ci: bump taiki-e/install-action in /.github/actions/setup

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.75.23 to 2.75.25.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](481c34c1cf...1329c298aa)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.75.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/actions/setup/action.yml

@@ -64,7 +64,7 @@ runs:
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2
+      uses: taiki-e/install-action@1329c298aa20c3257846c9b2e0e55967df3e3c37 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)
@@ -104,7 +104,7 @@ runs:
       working-directory: ${{ inputs.working-directory }}
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/compose.yml up -d
+        docker compose -f .github/actions/setup/compose.yml up -d --wait
         cd web && npm ci
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}

.github/actions/setup/compose.yml

@@ -8,8 +8,14 @@ services:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
       POSTGRES_DB: authentik
+      PGDATA: /var/lib/postgresql/data/pgdata
     ports:
       - 5432:5432
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} -h 127.0.0.1"]
+      interval: 1s
+      timeout: 5s
+      retries: 60
     restart: always
   s3:
     container_name: s3

authentik/api/tests/test_viewsets.py

@@ -1,31 +1,73 @@
 """authentik API Modelviewset tests"""
 
 from collections.abc import Callable
+from urllib.parse import urlencode
 
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
+from authentik.core.tests.utils import RequestFactory, create_test_admin_user
+from authentik.lib.generators import generate_id
+from authentik.tenants.api.domains import DomainViewSet
+from authentik.tenants.api.tenants import TenantViewSet
+from authentik.tenants.utils import get_current_tenant
 
 
 class TestModelViewSets(TestCase):
     """Test Viewset"""
 
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.factory = RequestFactory()
 
-def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
+
+def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
     """Test Viewset"""
 
-    def tester(self: TestModelViewSets):
-        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+    def test_attrs(self: TestModelViewSets) -> None:
+        """Test attributes we require on all viewsets"""
         self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
         filterset_class = getattr(test_viewset, "filterset_class", None)
         if not filterset_class:
             self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
 
-    return tester
+    def test_ordering(self: TestModelViewSets) -> None:
+        """Test that all ordering fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        for ordering_field in test_viewset.ordering:
+            with self.subTest(ordering_field):
+                req = self.factory.get(
+                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
+                )
+                req.tenant = get_current_tenant()
+                res = view(req)
+                self.assertEqual(res.status_code, 200)
+
+    def test_search(self: TestModelViewSets) -> None:
+        """Test that search fields are correct"""
+        view = test_viewset.as_view({"get": "list"})
+        req = self.factory.get(
+            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
+        )
+        req.tenant = get_current_tenant()
+        res = view(req)
+        self.assertEqual(res.status_code, 200)
+
+    cases = {
+        "attrs": test_attrs,
+    }
+    if full:
+        cases["ordering"] = test_ordering
+        cases["search"] = test_search
+    return cases
 
 
 for _, viewset, _ in router.registry:
     if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
         continue
-    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
+    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
+    for test, case in viewset_tester_factory(viewset, full=full).items():
+        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)

authentik/blueprints/api.py

@@ -126,7 +126,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
 
 def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
     """Check for individual permissions for each model in a blueprint"""
-    for entry in blueprint.entries:
+    for entry in blueprint.iter_entries():
         full_model = entry.get_model(blueprint)
         app, __, model = full_model.partition(".")
         perms = [

authentik/blueprints/tests/test_v1_conditions.py

@@ -1,8 +1,11 @@
 """Test blueprints v1"""
 
+from unittest.mock import patch
+
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.enterprise.license import LicenseKey
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
@@ -42,3 +45,45 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
         # Ensure objects do not exist
         self.assertFalse(Flow.objects.filter(slug=flow_slug1))
         self.assertFalse(Flow.objects.filter(slug=flow_slug2))
+
+    def test_enterprise_license_context_unlicensed(self):
+        """Test enterprise license context defaults to a false boolean when unlicensed."""
+        license_key = LicenseKey("test", 0, "Test license", 0, 0)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string("""
+version: 1
+entries:
+    - identifiers:
+          name: enterprise-test
+          slug: enterprise-test
+      model: authentik_flows.flow
+      conditions:
+          - !Context goauthentik.io/enterprise/licensed
+      attrs:
+          designation: stage_configuration
+          title: foo
+""")
+
+        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], False)
+
+    def test_enterprise_license_context_licensed(self):
+        """Test enterprise license context defaults to a true boolean when licensed."""
+        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string("""
+version: 1
+entries:
+    - identifiers:
+          name: enterprise-test
+          slug: enterprise-test
+      model: authentik_flows.flow
+      conditions:
+          - !Context goauthentik.io/enterprise/licensed
+      attrs:
+          designation: stage_configuration
+          title: foo
+""")
+
+        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], True)

authentik/blueprints/v1/importer.py

@@ -146,9 +146,7 @@ class Importer:
         try:
             from authentik.enterprise.license import LicenseKey
 
