release: 2025.10.2

website/docs: add 2025.8.5 and 2025.10.2 release notes (#18268)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.github/ISSUE_TEMPLATE/1-bug-report.yml

@@ -1,81 +0,0 @@
-name: Bug report
-description: Create a report to help us improve
-labels: ["bug", "triage"]
-type: bug
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thank you for taking the time to fill out this bug report!
-  - type: textarea
-    id: describe-the-bug
-    attributes:
-      label: Describe the bug
-      description: "A clear and concise description of what the bug is."
-      placeholder: "Describe the issue"
-    validations:
-      required: true
-  - type: textarea
-    id: how-to-reproduce
-    attributes:
-      label: How to reproduce
-      description: "Steps to reproduce the behavior."
-      placeholder: |
-        1. Go to '...'
-        2. Click on '....'
-        3. Scroll down to '....'
-        4. See error
-    validations:
-      required: true
-  - type: textarea
-    id: expected-behavior
-    attributes:
-      label: Expected behavior
-      description: "A clear and concise description of what you expected to happen."
-      placeholder: "The behavior that I expect to see is [...]"
-    validations:
-      required: true
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: "If applicable, add screenshots to help explain your problem."
-    validations:
-      required: false
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: "Add any other context about the problem here."
-      placeholder: "Also note that [...]"
-    validations:
-      required: false
-  - type: dropdown
-    id: deployment-method
-    attributes:
-      label: Deployment Method
-      description: "What deployment method are you using for authentik? Only Docker, Kubernetes and AWS CloudFormation are supported."
-      options:
-        - Docker
-        - Kubernetes
-        - AWS CloudFormation
-        - Other (please specify)
-      default: 0
-    validations:
-      required: true
-  - type: input
-    id: version
-    attributes:
-      label: Version
-      description: "What version of authentik are you using?"
-      placeholder: "[e.g. 2025.10.1]"
-    validations:
-      required: true
-  - type: textarea
-    id: logs
-    attributes:
-      label: Relevant log output
-      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
-      render: shell
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/2-docs-issue.yml

@@ -1,49 +0,0 @@
-name: Documentation suggestion/problem
-description: Suggest an improvement or report a problem in our docs
-labels: ["area: docs", "triage"]
-type: task
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thank you for taking the time to fill out this documentation issue!
-  - type: markdown
-    attributes:
-      value: |
-
-        **Consider opening a PR!**
-        If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR.
-
-        For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
-  - type: textarea
-    id: issue
-    attributes:
-      label: Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
-      description: "A clear and concise description of what the problem is, or where the document can be improved."
-      placeholder: "I believe we need more details about [...]"
-    validations:
-      required: true
-  - type: input
-    id: link
-    attributes:
-      label: Link
-      description: "Provide the URL or link to the exact page in the documentation to which you are referring."
-      placeholder: "If there are multiple pages, list them all"
-    validations:
-      required: true
-  - type: textarea
-    id: solution
-    attributes:
-      label: Solution
-      description: "A clear and concise description of what you suggest as a solution"
-      placeholder: "This issue could be resolved by [...]"
-    validations:
-      required: true
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: "Add any other context or screenshots about the documentation issue here."
-      placeholder: "Also note that [...]"
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/3-feature-request.yml

@@ -1,41 +0,0 @@
-name: Feature request
-description: Suggest an idea for a feature
-labels: ["enhancement", "triage"]
-type: feature
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thank you for taking the time to fill out this feature request!
-  - type: textarea
-    id: related-to-problem
-    attributes:
-      label: Is your feature request related to a problem?
-      description: "A clear and concise description of what the problem is."
-      placeholder: "I'm always frustrated when [...]"
-    validations:
-      required: true
-  - type: textarea
-    id: feature
-    attributes:
-      label: Describe the solution you'd like
-      description: A clear and concise description of what you want to happen.
-      placeholder: "I'd like authentik to have [...]"
-    validations:
-      required: false
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Describe alternatives that you've considered
-      description: "A clear and concise description of any alternative solutions or features you've considered."
-      placeholder: "I've tried this but [...]"
-    validations:
-      required: true
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: "Add any other context or screenshots about the feature request here."
-      placeholder: "Also note that [...]"
-    validations:
-      required: false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,39 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ""
+labels: bug
+assignees: ""
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Output of docker-compose logs or kubectl logs respectively
+
+**Version and Deployment (please complete the following information):**
+
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+-   authentik version: [e.g. 2025.2.0]
+-   Deployment: [e.g. docker-compose, helm]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: Question
-    url: https://github.com/goauthentik/authentik/discussions
-    about: Please ask questions via GitHub Discussions rather than creating issues.
-  - name: authentik Discord
-    url: https://discord.com/invite/jg33eMhnj6
-    about: For community support, visit our Discord server.

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -0,0 +1,22 @@
+---
+name: Documentation issue
+about: Suggest an improvement or report a problem
+title: ""
+labels: documentation
+assignees: ""
+---
+
+**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
+A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
+
+**Provide the URL or link to the exact page in the documentation to which you are referring.**
+If there are multiple pages, list them all, and be sure to state the header or section where the content is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Additional context**
+Add any other context or screenshots about the documentation issue here.
+
+**Consider opening a PR!**
+If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,19 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ""
+labels: enhancement
+assignees: ""
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/hackathon_idea.md

@@ -0,0 +1,17 @@
+---
+name: Hackathon Idea
+about: Propose an idea for the hackathon
+title: ""
+labels: hackathon
+assignees: ""
+---
+
+**Describe the idea**
+
+A clear concise description of the idea you want to implement
+
+You're also free to work on existing GitHub issues, whether they be feature requests or bugs, just link the existing GitHub issue here.
+
+<!-- Don't modify below here -->
+
+If you want to help working on this idea or want to contribute in any other way, react to this issue with a :rocket:

.github/ISSUE_TEMPLATE/issue_template.md

@@ -1,7 +0,0 @@
----
-name: Blank issue
-about: This issue type is only for internal use
-title:
-labels:
-assignees:
----

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,32 @@
+---
+name: Question
+about: Ask a question about a feature or specific configuration
+title: ""
+labels: question
+assignees: ""
+---
+
+**Describe your question/**
+A clear and concise description of what you're trying to do.
+
+**Relevant info**
+i.e. Version of other software you're using, specifics of your setup
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Output of docker-compose logs or kubectl logs respectively
+
+**Version and Deployment (please complete the following information):**
+
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+
+-   authentik version: [e.g. 2025.2.0]
+-   Deployment: [e.g. docker-compose, helm]
+
+**Additional context**
+Add any other context about the problem here.

.github/actions/setup/action.yml

@@ -21,7 +21,7 @@ runs:
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v5
+      uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v5
       with:
         enable-cache: true
     - name: Setup python

.github/workflows/_reusable-docker-build-single.yml

@@ -42,8 +42,8 @@ jobs:
       # Needed for checkout
       contents: read
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables

.github/workflows/_reusable-docker-build.yml

@@ -49,7 +49,7 @@ jobs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -69,7 +69,7 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev

.github/workflows/api-ts-publish.yml

@@ -22,7 +22,7 @@ jobs:
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5

.github/workflows/ci-api-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Install Dependencies
         working-directory: website/
         run: npm ci
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: api-docs
           path: website/api/build
@@ -66,8 +66,8 @@ jobs:
       - lint
       - build
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
-      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: api-docs
           path: website/api/build

.github/workflows/ci-aws-cfn.yml

@@ -21,7 +21,7 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
@@ -42,6 +42,6 @@ jobs:
       - check-changes-applied
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/ci-docs-source.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs

.github/workflows/ci-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Install dependencies
         working-directory: website/
         run: npm ci
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: website/package.json
@@ -69,11 +69,11 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
@@ -117,6 +117,6 @@ jobs:
       - build-container
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main-daily.yml

@@ -18,7 +18,7 @@ jobs:
           - version-2025-4
           - version-2025-2
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"

.github/workflows/ci-main.yml

@@ -37,7 +37,7 @@ jobs:
           - mypy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
@@ -45,7 +45,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -71,12 +71,11 @@ jobs:
           - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
       - name: checkout stable
         run: |
-          set -e -o pipefail
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
@@ -84,7 +83,7 @@ jobs:
           # Previous stable tag
           prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
           # Current version family based on
-          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
+          current_version_family=$(python -c "from authentik import VERSION; print(VERSION)" | grep -vE -- 'rc[0-9]+$')
           if [[ -n $current_version_family ]]; then
               prev_stable=$current_version_family
           fi
@@ -138,7 +137,7 @@ jobs:
           - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -158,11 +157,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
@@ -196,7 +195,7 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
@@ -234,7 +233,7 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build:
@@ -262,7 +261,7 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -21,7 +21,7 @@ jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
@@ -34,7 +34,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
         with:
           version: latest
           args: --timeout 5000s --verbose
@@ -42,7 +42,7 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
@@ -63,7 +63,7 @@ jobs:
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
@@ -86,11 +86,11 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
@@ -145,7 +145,7 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6

.github/workflows/ci-web.yml

@@ -31,7 +31,7 @@ jobs:
           - command: lit-analyse
             project: web
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
@@ -48,7 +48,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json
@@ -68,7 +68,7 @@ jobs:
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+      - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   test:
@@ -76,7 +76,7 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
         with:
           node-version-file: web/package.json

.github/workflows/gen-image-compress.yml

@@ -33,12 +33,12 @@ jobs:
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
+        uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main
         with:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env

.github/workflows/gh-cherry-pick.yml

@@ -17,7 +17,7 @@ jobs:
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
         env:
           GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         if: ${{ steps.app-token.outcome != 'skipped' }}
         with:
           fetch-depth: 0

.github/workflows/gh-gha-cache-cleanup.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Cleanup
         run: |

.github/workflows/packages-npm-publish.yml

@@ -30,7 +30,7 @@ jobs:
           - packages/tsconfig
           - packages/esbuild-plugin-live-reload
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 2
       - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5

.github/workflows/qa-codeql.yml

@@ -24,7 +24,7 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL

.github/workflows/qa-semgrep.yml

@@ -26,5 +26,5 @@ jobs:
       image: semgrep/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - run: semgrep ci

