web: Make viewing the in-page documentation optional

After talking with @GirlBossRush, I realized that my architecture would be simplified by separating
the style controller from the renderer.  Lit uses Controllers just for that purpose, so:

1. A renderer that either puts down the button or puts down the documentation

2. A controller that monitors the button for its state and, when that state changes, updates the
   host's CSS to fit within the page correctly when the button is rotated.

3. Some helper styles the container needs to help the button display correctly.

Run the thing and click on the button.

This changes the look and feel of the application to a small degree. Screenshots may need to be
updated.

None.

\# What

\# Why

\# How

\# Designs

\# Test Steps

\# Other Notes

.bumpversion.cfg

@@ -0,0 +1,34 @@
+[bumpversion]
+current_version = 2024.12.2
+tag = True
+commit = True
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
+serialize =
+	{major}.{minor}.{patch}-{rc_t}{rc_n}
+	{major}.{minor}.{patch}
+message = release: {new_version}
+tag_name = version/{new_version}
+
+[bumpversion:part:rc_t]
+values =
+	rc
+	final
+optional_value = final
+
+[bumpversion:file:pyproject.toml]
+
+[bumpversion:file:package.json]
+
+[bumpversion:file:docker-compose.yml]
+
+[bumpversion:file:schema.yml]
+
+[bumpversion:file:blueprints/schema.json]
+
+[bumpversion:file:authentik/__init__.py]
+
+[bumpversion:file:internal/constants/constants.go]
+
+[bumpversion:file:web/src/common/constants.ts]
+
+[bumpversion:file:lifecycle/aws/template.yaml]

.dockerignore

@@ -1,15 +1,12 @@
 htmlcov
 *.env.yml
-node_modules
 **/node_modules
 dist/**
 build/**
 build_docs/**
 *Dockerfile
-**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
-.venv

.editorconfig

@@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.toml]
-indent_size = 2
-
 [*.html]
 indent_size = 2
 

.github/ISSUE_TEMPLATE/bug_report.md

@@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
--   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -1,22 +0,0 @@
----
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
----
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/ISSUE_TEMPLATE/question.md

@@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
-
--   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/actions/docker-push-variables/action.yml

@@ -54,10 +54,6 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
     - name: Generate config
       id: ev
       shell: bash
@@ -68,4 +64,4 @@ runs:
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         REF: ${{ github.ref }}
       run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -1,10 +1,12 @@
 """Helper script to get the actual branch name, docker safe"""
 
+import configparser
 import os
 from json import dumps
 from time import time
 
-from authentik import authentik_version
+parser = configparser.ConfigParser()
+parser.read(".bumpversion.cfg")
 
 # Decide if we should push the image or not
 should_push = True
@@ -29,7 +31,7 @@ is_release = "dev" not in image_names[0]
 sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
 
 # 2042.1.0 or 2042.1.0-rc1
-version = authentik_version()
+version = parser.get("bumpversion", "current_version")
 # 2042.1
 version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
 prerelease = "-" in version
@@ -42,6 +44,7 @@ if is_release:
         ]
         if not prerelease:
             image_tags += [
+                f"{name}:latest",
                 f"{name}:{version_family}",
             ]
 else:

.github/actions/docker-push-variables/test.sh

@@ -4,7 +4,7 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
     GITHUB_REPOSITORY=goauthentik/authentik \
     python $SCRIPT_DIR/push_vars.py
 
@@ -12,7 +12,7 @@ GITHUB_OUTPUT=/dev/stdout \
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
     GITHUB_REPOSITORY=goauthentik/authentik \
     DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py

.github/actions/setup/action.yml

@@ -2,9 +2,6 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  dependencies:
-    description: "List of dependencies to setup"
-    default: "system,python,node,go,runtime"
   postgresql_version:
     description: "Optional postgresql image tag"
     default: "16"
@@ -12,54 +9,36 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+    - name: Install poetry & deps
       shell: bash
       run: |
-        sudo apt-get remove --purge man-db
+        pipx install poetry || true
         sudo apt-get update
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@v5
-      with:
-        enable-cache: true
-    - name: Setup python
-      if: ${{ contains(inputs.dependencies, 'python') }}
+    - name: Setup python and restore poetry
       uses: actions/setup-python@v5
       with:
         python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
     - name: Setup node
-      if: ${{ contains(inputs.dependencies, 'node') }}
       uses: actions/setup-node@v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
     - name: Setup go
-      if: ${{ contains(inputs.dependencies, 'go') }}
       uses: actions/setup-go@v5
       with:
         go-version-file: "go.mod"
-    - name: Setup docker cache
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry install --sync
         cd web && npm ci
     - name: Generate config
-      if: ${{ contains(inputs.dependencies, 'python') }}
-      shell: uv run python {0}
+      shell: poetry run python {0}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/setup/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       - 5432:5432
     restart: always
   redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
     ports:
       - 6379:6379
     restart: always

.github/codespell-words.txt

@@ -1,32 +1,7 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed
+assertIn

.github/dependabot.yml

@@ -23,13 +23,7 @@ updates:
   - package-ecosystem: npm
     directories:
       - "/web"
-      - "/web/packages/sfe"
-      - "/web/packages/core"
-      - "/packages/esbuild-plugin-live-reload"
-      - "/packages/prettier-config"
-      - "/packages/tsconfig"
-      - "/packages/docusaurus-config"
-      - "/packages/eslint-config"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -74,9 +68,6 @@ updates:
       wdio:
         patterns:
           - "@wdio/*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
   - package-ecosystem: npm
     directory: "/website"
     schedule:
@@ -91,22 +82,6 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
-      eslint:
-        patterns:
-          - "@eslint/*"
-          - "@typescript-eslint/*"
-          - "eslint-*"
-          - "eslint"
-          - "typescript-eslint"
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:
@@ -117,7 +92,7 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
     directory: "/"
     schedule:
       interval: daily
@@ -137,15 +112,3 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies

.github/pull_request_template.md

@@ -31,4 +31,4 @@ If changes to the frontend have been made
 If applicable
 
 -   [ ] The documentation has been updated
--   [ ] The documentation has been formatted (`make docs`)
+-   [ ] The documentation has been formatted (`make website`)

.github/workflows/_reusable-docker-build-single.yaml

@@ -1,6 +1,5 @@
----
 # Re-usable workflow for a single-architecture build
-name: Reusable - Single-arch Container build
+name: Single-arch Container build
 
 on:
   workflow_call:
@@ -39,17 +38,15 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
-      # Needed for checkout
-      contents: read
     steps:
-      - uses: actions/checkout@v5
-      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.3.0
       - uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
           image-arch: ${{ inputs.image_arch }}
@@ -58,8 +55,8 @@ jobs:
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3
@@ -80,7 +77,7 @@ jobs:
         id: push
         with:
           context: .
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: true
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
@@ -92,7 +89,6 @@ jobs:
           cache-to: ${{ steps.ev.outputs.cacheTo }}
       - uses: actions/attest-build-provenance@v2
         id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}

.github/workflows/_reusable-docker-build.yaml

@@ -1,6 +1,5 @@
----
 # Re-usable workflow for a multi-architecture build
-name: Reusable - Multi-arch container build
+name: Multi-arch container build
 
 on:
   workflow_call:
@@ -47,19 +46,17 @@ jobs:
       - build-server-arm64
     outputs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
-      shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
   merge-server:
     runs-on: ubuntu-latest
-    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
     needs:
       - get-tags
       - build-server-amd64
@@ -69,20 +66,20 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3

.github/workflows/api-py-publish.yml

@@ -1,13 +1,10 @@
----
-name: API - Publish Python client
-
+name: authentik-api-py-publish
 on:
   push:
     branches: [main]
     paths:
       - "schema.yml"
   workflow_dispatch:
-
 jobs:
   build:
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
@@ -20,7 +17,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Install poetry & deps
@@ -33,6 +30,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version-file: "pyproject.toml"
+          cache: "poetry"
       - name: Generate API Client
         run: make gen-client-py
       - name: Publish package

.github/workflows/api-ts-publish.yml

@@ -1,13 +1,10 @@
----
-name: API - Publish Typescript client
-
+name: authentik-api-ts-publish
 on:
   push:
     branches: [main]
     paths:
       - "schema.yml"
   workflow_dispatch:
-
 jobs:
   build:
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
@@ -18,7 +15,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
@@ -30,8 +27,8 @@ jobs:
       - name: Publish package
         working-directory: gen-ts-api/
         run: |
-          npm i
-          npm publish --tag generated
+          npm ci
+          npm publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
@@ -56,7 +53,6 @@ jobs:
           signoff: true
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-api-docs.yml

@@ -1,95 +0,0 @@
----
-name: CI - API Docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@v5
-      - name: Install Dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ${{ github.workspace }}/website/api/.docusaurus
-            ${{ github.workspace }}/website/api/**/.cache
-          key: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
-          restore-keys: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}
-      - name: Build API Docs via Docusaurus
-        working-directory: website
-        env:
-          NODE_ENV: production
-        run: npm run build -w api
-      - uses: actions/upload-artifact@v4
-        with:
-          name: api-docs
-          path: website/api/build
-          retention-days: 7
-  deploy:
-    runs-on: ubuntu-latest
-    needs:
-      - lint
-      - build
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v5
-        with:
-          name: api-docs
-          path: website/api/build
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - name: Deploy Netlify (Production)
-        working-directory: website/api
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: npx netlify deploy --no-build --prod
-      - name: Deploy Netlify (Preview)
-        if: github.event_name == 'pull_request' || github.ref != 'refs/heads/main'
-        working-directory: website/api
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: |
-          if [ -n "${VAR}" ]; then
-            npx netlify deploy --no-build --alias=deploy-preview-${{ github.event.number }}
-          fi

.github/workflows/ci-aws-cfn.yml

@@ -1,5 +1,4 @@
----
-name: CI - AWS cfn
+name: authentik-ci-aws-cfn
 
 on:
   push:
@@ -21,7 +20,7 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - uses: actions/setup-node@v4
@@ -34,7 +33,7 @@ jobs:
           npm ci
       - name: Check changes have been applied
         run: |
-          uv run make aws-cfn
+          poetry run make aws-cfn
           git diff --exit-code
   ci-aws-cfn-mark:
     if: always()

.github/workflows/ci-docs.yml

@@ -1,124 +0,0 @@
----
-name: CI - Docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@v5
-      - name: Install dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build-docs:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Documentation via Docusaurus
-        working-directory: website/
-        run: npm run build
-  build-integrations:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Integrations via Docusaurus
-        working-directory: website/
-        run: npm run build -w integrations
-  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-docs
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          platforms: linux/amd64,linux/arm64
-          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
-  ci-website-mark:
-    if: always()
-    needs:
-      - lint
-      - build-docs
-      - build-integrations
-      - build-container
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/ci-main-daily.yml

