean
-        description: Enable dry-run mode
 
 jobs:
   clean-ghcr:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
+        uses: snok/container-retention-policy@v2
         with:
           image-names: dev-server,dev-ldap,dev-proxy
-          image-tags: "!gh-next,!gh-main"
           cut-off: One week ago UTC
-          account: goauthentik
-          tag-selection: untagged
+          account-type: org
+          org-name: goauthentik
+          untagged-only: false
           token: ${{ steps.generate_token.outputs.token }}
-          dry-run: ${{ inputs.dry-run }}
+          skip-tags: gh-next,gh-main

.github/workflows/packages-npm-publish.yml

@@ -12,13 +12,9 @@ on:
       - packages/esbuild-plugin-live-reload/**
   workflow_dispatch:
 
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
 jobs:
   publish:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -30,16 +26,16 @@ jobs:
           - packages/tsconfig
           - packages/esbuild-plugin-live-reload
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json
@@ -50,3 +46,5 @@ jobs:
           npm ci
           npm run build
           npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/qa-codeql.yml

@@ -24,14 +24,14 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v3

.github/workflows/qa-semgrep.yml

@@ -26,5 +26,5 @@ jobs:
       image: semgrep/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - run: semgrep ci

.github/workflows/release-branch-off.yml

@@ -29,12 +29,12 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v5
         with:
           ref: main
           token: "${{ steps.app-token.outputs.token }}"
@@ -57,12 +57,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@v5
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}
@@ -73,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-next-branch.yml

@@ -12,10 +12,11 @@ permissions:
 
 jobs:
   update-next:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -31,11 +31,11 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,21 +44,21 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: true
         with:
@@ -83,14 +83,14 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -103,18 +103,18 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Docker Login Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@v6
         id: push
         with:
           push: true
@@ -124,7 +124,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+      - uses: actions/attest-build-provenance@v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,11 +146,11 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -168,7 +168,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2
+        uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -186,8 +186,8 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
+      - uses: actions/checkout@v5
+      - uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}
@@ -202,14 +202,14 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker compose pull -q
           docker compose up --no-start
-          docker compose start postgresql
+          docker compose start postgresql redis
           docker compose run -u root server test-all
   sentry-release:
     needs:
@@ -218,7 +218,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -232,7 +232,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3
+        uses: getsentry/action-release@v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -35,10 +35,8 @@ jobs:
           echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
       - id: changelog-url
         run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ]; then
+          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
-          elif [ "${{ inputs.release_reason }}" = "prerelease" ]; then
-            changelog_url="https://next.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
           else
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
           fi
@@ -50,7 +48,7 @@ jobs:
     name: Pre-release test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - run: make test-docker
   bump-authentik:
     name: Bump authentik version
@@ -61,7 +59,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -70,7 +68,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
           token: "${{ steps.app-token.outputs.token }}"
@@ -89,7 +87,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: goauthentik/action-gh-release@84da137b91a625a58fe8a34f3bd6bdb034a49138
+        uses: softprops/action-gh-release@v2
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -108,7 +106,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -118,7 +116,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           repository: "${{ github.repository_owner }}/helm"
           token: "${{ steps.app-token.outputs.token }}"
@@ -130,7 +128,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -150,7 +148,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -160,7 +158,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         with:
           repository: "${{ github.repository_owner }}/version"
           token: "${{ steps.app-token.outputs.token }}"
@@ -185,7 +183,7 @@ jobs:
             '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-mirror-cleanup.yml

@@ -0,0 +1,22 @@
+---
+name: Repo - Cleanup internal mirror
+
+on:
+  workflow_dispatch:
+
+jobs:
+  to_internal:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - if: ${{ env.MIRROR_KEY != '' }}
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        with:
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force --prune
+        env:
+          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -0,0 +1,21 @@
+---
+name: Repo - Mirror to internal
+
+on: [push, delete]
+
+jobs:
+  to_internal:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - if: ${{ env.MIRROR_KEY != '' }}
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        with:
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force
+        env:
+          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -12,14 +12,15 @@ permissions:
 
 jobs:
   stale:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/stale@v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-advice.yml

@@ -20,14 +20,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment
-        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
+        uses: peter-evans/find-comment@v4
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: "github-actions[bot]"
           body-includes: authentik translations instructions
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
+        uses: peter-evans/create-or-update-comment@v5
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/translation-extract-compile.yml

@@ -17,19 +17,20 @@ env:
 
 jobs:
   compile:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
@@ -44,7 +45,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.github/workflows/translation-rename.yml

@@ -16,12 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v5
       - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Get current title
         id: title
         env:
@@ -34,7 +34,7 @@ jobs:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
           gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+      - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ github.event.pull_request.number }}

.gitignore

@@ -72,7 +72,7 @@ unittest.xml
 
 # Translations
 # Have to include binary mo files as they are annoying to compile at build time
-# since a full postgres instance is required
+# since a full postgres and redis instance are required
 # *.mo
 
 # Django stuff:

.vscode/settings.json

@@ -49,9 +49,6 @@
     "go.testFlags": [
         "-count=1"
     ],
-    "go.testEnvVars": {
-        "WORKSPACE_DIR": "${workspaceFolder}"
-    },
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

CODEOWNERS

@@ -24,7 +24,6 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
-packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -26,7 +26,7 @@ RUN npm run build && \
     npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.1-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -63,7 +63,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.22 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -139,7 +139,6 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
 LABEL org.opencontainers.image.authors="Authentik Security Inc." \
-    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
     org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
     org.opencontainers.image.documentation="https://docs.goauthentik.io" \
     org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \

Makefile

@@ -16,6 +16,7 @@ GEN_API_GO = gen-go-api
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
 
 UNAME := $(shell uname)
 
@@ -106,6 +107,7 @@ dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
+	redis-cli -n ${redis_db} flushall
 
 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -149,13 +151,14 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 	npx prettier --write changelog.md
 
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
-		--markdown \
-		/local/diff.md \
-		/local/schema-old.yml \
-		/local/schema.yml
-	rm schema-old.yml
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
+		--markdown /local/diff.md \
+		/local/old_schema.yml /local/schema.yml
+	rm old_schema.yml
 	sed -i 's/{/{/g' diff.md
 	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
@@ -164,21 +167,28 @@ gen-clean-ts:  ## Remove generated API client for TypeScript
 	rm -rf ${PWD}/${GEN_API_TS}/
 	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
 
-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}
-
 gen-clean-go:  ## Remove generated API client for Go
+	mkdir -p ${PWD}/${GEN_API_GO}
+ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	make -C ${PWD}/${GEN_API_GO} clean
+else
 	rm -rf ${PWD}/${GEN_API_GO}
+endif
+
+gen-clean-py:  ## Remove generated API client for Python
+	rm -rf ${PWD}/${GEN_API_PY}/
 
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
-		generate \
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api/ts-config.yaml \
+		-c /local/scripts/api-ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
@@ -188,14 +198,17 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	cd ${PWD}/web && npm link @goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	mkdir -p ${PWD}/${GEN_API_PY}
-ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
-else
-	cd ${PWD}/${GEN_API_PY} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
-	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
+		-i /local/schema.yml \
+		-g python \
+		-o /local/${GEN_API_PY} \
+		-c /local/scripts/api-py-config.yaml \
+		--additional-properties=packageVersion=${NPM_VERSION} \
+		--git-repo-id authentik \
+		--git-user-id goauthentik
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}

README.md

@@ -10,7 +10,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://explore.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 
 ## What is authentik?
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.8.x   | ✅         |
-| 2025.10.x  | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.6.x  | ✅        |
+| 2025.8.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.12.0-rc1"
+VERSION = "2025.10.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/pagination.py

@@ -1,10 +1,44 @@
 """Pagination which includes total pages and current page"""
 
-from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-from authentik.api.v3.schema.response import PAGINATION
+PAGINATION_COMPONENT_NAME = "Pagination"
+PAGINATION_SCHEMA = {
+    "type": "object",
+    "properties": {
+        "next": {
+            "type": "number",
+        },
+        "previous": {
+            "type": "number",
+        },
+        "count": {
+            "type": "number",
+        },
+        "current": {
+            "type": "number",
+        },
+        "total_pages": {
+            "type": "number",
+        },
+        "start_index": {
+            "type": "number",
+        },
+        "end_index": {
+            "type": "number",
+        },
+    },
+    "required": [
+        "next",
+        "previous",
+        "count",
+        "current",
+        "total_pages",
+        "start_index",
+        "end_index",
+    ],
+}
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -36,13 +70,14 @@ class Pagination(pagination.PageNumberPagination):
         )
 
     def get_paginated_response_schema(self, schema):
-        return build_object_type(
-            properties={
-                "pagination": PAGINATION.ref,
+        return {
+            "type": "object",
+            "properties": {
+                "pagination": {"$ref": f"#/components/schemas/{PAGINATION_COMPONENT_NAME}"},
                 "results": schema,
             },
-            required=["pagination", "results"],
-        )
+            "required": ["pagination", "results"],
+        }
 
 
 class SmallerPagination(Pagination):

authentik/api/schema.py

@@ -3,23 +3,53 @@
 from collections.abc import Callable
 from typing import Any
 
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import ResolvedComponent
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_array_type,
+    build_basic_type,
+    build_object_type,
+)
 from drf_spectacular.renderers import OpenApiJsonRenderer
 from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
+from drf_spectacular.types import OpenApiTypes
+from rest_framework.settings import api_settings
 
 from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.v3.schema.query import QUERY_PARAMS
-from authentik.api.v3.schema.response import (
-    GENERIC_ERROR,
-    GENERIC_ERROR_RESPONSE,
-    PAGINATION,
-    VALIDATION_ERROR,
-    VALIDATION_ERROR_RESPONSE,
+from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
+
+GENERIC_ERROR = build_object_type(
+    description=_("Generic API Error"),
+    properties={
+        "detail": build_basic_type(OpenApiTypes.STR),
+        "code": build_basic_type(OpenApiTypes.STR),
+    },
+    required=["detail"],
+)
+VALIDATION_ERROR = build_object_type(
+    description=_("Validation Error"),
+    properties={
+        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
+        "code": build_basic_type(OpenApiTypes.STR),
+    },
+    required=[],
+    additionalProperties={},
 )
 