.github/workflows/release-branch-off.yml

@@ -34,7 +34,7 @@ jobs:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: main
           token: "${{ steps.app-token.outputs.token }}"
@@ -62,7 +62,7 @@ jobs:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/release-next-branch.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -31,9 +31,9 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
@@ -83,12 +83,12 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
@@ -146,7 +146,7 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
           go-version-file: "go.mod"
@@ -186,7 +186,7 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
@@ -202,7 +202,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,7 +218,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -232,7 +232,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
+        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -35,10 +35,8 @@ jobs:
           echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
       - id: changelog-url
         run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ]; then
+          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
-          elif [ "${{ inputs.release_reason }}" = "prerelease" ]; then
-            changelog_url="https://next.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
           else
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
           fi
@@ -50,7 +48,7 @@ jobs:
     name: Pre-release test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - run: make test-docker
   bump-authentik:
     name: Bump authentik version
@@ -70,7 +68,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
           token: "${{ steps.app-token.outputs.token }}"
@@ -118,7 +116,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           repository: "${{ github.repository_owner }}/helm"
           token: "${{ steps.app-token.outputs.token }}"
@@ -160,7 +158,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           repository: "${{ github.repository_owner }}/version"
           token: "${{ steps.app-token.outputs.token }}"

.github/workflows/translation-extract-compile.yml

@@ -25,11 +25,11 @@ jobs:
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup

.github/workflows/translation-rename.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - id: generate_token
         uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
         with:

Dockerfile

@@ -26,7 +26,7 @@ RUN npm run build && \
     npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.4-trixie@sha256:27e1c927a07ed2c7295d39941d6d881424739dbde9ae3055d0d3013699ed35e8 AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-trixie@sha256:7534a6264850325fcce93e47b87a0e3fddd96b308440245e6ab1325fa8a44c91 AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -76,7 +76,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.10@sha256:29bd45092ea8902c0bbb7f0a338f0494a382b1f4b18355df5be270ade679ff1d AS uv
+FROM ghcr.io/astral-sh/uv:0.9.6@sha256:4b96ee9429583983fd172c33a02ecac5242d63fb46bc27804748e38c1cc9ad0d AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
 

README.md

@@ -10,7 +10,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://explore.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 
 ## What is authentik?
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported  |
-| ---------- | ---------- |
-| 2025.8.x   | ✅         |
-| 2025.10.x  | ✅         |
+| Version   | Supported |
+| --------- | --------- |
+| 2025.6.x  | ✅        |
+| 2025.8.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.12.0-rc1"
+VERSION = "2025.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/importer.py

@@ -313,7 +313,6 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        override_serializer_instance = False
         if (
             not isinstance(model(), BaseMetaModel)
             and model_instance
@@ -342,7 +341,11 @@ class Importer:
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )
-            override_serializer_instance = True
+            model_instance = model()
+            # pk needs to be set on the model instance otherwise a new one will be generated
+            if "pk" in updated_identifiers:
+                model_instance.pk = updated_identifiers["pk"]
+            serializer_kwargs["instance"] = model_instance
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
@@ -365,12 +368,6 @@ class Importer:
                 entry=entry,
                 serializer=serializer,
             ) from exc
-        if override_serializer_instance:
-            model_instance = model()
-            # pk needs to be set on the model instance otherwise a new one will be generated
-            if "pk" in updated_identifiers:
-                model_instance.pk = updated_identifiers["pk"]
-            serializer.instance = model_instance
         return serializer
 
     def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
@@ -449,7 +446,7 @@ class Importer:
                 self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
-                if instance and instance.pk:
+                if instance.pk:
                     instance.delete()
                     self.logger.debug("Deleted model", mode=instance)
                     continue

authentik/core/models.py

@@ -44,19 +44,18 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 
 LOGGER = get_logger()
+USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
+USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
+USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
+USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
+USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
+USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
+USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
+USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
-_USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
-USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
-USER_ATTRIBUTE_GENERATED = f"{_USER_ATTR_PREFIX}/generated"
-USER_ATTRIBUTE_EXPIRES = f"{_USER_ATTR_PREFIX}/expires"
-USER_ATTRIBUTE_DELETE_ON_LOGOUT = f"{_USER_ATTR_PREFIX}/delete-on-logout"
-USER_ATTRIBUTE_SOURCES = f"{_USER_ATTR_PREFIX}/sources"
-USER_ATTRIBUTE_TOKEN_EXPIRING = f"{_USER_ATTR_PREFIX}/token-expires"  # nosec
-USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = f"{_USER_ATTR_PREFIX}/token-maximum-lifetime"  # nosec
-USER_ATTRIBUTE_CHANGE_USERNAME = f"{_USER_ATTR_PREFIX}/can-change-username"
-USER_ATTRIBUTE_CHANGE_NAME = f"{_USER_ATTR_PREFIX}/can-change-name"
-USER_ATTRIBUTE_CHANGE_EMAIL = f"{_USER_ATTR_PREFIX}/can-change-email"
-USER_PATH_SERVICE_ACCOUNT = f"{USER_PATH_SYSTEM_PREFIX}/service-accounts"
+USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
 
 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     # used_by API that allows models to specify if they shadow an object

authentik/core/templates/base/header_js.html

@@ -1,13 +1,11 @@
 {% load i18n %}
 {% get_current_language as LANGUAGE_CODE %}
 
-<script data-id="authentik-config">
-    "use strict";
-
+<script>
     window.authentik = {
         locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}' || "{}"),
-        brand: JSON.parse('{{ brand_json|escapejs }}' || "{}"),
+        config: JSON.parse('{{ config_json|escapejs }}'),
+        brand: JSON.parse('{{ brand_json|escapejs }}'),
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",

authentik/core/templates/base/placeholder.html

@@ -1,13 +0,0 @@
-{% load i18n %}
-
-<div class="ak-c-placeholder" id="ak-placeholder" slot="placeholder">
-    <span
-        class="pf-c-spinner"
-        role="progressbar"
-        aria-valuetext="Loading..."
-        >
-        <span class="pf-c-spinner__clipper"></span>
-        <span class="pf-c-spinner__lead-ball"></span>
-        <span class="pf-c-spinner__tail-ball"></span>
-    </span>
-</div>

authentik/core/templates/base/skeleton.html

@@ -3,10 +3,8 @@
 {% load authentik_core %}
 
 <!DOCTYPE html>
-<html
-    data-theme="{% if ui_theme == "dark" %}dark{% else %}light{% endif %}"
-    data-theme-choice="{% if ui_theme == "dark" %}dark{% elif ui_theme == "light" %}light{% else %}auto{% endif %}"
->
+
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -20,8 +18,11 @@
 
         {% include "base/theme.html" %}
 
-        <style data-id="brand-css">{{ brand_css }}</style>
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+
+        <style>{{ brand_css }}</style>
         <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
         {% for key, value in html_meta.items %}

authentik/core/templates/base/theme.html

@@ -1,45 +1,10 @@
-{% load static %}
-{% load authentik_core %}
-
-<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
-
 {% if ui_theme == "dark" %}
   <meta name="color-scheme" content="dark" />
   <meta name="theme-color" content="#18191a">
-
-  {% elif ui_theme == "light" %}
+{% elif ui_theme == "light" %}
   <meta name="color-scheme" content="light" />
   <meta name="theme-color" content="#ffffff">
 {% else %}
-  <script data-id="theme-script">
-    "use strict";
-
-    (function () {
-        try {
-            const initialThemeChoice =
-                new URLSearchParams(window.location.search).get("theme") ||
-                window.localStorage?.getItem("theme");
-
-            const themeChoice =
-                initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";
-
-            document.documentElement.dataset.themeChoice = themeChoice;
-
-            if (themeChoice === "auto") {
-                document.documentElement.dataset.theme = window.matchMedia(
-                    "(prefers-color-scheme: dark)",
-                ).matches
-                    ? "dark"
-                    : "light";
-            } else {
-                document.documentElement.dataset.theme = themeChoice;
-            }
-        } catch (e) {
-            console.error("Failed to apply theme", e);
-        }
-    })();
-  </script>
-
   <meta name="color-scheme" content="light dark" />
   <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
   <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">

authentik/core/templates/if/admin.html

@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
-    {% include "base/placeholder.html" %}
+    <ak-loading></ak-loading>
 </ak-interface-admin>
 {% endblock %}

authentik/core/templates/if/error.html

@@ -12,13 +12,10 @@
 {% endblock %}
 
 {% block card %}
-<div class="pf-c-form">
+<form method="POST" class="pf-c-form">
     <p>{% trans message %}</p>
-
-    <div class="pf-c-form__group">
-        <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary pf-m-block">
-            {% trans 'Go home' %}
-        </a>
-    </div>
-</div>
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
+        {% trans 'Go home' %}
+    </a>
+</form>
 {% endblock %}

authentik/core/templates/if/user.html

@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-interface-user>
-    {% include "base/placeholder.html" %}
+    <ak-loading></ak-loading>
 </ak-interface-user>
 {% endblock %}

authentik/core/templates/login/base_full.html

@@ -2,66 +2,82 @@
 
 {% load static %}
 {% load i18n %}
-{% load authentik_core %}
 
 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 
 {% block head %}
-<style data-id="static-styles">
-    :root {
-        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
-    }
+<style>
+:root {
+    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
+    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+}
+/* Form with user */
+.form-control-static {
+    margin-top: var(--pf-global--spacer--sm);
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+}
+.form-control-static .avatar {
+    display: flex;
+    align-items: center;
+}
+.form-control-static img {
+    margin-right: var(--pf-global--spacer--xs);
+}
+.form-control-static a {
+    padding-top: var(--pf-global--spacer--xs);
+    padding-bottom: var(--pf-global--spacer--xs);
+    line-height: var(--pf-global--spacer--xl);
+}
 </style>
-
-<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}
 