-            context["goauthentik.io/enterprise/licensed"] = (
-                LicenseKey.get_total().status().is_valid,
-            )
+            context["goauthentik.io/enterprise/licensed"] = LicenseKey.get_total().status().is_valid
         except ModuleNotFoundError:
             pass
         return context

authentik/brands/api.py

@@ -64,6 +64,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "flow_lockdown",
             "default_application",
             "web_certificate",
             "client_certificates",
@@ -117,6 +118,7 @@ class CurrentBrandSerializer(PassiveSerializer):
     flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
     flow_user_settings = CharField(source="flow_user_settings.slug", required=False)
     flow_device_code = CharField(source="flow_device_code.slug", required=False)
+    flow_lockdown = CharField(source="flow_lockdown.slug", required=False)
 
     default_locale = CharField(read_only=True)
     flags = SerializerMethodField()
@@ -154,6 +156,7 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "flow_unenrollment",
         "flow_user_settings",
         "flow_device_code",
+        "flow_lockdown",
         "web_certificate",
         "client_certificates",
     ]

authentik/brands/migrations/0012_brand_flow_lockdown.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.2.12 on 2026-03-14 02:58
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0011_alter_brand_branding_default_flow_background_and_more"),
+        ("authentik_flows", "0031_alter_flow_layout"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="flow_lockdown",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="brand_lockdown",
+                to="authentik_flows.flow",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -58,6 +58,9 @@ class Brand(SerializerModel):
     flow_device_code = models.ForeignKey(
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
+    flow_lockdown = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_lockdown"
+    )
 
     default_application = models.ForeignKey(
         "authentik_core.Application",

authentik/brands/tests.py

@@ -20,11 +20,16 @@ class TestBrands(APITestCase):
 
     def setUp(self):
         super().setUp()
-        self.default_flags = {}
-        for flag in Flag.available(visibility="public"):
-            self.default_flags[flag().key] = flag.get()
         Brand.objects.all().delete()
 
+    @property
+    def default_flags(self) -> dict[str, object]:
+        """Get current public flags.
+
+        Some tests define temporary Flag subclasses, so this can't be cached in setUp.
+        """
+        return {flag().key: flag.get() for flag in Flag.available(visibility="public")}
+
     def test_current_brand(self):
         """Test Current brand API"""
         brand = create_test_brand()

authentik/core/api/application_entitlements.py

@@ -47,7 +47,8 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
     search_fields = [
         "pbm_uuid",
         "name",
-        "app",
+        "app__name",
+        "app__slug",
         "attributes",
     ]
     filterset_fields = [

authentik/core/api/users.py

@@ -563,6 +563,9 @@ class UsersFilter(FilterSet):
 
 
 class UserViewSet(
+    ConditionalInheritance(
+        "authentik.enterprise.stages.account_lockdown.api.UserAccountLockdownMixin"
+    ),
     ConditionalInheritance("authentik.enterprise.reports.api.reports.ExportMixin"),
     UsedByMixin,
     ModelViewSet,

authentik/core/templates/login/base_full.html

@@ -12,7 +12,7 @@
 {% block head %}
 <style data-id="static-styles">
     :root {
-        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url|iriencode|safe }}");
     }
 </style>
 

authentik/enterprise/lifecycle/api/iterations.py

@@ -1,7 +1,6 @@
 from datetime import datetime
 
-from django.db.models import BooleanField as ModelBooleanField
-from django.db.models import Case, Q, Value, When
+from django.db.models import Exists, OuterRef, Q, Subquery
 from django_filters.rest_framework import BooleanFilter, FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
@@ -14,7 +13,7 @@ from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.lifecycle.api.reviews import ReviewSerializer
-from authentik.enterprise.lifecycle.models import LifecycleIteration, ReviewState
+from authentik.enterprise.lifecycle.models import LifecycleIteration, LifecycleRule, ReviewState
 from authentik.enterprise.lifecycle.utils import (
     ContentTypeField,
     ReviewerGroupSerializer,
@@ -26,20 +25,25 @@ from authentik.enterprise.lifecycle.utils import (
 from authentik.lib.utils.time import timedelta_from_string
 
 
+class RelatedRuleSerializer(EnterpriseRequiredMixin, ModelSerializer):
+    reviewer_groups = ReviewerGroupSerializer(many=True, read_only=True)
+    min_reviewers = IntegerField(read_only=True)
+    reviewers = ReviewerUserSerializer(many=True, read_only=True)
+
+    class Meta:
+        model = LifecycleRule
+        fields = ["id", "name", "reviewer_groups", "min_reviewers", "reviewers"]
+
+
 class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
     content_type = ContentTypeField()
     object_verbose = SerializerMethodField()
+    rule = RelatedRuleSerializer(read_only=True)
     object_admin_url = SerializerMethodField(read_only=True)
     grace_period_end = SerializerMethodField(read_only=True)
     reviews = ReviewSerializer(many=True, read_only=True, source="review_set.all")
     user_can_review = SerializerMethodField(read_only=True)
 