-LOGGER = get_logger()
+
+def create_component(
+    generator: SchemaGenerator, name: str, schema: Any, type_=ResolvedComponent.SCHEMA
+) -> ResolvedComponent:
+    """Register a component and return a reference to it."""
+    component = ResolvedComponent(
+        name=name,
+        type=type_,
+        schema=schema,
+        object=name,
+    )
+    generator.registry.register_on_missing(component)
+    return component
 
 
 def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
@@ -31,30 +61,45 @@ def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Calla
     ]
 
 
-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
-
-
 def postprocess_schema_responses(
     result: dict[str, Any], generator: SchemaGenerator, **kwargs
 ) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
+    """Workaround to set a default response for endpoints.
+    Workaround suggested at
+    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
+    for the missing drf-spectacular feature discussed in
+    <https://github.com/tfranzel/drf-spectacular/issues/101>.
+    """
+
+    create_component(generator, PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA)
+
+    generic_error = create_component(generator, "GenericError", GENERIC_ERROR)
+    validation_error = create_component(generator, "ValidationError", VALIDATION_ERROR)
+
     for path in result["paths"].values():
         for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+            method["responses"].setdefault(
+                "400",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": validation_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )
+            method["responses"].setdefault(
+                "403",
+                {
+                    "content": {
+                        "application/json": {
+                            "schema": generic_error.ref,
+                        }
+                    },
+                    "description": "",
+                },
+            )
 
     result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
 
@@ -68,18 +113,67 @@ def postprocess_schema_responses(
     return result
 
 
-def postprocess_schema_query_params(
+def postprocess_schema_pagination(
     result: dict[str, Any], generator: SchemaGenerator, **kwargs
 ) -> dict[str, Any]:
     """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
     declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
+    to_replace = {
+        "ordering": create_component(
+            generator,
+            "QueryPaginationOrdering",
+            {
+                "name": "ordering",
+                "required": False,
+                "in": "query",
+                "description": "Which field to use when ordering the results.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page": create_component(
+            generator,
+            "QueryPaginationPage",
+            {
+                "name": "page",
+                "required": False,
+                "in": "query",
+                "description": "A page number within the paginated result set.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "page_size": create_component(
+            generator,
+            "QueryPaginationPageSize",
+            {
+                "name": "page_size",
+                "required": False,
+                "in": "query",
+                "description": "Number of results to return per page.",
+                "schema": {"type": "integer"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+        "search": create_component(
+            generator,
+            "QuerySearch",
+            {
+                "name": "search",
+                "required": False,
+                "in": "query",
+                "description": "A search term.",
+                "schema": {"type": "string"},
+            },
+            ResolvedComponent.PARAMETER,
+        ),
+    }
     for path in result["paths"].values():
         for method in path.values():
             for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+                for replace_name, replace_ref in to_replace.items():
+                    if param["name"] == replace_name:
+                        method["parameters"][idx] = replace_ref.ref
     return result
 
 
@@ -91,13 +185,9 @@ def postprocess_schema_remove_unused(
     # less efficient than walking through the tree but a lot simpler and no
     # possibility that we miss something
     raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
     for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
+        if raw.count(key) > 1:
             continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
+        del generator.registry._components[(key, ResolvedComponent.SCHEMA)]
     result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
     return result

authentik/api/v3/config.py

@@ -56,6 +56,7 @@ class ConfigSerializer(PassiveSerializer):
     cache_timeout = IntegerField(required=True)
     cache_timeout_flows = IntegerField(required=True)
     cache_timeout_policies = IntegerField(required=True)
+    cache_timeout_reputation = IntegerField(required=True)
 
 
 class ConfigView(APIView):
@@ -102,6 +103,7 @@ class ConfigView(APIView):
                 "cache_timeout": CONFIG.get_int("cache.timeout"),
                 "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                 "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 

authentik/api/v3/schema/query.py

@@ -1,65 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_basic_type,
-    build_parameter_type,
-)
-from drf_spectacular.types import OpenApiTypes
-
-QUERY_PARAMS = {
-    "ordering": ResolvedComponent(
-        name="QueryPaginationOrdering",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationOrdering",
-        schema=build_parameter_type(
-            name="ordering",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-            description=_("Which field to use when ordering the results."),
-        ),
-    ),
-    "page": ResolvedComponent(
-        name="QueryPaginationPage",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationPage",
-        schema=build_parameter_type(
-            name="page",
-            schema=build_basic_type(OpenApiTypes.INT),
-            location="query",
-            description=_("A page number within the paginated result set."),
-        ),
-    ),
-    "page_size": ResolvedComponent(
-        name="QueryPaginationPageSize",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryPaginationPageSize",
-        schema=build_parameter_type(
-            name="page_size",
-            schema=build_basic_type(OpenApiTypes.INT),
-            location="query",
-            description=_("Number of results to return per page."),
-        ),
-    ),
-    "search": ResolvedComponent(
-        name="QuerySearch",
-        type=ResolvedComponent.PARAMETER,
-        object="QuerySearch",
-        schema=build_parameter_type(
-            name="search",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-            description=_("A search term."),
-        ),
-    ),
-    # Not related to pagination but a very common query param
-    "name": ResolvedComponent(
-        name="QueryName",
-        type=ResolvedComponent.PARAMETER,
-        object="QueryName",
-        schema=build_parameter_type(
-            name="name",
-            schema=build_basic_type(OpenApiTypes.STR),
-            location="query",
-        ),
-    ),
-}

authentik/api/v3/schema/response.py

@@ -1,84 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_array_type,
-    build_basic_type,
-    build_object_type,
-)
-from drf_spectacular.types import OpenApiTypes
-from rest_framework.settings import api_settings
-
-GENERIC_ERROR = ResolvedComponent(
-    name="GenericError",
-    type=ResolvedComponent.SCHEMA,
-    object="GenericError",
-    schema=build_object_type(
-        description=_("Generic API Error"),
-        properties={
-            "detail": build_basic_type(OpenApiTypes.STR),
-            "code": build_basic_type(OpenApiTypes.STR),
-        },
-        required=["detail"],
-    ),
-)
-GENERIC_ERROR_RESPONSE = ResolvedComponent(
-    name="GenericErrorResponse",
-    type=ResolvedComponent.RESPONSE,
-    object="GenericErrorResponse",
-    schema={
-        "content": {"application/json": {"schema": GENERIC_ERROR.ref}},
-        "description": "",
-    },
-)
-VALIDATION_ERROR = ResolvedComponent(
-    "ValidationError",
-    object="ValidationError",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(
-        description=_("Validation Error"),
-        properties={
-            api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
-            "code": build_basic_type(OpenApiTypes.STR),
-        },
-        required=[],
-        additionalProperties={},
-    ),
-)
-VALIDATION_ERROR_RESPONSE = ResolvedComponent(
-    name="ValidationErrorResponse",
-    type=ResolvedComponent.RESPONSE,
-    object="ValidationErrorResponse",
-    schema={
-        "content": {
-            "application/json": {
-                "schema": VALIDATION_ERROR.ref,
-            }
-        },
-        "description": "",
-    },
-)
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)

authentik/blueprints/tests/__init__.py

@@ -2,27 +2,23 @@
 
 from collections.abc import Callable
 from functools import wraps
-from typing import ParamSpec, TypeVar
 
 from django.apps import apps
 
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.blueprints.models import BlueprintInstance
 
-P = ParamSpec("P")
-R = TypeVar("R")
 
-
-def apply_blueprint(*files: str) -> Callable[[Callable[P, R]], Callable[P, R]]:
+def apply_blueprint(*files: str):
     """Apply blueprint before test"""
 
     from authentik.blueprints.v1.importer import Importer
 
-    def wrapper_outer(func: Callable[P, R]) -> Callable[P, R]:
+    def wrapper_outer(func: Callable):
         """Apply blueprint before test"""
 
         @wraps(func)
-        def wrapper(*args: P.args, **kwargs: P.kwargs) -> R:
+        def wrapper(*args, **kwargs):
             for file in files:
                 content = BlueprintInstance(path=file).retrieve()
                 Importer.from_string(content).apply()

authentik/blueprints/v1/importer.py

@@ -15,7 +15,6 @@ from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
-from django_channels_postgres.models import GroupChannel, Message
 from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
@@ -72,15 +71,13 @@ from authentik.providers.oauth2.models import (
     DeviceToken,
     RefreshToken,
 )
-from authentik.providers.proxy.models import ProxySession
 from authentik.providers.rac.models import ConnectionToken
-from authentik.providers.saml.models import SAMLSession
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.stages.consent.models import UserConsent
-from authentik.tasks.models import Task, TaskLog
+from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
@@ -123,12 +120,10 @@ def excluded_models() -> list[type[Model]]:
         SCIMProviderUser,
         Tenant,
         Task,
-        TaskLog,
         ConnectionToken,
         AuthorizationCode,
         AccessToken,
         RefreshToken,
-        ProxySession,
         Reputation,
         WebAuthnDeviceType,
         SCIMSourceUser,
@@ -142,9 +137,6 @@ def excluded_models() -> list[type[Model]]:
         DeviceToken,
         StreamEvent,
         UserConsent,
-        SAMLSession,
-        Message,
-        GroupChannel,
     )
 