 {% block body %}
+<div class="pf-c-background-image">
+</div>
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-
-<div class="pf-c-page__drawer">
-    <div class="pf-c-drawer pf-m-collapsed">
-        <div class="pf-c-drawer__main">
-            <div class="pf-c-drawer__content">
-                <div class="pf-c-drawer__body">
-                    <div class="pf-c-login" data-layout="stacked">
-                        <main class="pf-c-login__main" aria-label="Authentication form">
-                            <div class="pf-c-login__main-header pf-c-brand">
-                                <img class="branding-logo" src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
-                            </div>
-                            <div class="pf-c-login__main-header">
-                                <h1 class="pf-c-title pf-m-3xl" data-test-id="card-title">
-                                    {% block card_title %}
-                                    {% endblock %}
-                                </h1>
-                            </div>
-                            <div class="pf-c-login__main-body">
-                                {% block card %}
-                                {% endblock %}
-                            </div>
-                        </main>
-                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
-                            <ul class="pf-c-list pf-m-inline">
-                                {% for link in footer_links %}
-                                <li>
-                                    <a href="{{ link.href }}">{{ link.name }}</a>
-                                </li>
-                                {% endfor %}
-                                <li>
-                                    <span>
-                                        {% trans 'Powered by authentik' %}
-                                    </span>
-                                </li>
-                            </ul>
-                        </footer>
-                    </div>
-                </div>
+<div class="pf-c-login stacked">
+    <div class="ak-login-container">
+        <main class="pf-c-login__main">
+            <div class="pf-c-login__main-header pf-c-brand ak-brand">
+                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
             </div>
-        </div>
+            <header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    {% block card_title %}
+                    {% endblock %}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                {% block card %}
+                {% endblock %}
+            </div>
+        </main>
+        <footer class="pf-c-login__footer">
+            <ul class="pf-c-list pf-m-inline">
+                {% for link in footer_links %}
+                <li>
+                    <a href="{{ link.href }}">{{ link.name }}</a>
+                </li>
+                {% endfor %}
+                <li>
+                    <span>
+                        {% trans 'Powered by authentik' %}
+                    </span>
+                </li>
+            </ul>
+        </footer>
     </div>
 </div>
 {% endblock %}

authentik/crypto/api.py

@@ -9,14 +9,9 @@ from django.http.response import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django_filters import FilterSet
-from django_filters.filters import BooleanFilter, MultipleChoiceFilter
+from django_filters.filters import BooleanFilter
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
-    OpenApiParameter,
-    OpenApiResponse,
-    extend_schema,
-    extend_schema_field,
-)
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
@@ -38,7 +33,7 @@ from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
-from authentik.crypto.models import CertificateKeyPair, KeyType
+from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
@@ -55,7 +50,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
     cert_expiry = SerializerMethodField()
     cert_subject = SerializerMethodField()
     private_key_available = SerializerMethodField()
-    key_type = SerializerMethodField()
+    private_key_type = SerializerMethodField()
 
     certificate_download_url = SerializerMethodField()
     private_key_download_url = SerializerMethodField()
@@ -95,12 +90,14 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
-    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
-    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
+    def get_private_key_type(self, instance: CertificateKeyPair) -> str | None:
+        """Get the private key's type, if set"""
         if not self._should_include_details:
             return None
-        return instance.key_type
+        key = instance.private_key
+        if key:
+            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
+        return None
 
     def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
         """Get URL to download certificate"""
@@ -164,7 +161,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
             "cert_expiry",
             "cert_subject",
             "private_key_available",
-            "key_type",
+            "private_key_type",
             "certificate_download_url",
             "private_key_download_url",
             "managed",
@@ -201,31 +198,12 @@ class CertificateKeyPairFilter(FilterSet):
         label="Only return certificate-key pairs with keys", method="filter_has_key"
     )
 
-    key_type = MultipleChoiceFilter(
-        choices=KeyType.choices,
-        label="Filter by key algorithm type",
-        method="filter_key_type",
-    )
-
     def filter_has_key(self, queryset, name, value):  # pragma: no cover
         """Only return certificate-key pairs with keys"""
         if not value:
             return queryset
         return queryset.exclude(key_data__exact="")
 
-    def filter_key_type(self, queryset, name, value):  # pragma: no cover
-        """Filter certificates by key type using the public key from the certificate"""
-        if not value:
-            return queryset
-
-        # value is a list of KeyType enum values from MultipleChoiceFilter
-        filtered_pks = []
-        for cert in queryset:
-            if cert.key_type in value:
-                filtered_pks.append(cert.pk)
-
-        return queryset.filter(pk__in=filtered_pks)
-
     class Meta:
         model = CertificateKeyPair
         fields = ["name", "managed"]
@@ -250,17 +228,6 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                 required=False,
                 description="Only return certificate-key pairs with keys",
             ),
-            OpenApiParameter(
-                "key_type",
-                OpenApiTypes.STR,
-                required=False,
-                many=True,
-                enum=[choice[0] for choice in KeyType.choices],
-                description=(
-                    "Filter by key algorithm type (RSA, EC, DSA, etc). "
-                    "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
-                ),
-            ),
             OpenApiParameter("include_details", bool, default=True),
         ]
     )

authentik/crypto/apps.py

@@ -2,8 +2,6 @@
 
 from datetime import UTC, datetime
 
-from dramatiq.broker import get_broker
-
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import fqdn_rand
@@ -72,12 +70,6 @@ class AuthentikCryptoConfig(ManagedAppConfig):
             },
         )
 
-    @ManagedAppConfig.reconcile_global
-    def tasks_middlewares(self):
-        from authentik.crypto.tasks import CertificateWatcherMiddleware
-
-        get_broker().add_middleware(CertificateWatcherMiddleware())
-
     @property
     def tenant_schedule_specs(self) -> list[ScheduleSpec]:
         from authentik.crypto.tasks import certificate_discovery

authentik/crypto/models.py

@@ -6,11 +6,6 @@ from uuid import uuid4
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
-from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
-from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
-from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
@@ -25,16 +20,6 @@ from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 LOGGER = get_logger()
 
 
-class KeyType(models.TextChoices):
-    """Cryptographic key algorithm types"""
-
-    RSA = "rsa", _("RSA")
-    EC = "ec", _("Elliptic Curve")
-    DSA = "dsa", _("DSA")
-    ED25519 = "ed25519", _("Ed25519")
-    ED448 = "ed448", _("Ed448")
-
-
 def fingerprint_sha256(cert: Certificate) -> str:
     """Get SHA256 Fingerprint of certificate"""
     return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
@@ -118,22 +103,6 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
             else ""
         )  # nosec
 
-    @property
-    def key_type(self) -> str | None:
-        """Get the key algorithm type from the certificate's public key"""
-        public_key = self.certificate.public_key()
-        if isinstance(public_key, RSAPublicKey):
-            return KeyType.RSA
-        if isinstance(public_key, EllipticCurvePublicKey):
-            return KeyType.EC
-        if isinstance(public_key, DSAPublicKey):
-            return KeyType.DSA
-        if isinstance(public_key, Ed25519PublicKey):
-            return KeyType.ED25519
-        if isinstance(public_key, Ed448PublicKey):
-            return KeyType.ED448
-        return None
-
     def __str__(self) -> str:
         return f"Certificate-Key Pair {self.name}"
 

authentik/crypto/tasks.py

@@ -2,29 +2,17 @@
 
 from glob import glob
 from pathlib import Path
-from sys import platform
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509.base import load_pem_x509_certificate
-from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
-from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
-from watchdog.events import (
-    FileCreatedEvent,
-    FileModifiedEvent,
-    FileSystemEvent,
-    FileSystemEventHandler,
-)
-from watchdog.observers import Observer
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.tasks.middleware import CurrentTask
-from authentik.tasks.schedules.models import Schedule
-from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
 
@@ -47,65 +35,6 @@ def ensure_certificate_valid(body: str):
     return body
 
 
-class CertificateWatcherMiddleware(Middleware):
-    """Middleware to start certificate file watcher"""
-
-    def start_certificate_watcher(self):
-        """Start certificate file watcher"""
-        observer = Observer()
-        kwargs = {}
-        if platform.startswith("linux"):
-            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
-        observer.schedule(
-            CertificateEventHandler(),
-            CONFIG.get("cert_discovery_dir"),
-            recursive=True,
-            **kwargs,
-        )
-        observer.start()
-
-    def after_worker_boot(self, broker, worker):
-        if not settings.TEST:
-            self.start_certificate_watcher()
-
-
-class CertificateEventHandler(FileSystemEventHandler):
-    """Event handler for certificate file events"""
-
-    # We only ever get creation and modification events.
-    # See the creation of the Observer instance above for the event filtering.
-
-    # Even though we filter to only get file events, we might still get
-    # directory events as some implementations such as inotify do not support
-    # filtering on file/directory.
-
-    def dispatch(self, event: FileSystemEvent) -> None:
-        """Call specific event handler method. Ignores directory changes."""
-        if event.is_directory:
-            return None
-        return super().dispatch(event)
-
-    def on_created(self, event: FileSystemEvent):
-        """Process certificate file creation"""
-        LOGGER.debug(
-            "Certificate file created, triggering discovery",
-            file=event.src_path,
-        )
-        for tenant in Tenant.objects.filter(ready=True):
-            with tenant:
-                Schedule.dispatch_by_actor(certificate_discovery)
-
-    def on_modified(self, event: FileSystemEvent):
-        """Process certificate file modification"""
-        LOGGER.debug(
-            "Certificate file modified, triggering discovery",
-            file=event.src_path,
-        )
-        for tenant in Tenant.objects.filter(ready=True):
-            with tenant:
-                Schedule.dispatch_by_actor(certificate_discovery)
-
-
 @actor(description=_("Discover, import and update certificates from the filesystem."))
 def certificate_discovery():
     self = CurrentTask.get_task()
@@ -137,35 +66,12 @@ def certificate_discovery():
         except (OSError, ValueError) as exc:
             LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
     for name, cert_data in certs.items():
-        # First, try to find by filename-based managed field
         cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
-
-        # If not found by filename and we have a private key, check for existing key match
-        if not cert and name in private_keys:
-            existing_with_key = (
-                CertificateKeyPair.objects.filter(
-                    managed__startswith="goauthentik.io/crypto/discovered/",
-                    key_data=private_keys[name],
-                )
-                .exclude(key_data="")
-                .first()
-            )
-            if existing_with_key:
-                cert = existing_with_key
-                # Update name and managed field to reflect the new filename
-                if cert.name != name:
-                    cert.name = name
-                    cert.managed = MANAGED_DISCOVERED % name
-                    cert.save()
-
-        # Create new certificate if not found
         if not cert:
             cert = CertificateKeyPair(
                 name=name,
                 managed=MANAGED_DISCOVERED % name,
             )
-
-        # Update certificate data if changed
         dirty = False
         if cert.certificate_data != cert_data:
             cert.certificate_data = cert_data

authentik/crypto/tests.py

@@ -2,7 +2,6 @@
 
 from json import loads
 from os import makedirs
-from pathlib import Path
 from tempfile import TemporaryDirectory
 