@@ -1,29 +0,0 @@
----
-name: CI - Main daily
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Every night at 3am
-    - cron: "0 3 * * *"
-
-jobs:
-  test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-          - docs
-          - version-2025-4
-          - version-2025-2
-    steps:
-      - uses: actions/checkout@v5
-      - run: |
-          current="$(pwd)"
-          dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
-          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -1,5 +1,5 @@
 ---
-name: CI - Main
+name: authentik-ci-main
 
 on:
   push:
@@ -17,12 +17,6 @@ env:
   POSTGRES_USER: authentik
   POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
-permissions:
-  # Needed for checkout
-  contents: read
-  # Needed for codecov OIDC token
-  id-token: write
-
 jobs:
   lint:
     strategy:
@@ -36,46 +30,36 @@ jobs:
           - ruff
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
-        run: uv run python -m lifecycle.migrate
-  test-make-seed:
-    runs-on: ubuntu-latest
-    steps:
-      - id: seed
-        run: |
-          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
-    outputs:
-      seed: ${{ steps.seed.outputs.seed }}
+        run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
           - 15-alpine
           - 16-alpine
-          - 17-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
@@ -88,7 +72,7 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -96,83 +80,76 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
       - name: run tests
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          uv run make ci-test
+          poetry run make test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         psql:
           - 15-alpine
           - 16-alpine
-          - 17-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run unittest
-        env:
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          uv run make ci-test
+          poetry run make test
+          poetry run coverage xml
       - if: ${{ always() }}
         uses: codecov/codecov-action@v5
         with:
           flags: unit
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
       - if: ${{ !cancelled() }}
         uses: codecov/test-results-action@v1
         with:
           flags: unit
           file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1.12.0
       - name: run integration
         run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
       - if: ${{ always() }}
         uses: codecov/codecov-action@v5
         with:
           flags: integration
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
       - if: ${{ !cancelled() }}
         uses: codecov/test-results-action@v1
         with:
           flags: integration
           file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -198,7 +175,7 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
@@ -208,7 +185,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
         working-directory: web
@@ -216,22 +193,21 @@ jobs:
           npm ci
           make -C .. gen-client-ts
           npm run build
-          npm run build:sfe
       - name: run e2e
         run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
       - if: ${{ always() }}
         uses: codecov/codecov-action@v5
         with:
           flags: e2e
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
       - if: ${{ !cancelled() }}
         uses: codecov/test-results-action@v1
         with:
           flags: e2e
           file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
     if: always()
     needs:
@@ -253,13 +229,11 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
-      # Needed for checkout
-      contents: read
     needs: ci-core-mark
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+      image_name: ghcr.io/goauthentik/dev-server
       release: false
   pr-comment:
     needs:
@@ -271,14 +245,14 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR

.github/workflows/ci-outpost.yml

@@ -1,5 +1,5 @@
 ---
-name: CI - Outpost
+name: authentik-ci-outpost
 
 on:
   push:
@@ -16,7 +16,7 @@ jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout 5000s --verbose
@@ -37,7 +37,7 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
@@ -59,7 +59,6 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -79,18 +78,18 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
@@ -138,7 +137,7 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - uses: actions/setup-go@v5

.github/workflows/ci-web.yml

@@ -1,5 +1,4 @@
----
-name: CI - Web
+name: authentik-ci-web
 
 on:
   push:
@@ -31,7 +30,7 @@ jobs:
           - command: lit-analyse
             project: web
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version-file: ${{ matrix.project }}/package.json
@@ -48,7 +47,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version-file: web/package.json
@@ -76,7 +75,7 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version-file: web/package.json

.github/workflows/ci-website.yml

@@ -0,0 +1,74 @@
+name: authentik-ci-website
+
+on:
+  push:
+    branches:
+      - main
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - main
+      - version-*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint:lockfile
+          - prettier-check
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: npm ci
+      - name: Lint
+        working-directory: website/
+        run: npm run ${{ matrix.command }}
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: test
+        working-directory: website/
+        run: npm test
+  build:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: build
+        working-directory: website/
+        run: npm run ${{ matrix.job }}
+  ci-website-mark:
+    if: always()
+    needs:
+      - lint
+      - test
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/codeql-analysis.yml

@@ -1,9 +1,8 @@
----
-name: QA - CodeQL
+name: "CodeQL"
 
 on:
   push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
   pull_request:
     branches: [main]
   schedule:
@@ -24,7 +23,7 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL

.github/workflows/gen-update-webauthn-mds.yml

@@ -1,10 +1,8 @@
----
-name: Gen - Webauthn MDS
-
+name: authentik-gen-update-webauthn-mds
 on:
   workflow_dispatch:
   schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'
 
 env:
   POSTGRES_DB: authentik
@@ -21,12 +19,12 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
       - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
@@ -39,7 +37,6 @@ jobs:
           signoff: true
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gha-cache-cleanup.yml

@@ -1,7 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: GH - Cleanup actions cache after PR is closed
-
+name: Cleanup cache after PR is closed
 on:
   pull_request:
     types:
@@ -16,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Cleanup
         run: |

.github/workflows/ghcr-retention.yml

@@ -1,5 +1,4 @@
----
-name: GH - GHCR retention
+name: ghcr-retention
 
 on:
   # schedule:

.github/workflows/image-compress.yml

@@ -1,5 +1,5 @@
 ---
-name: Gen - Compress images
+name: authentik-compress-images
 
 on:
   push:
@@ -33,7 +33,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
@@ -53,7 +53,6 @@ jobs:
           body: ${{ steps.compress.outputs.markdown }}
           delete-branch: true
           signoff: true
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         with:

.github/workflows/packages-npm-publish.yml

@@ -1,50 +0,0 @@
----
-name: Packages - Publish NPM packages
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
-      - packages/esbuild-plugin-live-reload/**
-  workflow_dispatch:
-
-jobs:
-  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package:
-          - packages/docusaurus-config
-          - packages/eslint-config
-          - packages/prettier-config
-          - packages/tsconfig
-          - packages/esbuild-plugin-live-reload
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
-        with:
-          files: |
-            ${{ matrix.package }}/package.json
-      - name: Publish package
-        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: ${{ matrix.package }}
-        run: |
-          npm ci
-          npm run build
-          npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/publish-source-docs.yml

@@ -1,5 +1,4 @@
----
-name: CI - Source code docs
+name: authentik-publish-source-docs
 
 on:
   push:
@@ -17,13 +16,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs
         run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
       - name: Publish
         uses: netlify/actions/cli@master
         with:

.github/workflows/qa-semgrep.yml

@@ -1,30 +0,0 @@
----
-name: QA - Semgrep
-
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/qa-semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v5
-      - run: semgrep ci

.github/workflows/release-branch-off.yml

@@ -1,83 +0,0 @@
----
-name: Release - Branch-off
-
-on:
-  workflow_dispatch:
-    inputs:
-      next_version:
-        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
-        required: true
-        type: string
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-inputs:
-    name: Check inputs validity
-    runs-on: ubuntu-latest
-    steps:
-      - run: |
-          echo "${{ inputs.next_version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}$"
-  branch-off:
-    name: Branch-off
-    needs:
-      - check-inputs
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@v5
-        with:
-          ref: main
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: python
-      - name: Create version branch
-        run: |
-          current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
-          git checkout -b "version-${current_major_version}"
-          git push origin "version-${current_major_version}"
-  bump-version-pr:
-    name: Open version bump PR
-    needs:
-      - branch-off
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@v5
-        with:
-          ref: main
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: release-bump-${{ inputs.next_version }}
-          commit-message: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          title: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          body: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>

.github/workflows/release-next-branch.yml

@@ -1,5 +1,4 @@
----
-name: Release - Update next branch
+name: authentik-on-release-next-branch
 
 on:
   schedule:
@@ -16,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -1,5 +1,5 @@
 ---
-name: Release - On publish
+name: authentik-on-release
 
 on:
   release:
@@ -9,66 +9,12 @@ jobs:
   build-server:
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
-    permissions:
-      contents: read
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     with:
-      image_name: ghcr.io/goauthentik/server,authentik/server
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
       release: true
-      registry_dockerhub: true
-      registry_ghcr: true
-  build-docs:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v5
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/docs
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: true
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
@@ -83,21 +29,21 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.3.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
-          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
+          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
       - name: make empty clients
         run: |
           mkdir -p ./gen-ts-api
@@ -105,8 +51,8 @@ jobs:
       - name: Docker Login Registry
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -146,7 +92,7 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
@@ -186,7 +132,7 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
@@ -202,7 +148,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,12 +164,12 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
@@ -232,13 +178,13 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: authentik-security-inc
           SENTRY_PROJECT: authentik
         with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
           sourcemaps: "./web/dist"
           url_prefix: "~/static/dist"

.github/workflows/release-tag.yml

@@ -1,195 +1,48 @@
 ---
-name: Release - Tag new version
+name: authentik-on-tag
 
 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Version
-        required: true
-        type: string
-      release_reason:
-        description: Release reason
-        required: true
-        type: choice
-        options:
-          - bugfix
-          - feature
-          - security
-          - other
-          - prerelease
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  push:
+    tags:
+      - "version/*"
 
 jobs:
-  check-inputs:
-    name: Check inputs validity
+  build:
+    name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - id: check
+      - uses: actions/checkout@v4
+      - name: Pre-release test
         run: |
-          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
-      - id: changelog-url
-        run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
-          else
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
-          fi
-          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
-    outputs:
-      major_version: "${{ steps.check.outputs.major_version }}"
-      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
-  test:
-    name: Pre-release test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - run: make test-docker
-  bump-authentik:
-    name: Bump authentik version
-    needs:
-      - check-inputs
-      - test
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker compose up --no-start
+          docker compose start postgresql redis
+          docker compose run -u root server test-all
+      - id: generate_token
+        uses: tibdex/github-app-token@v2
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
         env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.version }}"
-      - name: Commit and push
-        run: |
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
-          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
-          git push --follow-tags
+          image-name: ghcr.io/goauthentik/server
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         with:
-          token: "${{ steps.app-token.outputs.token }}"
-          tag_name: "version/${{ inputs.version }}"
-          name: Release ${{ inputs.version }}
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ steps.ev.outputs.version }}
           draft: true
-          prerelease: ${{ inputs.release_reason == 'prerelease' }}
-          generate_release_notes: true
-          body: |
-            See ${{ needs.check-inputs.outputs.changelog_url }}
-  bump-helm:
-    name: Bump Helm version
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: helm
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/helm"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        run: |
-          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
-          ./scripts/helm-docs.sh
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
-          title: "charts/authentik: bump to ${{ inputs.version }}"
-          body: "charts/authentik: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
-  bump-version:
-    name: Bump version repository
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - check-inputs
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: version
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/version"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        if: "${{ inputs.release_reason == 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Bump version
-        if: "${{ inputs.release_reason != 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "version: bump to ${{ inputs.version }}"
-          title: "version: bump to ${{ inputs.version }}"
-          body: "version: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}

.github/workflows/repo-mirror-cleanup.yml

@@ -1,22 +0,0 @@
----
-name: Repo - Cleanup internal mirror
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -1,5 +1,4 @@
----
-name: Repo - Mirror to internal
+name: "authentik-repo-mirror"
 
 on: [push, delete]
 
@@ -8,14 +7,15 @@ jobs:
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        uses: pixta-dev/repository-mirroring-action@v1
         with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
+          target_repo_url:
+            git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key:
+            ${{ secrets.GH_MIRROR_KEY }}
         env:
           MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -1,9 +1,8 @@
----
-name: Repo - Mark and close stale issues
+name: 'authentik-repo-stale'
 
 on:
   schedule:
-    - cron: "30 1 * * *"
+    - cron: '30 1 * * *'
   workflow_dispatch:
 
 permissions:
@@ -26,7 +25,7 @@ jobs:
           days-before-stale: 60
           days-before-close: 7
           exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: status/stale
+          stale-issue-label: wontfix
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had
             recent activity. It will be closed if no further activity occurs. Thank you

.github/workflows/translation-advice.yml

@@ -1,5 +1,4 @@
----
-name: Translation - Post advice
+name: authentik-translation-advice
 
 on:
   pull_request:

.github/workflows/translation-extract-compile.yml

@@ -1,14 +1,9 @@
 ---
-name: Translation - Extract and compile
-
+name: authentik-backend-translate-extract-compile
 on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -17,34 +12,26 @@ env:
 
 jobs:
   compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        if: ${{ github.event_name != 'pull_request' }}
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
-        if: ${{ github.event_name != 'pull_request' }}
+      - uses: actions/checkout@v4
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v5
-        if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
       - name: run extract
         run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
       - name: run compile
         run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        if: ${{ github.event_name != 'pull_request' }}
         uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -54,6 +41,3 @@ jobs:
           body: "core, web: update translations"
           delete-branch: true
           signoff: true
-          labels: dependencies
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>

.github/workflows/translation-rename.yml

@@ -1,7 +1,6 @@
----
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
+name: authentik-translation-transifex-rename
 
 on:
   pull_request:
@@ -16,7 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
-      - uses: actions/checkout@v5
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:
@@ -27,13 +25,23 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
           echo "title=${title}" >> "$GITHUB_OUTPUT"
       - name: Rename
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
+            -X PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
+            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.gitignore

@@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media
 
-# Node
-
-node_modules
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
-out/
 sdist/
 var/
 wheels/
@@ -100,6 +95,9 @@ ipython_config.py
 # pyenv
 .python-version
 
+# celery beat schedule file
+celerybeat-schedule
+
 # SageMath parsed files
 *.sage.py
 
@@ -163,6 +161,8 @@ dmypy.json
 
 # pyenv
 
+# celery beat schedule file
+
 # SageMath parsed files
 
 # Environments
@@ -209,6 +209,3 @@ source_docs/
 
 ### Golang ###
 /vendor/
-
-### Docker ###
-docker-compose.override.yml

.prettierignore

@@ -1,48 +0,0 @@
-# Prettier Ignorefile
-
-## Static Files
-**/LICENSE
-
-authentik/stages/**/*
-
-## Build asset directories
-coverage
-dist
-out
-.docusaurus
-# TODO Replace after moving website to docs
-website/api/reference
-
-## Environment
-*.env
-
-## Secrets
-*.secrets
-
-## Yarn
-.yarn/**/*
-
-## Node
-node_modules
-coverage
-
-## Configs
-*.log
-*.yaml
-*.yml
-
-# Templates
-# TODO: Rename affected files to *.template.* or similar.
-*.html
-*.mdx
-*.md
-
-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
-# Storybook
-storybook-static/
-.storybook/css-import-maps*
-

.vscode/extensions.json

@@ -2,7 +2,6 @@
     "recommendations": [
         "bashmish.es6-string-css",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
-        "charliermarsh.ruff",
         "dbaeumer.vscode-eslint",
         "EditorConfig.EditorConfig",
         "esbenp.prettier-vscode",
@@ -11,12 +10,12 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "ms-python.black-formatter",
-        "ms-python.debugpy",
+        "charliermarsh.ruff",
         "ms-python.python",
         "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/launch.json

@@ -2,76 +2,26 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Debug: Attach Server Core",
-            "type": "debugpy",
+            "name": "Python: PDB attach Server",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6800
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
         },
         {
-            "name": "Debug: Attach Worker",
-            "type": "debugpy",
+            "name": "Python: PDB attach Worker",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6900
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
-        },
-        {
-            "name": "Debug: Start Server Router",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/server",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start LDAP Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/ldap",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Proxy Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/proxy",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start RAC Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/rac",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Radius Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/radius",
-            "cwd": "${workspaceFolder}"
         }
     ]
 }

.vscode/settings.json

@@ -1,4 +1,26 @@
 {
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "entra",
+        "goauthentik",
+        "jwe",
+        "jwks",
+        "kubernetes",
+        "oidc",
+        "openid",
+        "passwordless",
+        "plex",
+        "saml",
+        "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
+    ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -6,22 +28,17 @@
         "!Context scalar",
         "!Enumerate sequence",
         "!Env scalar",
-        "!Env sequence",
-        "!File scalar",
-        "!File sequence",
         "!Find sequence",
-        "!FindObject sequence",
         "!Format sequence",
         "!If sequence",
         "!Index scalar",
         "!KeyOf scalar",
         "!Value scalar",
-        "!AtIndex scalar",
-        "!ParseJSON scalar"
+        "!AtIndex scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
     "typescript.enablePromptUseWorkspaceTsdk": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -34,9 +51,7 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -3,7 +3,7 @@
     "tasks": [
         {
             "label": "authentik/core: make",
-            "command": "uv",
+            "command": "poetry",
             "args": ["run", "make", "lint-fix", "lint"],
             "presentation": {
                 "panel": "new"
@@ -12,7 +12,7 @@
         },
         {
             "label": "authentik/core: run",
-            "command": "uv",
+            "command": "poetry",
             "args": ["run", "ak", "server"],
             "group": "build",
             "presentation": {
@@ -43,15 +43,15 @@
             "group": "build"
         },
         {
-            "label": "authentik/docs: make",
+            "label": "authentik/website: make",
             "command": "make",
-            "args": ["docs"],
+            "args": ["website"],
             "group": "build"
         },
         {
-            "label": "authentik/docs: watch",
+            "label": "authentik/website: watch",
             "command": "make",
-            "args": ["docs-watch"],
+            "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
@@ -60,7 +60,7 @@
         },
         {
             "label": "authentik/api: generate",
-            "command": "uv",
+            "command": "poetry",
             "args": ["run", "make", "gen"],
             "group": "build"
         }

CODEOWNERS

@@ -1,49 +1,37 @@
 # Fallback
-*                                       @goauthentik/backend @goauthentik/frontend
+*                               @goauthentik/backend @goauthentik/frontend
 # Backend
-authentik/                              @goauthentik/backend
-blueprints/                             @goauthentik/backend
-cmd/                                    @goauthentik/backend
-internal/                               @goauthentik/backend
-lifecycle/                              @goauthentik/backend
-schemas/                                @goauthentik/backend
-scripts/                                @goauthentik/backend
-tests/                                  @goauthentik/backend
-pyproject.toml                          @goauthentik/backend
-uv.lock                                 @goauthentik/backend
-go.mod                                  @goauthentik/backend
-go.sum                                  @goauthentik/backend
+authentik/                      @goauthentik/backend
+blueprints/                     @goauthentik/backend
+cmd/                            @goauthentik/backend
+internal/                       @goauthentik/backend
+lifecycle/                      @goauthentik/backend
+schemas/                        @goauthentik/backend
+scripts/                        @goauthentik/backend
+tests/                          @goauthentik/backend
+pyproject.toml                  @goauthentik/backend
+poetry.lock                     @goauthentik/backend
+go.mod                          @goauthentik/backend
+go.sum                          @goauthentik/backend
 # Infrastructure
-.github/                                @goauthentik/infrastructure
-lifecycle/aws/                          @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
-.dockerignore                           @goauthentik/infrastructure
-docker-compose.yml                      @goauthentik/infrastructure
-Makefile                                @goauthentik/infrastructure
-.editorconfig                           @goauthentik/infrastructure
-CODEOWNERS                              @goauthentik/infrastructure
-# Backend packages
-packages/django-dramatiq-postgres       @goauthentik/backend
-# Web packages
-packages/docusaurus-config              @goauthentik/frontend
-packages/esbuild-plugin-live-reload     @goauthentik/frontend
-packages/eslint-config                  @goauthentik/frontend
-packages/prettier-config                @goauthentik/frontend
-packages/tsconfig                       @goauthentik/frontend
+.github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
+Dockerfile                      @goauthentik/infrastructure
+*Dockerfile                     @goauthentik/infrastructure
+.dockerignore                   @goauthentik/infrastructure
+docker-compose.yml              @goauthentik/infrastructure
+Makefile                        @goauthentik/infrastructure
+.editorconfig                   @goauthentik/infrastructure
+CODEOWNERS                      @goauthentik/infrastructure
 # Web
-web/                                    @goauthentik/frontend
-tests/wdio/                             @goauthentik/frontend
+web/                            @goauthentik/frontend
+tests/wdio/                     @goauthentik/frontend
 # Locale
-locale/                                 @goauthentik/backend @goauthentik/frontend
-web/xliff/                              @goauthentik/backend @goauthentik/frontend
+locale/                         @goauthentik/backend @goauthentik/frontend
+web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
-docs/                                   @goauthentik/docs
-# TODO Remove after moving website to docs
-website/                                @goauthentik/docs
-CODE_OF_CONDUCT.md                      @goauthentik/docs
+website/                        @goauthentik/docs
+CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                             @goauthentik/security @goauthentik/docs
-# TODO Remove after moving website to docs
-website/security/                       @goauthentik/security @goauthentik/docs
-docs/security/                          @goauthentik/security @goauthentik/docs
+SECURITY.md                     @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security @goauthentik/docs

CODE_OF_CONDUCT.md

@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
 

Dockerfile

@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
+
+COPY ./website /work/website/
+COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
+COPY ./SECURITY.md /work/
+
+RUN npm run build-bundled
+
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,20 +32,18 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
-    npm ci
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
 
 COPY ./package.json /work
 COPY ./web /work/web/
-# TODO: Update this after moving website to docs
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build && \
-    npm run build:sfe
+RUN npm run build
 
-# Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS go-builder
+# Stage 3: Build go proxy
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -50,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -59,91 +76,82 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+# Stage 4: MaxMind GeoIP
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
     mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.11 AS uv
-# Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.6-slim-bookworm-fips AS python-base
-
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/ak-root/lifecycle:/ak-root/venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 6: Python dependencies
-FROM python-base AS python-deps
+# Stage 5: Python dependencies
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
 
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry
 
-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
     apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"
 
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
-
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=bind,target=packages,src=packages \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
-
-# Stage 7: Run
-FROM python-base AS final-image
+# Stage 6: Run
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.authors="Authentik Security Inc." \
-    org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
-    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
-    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
-    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
-    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
-    org.opencontainers.image.title="authentik server image" \
-    org.opencontainers.image.url="https://goauthentik.io" \
-    org.opencontainers.image.vendor="Authentik Security Inc." \
-    org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.url=https://goauthentik.io
+LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
+LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+
+WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
@@ -155,26 +163,27 @@ RUN apt-get update && \
     pip3 install --no-cache-dir --upgrade pip && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    adduser --system --no-create-home --uid 1000 --group --home /ak-root authentik && \
+    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
     mkdir -p /certs /media /blueprints && \
-    mkdir -p /ak-root/authentik/.ssh && \
-    chown authentik:authentik /certs /media /ak-root/authentik/.ssh /ak-root
+    mkdir -p /authentik/.ssh && \
+    mkdir -p /ak-root && \
+    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
 
-COPY ./authentik/ /ak-root/authentik
-COPY ./pyproject.toml /ak-root/
-COPY ./uv.lock /ak-root/
-COPY ./schemas /ak-root/schemas
-COPY ./locale /ak-root/locale
-COPY ./tests /ak-root/tests
-COPY ./manage.py /ak-root/
+COPY ./authentik/ /authentik
+COPY ./pyproject.toml /
+COPY ./poetry.lock /
+COPY ./schemas /schemas
+COPY ./locale /locale
+COPY ./tests /tests
+COPY ./manage.py /
 COPY ./blueprints /blueprints
-COPY ./lifecycle/ /ak-root/lifecycle
+COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY ./packages/ /ak-root/packages
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /ak-root/web/dist/
-COPY --from=node-builder /work/web/authentik/ /ak-root/web/authentik/
+COPY --from=python-deps /ak-root/venv /ak-root/venv
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
@@ -182,10 +191,11 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
     GOFIPS=1
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 
-WORKDIR /ak-root
-
 ENTRYPOINT [ "dumb-init", "--", "ak" ]

Makefile

@@ -1,22 +1,34 @@
-.PHONY: gen dev-reset all clean test web docs
+.PHONY: gen dev-reset all clean test web website
 
-SHELL := /usr/bin/env bash
-.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
-PY_SOURCES = authentik packages tests scripts lifecycle .github
+NPM_VERSION = $(shell python -m scripts.npm_version)
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
+GEN_API_TS = "gen-ts-api"
+GEN_API_PY = "gen-py-api"
+GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
-redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
+		authentik \
+		internal \
+		cmd \
+		web/src \
+		website/src \
+		website/blog \
+		website/docs \
+		website/integrations \
+		website/src
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
@@ -33,41 +45,44 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...
 