 
@@ -313,7 +305,6 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        override_serializer_instance = False
         if (
             not isinstance(model(), BaseMetaModel)
             and model_instance
@@ -342,7 +333,11 @@ class Importer:
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )
-            override_serializer_instance = True
+            model_instance = model()
+            # pk needs to be set on the model instance otherwise a new one will be generated
+            if "pk" in updated_identifiers:
+                model_instance.pk = updated_identifiers["pk"]
+            serializer_kwargs["instance"] = model_instance
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
@@ -365,12 +360,6 @@ class Importer:
                 entry=entry,
                 serializer=serializer,
             ) from exc
-        if override_serializer_instance:
-            model_instance = model()
-            # pk needs to be set on the model instance otherwise a new one will be generated
-            if "pk" in updated_identifiers:
-                model_instance.pk = updated_identifiers["pk"]
-            serializer.instance = model_instance
         return serializer
 
     def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
@@ -449,7 +438,7 @@ class Importer:
                 self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
-                if instance and instance.pk:
+                if instance.pk:
                     instance.delete()
                     self.logger.debug("Deleted model", mode=instance)
                     continue

authentik/blueprints/v1/tasks.py

@@ -112,6 +112,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
 
 @actor(
     description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
+    throws=(DatabaseError, ProgrammingError, InternalError),
     priority=PRIORITY_HIGH,
 )
 def blueprints_find_dict():
@@ -150,7 +151,10 @@ def blueprints_find() -> list[BlueprintFile]:
     return blueprints
 
 
-@actor(description=_("Find blueprints and check if they need to be created in the database."))
+@actor(
+    description=_("Find blueprints and check if they need to be created in the database."),
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
 def blueprints_discovery(path: str | None = None):
     self = CurrentTask.get_task()
     count = 0

authentik/commands/apps.py

@@ -1,8 +0,0 @@
-from authentik.blueprints.apps import ManagedAppConfig
-
-
-class AuthentikCommandsConfig(ManagedAppConfig):
-    name = "authentik.commands"
-    label = "authentik_commands"
-    verbose_name = "authentik Commands"
-    default = True

authentik/commands/management/commands/__init__.py

@@ -1,8 +0,0 @@
-from django.db.migrations.autodetector import MigrationAutodetector as BaseMigrationAutodetector
-from pgtrigger.migrations import MigrationAutodetectorMixin
-
-MigrationAutodetector = type(
-    "MigrationAutodetector",
-    (MigrationAutodetectorMixin, BaseMigrationAutodetector),
-    {},
-)

authentik/commands/management/commands/makemigrations.py

@@ -1,7 +0,0 @@
-from django.core.management.commands.makemigrations import Command as BaseCommand
-
-from authentik.commands.management.commands import MigrationAutodetector
-
-
-class Command(BaseCommand):
-    autodetector = MigrationAutodetector

authentik/commands/management/commands/migrate.py

@@ -1,7 +0,0 @@
-from django_tenants.management.commands.migrate import Command as BaseCommand
-
-from authentik.commands.management.commands import MigrationAutodetector
-
-
-class Command(BaseCommand):
-    autodetector = MigrationAutodetector  # type: ignore[assignment]

authentik/commands/management/commands/migrate_schemas.py

@@ -1,7 +0,0 @@
-from django_tenants.management.commands.migrate_schemas import Command as BaseCommand
-
-from authentik.commands.management.commands import MigrationAutodetector
-
-
-class Command(BaseCommand):
-    autodetector = MigrationAutodetector  # type: ignore[assignment]

authentik/core/api/groups.py

@@ -228,19 +228,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     filterset_class = GroupFilter
     ordering = ["name"]
 
-    def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import (
-            JSONSearchField,
-        )
-
-        return [
-            StrField(Group, "name"),
-            BoolField(Group, "is_superuser", nullable=True),
-            JSONSearchField(Group, "attributes", suggest_nested=False),
-        ]
-
     def get_queryset(self):
         base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
 

authentik/core/expression/evaluator.py

@@ -3,11 +3,12 @@
 from types import CodeType
 from typing import Any
 
+from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram
 
 from authentik.core.expression.exceptions import SkipObjectException
-from authentik.core.models import PropertyMapping, User
+from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
 from authentik.policies.types import PolicyRequest
@@ -22,13 +23,13 @@ PROPERTY_MAPPING_TIME = Histogram(
 class PropertyMappingEvaluator(BaseEvaluator):
     """Custom Evaluator that adds some different context variables."""
 
-    dry_run: bool | None
-    model: PropertyMapping
+    dry_run: bool
+    model: Model
     _compiled: CodeType | None = None
 
     def __init__(
         self,
-        model: PropertyMapping,
+        model: Model,
         user: User | None = None,
         request: HttpRequest | None = None,
         dry_run: bool | None = False,

authentik/core/management/commands/shell.py

@@ -1,9 +1,13 @@
 """authentik shell command"""
 
+import code
 import platform
+import sys
+import traceback
 from pprint import pprint
 
-from django.core.management.commands.shell import Command as BaseCommand
+from django.apps import apps
+from django.core.management.base import BaseCommand
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 
@@ -22,12 +26,29 @@ def get_banner_text(shell_type="shell") -> str:
 class Command(BaseCommand):
     """Start the Django shell with all authentik models already imported"""
 
-    def get_namespace(self, **options):
-        return {
-            **super().get_namespace(**options),
+    django_models = {}
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-c",
+            "--command",
+            help="Python code to execute (instead of starting an interactive shell)",
+        )
+
+    def get_namespace(self):
+        """Prepare namespace with all models"""
+        namespace = {
             "pprint": pprint,
         }
 
+        # Gather Django models and constants from each app
+        for app in apps.get_app_configs():
+            # Load models from each app
+            for model in app.get_models():
+                namespace[model.__name__] = model
+
+        return namespace
+
     @staticmethod
     def post_save_handler(sender, instance: Model, created: bool, **_):
         """Signal handler for all object's post_save"""
@@ -58,9 +79,41 @@ class Command(BaseCommand):
         ).save()
 
     def handle(self, **options):
+        namespace = self.get_namespace()
+
         post_save.connect(Command.post_save_handler)
         pre_delete.connect(Command.pre_delete_handler)
 
-        print(get_banner_text())
+        # If Python code has been passed, execute it and exit.
+        if options["command"]:
 
-        super().handle(**options)
+            exec(options["command"], namespace)  # nosec # noqa
+            return
+
+        try:
+            hook = sys.__interactivehook__
+        except AttributeError:
+            # Match the behavior of the cpython shell where a missing
+            # sys.__interactivehook__ is ignored.
+            pass
+        else:
+            try:
+                hook()
+            except Exception:  # noqa
+                # Match the behavior of the cpython shell where an error in
+                # sys.__interactivehook__ prints a warning and the exception
+                # and continues.
+                print("Failed calling sys.__interactivehook__")
+                traceback.print_exc()
+        # Try to enable tab-complete
+        try:
+            import readline
+            import rlcompleter
+        except ModuleNotFoundError:
+            pass
+        else:
+            readline.set_completer(rlcompleter.Completer(namespace).complete)
+            readline.parse_and_bind("tab: complete")
+
+        # Run interactive shell
+        code.interact(banner=get_banner_text(), local=namespace)

authentik/core/models.py

@@ -29,7 +29,6 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
-from authentik.lib.config import CONFIG
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
 from authentik.lib.merge import MERGE_LIST_UNIQUE
@@ -575,12 +574,8 @@ class Application(SerializerModel, PolicyBindingModel):
         it is returned as-is"""
         if not self.meta_icon:
             return None
-        if self.meta_icon.name.startswith("http"):
+        if "://" in self.meta_icon.name or self.meta_icon.name.startswith("/static"):
             return self.meta_icon.name
-        if self.meta_icon.name.startswith("fa://"):
-            return self.meta_icon.name
-        if self.meta_icon.name.startswith("/"):
-            return CONFIG.get("web.path", "/")[:-1] + self.meta_icon.name
         return self.meta_icon.url
 
     def get_launch_url(self, user: Optional["User"] = None) -> str | None:
@@ -782,12 +777,8 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         starts with http it is returned as-is"""
         if not self.icon:
             return None
-        if self.icon.name.startswith("http"):
+        if "://" in self.icon.name or self.icon.name.startswith("/static"):
             return self.icon.name
-        if self.icon.name.startswith("fa://"):
-            return self.icon.name
-        if self.icon.name.startswith("/"):
-            return CONFIG.get("web.path", "/")[:-1] + self.icon.name
         return self.icon.url
 
     def get_user_path(self) -> str:

authentik/core/tasks.py

@@ -4,7 +4,6 @@ from datetime import datetime, timedelta
 
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_channels_postgres.models import GroupChannel, Message
 from django_postgres_cache.tasks import clear_expired_cache
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
@@ -35,8 +34,6 @@ def clean_expired_models():
         LOGGER.debug("Expired models", model=cls, amount=amount)
         self.info(f"Expired {amount} {cls._meta.verbose_name_plural}")
     clear_expired_cache()
-    Message.delete_expired()
-    GroupChannel.delete_expired()
 
 
 @actor(description=_("Remove temporary users created by SAML Sources."))

authentik/core/tests/test_applications_api.py

@@ -82,66 +82,6 @@ class TestApplicationsAPI(APITestCase):
         self.assertEqual(self.allowed.get_meta_icon, app["meta_icon"])
         self.assertEqual(self.allowed.meta_icon.read(), b"text")
 