-    reviewer_groups = ReviewerGroupSerializer(
-        many=True, read_only=True, source="rule.reviewer_groups"
-    )
-    min_reviewers = IntegerField(read_only=True, source="rule.min_reviewers")
-    reviewers = ReviewerUserSerializer(many=True, read_only=True, source="rule.reviewers")
-
     next_review_date = SerializerMethodField(read_only=True)
 
     class Meta:
@@ -55,10 +59,8 @@ class LifecycleIterationSerializer(EnterpriseRequiredMixin, ModelSerializer):
             "grace_period_end",
             "next_review_date",
             "reviews",
+            "rule",
             "user_can_review",
-            "reviewer_groups",
-            "min_reviewers",
-            "reviewers",
         ]
         read_only_fields = fields
 
@@ -88,43 +90,55 @@ class IterationViewSet(EnterpriseRequiredMixin, CreateModelMixin, GenericViewSet
     queryset = LifecycleIteration.objects.all()
     serializer_class = LifecycleIterationSerializer
     ordering = ["-opened_on"]
-    ordering_fields = ["state", "content_type__model", "opened_on", "grace_period_end"]
+    ordering_fields = [
+        "state",
+        "content_type__model",
+        "rule__name",
+        "opened_on",
+        "grace_period_end",
+    ]
     filterset_class = LifecycleIterationFilterSet
 
     def get_queryset(self):
         user = self.request.user
         return self.queryset.annotate(
-            user_is_reviewer=Case(
-                When(
-                    Q(rule__reviewers=user)
-                    | Q(rule__reviewer_groups__in=user.groups.all().with_ancestors()),
-                    then=Value(True),
-                ),
-                default=Value(False),
-                output_field=ModelBooleanField(),
+            user_is_reviewer=Exists(
+                LifecycleRule.objects.filter(
+                    pk=OuterRef("rule_id"),
+                ).filter(
+                    Q(reviewers=user) | Q(reviewer_groups__in=user.groups.all().with_ancestors())
+                )
             )
-        ).distinct()
+        )
 
+    @extend_schema(
+        operation_id="lifecycle_iterations_list_latest",
+        responses={200: LifecycleIterationSerializer(many=True)},
+    )
     @action(
         detail=False,
+        pagination_class=None,
         methods=["get"],
         url_path=r"latest/(?P<content_type>[^/]+)/(?P<object_id>[^/]+)",
     )
-    def latest_iteration(self, request: Request, content_type: str, object_id: str) -> Response:
+    def latest_iterations(self, request: Request, content_type: str, object_id: str) -> Response:
         ct = parse_content_type(content_type)
-        try:
-            obj = (
-                self.get_queryset()
-                .filter(
-                    content_type__app_label=ct["app_label"],
-                    content_type__model=ct["model"],
-                    object_id=object_id,
-                )
-                .latest("opened_on")
+        latest_ids_subquery = (
+            LifecycleIteration.objects.filter(
+                rule=OuterRef("rule"),
+                content_type__app_label=ct["app_label"],
+                content_type__model=ct["model"],
+                object_id=object_id,
             )
-        except LifecycleIteration.DoesNotExist:
-            return Response(status=404)
-        serializer = self.get_serializer(obj)
+            .order_by("-opened_on")
+            .values("id")[:1]
+        )
+        latest_per_rule = LifecycleIteration.objects.filter(
+            content_type__app_label=ct["app_label"],
+            content_type__model=ct["model"],
+            object_id=object_id,
+        ).filter(id=Subquery(latest_ids_subquery))
+        serializer = self.get_serializer(latest_per_rule, many=True)
         return Response(serializer.data)
 
     @extend_schema(

authentik/enterprise/lifecycle/api/rules.py

@@ -84,23 +84,6 @@ class LifecycleRuleSerializer(EnterpriseRequiredMixin, ModelSerializer):
                 raise ValidationError(
                     {"grace_period": _("Grace period must be shorter than the interval.")}
                 )
-        if "content_type" in attrs or "object_id" in attrs:
-            content_type = attrs.get("content_type", getattr(self.instance, "content_type", None))
-            object_id = attrs.get("object_id", getattr(self.instance, "object_id", None))
-            if content_type is not None and object_id is None:
-                existing = LifecycleRule.objects.filter(
-                    content_type=content_type, object_id__isnull=True
-                )
-                if self.instance:
-                    existing = existing.exclude(pk=self.instance.pk)
-                if existing.exists():
-                    raise ValidationError(
-                        {
-                            "content_type": _(
-                                "Only one type-wide rule for each object type is allowed."
-                            )
-                        }
-                    )
         return attrs
 