+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	docker compose pull -q
+	docker compose up --no-start
+	docker compose start postgresql redis
+	docker compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report
 
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)
 
 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v
 
 core-install:
-	uv sync --frozen
+	poetry install
 
 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	python -m lifecycle.migrate
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
 aws-cfn:
-	cd lifecycle/aws && npm i && uv run npm run aws-cfn
-
-run-server:  ## Run the main authentik server process
-	uv run ak server
-
-run-worker:  ## Run the main authentik worker process
-	uv run ak worker
+	cd lifecycle/aws && npm run aws-cfn
 
 core-i18n-extract:
-	uv run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -77,34 +92,19 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
 
 dev-drop-db:
-	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
+	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall
+	redis-cli -n 0 flushall
 
 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
 
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
-update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
-
-bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
-ifndef version
-	$(error Usage: make bump version=20xx.xx.xx )
-endif
-	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
-	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
-	echo -n $(version) > ${PWD}/internal/constants/VERSION
-
 #########################
 ## API Schema
 #########################
@@ -113,14 +113,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
-
-gen-compose:
-	uv run scripts/generate_docker_compose.py
+		ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -139,20 +136,15 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
-gen-clean-ts:  ## Remove generated API client for TypeScript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+gen-clean-ts:  ## Remove generated API client for Typescript
+	rm -rf ./${GEN_API_TS}/
+	rm -rf ./web/node_modules/@goauthentik/api/
 
 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
+	rm -rf ./${GEN_API_GO}/
 
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/
 
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
@@ -168,15 +160,15 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm i
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@@ -184,40 +176,42 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
+	pip install ./${GEN_API_PY}
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+	cp schema.yml ./${GEN_API_GO}/
+	docker run \
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/ \
+		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	python -m scripts.generate_config
 
 gen: gen-build gen-client-ts
 
-#########################
-## Node.js
-#########################
-
-node-install:  ## Install the necessary libraries to build Node.js packages
-	npm ci
-	npm ci --prefix web
-
 #########################
 ## Web
 #########################
 
-web-build: node-install  ## Build the Authentik UI
+web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
+web-install:  ## Install the necessary libraries to build the Authentik UI
+	cd web && npm ci
+
 web-test: ## Run tests for the Authentik UI
 	cd web && npm run test
 
@@ -244,40 +238,22 @@ web-i18n-extract:
 	cd web && npm run extract-locales
 
 #########################
-## Docs
+## Website
 #########################
 
-docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
+website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
 
-docs-install:
-	npm ci --prefix website
+website-install:
+	cd website && npm ci
 
-docs-lint-fix: lint-codespell
-	npm run prettier --prefix website
+website-lint-fix: lint-codespell
+	cd website && npm run prettier
 
-docs-build:
-	npm run build --prefix website
+website-build:
+	cd website && npm run build
 
-docs-watch:  ## Build and watch the topics documentation
-	npm run start --prefix website
-
-integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
-
-integrations-build:
-	npm run build --prefix website -w integrations
-
-integrations-watch:  ## Build and watch the Integrations documentation
-	npm run start --prefix website -w integrations
-
-docs-api-build:
-	npm run build --prefix website -w api
-
-docs-api-watch:  ## Build and watch the API documentation
-	npm run build:api --prefix website -w api
-	npm run start --prefix website -w api
-
-docs-api-clean: ## Clean generated API documentation
-	npm run build:api:clean --prefix website -w api
+website-watch:  ## Build and watch the documentation website, updating automatically
+	cd website && npm run watch
 
 #########################
 ## Docker
@@ -287,9 +263,6 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
-test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
@@ -301,21 +274,16 @@ ci--meta-debug:
 	node --version
 
 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)
 
 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)
 
 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	codespell $(CODESPELL_ARGS) -s
 
 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)
 
 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
-
-ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
-	uv run coverage xml
+	ak makemigrations --check

README.md

@@ -9,8 +9,8 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Docker pulls](https://img.shields.io/docker/pulls/authentik/server.svg?style=for-the-badge)
-![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
+![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
+![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 
 ## What is authentik?
@@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 
 ## Adoption and Contributions
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 
 ## What authentik classifies as a CVE
 
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |
+| 2024.10.x | ✅        |
+| 2024.12.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -1,28 +1,20 @@
 """authentik root module"""
 
-from functools import lru_cache
 from os import environ
 
-VERSION = "2025.10.0-rc1"
+__version__ = "2024.12.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
-@lru_cache
-def authentik_version() -> str:
-    return VERSION
-
-
-@lru_cache
-def authentik_build_hash(fallback: str | None = None) -> str:
+def get_build_hash(fallback: str | None = None) -> str:
     """Get build hash"""
     build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
     return fallback if build_hash == "" and fallback else build_hash
 
 
-@lru_cache
-def authentik_full_version() -> str:
+def get_full_version() -> str:
     """Get full version, with build hash appended"""
-    version = authentik_version()
-    if (build_hash := authentik_build_hash()) != "":
+    version = __version__
+    if (build_hash := get_build_hash()) != "":
         return f"{version}+{build_hash}"
     return version

authentik/admin/api/metrics.py

@@ -0,0 +1,79 @@
+"""authentik administration metrics"""
+
+from datetime import timedelta
+
+from django.db.models.functions import ExtractHour
+from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import EventAction
+
+
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
+    """Login Metrics per 1h"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get successful authorizations per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
+class AdministrationMetricsViewSet(APIView):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAuthenticated]
+
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
+        return Response(serializer.data)

authentik/admin/api/system.py

@@ -16,7 +16,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
@@ -59,7 +59,7 @@ class SystemInfoSerializer(PassiveSerializer):
             if not isinstance(value, str):
                 continue
             actual_value = value
-            if raw_session is not None and raw_session in actual_value:
+            if raw_session in actual_value:
                 actual_value = actual_value.replace(
                     raw_session, SafeExceptionReporterFilter.cleansed_substitute
                 )
@@ -78,7 +78,7 @@ class SystemInfoSerializer(PassiveSerializer):
         """Get versions"""
         return {
             "architecture": platform.machine(),
-            "authentik_version": authentik_full_version(),
+            "authentik_version": get_full_version(),
             "environment": get_env(),
             "openssl_fips_enabled": (
                 backend._fips_enabled if LicenseKey.get_total().status().is_valid else None

authentik/admin/api/version.py

@@ -1,7 +1,6 @@
 """authentik administration overview"""
 
 from django.core.cache import cache
-from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -10,11 +9,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_current_tenant
 
 
 class VersionSerializer(PassiveSerializer):
@@ -29,20 +27,18 @@ class VersionSerializer(PassiveSerializer):
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
-        return authentik_build_hash()
+        return get_build_hash()
 
     def get_version_current(self, _) -> str:
         """Get current version"""
-        return authentik_version()
+        return __version__
 
     def get_version_latest(self, _) -> str:
         """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
-            return authentik_version()
         version_in_cache = cache.get(VERSION_CACHE_KEY)
         if not version_in_cache:  # pragma: no cover
-            update_latest_version.send()
-            return authentik_version()
+            update_latest_version.delay()
+            return __version__
         return version_in_cache
 
     def get_version_latest_valid(self, _) -> bool:

authentik/admin/api/workers.py

@@ -0,0 +1,57 @@
+"""authentik administration overview"""
+
+from socket import gethostname
+
+from django.conf import settings
+from drf_spectacular.utils import extend_schema, inline_serializer
+from packaging.version import parse
+from rest_framework.fields import BooleanField, CharField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik import get_full_version
+from authentik.rbac.permissions import HasPermission
+from authentik.root.celery import CELERY_APP
+
+
+class WorkerView(APIView):
+    """Get currently connected worker count."""
+
+    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
+
+    @extend_schema(
+        responses=inline_serializer(
+            "Worker",
+            fields={
+                "worker_id": CharField(),
+                "version": CharField(),
+                "version_matching": BooleanField(),
+            },
+            many=True,
+        )
+    )
+    def get(self, request: Request) -> Response:
+        """Get currently connected worker count."""
+        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+        our_version = parse(get_full_version())
+        response = []
+        for worker in raw:
+            key = list(worker.keys())[0]
+            version = worker[key].get("version")
+            version_matching = False
+            if version:
+                version_matching = parse(version) == our_version
+            response.append(
+                {"worker_id": key, "version": version, "version_matching": version_matching}
+            )
+        # In debug we run with `task_always_eager`, so tasks are ran on the main process
+        if settings.DEBUG:  # pragma: no cover
+            response.append(
+                {
+                    "worker_id": f"authentik-debug@{gethostname()}",
+                    "version": get_full_version(),
+                    "version_matching": True,
+                }
+            )
+        return Response(response)

authentik/admin/apps.py

@@ -3,9 +3,6 @@
 from prometheus_client import Info
 
 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.lib.config import CONFIG
-from authentik.lib.utils.time import fqdn_rand
-from authentik.tasks.schedules.common import ScheduleSpec
 
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 
@@ -17,31 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
     label = "authentik_admin"
     verbose_name = "authentik Admin"
     default = True
-
-    @ManagedAppConfig.reconcile_global
-    def clear_update_notifications(self):
-        """Clear update notifications on startup if the notification was for the version
-        we're running now."""
-        from packaging.version import parse
-
-        from authentik.admin.tasks import LOCAL_VERSION
-        from authentik.events.models import EventAction, Notification
-
-        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-            if "new_version" not in notification.event.context:
-                continue
-            notification_version = notification.event.context["new_version"]
-            if LOCAL_VERSION >= parse(notification_version):
-                notification.delete()
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.admin.tasks import update_latest_version
-
-        return [
-            ScheduleSpec(
-                actor=update_latest_version,
-                crontab=f"{fqdn_rand('admin_latest_version')} * * * *",
-                paused=CONFIG.get_bool("disable_update_check"),
-            ),
-        ]

authentik/admin/settings.py

@@ -0,0 +1,13 @@
+"""authentik admin settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "admin_latest_version": {
+        "task": "authentik.admin.tasks.update_latest_version",
+        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    }
+}

authentik/admin/signals.py

@@ -0,0 +1,35 @@
+"""admin signals"""
+
+from django.dispatch import receiver
+from packaging.version import parse
+from prometheus_client import Gauge
+
+from authentik import get_full_version
+from authentik.root.celery import CELERY_APP
+from authentik.root.monitoring import monitoring_set
+
+GAUGE_WORKERS = Gauge(
+    "authentik_admin_workers",
+    "Currently connected workers, their versions and if they are the same version as authentik",
+    ["version", "version_matched"],
+)
+
+
+_version = parse(get_full_version())
+
+
+@receiver(monitoring_set)
+def monitoring_set_workers(sender, **kwargs):
+    """Set worker gauge"""
+    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+    worker_version_count = {}
+    for worker in raw:
+        key = list(worker.keys())[0]
+        version = worker[key].get("version")
+        version_matching = False
+        if version:
+            version_matching = parse(version) == _version
+        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
+        worker_version_count[version]["count"] += 1
+    for version, stats in worker_version_count.items():
+        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])

authentik/admin/tasks.py

@@ -1,44 +1,59 @@
 """authentik admin tasks"""
 
 from django.core.cache import cache
+from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
-from dramatiq import actor
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
 