-    def test_set_icon_relative(self):
-        """Test set_icon (relative path)"""
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon-url",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data={"url": "relative/path"},
-        )
-        self.assertEqual(response.status_code, 200)
-
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, "/media/public/relative/path")
-
-    def test_set_icon_absolute(self):
-        """Test set_icon (absolute path)"""
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon-url",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data={"url": "/relative/path"},
-        )
-        self.assertEqual(response.status_code, 200)
-
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, "/relative/path")
-
-    def test_set_icon_url(self):
-        """Test set_icon (url)"""
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon-url",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data={"url": "https://authentik.company/img.png"},
-        )
-        self.assertEqual(response.status_code, 200)
-
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, "https://authentik.company/img.png")
-
-    def test_set_icon_fa(self):
-        """Test set_icon (url)"""
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon-url",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data={"url": "fa://fa-check-circle"},
-        )
-        self.assertEqual(response.status_code, 200)
-
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, "fa://fa-check-circle")
-
     def test_check_access(self):
         """Test check_access operation"""
         self.client.force_login(self.user)

authentik/enterprise/apps.py

@@ -1,21 +1,11 @@
 """Enterprise app config"""
 
 from django.conf import settings
-from prometheus_client import Gauge
 
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 
-GAUGE_LICENSE_USAGE = Gauge(
-    "authentik_enterprise_license_usage",
-    "Enterprise license usage (percentage per user type).",
-    ["user_type"],
-)
-GAUGE_LICENSE_EXPIRY = Gauge(
-    "authentik_enterprise_license_expiry_seconds", "Duration until license expires, in seconds."
-)
-
 
 class EnterpriseConfig(ManagedAppConfig):
     """Base app config for all enterprise apps"""

authentik/enterprise/license.py

@@ -217,7 +217,7 @@ class LicenseKey:
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
         status = self.status()
-        latest_valid = datetime.fromtimestamp(self.exp).replace(tzinfo=UTC)
+        latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
             latest_valid=latest_valid,
             internal_users=self.internal_users,

authentik/enterprise/providers/google_workspace/api/groups.py

@@ -1,9 +1,13 @@
 """GoogleWorkspaceProviderGroup API Views"""
 
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
     group_obj = PartialGroupSerializer(source="group", read_only=True)
 
     class Meta:
+
         model = GoogleWorkspaceProviderGroup
         fields = [
             "id",
@@ -24,7 +29,15 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
         extra_kwargs = {"attributes": {"read_only": True}}
 
 
-class GoogleWorkspaceProviderGroupViewSet(OutgoingSyncConnectionViewSet):
+class GoogleWorkspaceProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """GoogleWorkspaceProviderGroup Viewset"""
 
     queryset = GoogleWorkspaceProviderGroup.objects.all().select_related("group")

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -1,13 +1,16 @@
 """Google Provider API Views"""
 
+from rest_framework.viewsets import ModelViewSet
+
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.enterprise.providers.google_workspace.tasks import (
     google_workspace_sync,
     google_workspace_sync_objects,
 )
-from authentik.lib.sync.outgoing.api import OutgoingSyncProviderViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
 
 
 class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
@@ -34,23 +37,23 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
             "user_delete_action",
             "group_delete_action",
             "default_group_email_domain",
-            "sync_page_size",
-            "sync_page_timeout",
             "dry_run",
         ]
         extra_kwargs = {}
 
 
-class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderViewSet):
+class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
     """GoogleWorkspaceProvider Viewset"""
 
     queryset = GoogleWorkspaceProvider.objects.all()
     serializer_class = GoogleWorkspaceProviderSerializer
-    filterset_fields = OutgoingSyncProviderViewSet.filterset_fields + [
-        "delegated_subject",
-    ]
-    search_fields = OutgoingSyncProviderViewSet.search_fields + [
+    filterset_fields = [
+        "name",
+        "exclude_users_service_account",
         "delegated_subject",
+        "filter_group",
     ]
+    search_fields = ["name"]
+    ordering = ["name"]
     sync_task = google_workspace_sync
     sync_objects_task = google_workspace_sync_objects

authentik/enterprise/providers/google_workspace/api/users.py

@@ -1,9 +1,13 @@
 """GoogleWorkspaceProviderUser API Views"""
 
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
 from authentik.core.api.groups import PartialUserSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
     user_obj = PartialUserSerializer(source="user", read_only=True)
 
     class Meta:
+
         model = GoogleWorkspaceProviderUser
         fields = [
             "id",
@@ -24,7 +29,15 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
         extra_kwargs = {"attributes": {"read_only": True}}
 
 
-class GoogleWorkspaceProviderUserViewSet(OutgoingSyncConnectionViewSet):
+class GoogleWorkspaceProviderUserViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """GoogleWorkspaceProviderUser Viewset"""
 
     queryset = GoogleWorkspaceProviderUser.objects.all().select_related("user")

authentik/enterprise/providers/google_workspace/clients/groups.py

@@ -25,7 +25,7 @@ class GoogleWorkspaceGroupClient(
     """Google client for groups"""
 
     connection_type = GoogleWorkspaceProviderGroup
-    connection_type_query = "group"
+    connection_attr = "googleworkspaceprovidergroup_set"
     can_discover = True
 
     def __init__(self, provider: GoogleWorkspaceProvider) -> None:
@@ -208,11 +208,11 @@ class GoogleWorkspaceGroupClient(
         )
         if not matching_authentik_group:
             return
-        GoogleWorkspaceProviderGroup.objects.update_or_create(
+        GoogleWorkspaceProviderGroup.objects.get_or_create(
             provider=self.provider,
             group=matching_authentik_group,
             google_id=google_id,
-            defaults={"attributes": group},
+            attributes=group,
         )
 
     def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):

authentik/enterprise/providers/google_workspace/clients/users.py

@@ -20,7 +20,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
     """Sync authentik users into google workspace"""
 
     connection_type = GoogleWorkspaceProviderUser
-    connection_type_query = "user"
+    connection_attr = "googleworkspaceprovideruser_set"
     can_discover = True
 
     def __init__(self, provider: GoogleWorkspaceProvider) -> None:
@@ -113,11 +113,11 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
         matching_authentik_user = self.provider.get_object_qs(User).filter(email=email).first()
         if not matching_authentik_user:
             return
-        GoogleWorkspaceProviderUser.objects.update_or_create(
+        GoogleWorkspaceProviderUser.objects.get_or_create(
             provider=self.provider,
             user=matching_authentik_user,
             google_id=email,
-            defaults={"attributes": user},
+            attributes=user,
         )
 
     def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):

authentik/enterprise/providers/google_workspace/migrations/0005_googleworkspaceprovider_sync_page_size_and_more.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-21 12:35
-
-import authentik.lib.utils.time
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_google_workspace", "0004_googleworkspaceprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="sync_page_size",
-            field=models.PositiveIntegerField(
-                default=100,
-                help_text="Controls the number of objects synced in a single task",
-                validators=[django.core.validators.MinValueValidator(1)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="sync_page_timeout",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Timeout for synchronization of a single page",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/enterprise/providers/google_workspace/models.py

@@ -12,6 +12,7 @@ from google.oauth2.service_account import Credentials
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import (
+    BackchannelProvider,
     Group,
     PropertyMapping,
     User,
@@ -83,7 +84,7 @@ class GoogleWorkspaceProviderGroup(SerializerModel):
         return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
 
 
-class GoogleWorkspaceProvider(OutgoingSyncProvider):
+class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
     """Sync users from authentik into Google Workspace."""
 
     delegated_subject = models.EmailField()
@@ -138,7 +139,11 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider):
         if type == User:
             # Get queryset of all users with consistent ordering
             # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
+            base = (
+                User.objects.prefetch_related("googleworkspaceprovideruser_set")
+                .all()
+                .exclude_anonymous()
+            )
             if self.exclude_users_service_account:
                 base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                     type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@@ -148,7 +153,11 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider):
             return base.order_by("pk")
         if type == Group:
             # Get queryset of all groups with consistent ordering
-            return Group.objects.all().order_by("pk")
+            return (
+                Group.objects.prefetch_related("googleworkspaceprovidergroup_set")
+                .all()
+                .order_by("pk")
+            )
         raise ValueError(f"Invalid type {type}")
 
     def google_credentials(self):

authentik/enterprise/providers/google_workspace/tests/test_groups.py

@@ -292,7 +292,7 @@ class GoogleWorkspaceGroupTests(TestCase):
                 ).exists()
             )
 
-    def test_sync_discover(self):
+    def test_sync_task(self):
         """Test group discovery"""
         uid = generate_id()
         http = MockHTTP()
@@ -332,57 +332,3 @@ class GoogleWorkspaceGroupTests(TestCase):
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             self.assertEqual(len(http.requests()), 5)
-
-    def test_sync_discover_multiple(self):
-        """Test group discovery"""
-        uid = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/customer/my_customer/domains?key={self.api_key}&alt=json",
-            domains_list_v1_mock,
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-            method="GET",
-            body={"users": []},
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-            method="GET",
-            body={"groups": [{"id": uid, "name": uid}]},
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/groups/{uid}?key={self.api_key}&alt=json",
-            method="PUT",
-            body={"id": uid},
-        )
-        self.app.backchannel_providers.remove(self.provider)
-        different_group = Group.objects.create(
-            name=uid,
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with patch(
-            "authentik.enterprise.providers.google_workspace.models.GoogleWorkspaceProvider.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            google_workspace_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                GoogleWorkspaceProviderGroup.objects.filter(
-                    group=different_group, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
-            # Change response to trigger update
-            http.add_response(
-                f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-                method="GET",
-                body={"groups": [{"id": uid, "name": uid, "bar": "baz"}]},
-            )
-            google_workspace_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                GoogleWorkspaceProviderGroup.objects.filter(
-                    group=different_group, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())

authentik/enterprise/providers/google_workspace/tests/test_users.py

@@ -269,7 +269,7 @@ class GoogleWorkspaceUserTests(TestCase):
                 ).exists()
             )
 