 

authentik/enterprise/lifecycle/migrations/0003_remove_lifecyclerule_uniq_lifecycle_rule_ct_null_object_and_more.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.2.11 on 2026-03-05 11:27
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_lifecycle", "0002_alter_lifecycleiteration_opened_on"),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="lifecyclerule",
+            name="uniq_lifecycle_rule_ct_null_object",
+        ),
+        migrations.AlterUniqueTogether(
+            name="lifecyclerule",
+            unique_together=set(),
+        ),
+    ]

authentik/enterprise/lifecycle/models.py

@@ -56,14 +56,6 @@ class LifecycleRule(SerializerModel):
 
     class Meta:
         indexes = [models.Index(fields=["content_type"])]
-        unique_together = [["content_type", "object_id"]]
-        constraints = [
-            models.UniqueConstraint(
-                fields=["content_type"],
-                condition=Q(object_id__isnull=True),
-                name="uniq_lifecycle_rule_ct_null_object",
-            )
-        ]
 
     @property
     def serializer(self) -> type[BaseSerializer]:
@@ -82,12 +74,6 @@ class LifecycleRule(SerializerModel):
         qs = self.content_type.get_all_objects_for_this_type()
         if self.object_id:
             qs = qs.filter(pk=self.object_id)
-        else:
-            qs = qs.exclude(
-                pk__in=LifecycleRule.objects.filter(
-                    content_type=self.content_type, object_id__isnull=False
-                ).values_list(Cast("object_id", output_field=self._get_pk_field()), flat=True)
-            )
         return qs
 
     def _get_stale_iterations(self) -> QuerySet[LifecycleIteration]:
@@ -107,8 +93,7 @@ class LifecycleRule(SerializerModel):
 
     def _get_newly_due_objects(self) -> QuerySet:
         recent_iteration_ids = LifecycleIteration.objects.filter(
-            content_type=self.content_type,
-            object_id__isnull=False,
+            rule=self,
             opened_on__gte=start_of_day(
                 timezone.now() + timedelta(days=1) - timedelta_from_string(self.interval)
             ),
@@ -214,9 +199,15 @@ class LifecycleIteration(SerializerModel, ManagedModel):
         }
 
     def initialize(self):
+        if (self.content_type.app_label, self.content_type.model) == ("authentik_core", "group"):
+            object_label = self.object.name
+        elif (self.content_type.app_label, self.content_type.model) == ("authentik_rbac", "role"):
+            object_label = self.object.name
+        else:
+            object_label = str(self.object)
         event = Event.new(
             EventAction.REVIEW_INITIATED,
-            message=_(f"Access review is due for {self.content_type.name} {str(self.object)}"),
+            message=_(f"Access review is due for {self.content_type.name.lower()} {object_label}"),
             **self._get_event_args(),
         )
         event.save()

authentik/enterprise/lifecycle/signals.py

@@ -3,6 +3,7 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 
 from authentik.enterprise.lifecycle.models import LifecycleRule, ReviewState
+from authentik.tasks.schedules.models import Schedule
 
 
 @receiver(post_save, sender=LifecycleRule)
@@ -11,7 +12,9 @@ def post_rule_save(sender, instance: LifecycleRule, created: bool, **_):
 
     apply_lifecycle_rule.send_with_options(
         args=(instance.id,),
-        rel_obj=instance,
+        rel_obj=Schedule.objects.get(
+            actor_name="authentik.enterprise.lifecycle.tasks.apply_lifecycle_rules"
+        ),
     )
 
 

authentik/enterprise/lifecycle/tasks.py

@@ -4,14 +4,17 @@ from dramatiq import actor
 from authentik.core.models import User
 from authentik.enterprise.lifecycle.models import LifecycleRule
 from authentik.events.models import Event, Notification, NotificationTransport
+from authentik.tasks.schedules.models import Schedule
 
 
-@actor(description=_("Dispatch tasks to validate lifecycle rules."))
+@actor(description=_("Dispatch tasks to apply lifecycle rules."))
 def apply_lifecycle_rules():
     for rule in LifecycleRule.objects.all():
         apply_lifecycle_rule.send_with_options(
             args=(rule.id,),
-            rel_obj=rule,
+            rel_obj=Schedule.objects.get(
+                actor_name="authentik.enterprise.lifecycle.tasks.apply_lifecycle_rules"
+            ),
         )
 