-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
+from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.models import Task
+from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-LOCAL_VERSION = parse(authentik_version())
+LOCAL_VERSION = parse(__version__)
 
 
 def _set_prom_info():
     """Set prometheus info for version"""
     PROM_INFO.info(
         {
-            "version": authentik_version(),
+            "version": __version__,
             "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": authentik_build_hash(),
+            "build_hash": get_build_hash(),
         }
     )
 
 
-@actor(description=_("Update latest version info."))
-def update_latest_version():
-    self: Task = CurrentTask.get_task()
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def clear_update_notifications():
+    """Clear update notifications on startup if the notification was for the version
+    we're running now."""
+    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+        if "new_version" not in notification.event.context:
+            continue
+        notification_version = notification.event.context["new_version"]
+        if LOCAL_VERSION >= parse(notification_version):
+            notification.delete()
+
+
+@CELERY_APP.task(bind=True, base=SystemTask)
+@prefill_task
+def update_latest_version(self: SystemTask):
+    """Update latest version info"""
     if CONFIG.get_bool("disable_update_check"):
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.info("Version check disabled.")
+        self.set_status(TaskStatus.WARNING, "Version check disabled.")
         return
     try:
         response = get_http_session().get(
@@ -48,7 +63,7 @@ def update_latest_version():
         data = response.json()
         upstream_version = data.get("stable", {}).get("version")
         cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
-        self.info("Successfully updated latest Version")
+        self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated latest Version")
         _set_prom_info()
         # Check if upstream version is newer than what we're running,
         # and if no event exists yet, create one.
@@ -71,7 +86,7 @@ def update_latest_version():
             ).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        raise exc
+        self.set_error(exc)
 
 
 _set_prom_info()

authentik/admin/tests/test_api.py

@@ -5,7 +5,7 @@ from json import loads
 from django.test import TestCase
 from django.urls import reverse
 
-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
 from authentik.lib.generators import generate_id
@@ -27,7 +27,19 @@ class TestAdminAPI(TestCase):
         response = self.client.get(reverse("authentik_api:admin_version"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(body["version_current"], authentik_version())
+        self.assertEqual(body["version_current"], __version__)
+
+    def test_workers(self):
+        """Test Workers API"""
+        response = self.client.get(reverse("authentik_api:admin_workers"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(len(body), 0)
+
+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
+        self.assertEqual(response.status_code, 200)
 
     def test_apps(self):
         """Test apps API"""

authentik/admin/tests/test_tasks.py

@@ -1,12 +1,12 @@
 """test admin tasks"""
 
-from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 
 from authentik.admin.tasks import (
     VERSION_CACHE_KEY,
+    clear_update_notifications,
     update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -30,7 +30,7 @@ class TestAdminTasks(TestCase):
         """Test Update checker with valid response"""
         with Mocker() as mocker, CONFIG.patch("disable_update_check", False):
             mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-            update_latest_version.send()
+            update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
             self.assertTrue(
                 Event.objects.filter(
@@ -40,7 +40,7 @@ class TestAdminTasks(TestCase):
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
-            update_latest_version.send()
+            update_latest_version.delay().get()
             self.assertEqual(
                 len(
                     Event.objects.filter(
@@ -56,7 +56,7 @@ class TestAdminTasks(TestCase):
         """Test Update checker with invalid response"""
         with Mocker() as mocker:
             mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-            update_latest_version.send()
+            update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
             self.assertFalse(
                 Event.objects.filter(
@@ -67,19 +67,17 @@ class TestAdminTasks(TestCase):
     def test_version_disabled(self):
         """Test Update checker while its disabled"""
         with CONFIG.patch("disable_update_check", True):
-            update_latest_version.send()
+            update_latest_version.delay().get()
             self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
 
     def test_clear_update_notifications(self):
         """Test clear of previous notification"""
-        admin_config = apps.get_app_config("authentik_admin")
         Event.objects.create(
-            action=EventAction.UPDATE_AVAILABLE,
-            context={"new_version": "99999999.9999999.9999999"},
+            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
         )
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
         self.assertFalse(
             Event.objects.filter(
                 action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"

authentik/admin/urls.py

@@ -3,14 +3,22 @@
 from django.urls import path
 
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
+from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
     ("admin/apps", AppsViewSet, "apps"),
     ("admin/models", ModelViewSet, "models"),
+    path(
+        "admin/metrics/",
+        AdministrationMetricsViewSet.as_view(),
+        name="admin_metrics",
+    ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
     ("admin/version/history", VersionHistoryViewSet, "version_history"),
+    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/apps.py

@@ -1,13 +1,12 @@
 """authentik API AppConfig"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
     """authentik API Config"""
 
     name = "authentik.api"
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
-    default = True

authentik/api/authentication.py

@@ -1,12 +1,9 @@
 """API Authentication"""
 
 from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
 from typing import Any
 
 from django.conf import settings
-from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 
 LOGGER = get_logger()
-_tmp = Path(gettempdir())
-try:
-    with open(_tmp / "authentik-core-ipc.key") as _f:
-        ipc_key = _f.read()
-except OSError:
-    ipc_key = None
 
 
 def validate_auth(header: bytes) -> str | None:
@@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
     if user:
         CTX_AUTH_VIA.set("secret_key")
         return user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_ipc(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("ipc")
-        return user
     raise AuthenticationFailed("Token invalid/expired")
 
 
@@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
     return outpost.user
 
 
-class IPCUser(AnonymousUser):
-    """'Virtual' user for IPC communication between authentik core and the authentik router"""
-
-    username = "authentik:system"
-    is_active = True
-    is_superuser = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    def has_perm(self, perm, obj=None):
-        return True
-
-    def has_perms(self, perm_list, obj=None):
-        return True
-
-    def has_module_perms(self, module):
-        return True
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-
-def token_ipc(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    if not ipc_key or not compare_digest(value, ipc_key):
-        return None
-    return IPCUser()
-
-
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 

authentik/api/schema.py

@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
     return component
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
     """Workaround to set a default response for endpoints.
     Workaround suggested at
     <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>

authentik/api/templates/api/browser.html

@@ -8,6 +8,8 @@ API Browser - {{ brand.branding_title }}
 
 {% block head %}
 <script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
 
 {% block body %}

authentik/blueprints/api.py

@@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.blueprints.models import BlueprintInstance
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required
 
 
@@ -39,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
         """Ensure the path (if set) specified is retrievable"""
         if path == "" or path.startswith(OCI_PREFIX):
             return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
         if path not in [file["path"] for file in files]:
             raise ValidationError(_("Blueprint file does not exist"))
         return path
@@ -115,7 +115,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     @action(detail=False, pagination_class=None, filter_backends=[])
     def available(self, request: Request) -> Response:
         """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
         return Response(files)
 
     @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -129,5 +129,5 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
     def apply(self, request: Request, *args, **kwargs) -> Response:
         """Apply a blueprint"""
         blueprint = self.get_object()
-        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
+        apply_blueprint.delay(str(blueprint.pk)).get()
         return self.retrieve(request, *args, **kwargs)

authentik/blueprints/apps.py

@@ -6,12 +6,9 @@ from inspect import ismethod
 
 from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
-from dramatiq.broker import get_broker
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.lib.utils.time import fqdn_rand
 from authentik.root.signals import startup
-from authentik.tasks.schedules.common import ScheduleSpec
 
 
 class ManagedAppConfig(AppConfig):
@@ -37,7 +34,7 @@ class ManagedAppConfig(AppConfig):
 
     def import_related(self):
         """Automatically import related modules which rely on just being imported
-        to register themselves (mainly django signals and tasks)"""
+        to register themselves (mainly django signals and celery tasks)"""
 
         def import_relative(rel_module: str):
             try:
@@ -83,16 +80,6 @@ class ManagedAppConfig(AppConfig):
         func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
         return func
 
-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in each tenant"""
-        return []
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in the default tenant"""
-        return []
-
     def _reconcile_tenant(self) -> None:
         """reconcile ourselves for tenanted methods"""
         from authentik.tenants.models import Tenant
@@ -113,12 +100,8 @@ class ManagedAppConfig(AppConfig):
         """
         from django_tenants.utils import get_public_schema_name, schema_context
 
-        try:
-            with schema_context(get_public_schema_name()):
-                self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
-        except (DatabaseError, ProgrammingError, InternalError) as exc:
-            self.logger.debug("Failed to access database to run reconcile", exc=exc)
-            return
+        with schema_context(get_public_schema_name()):
+            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
 
 
 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -129,29 +112,19 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
     verbose_name = "authentik Blueprints"
     default = True
 
+    @ManagedAppConfig.reconcile_global
+    def load_blueprints_v1_tasks(self):
+        """Load v1 tasks"""
+        self.import_module("authentik.blueprints.v1.tasks")
+
+    @ManagedAppConfig.reconcile_tenant
+    def blueprints_discovery(self):
+        """Run blueprint discovery"""
+        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
+
+        blueprints_discovery.delay()
+        clear_failed_blueprints.delay()
+
     def import_models(self):
         super().import_models()
         self.import_module("authentik.blueprints.v1.meta.apply_blueprint")
-
-    @ManagedAppConfig.reconcile_global
-    def tasks_middlewares(self):
-        from authentik.blueprints.v1.tasks import BlueprintWatcherMiddleware
-
-        get_broker().add_middleware(BlueprintWatcherMiddleware())
-
-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
-
-        return [
-            ScheduleSpec(
-                actor=blueprints_discovery,
-                crontab=f"{fqdn_rand('blueprints_v1_discover')} * * * *",
-                send_on_startup=True,
-            ),
-            ScheduleSpec(
-                actor=clear_failed_blueprints,
-                crontab=f"{fqdn_rand('blueprints_v1_cleanup')} * * * *",
-                send_on_startup=True,
-            ),
-        ]

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -11,7 +11,7 @@ from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -48,7 +48,7 @@ class Command(BaseCommand):
             "$schema": "http://json-schema.org/draft-07/schema",
             "$id": "https://goauthentik.io/blueprints/schema.json",
             "type": "object",
-            "title": f"authentik {authentik_version()} Blueprint schema",
+            "title": f"authentik {__version__} Blueprint schema",
             "required": ["version", "entries"],
             "properties": {
                 "version": {
@@ -72,33 +72,20 @@ class Command(BaseCommand):
                     "additionalProperties": True,
                 },
                 "entries": {
-                    "anyOf": [
-                        {
-                            "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
-                        },
-                        {
-                            "type": "object",
-                            "additionalProperties": {
-                                "type": "array",
-                                "items": {"$ref": "#/$defs/blueprint_entry"},
-                            },
-                        },
-                    ],
+                    "type": "array",
+                    "items": {
+                        "oneOf": [],
+                    },
                 },
             },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
         }
 
-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
     @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
         """Generate JSON Schema for blueprints"""
         self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
 
     @staticmethod
     def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                 }
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                 self.template_entry(model_path, model, serializer)
             )
 
@@ -147,7 +134,7 @@ class Command(BaseCommand):
                 "id": {"type": "string"},
                 "state": {
                     "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -218,7 +205,7 @@ class Command(BaseCommand):
                 "type": "object",
                 "required": ["permission"],
                 "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                     "user": {"type": "integer"},
                     "role": {"type": "string"},
                 },

authentik/blueprints/models.py

@@ -3,7 +3,6 @@
 from pathlib import Path
 from uuid import uuid4
 
-from django.contrib.contenttypes.fields import GenericRelation
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -72,13 +71,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
     enabled = models.BooleanField(default=True)
     managed_models = ArrayField(models.TextField(), default=list)
 