-    def test_sync_discover(self):
+    def test_sync_task(self):
         """Test user discovery"""
         uid = generate_id()
         http = MockHTTP()
@@ -310,63 +310,3 @@ class GoogleWorkspaceUserTests(TestCase):
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             self.assertEqual(len(http.requests()), 5)
-
-    def test_sync_discover_multiple(self):
-        """Test user discovery, running multiple times"""
-        uid = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/customer/my_customer/domains?key={self.api_key}&alt=json",
-            domains_list_v1_mock,
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-            method="GET",
-            body={"users": [{"primaryEmail": f"{uid}@goauthentik.io"}]},
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/groups?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-            method="GET",
-            body={"groups": []},
-        )
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/users/{uid}%40goauthentik.io?key={self.api_key}&alt=json",
-            method="PUT",
-            body={"primaryEmail": f"{uid}@goauthentik.io"},
-        )
-        self.app.backchannel_providers.remove(self.provider)
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        # Sync once
-        with patch(
-            "authentik.enterprise.providers.google_workspace.models.GoogleWorkspaceProvider.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            google_workspace_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                GoogleWorkspaceProviderUser.objects.filter(
-                    user=different_user, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 5)
-            # Change response, which will trigger a discovery update
-            http.add_response(
-                f"https://admin.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&key={self.api_key}&alt=json",
-                method="GET",
-                body={
-                    "users": [
-                        {"primaryEmail": f"{uid}@goauthentik.io", "foo": "bar"},
-                    ]
-                },
-            )
-            google_workspace_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                GoogleWorkspaceProviderUser.objects.filter(
-                    user=different_user, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())

authentik/enterprise/providers/microsoft_entra/api/groups.py

@@ -1,9 +1,13 @@
 """MicrosoftEntraProviderGroup API Views"""
 
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import PartialGroupSerializer
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
     group_obj = PartialGroupSerializer(source="group", read_only=True)
 
     class Meta:
+
         model = MicrosoftEntraProviderGroup
         fields = [
             "id",
@@ -24,7 +29,15 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
         extra_kwargs = {"attributes": {"read_only": True}}
 
 
-class MicrosoftEntraProviderGroupViewSet(OutgoingSyncConnectionViewSet):
+class MicrosoftEntraProviderGroupViewSet(
+    mixins.CreateModelMixin,
+    OutgoingSyncConnectionCreateMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """MicrosoftEntraProviderGroup Viewset"""
 
     queryset = MicrosoftEntraProviderGroup.objects.all().select_related("group")

authentik/enterprise/providers/microsoft_entra/api/providers.py

@@ -1,13 +1,16 @@
 """Microsoft Provider API Views"""
 
+from rest_framework.viewsets import ModelViewSet
+
 from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.enterprise.providers.microsoft_entra.tasks import (
     microsoft_entra_sync,
     microsoft_entra_sync_objects,
 )
-from authentik.lib.sync.outgoing.api import OutgoingSyncProviderViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
 
 
 class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
@@ -33,17 +36,22 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
             "filter_group",
             "user_delete_action",
             "group_delete_action",
-            "sync_page_size",
-            "sync_page_timeout",
             "dry_run",
         ]
         extra_kwargs = {}
 
 
-class MicrosoftEntraProviderViewSet(OutgoingSyncProviderViewSet):
+class MicrosoftEntraProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
     """MicrosoftEntraProvider Viewset"""
 
     queryset = MicrosoftEntraProvider.objects.all()
     serializer_class = MicrosoftEntraProviderSerializer
+    filterset_fields = [
+        "name",
+        "exclude_users_service_account",
+        "filter_group",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
     sync_task = microsoft_entra_sync
     sync_objects_task = microsoft_entra_sync_objects

authentik/enterprise/providers/microsoft_entra/api/users.py

@@ -1,9 +1,13 @@
 """MicrosoftEntraProviderUser API Views"""
 
+from rest_framework import mixins
+from rest_framework.viewsets import GenericViewSet
+
 from authentik.core.api.groups import PartialUserSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionViewSet
+from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
@@ -12,6 +16,7 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
     user_obj = PartialUserSerializer(source="user", read_only=True)
 
     class Meta:
+
         model = MicrosoftEntraProviderUser
         fields = [
             "id",
@@ -24,7 +29,15 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
         extra_kwargs = {"attributes": {"read_only": True}}
 
 
-class MicrosoftEntraProviderUserViewSet(OutgoingSyncConnectionViewSet):
+class MicrosoftEntraProviderUserViewSet(
+    OutgoingSyncConnectionCreateMixin,
+    mixins.CreateModelMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
     """MicrosoftEntraProviderUser Viewset"""
 
     queryset = MicrosoftEntraProviderUser.objects.all().select_related("user")

authentik/enterprise/providers/microsoft_entra/clients/groups.py

@@ -29,7 +29,7 @@ class MicrosoftEntraGroupClient(
     """Microsoft client for groups"""
 
     connection_type = MicrosoftEntraProviderGroup
-    connection_type_query = "group"
+    connection_attr = "microsoftentraprovidergroup_set"
     can_discover = True
 
     def __init__(self, provider: MicrosoftEntraProvider) -> None:
@@ -220,11 +220,11 @@ class MicrosoftEntraGroupClient(
         )
         if not matching_authentik_group:
             return
-        MicrosoftEntraProviderGroup.objects.update_or_create(
+        MicrosoftEntraProviderGroup.objects.get_or_create(
             provider=self.provider,
             group=matching_authentik_group,
             microsoft_id=group.id,
-            defaults={"attributes": self.entity_as_dict(group)},
+            attributes=self.entity_as_dict(group),
         )
 
     def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -24,7 +24,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
     """Sync authentik users into microsoft entra"""
 
     connection_type = MicrosoftEntraProviderUser
-    connection_type_query = "user"
+    connection_attr = "microsoftentraprovideruser_set"
     can_discover = True
 
     def __init__(self, provider: MicrosoftEntraProvider) -> None:
@@ -159,11 +159,11 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
         matching_authentik_user = self.provider.get_object_qs(User).filter(email=user.mail).first()
         if not matching_authentik_user:
             return
-        MicrosoftEntraProviderUser.objects.update_or_create(
+        MicrosoftEntraProviderUser.objects.get_or_create(
             provider=self.provider,
             user=matching_authentik_user,
             microsoft_id=user.id,
-            defaults={"attributes": self.entity_as_dict(user)},
+            attributes=self.entity_as_dict(user),
         )
 
     def update_single_attribute(self, connection: MicrosoftEntraProviderUser):

authentik/enterprise/providers/microsoft_entra/migrations/0004_microsoftentraprovider_sync_page_size_and_more.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-21 12:35
-
-import authentik.lib.utils.time
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_microsoft_entra", "0003_microsoftentraprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="sync_page_size",
-            field=models.PositiveIntegerField(
-                default=100,
-                help_text="Controls the number of objects synced in a single task",
-                validators=[django.core.validators.MinValueValidator(1)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="sync_page_timeout",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Timeout for synchronization of a single page",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/enterprise/providers/microsoft_entra/models.py

@@ -12,6 +12,7 @@ from dramatiq.actor import Actor
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import (
+    BackchannelProvider,
     Group,
     PropertyMapping,
     User,
@@ -74,7 +75,7 @@ class MicrosoftEntraProviderGroup(SerializerModel):
         return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
 
 
-class MicrosoftEntraProvider(OutgoingSyncProvider):
+class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
     """Sync users from authentik into Microsoft Entra."""
 
     client_id = models.TextField()
@@ -127,7 +128,11 @@ class MicrosoftEntraProvider(OutgoingSyncProvider):
         if type == User:
             # Get queryset of all users with consistent ordering
             # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
+            base = (
+                User.objects.prefetch_related("microsoftentraprovideruser_set")
+                .all()
+                .exclude_anonymous()
+            )
             if self.exclude_users_service_account:
                 base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                     type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@@ -137,7 +142,11 @@ class MicrosoftEntraProvider(OutgoingSyncProvider):
             return base.order_by("pk")
         if type == Group:
             # Get queryset of all groups with consistent ordering
-            return Group.objects.all().order_by("pk")
+            return (
+                Group.objects.prefetch_related("microsoftentraprovidergroup_set")
+                .all()
+                .order_by("pk")
+            )
         raise ValueError(f"Invalid type {type}")
 
     def microsoft_credentials(self):

authentik/enterprise/providers/microsoft_entra/tests/test_groups.py

@@ -369,7 +369,7 @@ class MicrosoftEntraGroupTests(TestCase):
             group_create.assert_called_once()
             group_delete.assert_not_called()
 