 from cryptography.x509.extensions import SubjectAlternativeName
@@ -320,8 +319,6 @@ class TestCrypto(APITestCase):
 
     def test_discovery(self):
         """Test certificate discovery"""
-        # This test generates 2 separate cert/key combinations
-        # and verifies they both import properly
         name = generate_id()
         builder = CertificateBuilder(name)
         with self.assertRaises(ValueError):
@@ -330,15 +327,6 @@ class TestCrypto(APITestCase):
             subject_alt_names=[],
             validity_days=3,
         )
-
-        name2 = generate_id()
-        builder2 = CertificateBuilder(name2)
-        with self.assertRaises(ValueError):
-            builder2.save()
-        builder2.build(
-            subject_alt_names=[],
-            validity_days=3,
-        )
         with TemporaryDirectory() as temp_dir:
             with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                 _cert.write(builder.certificate)
@@ -346,9 +334,9 @@ class TestCrypto(APITestCase):
                 _key.write(builder.private_key)
             makedirs(f"{temp_dir}/foo.bar", exist_ok=True)
             with open(f"{temp_dir}/foo.bar/fullchain.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder2.certificate)
+                _cert.write(builder.certificate)
             with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
-                _key.write(builder2.private_key)
+                _key.write(builder.private_key)
             with CONFIG.patch("cert_discovery_dir", temp_dir):
                 certificate_discovery.send()
         keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -360,58 +348,3 @@ class TestCrypto(APITestCase):
         self.assertTrue(
             CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
         )
-
-    def test_discovery_updating_same_private_key(self):
-        """Test certificate discovery updating certs with matching private keys"""
-        name = generate_id()
-        builder = CertificateBuilder(name)
-        builder.build(
-            subject_alt_names=[],
-            validity_days=3,
-        )
-
-        with TemporaryDirectory() as temp_dir:
-            # First discovery: write cert as "original"
-            with open(f"{temp_dir}/original.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder.certificate)
-            with open(f"{temp_dir}/original.key", "w+", encoding="utf-8") as _key:
-                _key.write(builder.private_key)
-
-            with CONFIG.patch("cert_discovery_dir", temp_dir):
-                certificate_discovery.send()
-
-            # Verify "original" cert was created
-            original = CertificateKeyPair.objects.filter(
-                managed=MANAGED_DISCOVERED % "original"
-            ).first()
-            self.assertIsNotNone(original)
-            self.assertEqual(original.name, "original")
-            self.assertIsNotNone(original.private_key)
-
-            # Second discovery: write same cert/key as "renamed"
-            Path(f"{temp_dir}/original.pem").unlink()
-            Path(f"{temp_dir}/original.key").unlink()
-
-            with open(f"{temp_dir}/renamed.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder.certificate)
-            with open(f"{temp_dir}/renamed.key", "w+", encoding="utf-8") as _key:
-                _key.write(builder.private_key)
-
-            with CONFIG.patch("cert_discovery_dir", temp_dir):
-                certificate_discovery.send()
-
-            # Verify the cert was updated
-            renamed = CertificateKeyPair.objects.filter(
-                managed=MANAGED_DISCOVERED % "renamed"
-            ).first()
-            self.assertIsNotNone(renamed, "Renamed certificate should exist")
-            self.assertEqual(renamed.name, "renamed")
-            self.assertEqual(renamed.pk, original.pk, "Should be same database object")
-
-            # Verify no new cert was created
-            final_count = CertificateKeyPair.objects.filter(
-                managed__startswith="goauthentik.io/crypto/discovered/"
-            ).count()
-            self.assertEqual(
-                1, final_count, "Should not create duplicate cert for same private key"
-            )

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -37,8 +37,6 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
             "user_delete_action",
             "group_delete_action",
             "default_group_email_domain",
-            "sync_page_size",
-            "sync_page_timeout",
             "dry_run",
         ]
         extra_kwargs = {}

authentik/enterprise/providers/google_workspace/migrations/0005_googleworkspaceprovider_sync_page_size_and_more.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-21 12:35
-
-import authentik.lib.utils.time
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_google_workspace", "0004_googleworkspaceprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="sync_page_size",
-            field=models.PositiveIntegerField(
-                default=100,
-                help_text="Controls the number of objects synced in a single task",
-                validators=[django.core.validators.MinValueValidator(1)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="sync_page_timeout",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Timeout for synchronization of a single page",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/enterprise/providers/microsoft_entra/api/providers.py

@@ -36,8 +36,6 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
             "filter_group",
             "user_delete_action",
             "group_delete_action",
-            "sync_page_size",
-            "sync_page_timeout",
             "dry_run",
         ]
         extra_kwargs = {}

authentik/enterprise/providers/microsoft_entra/migrations/0004_microsoftentraprovider_sync_page_size_and_more.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-21 12:35
-
-import authentik.lib.utils.time
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_microsoft_entra", "0003_microsoftentraprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="sync_page_size",
-            field=models.PositiveIntegerField(
-                default=100,
-                help_text="Controls the number of objects synced in a single task",
-                validators=[django.core.validators.MinValueValidator(1)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="sync_page_timeout",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Timeout for synchronization of a single page",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py

@@ -16,7 +16,7 @@ from authentik.stages.authenticator.models import Device
 
 
 class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Verify Google Chrome Device Trust connection for the user's browser."""
+    """Setup Google Chrome Device Trust connection"""
 
     credentials = models.JSONField()
 

authentik/enterprise/stages/source/models.py

@@ -10,7 +10,7 @@ from authentik.lib.utils.time import timedelta_string_validator
 
 
 class SourceStage(Stage):
-    """Suspend the current flow execution and send the user to a federated source,
+    """Suspend the current flow execution and send the user to a source,
     after which this flow execution is resumed."""
 
     source = models.ForeignKey("authentik_core.Source", on_delete=models.CASCADE)

authentik/flows/templates/if/flow-sfe.html

@@ -17,7 +17,7 @@
         <meta name="sentry-trace" content="{{ sentry_trace }}" />
         <link rel="prefetch" href="{{ flow_background_url }}" />
         {% include "base/header_js.html" %}
-        <style data-id="flow-sfe">
+        <style>
           html,
           body {
             height: 100%;

authentik/flows/templates/if/flow.html

@@ -1,74 +1,35 @@
 {% extends "base/skeleton.html" %}
 
-{% load i18n %}
 {% load static %}
 {% load authentik_core %}
 
-
 {% block head_before %}
 {{ block.super }}
 <link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script data-id="shady-dom">ShadyDOM = { force: true };</script>
+<script>ShadyDOM = { force: true };</script>
 {% endif %}
 {% include "base/header_js.html" %}
-<script data-id="flow-config">
-    "use strict";
-
-    window.authentik.flow = {
-        "layout": "{{ flow.layout }}",
-    };
+<script>
+window.authentik.flow = {
+    "layout": "{{ flow.layout }}",
+};
 </script>
-
-<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}
 
 {% block head %}
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
-<style data-id="flow-css">
-  :root {
-      --ak-global--background-image: url("{{ flow_background_url }}");
-  }
+<style>
+:root {
+    --ak-flow-background: url("{{ flow_background_url }}");
+}
 </style>
 {% endblock %}
 
 {% block body %}
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-
-<ak-locale-context>
-    <div class="pf-c-page__drawer">
-        <div class="pf-c-drawer pf-m-collapsed" id="flow-drawer">
-            <div class="pf-c-drawer__main">
-                <div class="pf-c-drawer__content">
-                    <div class="pf-c-drawer__body">
-                            <ak-flow-executor
-                                slug="{{ flow.slug }}"
-                                class="pf-c-login"
-                                data-layout="{{ flow.layout|default:'stacked' }}"
-                            >
-                                {% include "base/placeholder.html" %}
-
-                                <ak-brand-links
-                                    slot="footer"
-                                    exportparts="list:brand-links-list, list-item:brand-links-list-item"
-                                    role="contentinfo"
-                                    aria-label="{% trans 'Site footer' %}"
-                                    class="pf-c-login__footer {% if flow.layout == 'stacked' %}pf-m-dark{% endif %}"
-                                ></ak-brand-links>
-                            </ak-flow-executor>
-                        </div>
-                    </div>
-
-                    <ak-flow-inspector
-                        id="flow-inspector"
-                        data-registration="lazy"
-                        class="pf-c-drawer__panel pf-m-width-33"
-                        slug="{{ flow.slug }}"
-                    ></ak-flow-inspector>
-                </div>
-            </div>
-        </div>
-    </div>
-</ak-locale-context>
+<ak-flow-executor flowSlug="{{ flow.slug }}">
+    <ak-loading></ak-loading>
+</ak-flow-executor>
 {% endblock %}

authentik/lib/sync/outgoing/__init__.py

@@ -1,5 +1,7 @@
 """Sync constants"""
 
+PAGE_SIZE = 100
+PAGE_TIMEOUT_MS = 60 * 60 * 0.5 * 1000  # Half an hour
 HTTP_CONFLICT = 409
 HTTP_NO_CONTENT = 204
 HTTP_SERVICE_UNAVAILABLE = 503

authentik/lib/sync/outgoing/models.py

@@ -2,15 +2,15 @@ from typing import Any, Self
 
 import pglock
 from django.core.paginator import Paginator
-from django.core.validators import MinValueValidator
 from django.db import connection, models
 from django.db.models import Model, QuerySet, TextChoices
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import Actor
 
 from authentik.core.models import Group, User
+from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT_MS
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
-from authentik.lib.utils.time import fqdn_rand, timedelta_from_string, timedelta_string_validator
+from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 from authentik.tasks.schedules.models import ScheduledModel
 
@@ -27,17 +27,6 @@ class OutgoingSyncDeleteAction(TextChoices):
 class OutgoingSyncProvider(ScheduledModel, Model):
     """Base abstract models for providers implementing outgoing sync"""
 