-    # Manual link to tasks instead of using TasksModel because of loop imports
-    tasks = GenericRelation(
-        "authentik_tasks.Task",
-        content_type_field="rel_obj_content_type",
-        object_id_field="rel_obj_id",
-    )
-
     class Meta:
         verbose_name = _("Blueprint Instance")
         verbose_name_plural = _("Blueprint Instances")

authentik/blueprints/settings.py

@@ -0,0 +1,18 @@
+"""blueprint Settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "blueprints_v1_discover": {
+        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+    "blueprints_v1_cleanup": {
+        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+}

authentik/blueprints/tasks.py

@@ -1,2 +0,0 @@
-# Import all v1 tasks for auto task discovery
-from authentik.blueprints.v1.tasks import *  # noqa: F403

authentik/blueprints/tests/fixtures/state_present.yaml

@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
-      - identifiers:
-            name: "%(id)s"
-            slug: "%(id)s"
-        model: authentik_flows.flow
-        state: present
-        attrs:
-            designation: stage_configuration
-            title: foo
+    - identifiers:
+          name: "%(id)s"
+          slug: "%(id)s"
+      model: authentik_flows.flow
+      state: present
+      attrs:
+          designation: stage_configuration
+          title: foo

authentik/blueprints/tests/fixtures/tags.yaml

@@ -12,8 +12,8 @@ context:
     context1: context-nested-value
     context2: !Context context1
 entries:
-    - model: !Format ["%%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%%s", present]
+    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
+      state: !Format ["%s", present]
       identifiers:
           slug: test
       attrs:
@@ -27,23 +27,19 @@ entries:
                   [slug, default-source-authentication],
               ]
           enrollment_flow:
-              !Find [!Format  ["%%s", authentik_flows.Flow], [slug, default-source-enrollment]]
+              !Find [!Format  ["%s", authentik_flows.Flow], [slug, default-source-enrollment]]
     - attrs:
           expression: return True
       identifiers:
-          name: !Format [foo-%%s-%%s-%%s, !Context foo, !Context bar, qux]
+          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
       id: policy
       model: authentik_policies_expression.expressionpolicy
     - attrs:
           attributes:
               env_null: !Env [bar-baz, null]
-              file_content: !File '%(file_name)s'
-              file_default: !File ['%(file_default_name)s', 'default']
-              file_non_existent: !File '/does-not-exist'
-              json_parse: !ParseJSON '{"foo": "bar"}'
               policy_pk1:
                   !Format [
-                      "%%s-%%s",
+                      "%s-%s",
                       !Find [
                           authentik_policies_expression.expressionpolicy,
                           [
@@ -54,29 +50,29 @@ entries:
                       ],
                       suffix,
                   ]
-              policy_pk2: !Format ["%%s-%%s", !KeyOf policy, suffix]
+              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
               boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
               boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
               boolOr:
                   !Condition [
                       OR,
                       !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                       null,
                   ]
               boolNor:
                   !Condition [
                       NOR,
                       !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                       null,
                   ]
               boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
               boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
               boolComplex:
                   !Condition [
                       XNOR,
@@ -92,7 +88,7 @@ entries:
                               {
                                   with: { keys: "and_values" },
                                   and_nested_custom_tags:
-                                      !Format ["foo-%%s", !Context foo],
+                                      !Format ["foo-%s", !Context foo],
                               },
                       },
                       null,
@@ -101,7 +97,7 @@ entries:
                   !If [
                       !Condition [AND, false],
                       null,
-                      [list, with, items, !Format ["foo-%%s", !Context foo]],
+                      [list, with, items, !Format ["foo-%s", !Context foo]],
                   ]
               if_true_simple: !If [!Context foo, true, text]
               if_short: !If [!Context foo]
@@ -109,22 +105,22 @@ entries:
               enumerate_mapping_to_mapping: !Enumerate [
                   !Context mapping,
                   MAP,
-                  [!Format ["prefix-%%s", !Index 0], !Format ["other-prefix-%%s", !Value 0]]
+                  [!Format ["prefix-%s", !Index 0], !Format ["other-prefix-%s", !Value 0]]
               ]
               enumerate_mapping_to_sequence: !Enumerate [
                   !Context mapping,
                   SEQ,
-                  !Format ["prefixed-pair-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-pair-%s-%s", !Index 0, !Value 0]
               ]
               enumerate_sequence_to_sequence: !Enumerate [
                   !Context sequence,
                   SEQ,
-                  !Format ["prefixed-items-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-items-%s-%s", !Index 0, !Value 0]
               ]
               enumerate_sequence_to_mapping: !Enumerate [
                   !Context sequence,
                   MAP,
-                  [!Format ["index: %%d", !Index 0], !Value 0]
+                  [!Format ["index: %d", !Index 0], !Value 0]
               ]
               nested_complex_enumeration: !Enumerate [
                   !Context sequence,
@@ -135,9 +131,9 @@ entries:
                           !Context mapping,
                           MAP,
                           [
-                              !Format ["%%s", !Index 0],
+                              !Format ["%s", !Index 0],
                               [
-                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%%s", !Value 0]],
+                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%s", !Value 0]],
                                   {
                                     outer_value: !Value 1,
                                     outer_index: !Index 1,
@@ -154,7 +150,6 @@ entries:
               at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
               at_index_mapping: !AtIndex [!Context mapping, "key2"]
               at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
-              find_object: !AtIndex [!FindObject [authentik_providers_oauth2.scopemapping, [scope_name, openid]], managed]
       identifiers:
           name: test
       conditions:

authentik/blueprints/tests/test_managed_app_config.py

@@ -1,14 +0,0 @@
-from django.test import TestCase
-
-from authentik.blueprints.apps import ManagedAppConfig
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestManagedAppConfig(TestCase):
-    def test_apps_use_managed_app_config(self):
-        for app in get_apps():
-            if app.name.startswith("authentik.enterprise"):
-                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
-            else:
-                self.assertIn(ManagedAppConfig, app.__class__.__bases__)

authentik/blueprints/tests/test_packaged.py

@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 
 
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
         continue
     setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))

authentik/blueprints/tests/test_serializer_models.py

@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase
 
+from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
 
@@ -21,13 +22,10 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
             return
         model_class = test_model()
         self.assertTrue(isinstance(model_class, SerializerModel))
-        # Models that have subclasses don't have to have a serializer
-        if len(test_model.__subclasses__()) > 0:
-            return
         self.assertIsNotNone(model_class.serializer)
         if model_class.serializer.Meta().model == RefreshToken:
             return
-        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
+        self.assertEqual(model_class.serializer.Meta().model, test_model)
 
     return tester
 
@@ -36,6 +34,6 @@ for app in apps.get_app_configs():
     if not app.label.startswith("authentik"):
         continue
     for model in app.get_models():
-        if not issubclass(model, SerializerModel):
+        if not is_model_allowed(model):
             continue
         setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))

authentik/blueprints/tests/test_v1.py

@@ -1,11 +1,9 @@
 """Test blueprints v1"""
 
-from os import chmod, environ, unlink, write
-from tempfile import mkstemp
+from os import environ
 
 from django.test import TransactionTestCase
 
-from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
@@ -128,119 +126,101 @@ class TestBlueprintsV1(TransactionTestCase):
 
         self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
 
-    @apply_blueprint("system/providers-oauth2.yaml")
     def test_import_yaml_tags(self):
         """Test some yaml tags"""
         ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
         Group.objects.filter(name="test").delete()
         environ["foo"] = generate_id()
-        file, file_name = mkstemp()
-        write(file, b"foo")
-        _, file_default_name = mkstemp()
-        chmod(file_default_name, 0o000)  # Remove all permissions so we can't read the file
-        importer = Importer.from_string(
-            load_fixture(
-                "fixtures/tags.yaml",
-                file_name=file_name,
-                file_default_name=file_default_name,
-            ),
-            {"bar": "baz"},
-        )
+        importer = Importer.from_string(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
         self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
         policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
         self.assertTrue(policy)
-        group = Group.objects.filter(name="test").first()
-        self.assertIsNotNone(group)
-        self.assertEqual(
-            group.attributes,
-            {
-                "policy_pk1": str(policy.pk) + "-suffix",
-                "policy_pk2": str(policy.pk) + "-suffix",
-                "boolAnd": True,
-                "boolNand": False,
-                "boolOr": True,
-                "boolNor": False,
-                "boolXor": True,
-                "boolXnor": False,
-                "boolComplex": True,
-                "if_true_complex": {
-                    "dictionary": {
-                        "with": {"keys": "and_values"},
-                        "and_nested_custom_tags": "foo-bar",
-                    }
-                },
-                "if_false_complex": ["list", "with", "items", "foo-bar"],
-                "if_true_simple": True,
-                "if_short": True,
-                "if_false_simple": 2,
-                "enumerate_mapping_to_mapping": {
-                    "prefix-key1": "other-prefix-value",
-                    "prefix-key2": "other-prefix-2",
-                },
-                "enumerate_mapping_to_sequence": [
-                    "prefixed-pair-key1-value",
-                    "prefixed-pair-key2-2",
-                ],
-                "enumerate_sequence_to_sequence": [
-                    "prefixed-items-0-foo",
-                    "prefixed-items-1-bar",
-                ],
-                "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
-                "nested_complex_enumeration": {
-                    "0": {
-                        "key1": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+        self.assertTrue(
+            Group.objects.filter(
+                attributes={
+                    "policy_pk1": str(policy.pk) + "-suffix",
+                    "policy_pk2": str(policy.pk) + "-suffix",
+                    "boolAnd": True,
+                    "boolNand": False,
+                    "boolOr": True,
+                    "boolNor": False,
+                    "boolXor": True,
+                    "boolXnor": False,
+                    "boolComplex": True,
+                    "if_true_complex": {
+                        "dictionary": {
+                            "with": {"keys": "and_values"},
+                            "and_nested_custom_tags": "foo-bar",
+                        }
                     },
-                    "1": {
-                        "key1": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+                    "if_false_complex": ["list", "with", "items", "foo-bar"],
+                    "if_true_simple": True,
+                    "if_short": True,
+                    "if_false_simple": 2,
+                    "enumerate_mapping_to_mapping": {
+                        "prefix-key1": "other-prefix-value",
+                        "prefix-key2": "other-prefix-2",
                     },
-                },
-                "nested_context": "context-nested-value",
-                "env_null": None,
-                "file_content": "foo",
-                "file_default": "default",
-                "file_non_existent": None,
-                "json_parse": {"foo": "bar"},
-                "at_index_sequence": "foo",
-                "at_index_sequence_default": "non existent",
-                "at_index_mapping": 2,
-                "at_index_mapping_default": "non existent",
-                "find_object": "goauthentik.io/providers/oauth2/scope-openid",
-            },
+                    "enumerate_mapping_to_sequence": [
+                        "prefixed-pair-key1-value",
+                        "prefixed-pair-key2-2",
+                    ],
+                    "enumerate_sequence_to_sequence": [
+                        "prefixed-items-0-foo",
+                        "prefixed-items-1-bar",
+                    ],
+                    "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
+                    "nested_complex_enumeration": {
+                        "0": {
+                            "key1": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                        "1": {
+                            "key1": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                    },
+                    "nested_context": "context-nested-value",
+                    "env_null": None,
+                    "at_index_sequence": "foo",
+                    "at_index_sequence_default": "non existent",
+                    "at_index_mapping": 2,
+                    "at_index_mapping_default": "non existent",
+                }
+            ).exists()
         )
         self.assertTrue(
             OAuthSource.objects.filter(
@@ -248,8 +228,6 @@ class TestBlueprintsV1(TransactionTestCase):
                 consumer_key=environ["foo"],
             )
         )
-        unlink(file_name)
-        unlink(file_default_name)
 
     def test_export_validate_import_policies(self):
         """Test export and validate it"""

authentik/blueprints/tests/test_v1_tasks.py

@@ -54,7 +54,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
             file.seek(0)
             file_hash = sha512(file.read().encode()).hexdigest()
             file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
             instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
             self.assertEqual(instance.last_applied_hash, file_hash)
             self.assertEqual(
@@ -82,7 +82,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                 )
             )
             file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
             blueprint = BlueprintInstance.objects.filter(name="foo").first()
             self.assertEqual(
                 blueprint.last_applied_hash,
@@ -107,7 +107,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                 )
             )
             file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
             blueprint.refresh_from_db()
             self.assertEqual(
                 blueprint.last_applied_hash,

authentik/blueprints/v1/common.py

@@ -6,7 +6,6 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
-from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@@ -18,15 +17,12 @@ from django.db.models import Model, Q
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
-from structlog.stdlib import get_logger
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode
 