-    def test_sync_discover(self):
+    def test_sync_task(self):
         """Test group discovery"""
         uid = generate_id()
         self.app.backchannel_providers.remove(self.provider)
@@ -430,84 +430,3 @@ class MicrosoftEntraGroupTests(TestCase):
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             user_list.assert_called_once()
             group_list.assert_called_once()
-
-    def test_sync_discover_multiple(self):
-        """Test group discovery"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        different_group = Group.objects.create(
-            name=uid,
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.item.group_item_request_builder.GroupItemRequestBuilder.patch",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.get",
-                AsyncMock(
-                    return_value=UserCollectionResponse(
-                        value=[MSUser(mail=f"{uid}@goauthentik.io", id=uid)]
-                    )
-                ),
-            ) as user_list,
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.get",
-                AsyncMock(
-                    return_value=GroupCollectionResponse(
-                        value=[MSGroup(display_name=uid, unique_name=uid, id=uid)]
-                    )
-                ),
-            ) as group_list,
-        ):
-            microsoft_entra_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                MicrosoftEntraProviderGroup.objects.filter(
-                    group=different_group, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_list.assert_called_once()
-            group_list.assert_called_once()
-
-            with patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.get",
-                AsyncMock(
-                    return_value=GroupCollectionResponse(
-                        value=[
-                            MSGroup(display_name=uid, unique_name=uid, id=uid, description="foo")
-                        ]
-                    )
-                ),
-            ) as mod_group_list:
-                microsoft_entra_sync.send(self.provider.pk).get_result()
-                self.assertTrue(
-                    MicrosoftEntraProviderGroup.objects.filter(
-                        group=different_group, provider=self.provider
-                    ).exists()
-                )
-                self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-                mod_group_list.assert_called_once()

authentik/enterprise/providers/microsoft_entra/tests/test_users.py

@@ -356,7 +356,7 @@ class MicrosoftEntraUserTests(APITestCase):
             user_patch.assert_not_called()
             user_delete.assert_not_called()
 
-    def test_sync_discover(self):
+    def test_sync_task(self):
         """Test user discovery"""
         uid = generate_id()
         self.app.backchannel_providers.remove(self.provider)
@@ -406,73 +406,6 @@ class MicrosoftEntraUserTests(APITestCase):
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             user_list.assert_called_once()
 
-    def test_sync_discover_multiple(self):
-        """Test user discovery (multiple times)"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.get",
-                AsyncMock(
-                    return_value=UserCollectionResponse(
-                        value=[MSUser(mail=f"{uid}@goauthentik.io", id=uid)]
-                    )
-                ),
-            ) as user_list,
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.get",
-                AsyncMock(return_value=GroupCollectionResponse(value=[])),
-            ),
-        ):
-            microsoft_entra_sync.send(self.provider.pk).get_result()
-            self.assertTrue(
-                MicrosoftEntraProviderUser.objects.filter(
-                    user=different_user, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_list.assert_called_once()
-
-            with patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.get",
-                AsyncMock(
-                    return_value=UserCollectionResponse(
-                        value=[MSUser(mail=f"{uid}@goauthentik.io", id=uid, about_me="foo")]
-                    )
-                ),
-            ) as mod_user_list:
-                microsoft_entra_sync.send(self.provider.pk).get_result()
-                self.assertTrue(
-                    MicrosoftEntraProviderUser.objects.filter(
-                        user=different_user, provider=self.provider
-                    ).exists()
-                )
-                self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-                mod_user_list.assert_called_once()
-
     def test_connect_manual(self):
         """test manual user connection"""
         uid = generate_id()

authentik/enterprise/search/pagination.py

@@ -1,7 +1,7 @@
 from rest_framework.response import Response
 
 from authentik.api.pagination import Pagination
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA, QLSearch
+from authentik.enterprise.search.ql import AUTOCOMPLETE_COMPONENT_NAME, QLSearch
 
 
 class AutocompletePagination(Pagination):
@@ -46,6 +46,8 @@ class AutocompletePagination(Pagination):
 
     def get_paginated_response_schema(self, schema):
         final_schema = super().get_paginated_response_schema(schema)
-        final_schema["properties"]["autocomplete"] = AUTOCOMPLETE_SCHEMA.ref
+        final_schema["properties"]["autocomplete"] = {
+            "$ref": f"#/components/schemas/{AUTOCOMPLETE_COMPONENT_NAME}"
+        }
         final_schema["required"].append("autocomplete")
         return final_schema

authentik/enterprise/search/ql.py

@@ -6,7 +6,6 @@ from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
@@ -14,12 +13,11 @@ from structlog.stdlib import get_logger
 from authentik.enterprise.search.fields import JSONSearchField
 
 LOGGER = get_logger()
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
+AUTOCOMPLETE_COMPONENT_NAME = "Autocomplete"
+AUTOCOMPLETE_SCHEMA = {
+    "type": "object",
+    "additionalProperties": {},
+}
 
 
 class BaseSchema(DjangoQLSchema):

authentik/enterprise/search/schema.py

@@ -1,8 +1,9 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
 from drf_spectacular.generators import SchemaGenerator
 
+from authentik.api.schema import create_component
 from authentik.enterprise.search.fields import JSONSearchField
-from authentik.enterprise.search.ql import AUTOCOMPLETE_SCHEMA
+from authentik.enterprise.search.ql import AUTOCOMPLETE_COMPONENT_NAME, AUTOCOMPLETE_SCHEMA
 
 
 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
@@ -23,6 +24,6 @@ class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
 
 
 def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
+    create_component(generator, AUTOCOMPLETE_COMPONENT_NAME, AUTOCOMPLETE_SCHEMA)
 
     return result

authentik/enterprise/search/settings.py

@@ -1,8 +1,7 @@
 SPECTACULAR_SETTINGS = {
     "POSTPROCESSING_HOOKS": [
-        "authentik.api.schema.postprocess_schema_register",
         "authentik.api.schema.postprocess_schema_responses",
-        "authentik.api.schema.postprocess_schema_query_params",
+        "authentik.api.schema.postprocess_schema_pagination",
         "authentik.api.schema.postprocess_schema_remove_unused",
         "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
         "drf_spectacular.hooks.postprocess_schema_enums",

authentik/enterprise/signals.py

@@ -1,41 +1,18 @@
 """Enterprise signals"""
 
-from datetime import UTC, datetime
+from datetime import datetime
 
 from django.core.cache import cache
 from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
-from django.utils.timezone import get_current_timezone, now
+from django.utils.timezone import get_current_timezone
 
-from authentik.enterprise.apps import GAUGE_LICENSE_EXPIRY, GAUGE_LICENSE_USAGE
-from authentik.enterprise.license import CACHE_KEY_ENTERPRISE_LICENSE, LicenseKey
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.license import CACHE_KEY_ENTERPRISE_LICENSE
+from authentik.enterprise.models import License
 from authentik.enterprise.tasks import enterprise_update_usage
-from authentik.root.monitoring import monitoring_set
 from authentik.tasks.schedules.models import Schedule
 
 
-@receiver(monitoring_set)
-def monitoring_set_enterprise(sender, **kwargs):
-    """set enterprise gauges"""
-    summary = LicenseKey.cached_summary()
-    if summary.status == LicenseUsageStatus.UNLICENSED:
-        return
-    percentage_internal = (
-        0
-        if summary.internal_users <= 0
-        else LicenseKey.get_internal_user_count() / (summary.internal_users / 100)
-    )
-    percentage_external = (
-        0
-        if summary.external_users <= 0
-        else LicenseKey.get_external_user_count() / (summary.external_users / 100)
-    )
-    GAUGE_LICENSE_USAGE.labels(user_type="internal").set(percentage_internal)
-    GAUGE_LICENSE_USAGE.labels(user_type="external").set(percentage_external)
-    GAUGE_LICENSE_EXPIRY.set((summary.latest_valid.replace(tzinfo=UTC) - now()).total_seconds())
-
-
 @receiver(pre_save, sender=License)
 def pre_save_license(sender: type[License], instance: License, **_):
     """Extract data from license jwt and save it into model"""

authentik/enterprise/tests/test_metrics.py

@@ -1,49 +0,0 @@
-"""Enterprise metrics tests"""
-
-from unittest.mock import MagicMock, patch
-
-from django.test import TestCase
-from prometheus_client import REGISTRY
-
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_user
-from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import License
-from authentik.enterprise.tests.test_license import expiry_valid
-from authentik.lib.generators import generate_id
-from authentik.root.monitoring import monitoring_set
-
-
-class TestEnterpriseMetrics(TestCase):
-    """Enterprise metrics tests"""
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    def test_usage_empty(self):
-        """Test usage (no users)"""
-        License.objects.create(key=generate_id())
-        User.objects.all().delete()
-        create_test_user()
-        monitoring_set.send_robust(self)
-        self.assertEqual(
-            REGISTRY.get_sample_value(
-                "authentik_enterprise_license_usage", {"user_type": "internal"}
-            ),
-            1.0,
-        )
-        self.assertEqual(
-            REGISTRY.get_sample_value(
-                "authentik_enterprise_license_usage", {"user_type": "external"}
-            ),
-            0,
-        )

authentik/events/models.py

@@ -237,7 +237,7 @@ class Event(SerializerModel, ExpiringModel):
         self.save()
         return self
 
-    def save(self, *args: Any, **kwargs: Any) -> None:
+    def save(self, *args, **kwargs):
         if self._state.adding:
             LOGGER.info(
                 "Created Event",

authentik/events/utils.py

@@ -30,10 +30,7 @@ from authentik.policies.types import PolicyRequest
 
 # Special keys which are *not* cleaned, even when the default filter
 # is matched
-ALLOWED_SPECIAL_KEYS = re.compile(
-    r"passing|password_change_date|^auth_method(_args)?$",
-    flags=re.I,
-)
+ALLOWED_SPECIAL_KEYS = re.compile("passing|password_change_date", flags=re.I)
 
 
 def cleanse_item(key: str, value: Any) -> Any:

authentik/flows/challenge.py

@@ -54,6 +54,7 @@ class Challenge(PassiveSerializer):
 
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
+    xid = CharField(required=False)
 
     response_errors = DictField(
         child=ErrorDetailSerializer(many=True), allow_empty=True, required=False

authentik/flows/models.py

@@ -190,7 +190,7 @@ class Flow(SerializerModel, PolicyBindingModel):
             )
         if self.background.name.startswith("http"):
             return self.background.name
-        if self.background.name.startswith("/"):
+        if self.background.name.startswith("/static"):
             return CONFIG.get("web.path", "/")[:-1] + self.background.name
         return self.background.url
 

authentik/flows/planner.py

@@ -143,10 +143,12 @@ class FlowPlan:
         request: HttpRequest,
         flow: Flow,
         allowed_silent_types: list["StageView"] | None = None,
+        **get_params,
     ) -> HttpResponse:
         """Redirect to the flow executor for this flow plan"""
         from authentik.flows.views.executor import (
             SESSION_KEY_PLAN,
+            FlowContainer,
             FlowExecutorView,
         )
 