 

authentik/enterprise/lifecycle/tests/test_api.py

@@ -1,3 +1,4 @@
+from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse
 from rest_framework.test import APITestCase
@@ -19,6 +20,11 @@ class TestLifecycleRuleAPI(APITestCase):
         self.content_type = ContentType.objects.get_for_model(Application)
         self.reviewer_group = Group.objects.create(name=generate_id())
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_list_rules(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),
@@ -190,6 +196,11 @@ class TestIterationAPI(APITestCase):
         self.reviewer_group = Group.objects.create(name=generate_id())
         self.reviewer_group.users.add(self.user)
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_open_iterations(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),
@@ -231,7 +242,7 @@ class TestIterationAPI(APITestCase):
 
         response = self.client.get(
             reverse(
-                "authentik_api:lifecycleiteration-latest-iteration",
+                "authentik_api:lifecycleiteration-latest-iterations",
                 kwargs={
                     "content_type": f"{self.content_type.app_label}.{self.content_type.model}",
                     "object_id": str(self.app.pk),
@@ -239,19 +250,20 @@ class TestIterationAPI(APITestCase):
             )
         )
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(response.data["object_id"], str(self.app.pk))
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data[0]["object_id"], str(self.app.pk))
 
     def test_latest_iteration_not_found(self):
         response = self.client.get(
             reverse(
-                "authentik_api:lifecycleiteration-latest-iteration",
+                "authentik_api:lifecycleiteration-latest-iterations",
                 kwargs={
                     "content_type": f"{self.content_type.app_label}.{self.content_type.model}",
                     "object_id": "00000000-0000-0000-0000-000000000000",
                 },
             )
         )
-        self.assertEqual(response.status_code, 404)
+        self.assertEqual(response.data, [])
 
     def test_iteration_includes_user_can_review(self):
         rule = LifecycleRule.objects.create(
@@ -279,6 +291,11 @@ class TestReviewAPI(APITestCase):
         self.reviewer_group = Group.objects.create(name=generate_id())
         self.reviewer_group.users.add(self.user)
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def test_create_review(self):
         rule = LifecycleRule.objects.create(
             name=generate_id(),

authentik/enterprise/lifecycle/tests/test_models.py

@@ -2,6 +2,7 @@ import datetime as dt
 from datetime import timedelta
 from unittest.mock import patch
 
+from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
 from django.test import RequestFactory, TestCase
 from django.utils import timezone
@@ -29,6 +30,11 @@ class TestLifecycleModels(TestCase):
     def setUp(self):
         self.factory = RequestFactory()
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def _get_request(self):
         return self.factory.get("/")
 
@@ -438,31 +444,6 @@ class TestLifecycleModels(TestCase):
         self.assertIn(app_one, objects)
         self.assertIn(app_two, objects)
 
-    def test_rule_type_excludes_objects_with_specific_rules(self):
-        app_with_rule = Application.objects.create(name=generate_id(), slug=generate_id())
-        app_without_rule = Application.objects.create(name=generate_id(), slug=generate_id())
-        content_type = ContentType.objects.get_for_model(Application)
-
-        # Create a specific rule for app_with_rule
-        LifecycleRule.objects.create(
-            name=generate_id(),
-            content_type=content_type,
-            object_id=str(app_with_rule.pk),
-            interval="days=30",
-        )
-
-        # Create a type-level rule
-        type_rule = LifecycleRule.objects.create(
-            name=generate_id(),
-            content_type=content_type,
-            object_id=None,
-            interval="days=60",
-        )
-
-        objects = list(type_rule.get_objects())
-        self.assertNotIn(app_with_rule, objects)
-        self.assertIn(app_without_rule, objects)
-
     def test_rule_type_apply_creates_iterations_for_all_objects(self):
         app_one = Application.objects.create(name=generate_id(), slug=generate_id())
         app_two = Application.objects.create(name=generate_id(), slug=generate_id())
@@ -669,6 +650,73 @@ class TestLifecycleModels(TestCase):
         self.assertIn(explicit_reviewer, reviewers)
         self.assertIn(group_member, reviewers)
 