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 
-LOGGER = get_logger()
-
 
 class UNSET:
     """Used to test whether a key has not been set."""
@@ -168,7 +164,9 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
         """Get permissions of this entry, with all yaml tags resolved"""
         for perm in self.permissions:
             yield BlueprintEntryPermission(
@@ -195,18 +193,11 @@ class Blueprint:
     """Dataclass used for a full export"""
 
     version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
     context: dict = field(default_factory=dict)
 
     metadata: BlueprintMetadata | None = field(default=None)
 
-    def iter_entries(self) -> Iterable[BlueprintEntry]:
-        if isinstance(self.entries, dict):
-            for _section, entries in self.entries.items():
-                yield from entries
-        else:
-            yield from self.entries
-
 
 class YAMLTag:
     """Base class for all YAML Tags"""
@@ -237,7 +228,7 @@ class KeyOf(YAMLTag):
         self.id_from = node.value
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
             if _entry.id == self.id_from and _entry._state.instance:
                 # Special handling for PolicyBindingModels, as they'll have a different PK
                 # which is used when creating policy bindings
@@ -271,34 +262,6 @@ class Env(YAMLTag):
         return getenv(self.key) or self.default
 
 
-class File(YAMLTag):
-    """Lookup file with optional default"""
-
-    path: str
-    default: Any | None
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
-        super().__init__()
-        self.default = None
-        if isinstance(node, ScalarNode):
-            self.path = node.value
-        if isinstance(node, SequenceNode):
-            self.path = loader.construct_object(node.value[0])
-            self.default = loader.construct_object(node.value[1])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            with open(self.path, encoding="utf8") as _file:
-                return _file.read().strip()
-        except OSError as exc:
-            LOGGER.warning(
-                "Failed to read file. Falling back to default value",
-                path=self.path,
-                exc=exc,
-            )
-            return self.default
-
-
 class Context(YAMLTag):
     """Lookup key from instance context"""
 
@@ -323,22 +286,6 @@ class Context(YAMLTag):
         return value
 
 
-class ParseJSON(YAMLTag):
-    """Parse JSON from context/env/etc value"""
-
-    raw: str
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
-        super().__init__()
-        self.raw = node.value
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            return loads(self.raw)
-        except JSONDecodeError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
-
-
 class Format(YAMLTag):
     """Format a string"""
 
@@ -367,7 +314,7 @@ class Format(YAMLTag):
 
 
 class Find(YAMLTag):
-    """Find any object primary key"""
+    """Find any object"""
 
     model_name: str | YAMLTag
     conditions: list[list]
@@ -382,7 +329,7 @@ class Find(YAMLTag):
                 values.append(loader.construct_object(node_values))
             self.conditions.append(values)
 
-    def _get_instance(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         if isinstance(self.model_name, YAMLTag):
             model_name = self.model_name.resolve(entry, blueprint)
         else:
@@ -404,29 +351,12 @@ class Find(YAMLTag):
             else:
                 query_value = cond[1]
             query &= Q(**{query_key: query_value})
-        return model_class.objects.filter(query).first()
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        instance = self._get_instance(entry, blueprint)
+        instance = model_class.objects.filter(query).first()
         if instance:
             return instance.pk
         return None
 
 
-class FindObject(Find):
-    """Find any object"""
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        instance = self._get_instance(entry, blueprint)
-        if not instance:
-            return None
-        if not isinstance(instance, SerializerModel):
-            raise EntryInvalidError.from_entry(
-                f"Model {self.model_name} is not resolvable through FindObject", entry
-            )
-        return instance.serializer(instance=instance).data
-
-
 class Condition(YAMLTag):
     """Convert all values to a single boolean"""
 
@@ -722,18 +652,15 @@ class BlueprintLoader(SafeLoader):
         super().__init__(*args, **kwargs)
         self.add_constructor("!KeyOf", KeyOf)
         self.add_constructor("!Find", Find)
-        self.add_constructor("!FindObject", FindObject)
         self.add_constructor("!Context", Context)
         self.add_constructor("!Format", Format)
         self.add_constructor("!Condition", Condition)
         self.add_constructor("!If", If)
         self.add_constructor("!Env", Env)
-        self.add_constructor("!File", File)
         self.add_constructor("!Enumerate", Enumerate)
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
         self.add_constructor("!AtIndex", AtIndex)
-        self.add_constructor("!ParseJSON", ParseJSON)
 
 
 class EntryInvalidError(SentryIgnoredException):

authentik/blueprints/v1/importer.py

@@ -36,7 +36,6 @@ from authentik.core.models import (
     GroupSourceConnection,
     PropertyMapping,
     Provider,
-    Session,
     Source,
     User,
     UserSourceConnection,
@@ -51,12 +50,13 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderGroup,
     MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.ssf.models import StreamEvent
+from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     EndpointDevice,
     EndpointDeviceConnection,
 )
 from authentik.events.logs import LogEvent, capture_logs
+from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
@@ -71,12 +71,10 @@ from authentik.providers.oauth2.models import (
     DeviceToken,
     RefreshToken,
 )
-from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
-from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
@@ -109,7 +107,6 @@ def excluded_models() -> list[type[Model]]:
         Policy,
         PolicyBindingModel,
         # Classes that have other dependencies
-        Session,
         AuthenticatedSession,
         # Classes which are only internally managed
         # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
@@ -118,7 +115,7 @@ def excluded_models() -> list[type[Model]]:
         SCIMProviderGroup,
         SCIMProviderUser,
         Tenant,
-        Task,
+        SystemTask,
         ConnectionToken,
         AuthorizationCode,
         AccessToken,
@@ -134,7 +131,6 @@ def excluded_models() -> list[type[Model]]:
         EndpointDevice,
         EndpointDeviceConnection,
         DeviceToken,
-        StreamEvent,
     )
 
 
@@ -384,7 +380,7 @@ class Importer:
     def _apply_models(self, raise_errors=False) -> bool:
         """Apply (create/update) models yaml"""
         self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
             model_app_label, model_name = entry.get_model(self._import).split(".")
             try:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)

authentik/blueprints/v1/meta/apply_blueprint.py

@@ -44,7 +44,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
             return MetaResult()
         LOGGER.debug("Applying blueprint from meta model", blueprint=self.blueprint_instance)
 
-        apply_blueprint(self.blueprint_instance.pk)
+        apply_blueprint(str(self.blueprint_instance.pk))
         return MetaResult()
 
 

authentik/blueprints/v1/meta/registry.py

@@ -47,7 +47,7 @@ class MetaModelRegistry:
         models = apps.get_models()
         for _, value in self.models.items():
             models.append(value)
-        return sorted(models, key=str)
+        return models
 
     def get_model(self, app_label: str, model_id: str) -> type[Model]:
         """Get model checks if any virtual models are registered, and falls back

authentik/blueprints/v1/tasks.py

@@ -4,17 +4,12 @@ from dataclasses import asdict, dataclass, field
 from hashlib import sha512
 from pathlib import Path
 from sys import platform
-from uuid import UUID
 
 from dacite.core import from_dict
-from django.conf import settings
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask, CurrentTaskNotFound
-from dramatiq.actor import actor
-from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
 from watchdog.events import (
     FileCreatedEvent,
@@ -36,13 +31,15 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
+from authentik.events.models import TaskStatus
+from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
-from authentik.tasks.models import Task
-from authentik.tasks.schedules.models import Schedule
+from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant
 
 LOGGER = get_logger()
+_file_watcher_started = False
 
 
 @dataclass
@@ -56,21 +53,22 @@ class BlueprintFile:
     meta: BlueprintMetadata | None = field(default=None)
 
 
-class BlueprintWatcherMiddleware(Middleware):
-    def start_blueprint_watcher(self):
-        """Start blueprint watcher"""
-        observer = Observer()
-        kwargs = {}
-        if platform.startswith("linux"):
-            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
-        observer.schedule(
-            BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
-        )
-        observer.start()
+def start_blueprint_watcher():
+    """Start blueprint watcher, if it's not running already."""
+    # This function might be called twice since it's called on celery startup
 
-    def after_worker_boot(self, broker, worker):
-        if not settings.TEST:
-            self.start_blueprint_watcher()
+    global _file_watcher_started  # noqa: PLW0603
+    if _file_watcher_started:
+        return
+    observer = Observer()
+    kwargs = {}
+    if platform.startswith("linux"):
+        kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
+    observer.schedule(
+        BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
+    )
+    observer.start()
+    _file_watcher_started = True
 
 
 class BlueprintEventHandler(FileSystemEventHandler):
@@ -94,7 +92,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
         LOGGER.debug("new blueprint file created, starting discovery")
         for tenant in Tenant.objects.filter(ready=True):
             with tenant:
-                Schedule.dispatch_by_actor(blueprints_discovery)
+                blueprints_discovery.delay()
 
     def on_modified(self, event: FileSystemEvent):
         """Process file modification"""
@@ -105,14 +103,14 @@ class BlueprintEventHandler(FileSystemEventHandler):
             with tenant:
                 for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                     LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                    apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+                    apply_blueprint.delay(instance.pk.hex)
 
 
-@actor(
-    description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
+@CELERY_APP.task(
     throws=(DatabaseError, ProgrammingError, InternalError),
 )
 def blueprints_find_dict():
+    """Find blueprints as `blueprints_find` does, but return a safe dict"""
     blueprints = []
     for blueprint in blueprints_find():
         blueprints.append(sanitize_dict(asdict(blueprint)))
@@ -148,19 +146,21 @@ def blueprints_find() -> list[BlueprintFile]:
     return blueprints
 
 
-@actor(
-    description=_("Find blueprints and check if they need to be created in the database."),
-    throws=(DatabaseError, ProgrammingError, InternalError),
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError), base=SystemTask, bind=True
 )
-def blueprints_discovery(path: str | None = None):
-    self: Task = CurrentTask.get_task()
+@prefill_task
+def blueprints_discovery(self: SystemTask, path: str | None = None):
+    """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
         if path and blueprint.path != path:
             continue
         check_blueprint_v1_file(blueprint)
         count += 1
-    self.info(f"Successfully imported {count} files.")
+    self.set_status(
+        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+    )
 
 
 def check_blueprint_v1_file(blueprint: BlueprintFile):
@@ -187,26 +187,22 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
         )
     if instance.last_applied_hash != blueprint.hash:
         LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
-        apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+        apply_blueprint.delay(str(instance.pk))
 