-    sync_page_size = models.PositiveIntegerField(
-        help_text=_("Controls the number of objects synced in a single task"),
-        default=100,
-        validators=[MinValueValidator(1)],
-    )
-    sync_page_timeout = models.TextField(
-        help_text=_("Timeout for synchronization of a single page"),
-        default="minutes=30",
-        validators=[timedelta_string_validator],
-    )
-
     dry_run = models.BooleanField(
         default=False,
         help_text=_(
@@ -57,12 +46,11 @@ class OutgoingSyncProvider(ScheduledModel, Model):
         raise NotImplementedError
 
     def get_paginator[T: User | Group](self, type: type[T]) -> Paginator:
-        return Paginator(self.get_object_qs(type), self.sync_page_size)
+        return Paginator(self.get_object_qs(type), PAGE_SIZE)
 
     def get_object_sync_time_limit_ms[T: User | Group](self, type: type[T]) -> int:
         num_pages: int = self.get_paginator(type).num_pages
-        page_timeout_ms = timedelta_from_string(self.sync_page_timeout).total_seconds() * 1000
-        return int(num_pages * page_timeout_ms * 1.5)
+        return int(num_pages * PAGE_TIMEOUT_MS * 1.5)
 
     def get_sync_time_limit_ms(self) -> int:
         return int(

authentik/lib/sync/outgoing/tasks.py

@@ -9,6 +9,7 @@ from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import Group, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT_MS
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
@@ -19,7 +20,6 @@ from authentik.lib.sync.outgoing.exceptions import (
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
 from authentik.lib.utils.errors import exception_to_dict
 from authentik.lib.utils.reflection import class_to_path, path_to_class
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.tasks.middleware import CurrentTask
 from authentik.tasks.models import Task
 
@@ -44,11 +44,10 @@ class SyncTasks:
         **options,
     ):
         tasks = []
-        time_limit = timedelta_from_string(provider.sync_page_timeout).total_seconds() * 1000
         for page in paginator.page_range:
             page_sync = sync_objects.message_with_options(
                 args=(class_to_path(object_type), page, provider.pk),
-                time_limit=time_limit,
+                time_limit=PAGE_TIMEOUT_MS,
                 # Assign tasks to the same schedule as the current one
                 rel_obj=current_task.rel_obj,
                 uid=f"{provider.name}:{object_type._meta.model_name}:{page}",
@@ -140,10 +139,7 @@ class SyncTasks:
             client = provider.client_for_model(_object_type)
         except TransientSyncException:
             return
-        paginator = Paginator(
-            provider.get_object_qs(_object_type).filter(**filter),
-            provider.sync_page_size,
-        )
+        paginator = Paginator(provider.get_object_qs(_object_type).filter(**filter), PAGE_SIZE)
         if client.can_discover:
             self.logger.debug("starting discover")
             client.discover()

authentik/policies/templates/policies/denied.html

@@ -12,7 +12,8 @@
 {% endblock %}
 
 {% block card %}
-<div class="pf-c-form">
+<form class="pf-c-form">
+    {% csrf_token %}
     {% if user.is_authenticated %}
         <div class="pf-c-form__group">
             <div class="form-control-static">
@@ -28,7 +29,7 @@
     {% endif %}
     <div class="pf-c-form__group">
         <p>
-            <i class="pf-icon pf-icon-error-circle-o pf-u-font-size-2xl" role="img" aria-label="{% trans 'Error' %}"></i>
+            <i class="pf-icon pf-icon-error-circle-o"></i>
             {% trans 'Request has been denied.' %}
         </p>
         {% if error %}
@@ -70,11 +71,5 @@
             {% endif %}
         {% endif %}
     </div>
-
-    <div class="pf-c-form__group">
-        <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary pf-m-block">
-            {% trans 'Go home' %}
-        </a>
-    </div>
-</div>
+</form>
 {% endblock %}

authentik/providers/oauth2/tests/test_token_cc_user_pw.py

@@ -126,6 +126,30 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
             },
         )
 
+    def test_deactivate(self):
+        """test deactivated user"""
+        self.user.is_active = False
+        self.user.save()
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "error": "invalid_grant",
+                "error_description": TokenError.errors["invalid_grant"],
+                "request_id": response.headers["X-authentik-id"],
+            },
+        )
+
     def test_permission_denied(self):
         """test permission denied"""
         group = Group.objects.create(name="foo")

authentik/providers/oauth2/views/token.py

@@ -336,7 +336,7 @@ class TokenParams:
         self, request: HttpRequest, username: str, password: str
     ):
         # Authenticate user based on credentials
-        user = User.objects.filter(username=username).first()
+        user = User.objects.filter(username=username, is_active=True).first()
         if not user:
             raise TokenError("invalid_grant")
         token: Token = Token.filter_not_expired(

authentik/providers/rac/templates/if/rac.html

@@ -11,6 +11,6 @@
 
 {% block body %}
 <ak-rac token="{{ url_kwargs.token }}" endpointName="{{ token.endpoint.name }}">
-    {% include "base/placeholder.html" %}
+  <ak-loading></ak-loading>
 </ak-rac>
 {% endblock %}

authentik/providers/saml/models.py

@@ -61,14 +61,6 @@ class SAMLProvider(Provider):
     acs_url = models.TextField(
         validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
     )
-    sp_binding = models.TextField(
-        choices=SAMLBindings.choices,
-        default=SAMLBindings.REDIRECT,
-        verbose_name=_("Service Provider Binding"),
-        help_text=_(
-            "This determines how authentik sends the response back to the Service Provider."
-        ),
-    )
     audience = models.TextField(
         default="",
         blank=True,
@@ -78,6 +70,14 @@ class SAMLProvider(Provider):
         ),
     )
     issuer = models.TextField(help_text=_("Also known as EntityID"), default="authentik")
+    sp_binding = models.TextField(
+        choices=SAMLBindings.choices,
+        default=SAMLBindings.REDIRECT,
+        verbose_name=_("Service Provider Binding"),
+        help_text=_(
+            "This determines how authentik sends the response back to the Service Provider."
+        ),
+    )
     sls_url = models.TextField(
         blank=True,
         validators=[DomainlessURLValidator(schemes=("http", "https"))],

authentik/providers/scim/api/providers.py

@@ -38,8 +38,6 @@ class SCIMProviderSerializer(
             "compatibility_mode",
             "exclude_users_service_account",
             "filter_group",
-            "sync_page_size",
-            "sync_page_timeout",
             "dry_run",
         ]
         extra_kwargs = {}

authentik/providers/scim/migrations/0016_scimprovider_sync_page_size_and_more.py

@@ -1,33 +0,0 @@
-# Generated by Django 5.2.7 on 2025-10-21 12:35
-
-import authentik.lib.utils.time
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0015_alter_scimprovider_compatibility_mode"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovider",
-            name="sync_page_size",
-            field=models.PositiveIntegerField(
-                default=100,
-                help_text="Controls the number of objects synced in a single task",
-                validators=[django.core.validators.MinValueValidator(1)],
-            ),
-        ),
-        migrations.AddField(
-            model_name="scimprovider",
-            name="sync_page_timeout",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Timeout for synchronization of a single page",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-    ]

authentik/root/settings.py

@@ -471,9 +471,9 @@ STORAGES = {
 }
 
 # Django 5.2.8 and CVE-2025-64458 added a strong enforcement of 2048 characters
-# as the maximum for a URL to redirect to, mostly for running on Windows.
-# However, our URLs can easily exceed that with OAuth/SAML Query parameters or hash values.
-# 8192 should cover most cases.
+# as the maximum for a URL to redirect to, mostly for running on windows.
+# However our URLs can easily exceed that with OAuth/SAML Query parameters or hash values
+# 8192 should cover most cases..
 http_response.MAX_URL_LENGTH = http_response.MAX_URL_LENGTH * 4
 
 

authentik/stages/authenticator_duo/models.py

@@ -16,7 +16,7 @@ from authentik.stages.authenticator.models import Device
 
 
 class AuthenticatorDuoStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup Duo authentication for the user."""
+    """Setup Duo authenticator devices"""
 
     api_hostname = models.TextField()
 

authentik/stages/authenticator_email/models.py

@@ -20,7 +20,7 @@ from authentik.stages.email.utils import TemplateEmailMessage
 
 
 class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup Email-based authentication for the user."""
+    """Use Email-based authentication instead of authenticator-based."""
 
     use_global_settings = models.BooleanField(
         default=False,

authentik/stages/authenticator_static/models.py

@@ -16,7 +16,7 @@ from authentik.stages.authenticator.models import Device, ThrottlingMixin
 
 
 class AuthenticatorStaticStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup static token based authentication for the user."""
+    """Generate static tokens for the user as a backup."""
 
     token_count = models.PositiveIntegerField(default=6)
     token_length = models.PositiveIntegerField(default=12)

authentik/stages/authenticator_totp/models.py

@@ -27,7 +27,7 @@ class TOTPDigits(models.TextChoices):
 
 
 class AuthenticatorTOTPStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup Time-based OTP authentication for the user."""
+    """Enroll a user's device into Time-based OTP."""
 
     digits = models.IntegerField(choices=TOTPDigits.choices)
 

authentik/stages/authenticator_validate/models.py

@@ -36,7 +36,7 @@ def default_device_classes() -> list:
 
 
 class AuthenticatorValidateStage(Stage):
-    """Validate user's configured Multi Factor Authentication."""
+    """Validate user's configured OTP Device."""
 
     not_configured_action = models.TextField(
         choices=NotConfiguredAction.choices, default=NotConfiguredAction.SKIP

authentik/stages/authenticator_webauthn/models.py

@@ -68,7 +68,7 @@ class AuthenticatorAttachment(models.TextChoices):
 
 
 class AuthenticatorWebAuthnStage(ConfigurableStage, FriendlyNamedStage, Stage):
-    """Setup WebAuthn-based authentication for the user."""
+    """Stage to enroll WebAuthn-based authenticators."""
 
     user_verification = models.TextField(
         choices=UserVerification.choices,

authentik/stages/email/models.py

@@ -62,7 +62,7 @@ def get_template_choices():
 
 
 class EmailStage(Stage):
-    """Send an Email to the user with a token to confirm their Email address."""
+    """Sends an Email to the user with a token to confirm their Email address."""
 
     use_global_settings = models.BooleanField(
         default=False,

authentik/stages/identification/models.py

@@ -21,7 +21,7 @@ class UserFields(models.TextChoices):
 
 
 class IdentificationStage(Stage):
-    """Identify the user for authentication."""
+    """Allows the user to identify themselves for authentication."""
 