+    def test_multiple_rules_same_object_create_separate_iterations(self):
+        """Two rules targeting the same object each create their own iteration."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        rule_one = self._create_rule_for_object(obj, interval="days=30", grace_period="days=10")
+        rule_two = self._create_rule_for_object(obj, interval="days=60", grace_period="days=20")
+
+        iterations = LifecycleIteration.objects.filter(
+            content_type=content_type, object_id=str(obj.pk)
+        )
+        self.assertEqual(iterations.count(), 2)
+
+        iter_one = iterations.get(rule=rule_one)
+        iter_two = iterations.get(rule=rule_two)
+        self.assertEqual(iter_one.state, ReviewState.PENDING)
+        self.assertEqual(iter_two.state, ReviewState.PENDING)
+        self.assertNotEqual(iter_one.pk, iter_two.pk)
+
+    def test_multiple_rules_same_object_reviewed_independently(self):
+        """Reviewing one rule's iteration does not affect the other rule's iteration."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        reviewer = create_test_user()
+
+        rule_one = self._create_rule_for_object(obj, min_reviewers=1)
+        rule_two = self._create_rule_for_object(obj, min_reviewers=1)
+
+        group = Group.objects.create(name=generate_id())
+        group.users.add(reviewer)
+        rule_one.reviewer_groups.add(group)
+        rule_two.reviewer_groups.add(group)
+
+        iter_one = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(obj.pk), rule=rule_one
+        )
+        iter_two = LifecycleIteration.objects.get(
+            content_type=content_type, object_id=str(obj.pk), rule=rule_two
+        )
+
+        request = self._get_request()
+
+        # Review only rule_one's iteration
+        Review.objects.create(iteration=iter_one, reviewer=reviewer)
+        iter_one.on_review(request)
+
+        iter_one.refresh_from_db()
+        iter_two.refresh_from_db()
+        self.assertEqual(iter_one.state, ReviewState.REVIEWED)
+        self.assertEqual(iter_two.state, ReviewState.PENDING)
+
+    def test_type_rule_and_object_rule_both_create_iterations(self):
+        """A type-level rule and an object-level rule both create iterations for the same object."""
+        obj = Application.objects.create(name=generate_id(), slug=generate_id())
+        content_type = ContentType.objects.get_for_model(obj)
+
+        object_rule = self._create_rule_for_object(obj, interval="days=30")
+        type_rule = self._create_rule_for_type(Application, interval="days=60")
+
+        iterations = LifecycleIteration.objects.filter(
+            content_type=content_type, object_id=str(obj.pk)
+        )
+        self.assertEqual(iterations.count(), 2)
+        self.assertTrue(iterations.filter(rule=object_rule).exists())
+        self.assertTrue(iterations.filter(rule=type_rule).exists())
+
 
 class TestLifecycleDateBoundaries(TestCase):
     """Verify that start_of_day normalization ensures correct overdue/due
@@ -679,6 +727,11 @@ class TestLifecycleDateBoundaries(TestCase):
     ensures that the boundary is always at midnight, so millisecond variations
     in task execution time do not affect results."""
 
+    @classmethod
+    def setUpTestData(cls):
+        config = apps.get_app_config("authentik_tasks_schedules")
+        config._on_startup_callback(None)
+
     def _create_rule_and_iteration(self, grace_period="days=1", interval="days=365"):
         app = Application.objects.create(name=generate_id(), slug=generate_id())
         content_type = ContentType.objects.get_for_model(Application)

authentik/enterprise/settings.py

@@ -14,6 +14,7 @@ TENANT_APPS = [
     "authentik.enterprise.providers.ssf",
     "authentik.enterprise.providers.ws_federation",
     "authentik.enterprise.reports",
+    "authentik.enterprise.stages.account_lockdown",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.mtls",
     "authentik.enterprise.stages.source",