 
-@actor(description=_("Apply single blueprint."))
-def apply_blueprint(instance_pk: UUID):
-    try:
-        self: Task = CurrentTask.get_task()
-    except CurrentTaskNotFound:
-        self = Task()
-    self.set_uid(str(instance_pk))
+@CELERY_APP.task(
+    bind=True,
+    base=SystemTask,
+)
+def apply_blueprint(self: SystemTask, instance_pk: str):
+    """Apply single blueprint"""
+    self.save_on_success = False
     instance: BlueprintInstance | None = None
     try:
         instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
-        if not instance:
-            self.warning(f"Could not find blueprint {instance_pk}, skipping")
+        if not instance or not instance.enabled:
             return
         self.set_uid(slugify(instance.name))
-        if not instance.enabled:
-            self.info(f"Blueprint {instance.name} is disabled, skipping")
-            return
         blueprint_content = instance.retrieve()
         file_hash = sha512(blueprint_content.encode()).hexdigest()
         importer = Importer.from_string(blueprint_content, instance.context)
@@ -216,18 +212,19 @@ def apply_blueprint(instance_pk: UUID):
         if not valid:
             instance.status = BlueprintInstanceStatus.ERROR
             instance.save()
-            self.logs(logs)
+            self.set_status(TaskStatus.ERROR, *logs)
             return
         with capture_logs() as logs:
             applied = importer.apply()
             if not applied:
                 instance.status = BlueprintInstanceStatus.ERROR
                 instance.save()
-                self.logs(logs)
+                self.set_status(TaskStatus.ERROR, *logs)
                 return
         instance.status = BlueprintInstanceStatus.SUCCESSFUL
         instance.last_applied_hash = file_hash
         instance.last_applied = now()
+        self.set_status(TaskStatus.SUCCESSFUL)
     except (
         OSError,
         DatabaseError,
@@ -238,14 +235,15 @@ def apply_blueprint(instance_pk: UUID):
     ) as exc:
         if instance:
             instance.status = BlueprintInstanceStatus.ERROR
-        self.error(exc)
+        self.set_error(exc)
     finally:
         if instance:
             instance.save()
 
 
-@actor(description=_("Remove blueprints which couldn't be fetched."))
+@CELERY_APP.task()
 def clear_failed_blueprints():
+    """Remove blueprints which couldn't be fetched"""
     # Exclude OCI blueprints as those might be temporarily unavailable
     for blueprint in BlueprintInstance.objects.exclude(path__startswith=OCI_PREFIX):
         try:

authentik/brands/api.py

@@ -3,10 +3,10 @@
 from typing import Any
 
 from django.db import models
-from drf_spectacular.utils import extend_schema, extend_schema_field
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.fields import CharField, ChoiceField, ListField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
@@ -18,8 +18,6 @@ from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
-from authentik.tenants.api.settings import FlagJSONField
-from authentik.tenants.flags import Flag
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -51,8 +49,6 @@ class BrandSerializer(ModelSerializer):
             "branding_title",
             "branding_logo",
             "branding_favicon",
-            "branding_custom_css",
-            "branding_default_flow_background",
             "flow_authentication",
             "flow_invalidation",
             "flow_recovery",
@@ -61,7 +57,6 @@ class BrandSerializer(ModelSerializer):
             "flow_device_code",
             "default_application",
             "web_certificate",
-            "client_certificates",
             "attributes",
         ]
         extra_kwargs = {
@@ -91,7 +86,6 @@ class CurrentBrandSerializer(PassiveSerializer):
     branding_title = CharField()
     branding_logo = CharField(source="branding_logo_url")
     branding_favicon = CharField(source="branding_favicon_url")
-    branding_custom_css = CharField()
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,
@@ -112,16 +106,6 @@ class CurrentBrandSerializer(PassiveSerializer):
     flow_device_code = CharField(source="flow_device_code.slug", required=False)
 
     default_locale = CharField(read_only=True)
-    flags = SerializerMethodField()
-
-    @extend_schema_field(field=FlagJSONField)
-    def get_flags(self, _):
-        values = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                values[_flag.key] = _flag.get()
-        return values
 
 
 class BrandViewSet(UsedByMixin, ModelViewSet):
@@ -133,7 +117,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "domain",
         "branding_title",
         "web_certificate__name",
-        "client_certificates__name",
     ]
     filterset_fields = [
         "brand_uuid",
@@ -142,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "branding_title",
         "branding_logo",
         "branding_favicon",
-        "branding_default_flow_background",
         "flow_authentication",
         "flow_invalidation",
         "flow_recovery",
@@ -150,7 +132,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "flow_user_settings",
         "flow_device_code",
         "web_certificate",
-        "client_certificates",
     ]
     ordering = ["domain"]
 

authentik/brands/apps.py

@@ -1,16 +1,14 @@
 """authentik brands app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
     """authentik Brand app"""
 
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
-    default = True
     mountpoints = {
         "authentik.brands.urls_root": "",
     }
-    default = True

authentik/brands/migrations/0008_brand_branding_custom_css.py

@@ -1,35 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-22 01:51
-
-from pathlib import Path
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Brand = apps.get_model("authentik_brands", "brand")
-
-    db_alias = schema_editor.connection.alias
-
-    path = Path("/web/dist/custom.css")
-    if not path.exists():
-        return
-    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0007_brand_default_application"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_custom_css",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.RunPython(migrate_custom_css),
-    ]

authentik/brands/migrations/0009_brand_branding_default_flow_background.py

@@ -1,18 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-19 22:54
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0008_brand_branding_custom_css"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_default_flow_background",
-            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
-        ),
-    ]

authentik/brands/migrations/0010_brand_client_certificates_and_more.py

@@ -1,37 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-19 15:09
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0009_brand_branding_default_flow_background"),
-        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="client_certificates",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                help_text="Certificates used for client authentication.",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="brand",
-            name="web_certificate",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Web Certificate used by the authentik Core webserver.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-    ]

authentik/brands/models.py

@@ -33,10 +33,6 @@ class Brand(SerializerModel):
 
     branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
     branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
-    branding_custom_css = models.TextField(default="", blank=True)
-    branding_default_flow_background = models.TextField(
-        default="/static/dist/assets/images/flow_background.jpg"
-    )
 
     flow_authentication = models.ForeignKey(
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@@ -73,13 +69,6 @@ class Brand(SerializerModel):
         default=None,
         on_delete=models.SET_DEFAULT,
         help_text=_("Web Certificate used by the authentik Core webserver."),
-        related_name="+",
-    )
-    client_certificates = models.ManyToManyField(
-        CertificateKeyPair,
-        default=None,
-        blank=True,
-        help_text=_("Certificates used for client authentication."),
     )
     attributes = models.JSONField(default=dict, blank=True)
 
@@ -95,12 +84,6 @@ class Brand(SerializerModel):
             return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
         return self.branding_favicon
 
-    def branding_default_flow_background_url(self) -> str:
-        """Get branding_default_flow_background with the correct prefix"""
-        if self.branding_default_flow_background.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
-        return self.branding_default_flow_background
-
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer

authentik/brands/tests.py

@@ -10,20 +10,11 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_brand
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider
-from authentik.tenants.flags import Flag
 
 
 class TestBrands(APITestCase):
     """Test brands"""
 
-    def setUp(self):
-        super().setUp()
-        self.default_flags = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                self.default_flags[_flag.key] = _flag.get()
-
     def test_current_brand(self):
         """Test Current brand API"""
         brand = create_test_brand()
@@ -33,12 +24,10 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "authentik",
-                "branding_custom_css": "",
                 "matched_domain": brand.domain,
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
-                "flags": self.default_flags,
             },
         )
 
@@ -54,12 +43,10 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "custom",
-                "branding_custom_css": "",
                 "matched_domain": "bar.baz",
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
-                "flags": self.default_flags,
             },
         )
 
@@ -72,12 +59,10 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "authentik",
-                "branding_custom_css": "",
                 "matched_domain": "fallback",
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
                 "default_locale": "",
-                "flags": self.default_flags,
             },
         )
 
@@ -136,39 +121,3 @@ class TestBrands(APITestCase):
                 "subject": None,
             },
         )
-
-    def test_branding_url(self):
-        """Test branding attributes return correct values"""
-        brand = create_test_brand()
-        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
-        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
-        brand.branding_logo = "https://goauthentik.io/img/icon.png"
-        brand.save()
-        self.assertEqual(
-            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
-        )
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
-            {
-                "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_title": "authentik",
-                "branding_custom_css": "",
-                "matched_domain": brand.domain,
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-                "flags": self.default_flags,
-            },
-        )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())

authentik/brands/utils.py

@@ -5,12 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe
+from sentry_sdk import get_current_span
 
-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.brands.models import Brand
-from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 
 _q_default = Q(default=True)
@@ -34,14 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     """Context Processor that injects brand object into every template"""
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
+    trace = ""
+    span = get_current_span()
+    if span:
+        trace = span.to_traceparent()
     return {
         "brand": brand,
-        "brand_css": brand_css,
         "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
-        "version": authentik_full_version(),
+        "sentry_trace": trace,
+        "version": get_full_version(),
     }

authentik/core/api/applications.py

@@ -2,11 +2,12 @@
 
 from collections.abc import Iterator
 from copy import copy
+from datetime import timedelta
 
 from django.core.cache import cache
 from django.db.models import QuerySet
+from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
-from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
@@ -19,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@@ -26,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
+from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
     FilePathSerializer,
     FileUploadSerializer,
@@ -43,7 +46,7 @@ LOGGER = get_logger()
 
 def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
     """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
+    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
     if page_number:
         key += f"/{page_number}"
     return key
@@ -67,15 +70,6 @@ class ApplicationSerializer(ModelSerializer):
             user = self.context["request"].user
         return app.get_launch_url(user)
 
-    def validate_slug(self, slug: str) -> str:
-        if slug in Application.reserved_slugs:
-            raise ValidationError(
-                _("The slug '{slug}' is reserved and cannot be used for applications.").format(
-                    slug=slug
-                )
-            )
-        return slug
-
     def __init__(self, *args, **kwargs) -> None:
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
@@ -159,10 +153,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return applications
 
     def _filter_applications_with_launch_url(
-        self, paginated_apps: Iterator[Application]
+        self, pagined_apps: Iterator[Application]
     ) -> list[Application]:
         applications = []
-        for app in paginated_apps:
+        for app in pagined_apps:
             if app.get_launch_url():
                 applications.append(app)
         return applications
@@ -327,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         """Set application icon (as URL)"""
         app: Application = self.get_object()
         return set_file_url(request, app, "meta_icon")
+
+    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def metrics(self, request: Request, slug: str):
+        """Metrics for application logins"""
+        app = self.get_object()
+        return Response(
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION,
+                context__authorized_application__pk=app.pk.hex,
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )

authentik/core/api/authenticated_sessions.py

@@ -5,7 +5,6 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
-from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
@@ -55,11 +54,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
     """AuthenticatedSession Serializer"""
 
-    expires = DateTimeField(source="session.expires", read_only=True)
-    last_ip = IPAddressField(source="session.last_ip", read_only=True)
-    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
-    last_used = DateTimeField(source="session.last_used", read_only=True)
-
     current = SerializerMethodField()
     user_agent = SerializerMethodField()
     geo_ip = SerializerMethodField()
@@ -68,19 +62,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
     def get_current(self, instance: AuthenticatedSession) -> bool:
         """Check if session is currently active session"""
         request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key
 
     def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
         """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)
 
     def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
         """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
 
     def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
         """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
 
     class Meta:
         model = AuthenticatedSession
@@ -96,7 +90,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
             "last_used",
             "expires",
         ]
-        extra_args = {"uuid": {"read_only": True}}
 
 
 class AuthenticatedSessionViewSet(
@@ -108,10 +101,9 @@ class AuthenticatedSessionViewSet(
 ):
     """AuthenticatedSession Viewset"""
 
-    lookup_field = "uuid"
-    queryset = AuthenticatedSession.objects.select_related("session").all()
+    queryset = AuthenticatedSession.objects.all()
     serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
     ordering = ["user__username"]
     owner_field = "user"