     user_fields = ArrayField(
         models.CharField(max_length=100, choices=UserFields.choices),

authentik/stages/invitation/api.py

@@ -2,15 +2,11 @@
 
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
-from guardian.shortcuts import get_anonymous_user
-from rest_framework.serializers import PrimaryKeyRelatedField
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.groups import PartialUserSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer
-from authentik.core.models import User
 from authentik.flows.api.flows import FlowSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.invitation.models import Invitation, InvitationStage
@@ -53,16 +49,6 @@ class InvitationSerializer(ModelSerializer):
     fixed_data = JSONDictField(required=False)
     flow_obj = FlowSerializer(read_only=True, required=False, source="flow")
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            self.fields["created_by"] = PrimaryKeyRelatedField(
-                queryset=User.objects.all(),
-                required=False,
-                allow_null=True,
-                default=get_anonymous_user(),
-            )
-
     class Meta:
         model = Invitation
         fields = [
@@ -87,7 +73,4 @@ class InvitationViewSet(UsedByMixin, ModelViewSet):
     filterset_fields = ["name", "created_by__username", "expires", "flow__slug"]
 
     def perform_create(self, serializer: InvitationSerializer):
-        kwargs = {}
-        if SERIALIZER_CONTEXT_BLUEPRINT not in serializer.context:
-            kwargs["created_by"] = self.request.user
-        serializer.save(**kwargs)
+        serializer.save(created_by=self.request.user)

authentik/stages/invitation/stage.py

@@ -38,7 +38,7 @@ class InvitationStageView(StageView):
         if not token:
             return None
         try:
-            invite: Invitation = Invitation.objects.filter(pk=token).first()
+            invite: Invitation | None = Invitation.filter_not_expired(pk=token).first()
         except ValidationError:
             self.logger.debug("invalid invitation", token=token)
             return None

authentik/stages/invitation/tests.py

@@ -1,13 +1,14 @@
 """invitation tests"""
 
+from datetime import timedelta
 from unittest.mock import MagicMock, patch
 
 from django.urls import reverse
 from django.utils.http import urlencode
+from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
 
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@@ -15,7 +16,6 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.stages.invitation.api import InvitationSerializer
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.stage import (
     PLAN_CONTEXT_INVITATION_TOKEN,
@@ -79,6 +79,31 @@ class TestInvitationStage(FlowTestCase):
         self.stage.continue_flow_without_invitation = False
         self.stage.save()
 
+    def test_with_invitation_expired(self):
+        """Test with invitation, expired"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        data = {"foo": "bar"}
+        invite = Invitation.objects.create(
+            created_by=get_anonymous_user(),
+            fixed_data=data,
+            expires=now() - timedelta(hours=1),
+        )
+
+        base_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        args = urlencode({QS_INVITATION_TOKEN_KEY: invite.pk.hex})
+        response = self.client.get(base_url + f"?query={args}")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            flow=self.flow,
+            component="ak-stage-access-denied",
+        )
+
     def test_with_invitation_get(self):
         """Test with invitation, check data in session"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
@@ -173,20 +198,3 @@ class TestInvitationsAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 201)
         self.assertEqual(Invitation.objects.first().created_by, self.user)
-
-    def test_invite_create_blueprint_context(self):
-        """Test Invitations creation via blueprint context"""
-
-        flow = create_test_flow(FlowDesignation.ENROLLMENT)
-        data = {
-            "name": "test-blueprint-invitation",
-            "flow": flow.pk.hex,
-            "single_use": True,
-            "fixed_data": {"email": "test@example.com"},
-        }
-        serializer = InvitationSerializer(data=data, context={SERIALIZER_CONTEXT_BLUEPRINT: True})
-        self.assertTrue(serializer.is_valid())
-        invitation = serializer.save()
-        self.assertEqual(invitation.created_by, get_anonymous_user())
-        self.assertEqual(invitation.name, "test-blueprint-invitation")
-        self.assertEqual(invitation.fixed_data, {"email": "test@example.com"})

authentik/stages/password/models.py

@@ -39,7 +39,7 @@ def get_authentication_backends():
 
 
 class PasswordStage(ConfigurableStage, Stage):
-    """Prompt the user for their password, and validate it against the configured backends."""
+    """Prompts the user for their password, and validates it against the configured backends."""
 
     backends = ArrayField(
         models.TextField(choices=get_authentication_backends()),

authentik/stages/prompt/models.py

@@ -336,7 +336,7 @@ class Prompt(SerializerModel):
 
 
 class PromptStage(Stage):
-    """Prompt the user to enter information."""
+    """Define arbitrary prompts for the user."""
 
     fields = models.ManyToManyField(Prompt)
 

authentik/stages/redirect/models.py

@@ -16,7 +16,7 @@ class RedirectMode(models.TextChoices):
 
 
 class RedirectStage(Stage):
-    """Redirect the user to another flow, potentially with all gathered context."""
+    """Redirect the user to another flow, potentially with all gathered context"""
 
     keep_context = models.BooleanField(default=True)
     mode = models.TextField(choices=RedirectMode.choices)

authentik/stages/user_delete/models.py

@@ -8,7 +8,7 @@ from authentik.flows.models import Stage
 
 
 class UserDeleteStage(Stage):
-    """Delete the pending user without confirmation.
+    """Deletes the currently pending user without confirmation.
     Use with caution."""
 
     @property

authentik/stages/user_login/models.py

@@ -30,7 +30,7 @@ class GeoIPBinding(models.TextChoices):
 
 
 class UserLoginStage(Stage):
-    """Attach the pending user to the current session."""
+    """Attaches the currently pending user to the current session."""
 
     session_duration = models.TextField(
         default="seconds=0",

authentik/stages/user_logout/models.py

@@ -8,7 +8,7 @@ from authentik.flows.models import Stage
 
 
 class UserLogoutStage(Stage):
-    """Ends the user's session."""
+    """Resets the users current session."""
 
     @property
     def serializer(self) -> type[BaseSerializer]:

authentik/stages/user_write/models.py

@@ -18,8 +18,8 @@ class UserCreationMode(models.TextChoices):
 
 
 class UserWriteStage(Stage):
-    """Write pending data into the pending user, or if no user exists,
-    create a new user with the data."""
+    """Writes currently pending data into the pending user, or if no user exists,
+    creates a new user with the data."""
 
     user_creation_mode = models.TextField(
         choices=UserCreationMode.choices,