authentik/enterprise/stages/account_lockdown/api.py

@@ -0,0 +1,141 @@
+"""Account Lockdown Stage API Views"""
+
+from django.utils.translation import gettext as _
+from drf_spectacular.utils import OpenApiExample, OpenApiResponse, extend_schema
+from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import PrimaryKeyRelatedField
+from rest_framework.viewsets import ModelViewSet
+from structlog.stdlib import get_logger
+
+from authentik.api.validation import validate
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import LinkSerializer, PassiveSerializer
+from authentik.core.models import (
+    User,
+)
+from authentik.enterprise.api import EnterpriseRequiredMixin, enterprise_action
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.enterprise.stages.account_lockdown.stage import (
+    can_lock_user,
+    get_lockdown_target_users,
+)
+from authentik.flows.api.stages import StageSerializer
+from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
+
+LOGGER = get_logger()
+
+
+class AccountLockdownStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """AccountLockdownStage Serializer"""
+
+    class Meta:
+        model = AccountLockdownStage
+        fields = StageSerializer.Meta.fields + [
+            "deactivate_user",
+            "set_unusable_password",
+            "delete_sessions",
+            "revoke_tokens",
+            "self_service_completion_flow",
+        ]
+
+
+class AccountLockdownStageViewSet(UsedByMixin, ModelViewSet):
+    """AccountLockdownStage Viewset"""
+
+    queryset = AccountLockdownStage.objects.all()
+    serializer_class = AccountLockdownStageSerializer
+    filterset_fields = "__all__"
+    ordering = ["name"]
+    search_fields = ["name"]
+
+
+class UserAccountLockdownSerializer(PassiveSerializer):
+    """Choose the target account before starting the lockdown flow."""
+
+    user = PrimaryKeyRelatedField(
+        queryset=get_lockdown_target_users(),
+        required=False,
+        allow_null=True,
+        help_text=_("User to lock. If omitted, locks the current user (self-service)."),
+    )
+
+
+class UserAccountLockdownMixin:
+    """Enterprise account-lockdown API actions for UserViewSet."""
+
+    def _create_lockdown_flow_url(self, request: Request, user: User) -> str:
+        """Create a flow URL for account lockdown.
+
+        The request body selects the target before the flow starts. The API
+        pre-plans the lockdown flow with the target as the pending user, so the
+        account lockdown stage can use the normal flow context.
+        """
+        flow = request._request.brand.flow_lockdown
+        if flow is None:
+            raise ValidationError({"non_field_errors": [_("No lockdown flow configured.")]})
+        planner = FlowPlanner(flow)
+        planner.use_cache = False
+        try:
+            plan = planner.plan(request._request, {PLAN_CONTEXT_PENDING_USER: user})
+        except EmptyFlowException, FlowNonApplicableException:
+            raise ValidationError(
+                {"non_field_errors": [_("Lockdown flow is not applicable.")]}
+            ) from None
+        return plan.to_redirect(request._request, flow).url
+
+    @extend_schema(
+        description=_("Choose the target account, then return a flow link."),
+        request=UserAccountLockdownSerializer,
+        responses={
+            "200": OpenApiResponse(
+                response=LinkSerializer,
+                examples=[
+                    OpenApiExample(
+                        "Lockdown flow URL",
+                        value={
+                            "link": "https://example.invalid/if/flow/default-account-lockdown/",
+                        },
+                        response_only=True,
+                        status_codes=["200"],
+                    )
+                ],
+            ),
+            "400": OpenApiResponse(
+                description=_("No lockdown flow configured or the flow is not applicable")
+            ),
+            "403": OpenApiResponse(
+                description=_("Permission denied (when targeting another user)")
+            ),
+        },
+    )
+    @action(
+        detail=False,
+        methods=["POST"],
+        permission_classes=[IsAuthenticated],
+        url_path="account_lockdown",
+    )
+    @validate(UserAccountLockdownSerializer)
+    @enterprise_action
+    def account_lockdown(self, request: Request, body: UserAccountLockdownSerializer) -> Response:
+        """Trigger account lockdown for a user.
+
+        If no user is specified, locks the current user (self-service).
+        When targeting another user, admin permissions are required.
+
+        Returns a flow link for the frontend to follow. The flow is pre-planned
+        with the target user as pending user for the lockdown stage.
+        """
+        user = body.validated_data.get("user") or request.user
+
+        if not can_lock_user(request.user, user):
+            LOGGER.debug("Permission denied for account lockdown", user=request.user)
+            self.permission_denied(request)
+
+        flow_url = self._create_lockdown_flow_url(request, user)
+        LOGGER.debug("Returning lockdown flow URL", flow_url=flow_url, user=user.username)
+        return Response({"link": flow_url})

authentik/enterprise/stages/account_lockdown/apps.py

@@ -0,0 +1,12 @@
+"""authentik account lockdown stage app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseStageAccountLockdownConfig(EnterpriseConfig):
+    """authentik account lockdown stage config"""
+
+    name = "authentik.enterprise.stages.account_lockdown"
+    label = "authentik_stages_account_lockdown"
+    verbose_name = "authentik Enterprise.Stages.Account Lockdown"
+    default = True

authentik/enterprise/stages/account_lockdown/migrations/0001_initial.py

@@ -0,0 +1,74 @@
+# Generated by Django 5.2.13 on 2026-04-19 21:56
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0031_alter_flow_layout"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AccountLockdownStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                (
+                    "deactivate_user",
+                    models.BooleanField(
+                        default=True,
+                        help_text="Deactivate the user account (set is_active to False)",
+                    ),
+                ),
+                (
+                    "set_unusable_password",
+                    models.BooleanField(
+                        default=True, help_text="Set an unusable password for the user"
+                    ),
+                ),
+                (
+                    "delete_sessions",
+                    models.BooleanField(
+                        default=True, help_text="Delete all active sessions for the user"
+                    ),
+                ),
+                (
+                    "revoke_tokens",
+                    models.BooleanField(
+                        default=True,
+                        help_text="Revoke all tokens for the user (API, app password, recovery, verification, OAuth)",
+                    ),
+                ),
+                (
+                    "self_service_completion_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="account_lockdown_stages",
+                        to="authentik_flows.flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Account Lockdown Stage",
+                "verbose_name_plural": "Account Lockdown Stages",
+            },
+            bases=("authentik_flows.stage",),
+        ),
+    ]