@@ -157,6 +159,7 @@ class FlowPlan:
             # No unskippable stages found, so we can directly return the response of the last stage
             final_stage: type[StageView] = self.bindings[-1].stage.view
             temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
+            temp_exec.container = FlowContainer(request)
             temp_exec.current_stage = self.bindings[-1].stage
             temp_exec.current_stage_view = final_stage
             temp_exec.setup(request, flow.slug)
@@ -174,6 +177,9 @@ class FlowPlan:
         ):
             get_qs["inspector"] = "available"
 
+        for key, value in get_params:
+            get_qs[key] = value
+
         return redirect_with_qs(
             "authentik_core:if-flow",
             get_qs,

authentik/flows/stage.py

@@ -192,6 +192,7 @@ class ChallengeStageView(StageView):
                 )
                 flow_info.is_valid()
                 challenge.initial_data["flow_info"] = flow_info.data
+            challenge.initial_data["xid"] = self.executor.container.exec_id
             if isinstance(challenge, WithUserInfoChallenge):
                 # If there's a pending user, update the `username` field
                 # this field is only used by password managers.

authentik/flows/templates/if/flow.html

@@ -29,7 +29,7 @@ window.authentik.flow = {
 {% block body %}
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-<ak-flow-executor flowSlug="{{ flow.slug }}">
+<ak-flow-executor flowSlug="{{ flow.slug }}" xid="{{ xid }}">
     <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}

authentik/flows/tests/test_executor.py

@@ -13,7 +13,6 @@ from authentik.core.models import Group, User
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import (
-    FlowAuthenticationRequirement,
     FlowDeniedAction,
     FlowDesignation,
     FlowStageBinding,
@@ -178,25 +177,6 @@ class TestFlowExecutor(FlowTestCase):
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, "/unique-string")
 
-    @patch(
-        "authentik.flows.views.executor.to_stage_response",
-        TO_STAGE_RESPONSE_MOCK,
-    )
-    def test_valid_flow_redirect_authenticated(self):
-        """Test valid flow with valid redirect destination, authenticated already"""
-        flow = create_test_flow()
-        flow.designation = FlowDesignation.AUTHENTICATION
-        flow.authentication = FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
-        flow.save()
-        self.client.force_login(create_test_user())
-
-        dest = "/unique-string"
-        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
-
-        response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, "/unique-string")
-
     @patch(
         "authentik.flows.views.executor.to_stage_response",
         TO_STAGE_RESPONSE_MOCK,

authentik/flows/views/executor.py

@@ -1,6 +1,7 @@
 """authentik multi-stage authentication engine"""
 
 from copy import deepcopy
+from uuid import uuid4
 
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
@@ -63,6 +64,7 @@ from authentik.policies.engine import PolicyEngine
 LOGGER = get_logger()
 # Argument used to redirect user after login
 NEXT_ARG_NAME = "next"
+SESSION_KEY_PLAN_CONTAINER = "authentik/flows/plan_container/%s"
 SESSION_KEY_PLAN = "authentik/flows/plan"
 SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
@@ -70,6 +72,7 @@ SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
+QS_EXEC_ID = "xid"
 
 
 def challenge_types():
@@ -96,6 +99,88 @@ class InvalidStageError(SentryIgnoredException):
     """Error raised when a challenge from a stage is not valid"""
 
 
+class FlowContainer:
+    """Allow for multiple concurrent flow executions in the same session"""
+
+    def __init__(self, request: HttpRequest, exec_id: str | None = None) -> None:
+        self.request = request
+        self.exec_id = exec_id
+
+    @staticmethod
+    def new(request: HttpRequest):
+        exec_id = str(uuid4())
+        request.session[SESSION_KEY_PLAN_CONTAINER % exec_id] = {}
+        return FlowContainer(request, exec_id)
+
+    def exists(self) -> bool:
+        """Check if flow exists in container/session"""
+        return SESSION_KEY_PLAN in self.session
+
+    def save(self):
+        self.request.session.modified = True
+
+    @property
+    def session(self):
+        # Backwards compatibility: store session plan/etc directly in session
+        if not self.exec_id:
+            return self.request.session
+        self.request.session.setdefault(SESSION_KEY_PLAN_CONTAINER % self.exec_id, {})
+        return self.request.session.get(SESSION_KEY_PLAN_CONTAINER % self.exec_id, {})
+
+    @property
+    def plan(self) -> FlowPlan:
+        return self.session.get(SESSION_KEY_PLAN)
+
+    def to_redirect(
+        self,
+        request: HttpRequest,
+        flow: Flow,
+        allowed_silent_types: list[StageView] | None = None,
+        **get_params,
+    ) -> HttpResponse:
+        get_params[QS_EXEC_ID] = self.exec_id
+        return self.plan.to_redirect(
+            request, flow, allowed_silent_types=allowed_silent_types, **get_params
+        )
+
+    @plan.setter
+    def plan(self, value: FlowPlan):
+        self.session[SESSION_KEY_PLAN] = value
+        self.request.session.modified = True
+        self.save()
+
+    @property
+    def application_pre(self):
+        return self.session.get(SESSION_KEY_APPLICATION_PRE)
+
+    @property
+    def get(self) -> QueryDict:
+        return self.session.get(SESSION_KEY_GET)
+
+    @get.setter
+    def get(self, value: QueryDict):
+        self.session[SESSION_KEY_GET] = value
+        self.save()
+
+    @property
+    def post(self) -> QueryDict:
+        return self.session.get(SESSION_KEY_POST)
+
+    @post.setter
+    def post(self, value: QueryDict):
+        self.session[SESSION_KEY_POST] = value
+        self.save()
+
+    @property
+    def history(self) -> list[FlowPlan]:
+        return self.session.get(SESSION_KEY_HISTORY)
+
+    @history.setter
+    def history(self, value: list[FlowPlan]):
+        self.session[SESSION_KEY_HISTORY] = value
+        self.save()
+
+
 @method_decorator(xframe_options_sameorigin, name="dispatch")
 class FlowExecutorView(APIView):
     """Flow executor, passing requests to Stage Views"""
@@ -103,8 +188,9 @@ class FlowExecutorView(APIView):
     permission_classes = [AllowAny]
 
     flow: Flow = None
-
     plan: FlowPlan | None = None
+    container: FlowContainer
+
     current_binding: FlowStageBinding | None = None
     current_stage: Stage
     current_stage_view: View
@@ -160,10 +246,12 @@ class FlowExecutorView(APIView):
             if QS_KEY_TOKEN in get_params:
                 plan = self._check_flow_token(get_params[QS_KEY_TOKEN])
                 if plan:
-                    self.request.session[SESSION_KEY_PLAN] = plan
+                    container = FlowContainer.new(request)
+                    container.plan = plan
             # Early check if there's an active Plan for the current session
-            if SESSION_KEY_PLAN in self.request.session:
-                self.plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+            self.container = FlowContainer(request, request.GET.get(QS_EXEC_ID))
+            if self.container.exists():
+                self.plan: FlowPlan = self.container.plan
                 if self.plan.flow_pk != self.flow.pk.hex:
                     self._logger.warning(
                         "f(exec): Found existing plan for other flow, deleting plan",
@@ -176,21 +264,15 @@ class FlowExecutorView(APIView):
                     self._logger.debug("f(exec): Continuing existing plan")
 
             # Initial flow request, check if we have an upstream query string passed in
-            request.session[SESSION_KEY_GET] = get_params
+            self.container.get = get_params
             # Don't check session again as we've either already loaded the plan or we need to plan
             if not self.plan:
-                request.session[SESSION_KEY_HISTORY] = []
+                self.container.history = []
                 self._logger.debug("f(exec): No active Plan found, initiating planner")
                 try:
                     self.plan = self._initiate_plan()
+                    self.container.plan = self.plan
                 except FlowNonApplicableException as exc:
-                    # If we're this flow is for authentication and the user is already authenticated
-                    # continue to the next URL
-                    if (
-                        self.flow.designation == FlowDesignation.AUTHENTICATION
-                        and self.request.user.is_authenticated
-                    ):
-                        return self._flow_done()
                     self._logger.warning("f(exec): Flow not applicable to current user", exc=exc)
                     return self.handle_invalid_flow(exc)
                 except EmptyFlowException as exc:
@@ -262,12 +344,19 @@ class FlowExecutorView(APIView):
         request=OpenApiTypes.NONE,
         parameters=[
             OpenApiParameter(
-                name="query",
+                name=QS_QUERY,
                 location=OpenApiParameter.QUERY,
                 required=True,
                 description="Querystring as received",
                 type=OpenApiTypes.STR,
-            )
+            ),
+            OpenApiParameter(
+                name=QS_EXEC_ID,
+                location=OpenApiParameter.QUERY,
+                required=False,
+                description="Flow execution ID",
+                type=OpenApiTypes.STR,
+            ),
         ],
         operation_id="flows_executor_get",
     )
@@ -294,8 +383,8 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Stage", self.current_stage_view)
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
-                return to_stage_response(request, stage_response)
-        except Exception as exc:  # noqa
+                return to_stage_response(request, stage_response, self.container.exec_id)
+        except Exception as exc:
             return self.handle_exception(exc)
 