blueprints/example/flows-invitation-enrollment.yaml

@@ -1,396 +0,0 @@
-# Example - Invitation-based Enrollment Blueprint
-#
-# This blueprint demonstrates invitation-based user enrollment with support for
-# internal and external user types, automatic group assignment, and user path organization.
-#
-# What this blueprint creates:
-# - 3 enrollment flows:
-#   * External users flow (invitation-enrollment-flow-external)
-#   * Internal users flow (invitation-enrollment-flow-internal)
-#   * Internal users flow with automatic group assignment (invitation-enrollment-flow-internal-engineering)
-# - 3 invitation stages (one for each flow)
-# - Prompt fields for collecting user credentials and details (username, password, name, email)
-# - 2 prompt stages (credentials and user details)
-# - 3 user write stages configured for different user types and paths:
-#   * External users: user_type=external, path=users/external
-#   * Internal users: user_type=internal, path=users/internal
-#   * Engineering team: user_type=internal, path=users/internal/engineering, auto-assigned to engineering-team group
-# - 1 user login stage
-# - 1 example group (engineering-team)
-# - 5 example invitations demonstrating different use cases
-#
-# For detailed documentation, see:
-# https://docs.goauthentik.io/users-sources/user/invitations/
-#
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "false"
-  name: Example - Invitation-based Enrollment
-entries:
-  # Flow definition for external users
-  - identifiers:
-      slug: invitation-enrollment-flow-external
-    model: authentik_flows.flow
-    id: flow-external
-    attrs:
-      name: Invitation Enrollment Flow (External Users)
-      title: Welcome! Complete your enrollment
-      designation: enrollment
-      authentication: require_unauthenticated
-
-  # Flow definition for internal users
-  - identifiers:
-      slug: invitation-enrollment-flow-internal
-    model: authentik_flows.flow
-    id: flow-internal
-    attrs:
-      name: Invitation Enrollment Flow (Internal Users)
-      title: Welcome! Complete your enrollment
-      designation: enrollment
-      authentication: require_unauthenticated
-
-  # Flow definition for internal users with group assignment
-  - identifiers:
-      slug: invitation-enrollment-flow-internal-engineering
-    model: authentik_flows.flow
-    id: flow-internal-engineering
-    attrs:
-      name: Invitation Enrollment Flow (Internal - Engineering Team)
-      title: Welcome to the Engineering Team!
-      designation: enrollment
-      authentication: require_unauthenticated
-
-  # Invitation Stage for external users
-  - identifiers:
-      name: invitation-enrollment-invitation-external
-    id: invitation-stage-external
-    model: authentik_stages_invitation.invitationstage
-    attrs:
-      continue_flow_without_invitation: false
-
-  # Invitation Stage for internal users
-  - identifiers:
-      name: invitation-enrollment-invitation-internal
-    id: invitation-stage-internal
-    model: authentik_stages_invitation.invitationstage
-    attrs:
-      continue_flow_without_invitation: false
-
-  # Invitation Stage for internal engineering users
-  - identifiers:
-      name: invitation-enrollment-invitation-internal-engineering
-    id: invitation-stage-internal-engineering
-    model: authentik_stages_invitation.invitationstage
-    attrs:
-      continue_flow_without_invitation: false
-
-  # Prompt fields for user information
-  - id: prompt-field-username
-    model: authentik_stages_prompt.prompt
-    identifiers:
-      name: invitation-enrollment-field-username
-    attrs:
-      field_key: username
-      label: Username
-      type: username
-      required: true
-      placeholder: Username
-      placeholder_expression: false
-      order: 0
-
-  - identifiers:
-      name: invitation-enrollment-field-password
-    id: prompt-field-password
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: password
-      label: Password
-      type: password
-      required: true
-      placeholder: Password
-      placeholder_expression: false
-      order: 1
-
-  - identifiers:
-      name: invitation-enrollment-field-password-repeat
-    id: prompt-field-password-repeat
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: password_repeat
-      label: Password (repeat)
-      type: password
-      required: true
-      placeholder: Password (repeat)
-      placeholder_expression: false
-      order: 2
-
-  - identifiers:
-      name: invitation-enrollment-field-name
-    id: prompt-field-name
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: name
-      label: Name
-      type: text
-      required: true
-      placeholder: Name
-      placeholder_expression: false
-      order: 0
-
-  - identifiers:
-      name: invitation-enrollment-field-email
-    id: prompt-field-email
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: email
-      label: Email
-      type: email
-      required: true
-      placeholder: Email
-      placeholder_expression: false
-      order: 1
-
-  # Prompt stage for credentials
-  - identifiers:
-      name: invitation-enrollment-prompt-credentials
-    id: prompt-stage-credentials
-    model: authentik_stages_prompt.promptstage
-    attrs:
-      fields:
-        - !KeyOf prompt-field-username
-        - !KeyOf prompt-field-password
-        - !KeyOf prompt-field-password-repeat
-
-  # Prompt stage for user details
-  - identifiers:
-      name: invitation-enrollment-prompt-details
-    id: prompt-stage-details
-    model: authentik_stages_prompt.promptstage
-    attrs:
-      fields:
-        - !KeyOf prompt-field-name
-        - !KeyOf prompt-field-email
-
-  # User write stage for external users
-  - identifiers:
-      name: invitation-enrollment-user-write-external
-    id: user-write-stage-external
-    model: authentik_stages_user_write.userwritestage
-    attrs:
-      user_creation_mode: always_create
-      user_type: external
-      user_path_template: users/external
-
-  # User write stage for internal users
-  - identifiers:
-      name: invitation-enrollment-user-write-internal
-    id: user-write-stage-internal
-    model: authentik_stages_user_write.userwritestage
-    attrs:
-      user_creation_mode: always_create
-      user_type: internal
-      user_path_template: users/internal
-
-  # Example group for demonstrating group assignment
-  - identifiers:
-      name: engineering-team
-    id: group-engineering
-    model: authentik_core.group
-    attrs:
-      is_superuser: false
-
-  # User write stage for internal users with group assignment
-  - identifiers:
-      name: invitation-enrollment-user-write-internal-engineering
-    id: user-write-stage-internal-engineering
-    model: authentik_stages_user_write.userwritestage
-    attrs:
-      user_creation_mode: always_create
-      user_type: internal
-      user_path_template: users/internal/engineering
-      create_users_group: !KeyOf group-engineering
-
-  # User login stage
-  - identifiers:
-      name: invitation-enrollment-user-login
-    id: user-login-stage
-    model: authentik_stages_user_login.userloginstage
-
-  # Flow stage bindings for EXTERNAL users flow
-  - identifiers:
-      target: !KeyOf flow-external
-      stage: !KeyOf invitation-stage-external
-      order: 5
-    model: authentik_flows.flowstagebinding
-    attrs:
-      evaluate_on_plan: true
-      re_evaluate_policies: true
-
-  - identifiers:
-      target: !KeyOf flow-external
-      stage: !KeyOf prompt-stage-credentials
-      order: 10
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-external
-      stage: !KeyOf prompt-stage-details
-      order: 15
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-external
-      stage: !KeyOf user-write-stage-external
-      order: 20
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-external
-      stage: !KeyOf user-login-stage
-      order: 100
-    model: authentik_flows.flowstagebinding
-
-  # Flow stage bindings for INTERNAL users flow
-  - identifiers:
-      target: !KeyOf flow-internal
-      stage: !KeyOf invitation-stage-internal
-      order: 5
-    model: authentik_flows.flowstagebinding
-    attrs:
-      evaluate_on_plan: true
-      re_evaluate_policies: true
-
-  - identifiers:
-      target: !KeyOf flow-internal
-      stage: !KeyOf prompt-stage-credentials
-      order: 10
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal
-      stage: !KeyOf prompt-stage-details
-      order: 15
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal
-      stage: !KeyOf user-write-stage-internal
-      order: 20
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal
-      stage: !KeyOf user-login-stage
-      order: 100
-    model: authentik_flows.flowstagebinding
-
-  # Flow stage bindings for INTERNAL ENGINEERING users flow (with group assignment)
-  - identifiers:
-      target: !KeyOf flow-internal-engineering
-      stage: !KeyOf invitation-stage-internal-engineering
-      order: 5
-    model: authentik_flows.flowstagebinding
-    attrs:
-      evaluate_on_plan: true
-      re_evaluate_policies: true
-
-  - identifiers:
-      target: !KeyOf flow-internal-engineering
-      stage: !KeyOf prompt-stage-credentials
-      order: 10
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal-engineering
-      stage: !KeyOf prompt-stage-details
-      order: 15
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal-engineering
-      stage: !KeyOf user-write-stage-internal-engineering
-      order: 20
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow-internal-engineering
-      stage: !KeyOf user-login-stage
-      order: 100
-    model: authentik_flows.flowstagebinding
-
-  # Example invitations
-
-  # EXTERNAL USER INVITATIONS
-
-  # Example 1: Basic single-use invitation for external user
-  - identifiers:
-      name: example-external-basic-invitation
-    model: authentik_stages_invitation.invitation
-    id: invitation-external-basic
-    attrs:
-      flow: !KeyOf flow-external
-      single_use: false
-      fixed_data: {}
-
-  # Example 2: Multi-use invitation for external users with pre-filled email
-  - identifiers:
-      name: example-external-prefilled-email-invitation
-    model: authentik_stages_invitation.invitation
-    id: invitation-external-prefilled-email
-    attrs:
-      flow: !KeyOf flow-external
-      single_use: true
-      expires: "2028-12-31T23:59:59Z"
-      fixed_data:
-        email: "external@example.com"
-
-  # INTERNAL USER INVITATIONS
-
-  # Example 3: Single-use invitation for internal user with pre-filled fields
-  - identifiers:
-      name: example-internal-prefilled-invitation
-    model: authentik_stages_invitation.invitation
-    id: invitation-internal-prefilled
-    attrs:
-      flow: !KeyOf flow-internal
-      single_use: true
-      expires: "2028-12-31T23:59:59Z"
-      fixed_data:
-        name: "Jane Smith"
-        email: "jane.smith@company.com"
-
-  # Example 4: Long-term multi-use invitation for internal department
-  - identifiers:
-      name: example-internal-department-invitation
-    model: authentik_stages_invitation.invitation
-    id: invitation-internal-department
-    attrs:
-      flow: !KeyOf flow-internal
-      single_use: false
-      expires:  "2028-12-31T23:59:59Z"
-      fixed_data:
-        attributes:
-          department: "Engineering"
-          team: "Backend"
-
-  # Example 5: Invitation with automatic group assignment
-  - identifiers:
-      name: example-engineering-team-invitation
-    model: authentik_stages_invitation.invitation
-    id: invitation-engineering-team
-    attrs:
-      flow: !KeyOf flow-internal-engineering
-      single_use: false
-      expires: "2028-12-31T23:59:59Z"
-      fixed_data:
-        attributes:
-          department: "Engineering"
-
-  # Note: Group assignment works by using a flow with a UserWriteStage that has
-  # 'create_users_group' configured. See example 5 above - users enrolling via
-  # the 'invitation-enrollment-flow-internal-engineering' flow will automatically
-  # be added to the 'engineering-team' group.
-  #
-  # Groups cannot be set directly in invitation fixed_data because they require
-  # database relationships that must be established after user creation.

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.12.0-rc1 Blueprint schema",
+    "title": "authentik 2025.10.2 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -5871,19 +5871,6 @@
                     "minLength": 1,
                     "title": "Default group email domain"
                 },
-                "sync_page_size": {
-                    "type": "integer",
-                    "minimum": 1,
-                    "maximum": 2147483647,
-                    "title": "Sync page size",
-                    "description": "Controls the number of objects synced in a single task"
-                },
-                "sync_page_timeout": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Sync page timeout",
-                    "description": "Timeout for synchronization of a single page"
-                },
                 "dry_run": {
                     "type": "boolean",
                     "title": "Dry run",
@@ -6037,19 +6024,6 @@
                     ],
                     "title": "Group delete action"
                 },
-                "sync_page_size": {
-                    "type": "integer",
-                    "minimum": 1,
-                    "maximum": 2147483647,
-                    "title": "Sync page size",
-                    "description": "Controls the number of objects synced in a single task"
-                },
-                "sync_page_timeout": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Sync page timeout",
-                    "description": "Timeout for synchronization of a single page"
-                },
                 "dry_run": {
                     "type": "boolean",
                     "title": "Dry run",
@@ -9702,19 +9676,6 @@
                     "format": "uuid",
                     "title": "Filter group"
                 },
-                "sync_page_size": {
-                    "type": "integer",
-                    "minimum": 1,
-                    "maximum": 2147483647,
-                    "title": "Sync page size",
-                    "description": "Controls the number of objects synced in a single task"
-                },
-                "sync_page_timeout": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Sync page timeout",
-                    "description": "Timeout for synchronization of a single page"
-                },
                 "dry_run": {
                     "type": "boolean",
                     "title": "Dry run",
@@ -14981,10 +14942,6 @@
                     "additionalProperties": true,
                     "title": "Fixed data"
                 },
-                "created_by": {
-                    "type": "integer",
-                    "title": "Created by"
-                },
                 "single_use": {
                     "type": "boolean",
                     "title": "Single use",

docker-compose.yml

@@ -31,7 +31,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.2}
     ports:
     - ${COMPOSE_PORT_HTTP:-9000}:9000
     - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -52,7 +52,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.2}
     restart: unless-stopped
     user: root
     volumes:

go.mod

@@ -9,10 +9,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.16.0
-	github.com/getsentry/sentry-go v0.38.0
+	github.com/getsentry/sentry-go v0.36.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.12
-	github.com/go-openapi/runtime v0.29.2
+	github.com/go-openapi/runtime v0.29.0
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -32,18 +32,19 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025120.3
+	goauthentik.io/api/v3 v3.2025100.25
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.33.0
-	golang.org/x/sync v0.18.0
+	golang.org/x/oauth2 v0.32.0
+	golang.org/x/sync v0.17.0
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/gorm v1.31.1
+	gorm.io/gorm v1.31.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -54,13 +55,13 @@ require (
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.24.1 // indirect
-	github.com/go-openapi/errors v0.22.4 // indirect
+	github.com/go-openapi/analysis v0.24.0 // indirect
+	github.com/go-openapi/errors v0.22.3 // indirect
 	github.com/go-openapi/jsonpointer v0.22.1 // indirect
-	github.com/go-openapi/jsonreference v0.21.3 // indirect
-	github.com/go-openapi/loads v0.23.2 // indirect
-	github.com/go-openapi/spec v0.22.1 // indirect
-	github.com/go-openapi/strfmt v0.25.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.2 // indirect
+	github.com/go-openapi/loads v0.23.1 // indirect
+	github.com/go-openapi/spec v0.22.0 // indirect
+	github.com/go-openapi/strfmt v0.24.0 // indirect
 	github.com/go-openapi/swag/conv v0.25.1 // indirect
 	github.com/go-openapi/swag/fileutils v0.25.1 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.1 // indirect
@@ -70,7 +71,7 @@ require (
 	github.com/go-openapi/swag/stringutils v0.25.1 // indirect
 	github.com/go-openapi/swag/typeutils v0.25.1 // indirect
 	github.com/go-openapi/swag/yamlutils v0.25.1 // indirect
-	github.com/go-openapi/validate v0.25.1 // indirect
+	github.com/go-openapi/validate v0.25.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -87,17 +88,17 @@ require (
 	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
-	go.mongodb.org/mongo-driver v1.17.6 // indirect
+	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -6,6 +6,8 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/avast/retry-go/v4 v4.7.0 h1:yjDs35SlGvKwRNSykujfjdMxMhMQQM0TnIjJaHB+Zio=
 github.com/avast/retry-go/v4 v4.7.0/go.mod h1:ZMPDa3sY2bKgpLtap9JRUgk2yTAba7cgiFhqxY2Sg6Q=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -20,8 +22,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.38.0 h1:S8Xui7gLeAvXINVLMOaX94HnsDf1GexnfXGSNC4+KQs=
-github.com/getsentry/sentry-go v0.38.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
+github.com/getsentry/sentry-go v0.36.0 h1:UkCk0zV28PiGf+2YIONSSYiYhxwlERE5Li3JPpZqEns=
+github.com/getsentry/sentry-go v0.36.0/go.mod h1:p5Im24mJBeruET8Q4bbcMfCQ+F+Iadc4L48tB1apo2c=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -41,22 +43,22 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/analysis v0.24.1 h1:Xp+7Yn/KOnVWYG8d+hPksOYnCYImE3TieBa7rBOesYM=
-github.com/go-openapi/analysis v0.24.1/go.mod h1:dU+qxX7QGU1rl7IYhBC8bIfmWQdX4Buoea4TGtxXY84=
-github.com/go-openapi/errors v0.22.4 h1:oi2K9mHTOb5DPW2Zjdzs/NIvwi2N3fARKaTJLdNabaM=
-github.com/go-openapi/errors v0.22.4/go.mod h1:z9S8ASTUqx7+CP1Q8dD8ewGH/1JWFFLX/2PmAYNQLgk=
+github.com/go-openapi/analysis v0.24.0 h1:vE/VFFkICKyYuTWYnplQ+aVr45vlG6NcZKC7BdIXhsA=
+github.com/go-openapi/analysis v0.24.0/go.mod h1:GLyoJA+bvmGGaHgpfeDh8ldpGo69fAJg7eeMDMRCIrw=
+github.com/go-openapi/errors v0.22.3 h1:k6Hxa5Jg1TUyZnOwV2Lh81j8ayNw5VVYLvKrp4zFKFs=
+github.com/go-openapi/errors v0.22.3/go.mod h1:+WvbaBBULWCOna//9B9TbLNGSFOfF8lY9dw4hGiEiKQ=
 github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk=
 github.com/go-openapi/jsonpointer v0.22.1/go.mod h1:pQT9OsLkfz1yWoMgYFy4x3U5GY5nUlsOn1qSBH5MkCM=
-github.com/go-openapi/jsonreference v0.21.3 h1:96Dn+MRPa0nYAR8DR1E03SblB5FJvh7W6krPI0Z7qMc=
-github.com/go-openapi/jsonreference v0.21.3/go.mod h1:RqkUP0MrLf37HqxZxrIAtTWW4ZJIK1VzduhXYBEeGc4=
-github.com/go-openapi/loads v0.23.2 h1:rJXAcP7g1+lWyBHC7iTY+WAF0rprtM+pm8Jxv1uQJp4=
-github.com/go-openapi/loads v0.23.2/go.mod h1:IEVw1GfRt/P2Pplkelxzj9BYFajiWOtY2nHZNj4UnWY=
-github.com/go-openapi/runtime v0.29.2 h1:UmwSGWNmWQqKm1c2MGgXVpC2FTGwPDQeUsBMufc5Yj0=
-github.com/go-openapi/runtime v0.29.2/go.mod h1:biq5kJXRJKBJxTDJXAa00DOTa/anflQPhT0/wmjuy+0=
-github.com/go-openapi/spec v0.22.1 h1:beZMa5AVQzRspNjvhe5aG1/XyBSMeX1eEOs7dMoXh/k=
-github.com/go-openapi/spec v0.22.1/go.mod h1:c7aeIQT175dVowfp7FeCvXXnjN/MrpaONStibD2WtDA=
-github.com/go-openapi/strfmt v0.25.0 h1:7R0RX7mbKLa9EYCTHRcCuIPcaqlyQiWNPTXwClK0saQ=
-github.com/go-openapi/strfmt v0.25.0/go.mod h1:nNXct7OzbwrMY9+5tLX4I21pzcmE6ccMGXl3jFdPfn8=
+github.com/go-openapi/jsonreference v0.21.2 h1:Wxjda4M/BBQllegefXrY/9aq1fxBA8sI5M/lFU6tSWU=
+github.com/go-openapi/jsonreference v0.21.2/go.mod h1:pp3PEjIsJ9CZDGCNOyXIQxsNuroxm8FAJ/+quA0yKzQ=
+github.com/go-openapi/loads v0.23.1 h1:H8A0dX2KDHxDzc797h0+uiCZ5kwE2+VojaQVaTlXvS0=
+github.com/go-openapi/loads v0.23.1/go.mod h1:hZSXkyACCWzWPQqizAv/Ye0yhi2zzHwMmoXQ6YQml44=
+github.com/go-openapi/runtime v0.29.0 h1:Y7iDTFarS9XaFQ+fA+lBLngMwH6nYfqig1G+pHxMRO0=
+github.com/go-openapi/runtime v0.29.0/go.mod h1:52HOkEmLL/fE4Pg3Kf9nxc9fYQn0UsIWyGjGIJE9dkg=
+github.com/go-openapi/spec v0.22.0 h1:xT/EsX4frL3U09QviRIZXvkh80yibxQmtoEvyqug0Tw=
+github.com/go-openapi/spec v0.22.0/go.mod h1:K0FhKxkez8YNS94XzF8YKEMULbFrRw4m15i2YUht4L0=
+github.com/go-openapi/strfmt v0.24.0 h1:dDsopqbI3wrrlIzeXRbqMihRNnjzGC+ez4NQaAAJLuc=
+github.com/go-openapi/strfmt v0.24.0/go.mod h1:Lnn1Bk9rZjXxU9VMADbEEOo7D7CDyKGLsSKekhFr7s4=
 github.com/go-openapi/swag/conv v0.25.1 h1:+9o8YUg6QuqqBM5X6rYL/p1dpWeZRhoIt9x7CCP+he0=
 github.com/go-openapi/swag/conv v0.25.1/go.mod h1:Z1mFEGPfyIKPu0806khI3zF+/EUXde+fdeksUl2NiDs=
 github.com/go-openapi/swag/fileutils v0.25.1 h1:rSRXapjQequt7kqalKXdcpIegIShhTPXx7yw0kek2uU=
@@ -77,12 +79,8 @@ github.com/go-openapi/swag/typeutils v0.25.1 h1:rD/9HsEQieewNt6/k+JBwkxuAHktFtH3
 github.com/go-openapi/swag/typeutils v0.25.1/go.mod h1:9McMC/oCdS4BKwk2shEB7x17P6HmMmA6dQRtAkSnNb8=
 github.com/go-openapi/swag/yamlutils v0.25.1 h1:mry5ez8joJwzvMbaTGLhw8pXUnhDK91oSJLDPF1bmGk=
 github.com/go-openapi/swag/yamlutils v0.25.1/go.mod h1:cm9ywbzncy3y6uPm/97ysW8+wZ09qsks+9RS8fLWKqg=
-github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4=
-github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=
-github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
-github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
-github.com/go-openapi/validate v0.25.1 h1:sSACUI6Jcnbo5IWqbYHgjibrhhmt3vR6lCzKZnmAgBw=
-github.com/go-openapi/validate v0.25.1/go.mod h1:RMVyVFYte0gbSTaZ0N4KmTn6u/kClvAFp+mAVfS/DQc=
+github.com/go-openapi/validate v0.25.0 h1:JD9eGX81hDTjoY3WOzh6WqxVBVl7xjsLnvDo1GL5WPU=
+github.com/go-openapi/validate v0.25.0/go.mod h1:SUY7vKrN5FiwK6LyvSwKjDfLNirSfWwHNgxd2l29Mmw=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
@@ -196,8 +194,8 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
 github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss=
-go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
+go.mongodb.org/mongo-driver v1.17.4 h1:jUorfmVzljjr0FLzYQsGP8cgN/qzzxlY9Vh0C9KFXVw=
+go.mongodb.org/mongo-driver v1.17.4/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
@@ -214,13 +212,13 @@ go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-goauthentik.io/api/v3 v3.2025120.3 h1:a/azcVyRED1sCfp2sbtv8Bl9ChR6BHRsb5rQHc449xQ=
-goauthentik.io/api/v3 v3.2025120.3/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
+goauthentik.io/api/v3 v3.2025100.25 h1:NC82Q8CbmD6T8s1AblPjwJl/lUZBEOmNrKZHBTnxGiY=
+goauthentik.io/api/v3 v3.2025100.25/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -230,15 +228,15 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -249,8 +247,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -262,8 +260,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -281,7 +279,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
-gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
+gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 layeh.com/radius v0.0.0-20231213012653-1006025d24f8 h1:orYXpi6BJZdvgytfHH4ybOe4wHnLbbS71Cmd8mWdZjs=
 layeh.com/radius v0.0.0-20231213012653-1006025d24f8/go.mod h1:QRf+8aRqXc019kHkpcs/CTgyWXFzf+bxlsyuo2nAl1o=

internal/constants/VERSION

@@ -1 +1 @@
-2025.12.0-rc1
+2025.10.2

internal/outpost/proxyv2/application/session.go

@@ -34,7 +34,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	switch sessionBackend {
 	case "postgres":
 		// New PostgreSQL store
-		ps, err := postgresstore.NewPostgresStore(a.log)
+		ps, err := postgresstore.NewPostgresStore()
 		if err != nil {
 			return nil, err
 		}