     @extend_schema(
@@ -313,12 +402,19 @@ class FlowExecutorView(APIView):
         ),
         parameters=[
             OpenApiParameter(
-                name="query",
+                name=QS_QUERY,
                 location=OpenApiParameter.QUERY,
                 required=True,
                 description="Querystring as received",
                 type=OpenApiTypes.STR,
-            )
+            ),
+            OpenApiParameter(
+                name=QS_EXEC_ID,
+                location=OpenApiParameter.QUERY,
+                required=True,
+                description="Flow execution ID",
+                type=OpenApiTypes.STR,
+            ),
         ],
         operation_id="flows_executor_solve",
     )
@@ -345,14 +441,15 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Stage", self.current_stage_view)
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
-                return to_stage_response(request, stage_response)
+                return to_stage_response(request, stage_response, self.container.exec_id)
         except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     def _initiate_plan(self) -> FlowPlan:
         planner = FlowPlanner(self.flow)
         plan = planner.plan(self.request)
-        self.request.session[SESSION_KEY_PLAN] = plan
+        container = FlowContainer.new(self.request)
+        container.plan = plan
         try:
             # Call the has_stages getter to check that
             # there are no issues with the class we might've gotten
@@ -376,7 +473,7 @@ class FlowExecutorView(APIView):
         except FlowNonApplicableException as exc:
             self._logger.warning("f(exec): Flow restart not applicable to current user", exc=exc)
             return self.handle_invalid_flow(exc)
-        self.request.session[SESSION_KEY_PLAN] = plan
+        self.container.plan = plan
         kwargs = self.kwargs
         kwargs.update({"flow_slug": self.flow.slug})
         return redirect_with_qs("authentik_api:flow-executor", self.request.GET, **kwargs)
@@ -398,9 +495,13 @@ class FlowExecutorView(APIView):
         )
         self.cancel()
         if next_param and not is_url_absolute(next_param):
-            return to_stage_response(self.request, redirect_with_qs(next_param))
+            return to_stage_response(
+                self.request, redirect_with_qs(next_param), self.container.exec_id
+            )
         return to_stage_response(
-            self.request, self.stage_invalid(error_message=_("Invalid next URL"))
+            self.request,
+            self.stage_invalid(error_message=_("Invalid next URL")),
+            self.container.exec_id,
         )
 
     def stage_ok(self) -> HttpResponse:
@@ -414,7 +515,7 @@ class FlowExecutorView(APIView):
             self.current_stage_view.cleanup()
         self.request.session.get(SESSION_KEY_HISTORY, []).append(deepcopy(self.plan))
         self.plan.pop()
-        self.request.session[SESSION_KEY_PLAN] = self.plan
+        self.container.plan = self.plan
         if self.plan.bindings:
             self._logger.debug(
                 "f(exec): Continuing with next stage",
@@ -457,6 +558,7 @@ class FlowExecutorView(APIView):
 
     def cancel(self):
         """Cancel current flow execution"""
+        # TODO: Clean up container
         keys_to_delete = [
             SESSION_KEY_APPLICATION_PRE,
             SESSION_KEY_PLAN,
@@ -479,8 +581,8 @@ class CancelView(View):
 
     def get(self, request: HttpRequest) -> HttpResponse:
         """View which canels the currently active plan"""
-        if SESSION_KEY_PLAN in request.session:
-            del request.session[SESSION_KEY_PLAN]
+        if FlowContainer(request, request.GET.get(QS_EXEC_ID)).exists():
+            del request.session[SESSION_KEY_PLAN_CONTAINER % request.GET.get(QS_EXEC_ID)]
             LOGGER.debug("Canceled current plan")
         return redirect("authentik_flows:default-invalidation")
 
@@ -528,19 +630,12 @@ class ToDefaultFlow(View):
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
         flow = self.get_flow()
-        # If user already has a pending plan, clear it so we don't have to later.
-        if SESSION_KEY_PLAN in self.request.session:
-            plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
-            if plan.flow_pk != flow.pk.hex:
-                LOGGER.warning(
-                    "f(def): Found existing plan for other flow, deleting plan",
-                    flow_slug=flow.slug,
-                )
-                del self.request.session[SESSION_KEY_PLAN]
-        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+        get_qs = request.GET.copy()
+        get_qs[QS_EXEC_ID] = str(uuid4())
+        return redirect_with_qs("authentik_core:if-flow", get_qs, flow_slug=flow.slug)
 
 
-def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpResponse:
+def to_stage_response(request: HttpRequest, source: HttpResponse, xid: str) -> HttpResponse:
     """Convert normal HttpResponse into JSON Response"""
     if (
         isinstance(source, HttpResponseRedirect)
@@ -559,6 +654,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
             RedirectChallenge(
                 {
                     "to": str(redirect_url),
+                    "xid": xid,
                 }
             )
         )
@@ -567,6 +663,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
             ShellChallenge(
                 {
                     "body": source.render().content.decode("utf-8"),
+                    "xid": xid,
                 }
             )
         )
@@ -576,6 +673,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
             ShellChallenge(
                 {
                     "body": source.content.decode("utf-8"),
+                    "xid": xid,
                 }
             )
         )
@@ -607,4 +705,6 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
         except FlowNonApplicableException:
             LOGGER.warning("Flow not applicable to user")
             raise Http404 from None
-        return plan.to_redirect(request, stage.configure_flow)
+        container = FlowContainer.new(request)
+        container.plan = plan
+        return container.to_redirect(request, stage.configure_flow)

authentik/flows/views/interface.py

@@ -7,6 +7,7 @@ from ua_parser.user_agent_parser import Parse
 
 from authentik.core.views.interface import InterfaceView
 from authentik.flows.models import Flow
+from authentik.flows.views.executor import QS_EXEC_ID
 
 
 class FlowInterfaceView(InterfaceView):
@@ -17,6 +18,7 @@ class FlowInterfaceView(InterfaceView):
         kwargs["flow"] = flow
         kwargs["flow_background_url"] = flow.background_url(self.request)
         kwargs["inspector"] = "inspector" in self.request.GET
+        kwargs["xid"] = self.request.GET.get(QS_EXEC_ID)
         return super().get_context_data(**kwargs)
 
     def compat_needs_sfe(self) -> bool:

authentik/lib/avatars.py

@@ -3,7 +3,7 @@
 from base64 import b64encode
 from functools import cache as funccache
 from hashlib import md5, sha256
-from typing import TYPE_CHECKING, cast
+from typing import TYPE_CHECKING
 from urllib.parse import urlencode
 
 from django.core.cache import cache
@@ -27,7 +27,7 @@ CACHE_KEY_GRAVATAR_AVAILABLE = "goauthentik.io/lib/avatars/gravatar_available"
 GRAVATAR_STATUS_TTL_SECONDS = 60 * 60 * 8  # 8 Hours
 
 SVG_XML_NS = "http://www.w3.org/2000/svg"
-SVG_NS_MAP: dict[str, str] = cast(dict[str, str], {None: SVG_XML_NS})
+SVG_NS_MAP = {None: SVG_XML_NS}
 # Match fonts used in web UI
 SVG_FONTS = [
     "'RedHatText'",
@@ -39,7 +39,7 @@ SVG_FONTS = [
 ]
 
 
-def avatar_mode_none(user: "User", mode: str) -> str:
+def avatar_mode_none(user: "User", mode: str) -> str | None:
     """No avatar"""
     return DEFAULT_AVATAR
 
@@ -62,7 +62,7 @@ def avatar_mode_gravatar(user: "User", mode: str) -> str | None:
     full_key = CACHE_KEY_GRAVATAR + mail_hash
     if cache.has_key(full_key):
         cache.touch(full_key)
-        return cast(str | None, cache.get(full_key))
+        return cache.get(full_key)
 
     try:
         # Since we specify a default of 404, do a HEAD request
@@ -129,16 +129,16 @@ def generate_avatar_from_name(
     bg_hex, text_hex = generate_colors(name)
 
     half_size = size // 2
-    shape_type = "circle" if rounded else "rect"
+    shape = "circle" if rounded else "rect"
     font_weight = "600" if bold else "400"
 
-    root_element = Element(f"{{{SVG_XML_NS}}}svg", nsmap=SVG_NS_MAP)
+    root_element: Element = Element(f"{{{SVG_XML_NS}}}svg", nsmap=SVG_NS_MAP)
     root_element.attrib["width"] = f"{size}px"
     root_element.attrib["height"] = f"{size}px"
     root_element.attrib["viewBox"] = f"0 0 {size} {size}"
     root_element.attrib["version"] = "1.1"
 
-    shape = SubElement(root_element, f"{{{SVG_XML_NS}}}{shape_type}", nsmap=SVG_NS_MAP)
+    shape = SubElement(root_element, f"{{{SVG_XML_NS}}}{shape}", nsmap=SVG_NS_MAP)
     shape.attrib["fill"] = f"#{bg_hex}"
     shape.attrib["cx"] = f"{half_size}"
     shape.attrib["cy"] = f"{half_size}"
@@ -150,7 +150,7 @@ def generate_avatar_from_name(
     text.attrib["x"] = "50%"
     text.attrib["y"] = "50%"
     text.attrib["style"] = (
-        f"color: #{text_hex}; line-height: 1; font-family: {','.join(SVG_FONTS)}; "
+        f"color: #{text_hex}; " "line-height: 1; " f"font-family: {','.join(SVG_FONTS)}; "
     )
     text.attrib["fill"] = f"#{text_hex}"
     text.attrib["alignment-baseline"] = "middle"
@@ -197,7 +197,7 @@ def get_avatar(user: "User", request: HttpRequest | None = None) -> str:
     }
     tenant = None
     if request:
-        tenant = request.tenant  # type: ignore[attr-defined]
+        tenant = request.tenant
     else:
         tenant = get_current_tenant()
     modes: str = tenant.avatars