authentik/enterprise/stages/account_lockdown/models.py

@@ -0,0 +1,62 @@
+"""Account lockdown stage models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+from rest_framework.serializers import BaseSerializer
+
+from authentik.flows.models import Stage
+
+
+class AccountLockdownStage(Stage):
+    """Lock down a target user account."""
+
+    deactivate_user = models.BooleanField(
+        default=True,
+        help_text=_("Deactivate the user account (set is_active to False)"),
+    )
+    set_unusable_password = models.BooleanField(
+        default=True,
+        help_text=_("Set an unusable password for the user"),
+    )
+    delete_sessions = models.BooleanField(
+        default=True,
+        help_text=_("Delete all active sessions for the user"),
+    )
+    revoke_tokens = models.BooleanField(
+        default=True,
+        help_text=_(
+            "Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
+        ),
+    )
+    self_service_completion_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="account_lockdown_stages",
+        help_text=_(
+            "Flow to redirect users to after self-service lockdown. "
+            "This flow should not require authentication since the user's session is deleted."
+        ),
+    )
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageSerializer
+
+        return AccountLockdownStageSerializer
+
+    @property
+    def view(self) -> type[View]:
+        from authentik.enterprise.stages.account_lockdown.stage import AccountLockdownStageView
+
+        return AccountLockdownStageView
+
+    @property
+    def component(self) -> str:
+        return "ak-stage-account-lockdown-form"
+
+    class Meta:
+        verbose_name = _("Account Lockdown Stage")
+        verbose_name_plural = _("Account Lockdown Stages")

authentik/enterprise/stages/account_lockdown/stage.py

@@ -0,0 +1,345 @@
+"""Account lockdown stage logic"""
+
+from django.apps import apps
+from django.core.exceptions import FieldDoesNotExist
+from django.db.models import Model, QuerySet
+from django.db.models.query_utils import Q
+from django.db.transaction import atomic
+from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
+from django.urls import reverse
+from django.utils.translation import gettext_lazy as _
+from dramatiq.actor import Actor
+from dramatiq.composition import group
+from dramatiq.results.errors import ResultTimeout
+
+from authentik.core.models import (
+    AuthenticatedSession,
+    ExpiringModel,
+    Session,
+    Token,
+    User,
+    UserTypes,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.events.models import Event, EventAction
+from authentik.flows.stage import StageView
+from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.lib.sync.outgoing.signals import sync_outgoing_inhibit_dispatch
+from authentik.lib.utils.reflection import class_to_path
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+PLAN_CONTEXT_LOCKDOWN_REASON = "lockdown_reason"
+LOCKDOWN_EVENT_ACTION_ID = "account_lockdown"
+
+TARGET_REQUIRED_MESSAGE = _("No target user specified for account lockdown")
+PERMISSION_DENIED_MESSAGE = _("You do not have permission to lock down this account.")
+ACCOUNT_LOCKDOWN_FAILED_MESSAGE = _("Account lockdown failed for this account.")
+SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE = _(
+    "Self-service account lockdown requires a completion flow."
+)
+
+
+def get_lockdown_target_users() -> QuerySet[User]:
+    """Return users that can be targeted by account lockdown."""
+    return User.objects.exclude_anonymous().exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
+
+def _get_model_field(model: type[Model], field_name: str):
+    """Get a model field by name, if present."""
+    try:
+        return model._meta.get_field(field_name)
+    except FieldDoesNotExist:
+        return None
+
+
+def _has_user_field(model: type[Model]) -> bool:
+    """Check if a model has a direct user foreign key."""
+    field = _get_model_field(model, "user")
+    return bool(field and getattr(field, "remote_field", None) and field.remote_field.model is User)
+
+
+def _has_authenticated_session_field(model: type[Model]) -> bool:
+    """Check if a model is linked to an authenticated session."""
+    field = _get_model_field(model, "session")
+    return bool(
+        field
+        and getattr(field, "remote_field", None)
+        and field.remote_field.model is AuthenticatedSession
+    )
+
+
+def _has_provider_field(model: type[Model]) -> bool:
+    """Check if a model is linked to a provider."""
+    return _get_model_field(model, "provider") is not None
+
+
+def get_lockdown_token_models() -> tuple[type[Model], ...]:
+    """Return token, grant, and provider session models removed by account lockdown."""
+    token_models: list[type[Model]] = []
+    for model in apps.get_models():
+        if model._meta.abstract or not issubclass(model, ExpiringModel):
+            continue
+        if model is Token:
+            token_models.append(model)
+        elif _has_user_field(model) and (
+            _has_provider_field(model) or _has_authenticated_session_field(model)
+        ):
+            token_models.append(model)
+        elif _has_authenticated_session_field(model):
+            token_models.append(model)
+    return tuple(token_models)
+
+
+def get_lockdown_token_queryset(model: type[Model], user: User) -> QuerySet:
+    """Return account lockdown artifacts for a model and user."""
+    manager = model.objects.including_expired()
+    if _has_user_field(model):
+        return manager.filter(user=user)
+    return manager.filter(session__user=user)
+
+
+def can_lock_user(actor, user: User) -> bool:
+    """Check whether the actor may lock the target user."""
+    if not actor.is_authenticated:
+        return False
+    if user.pk == actor.pk:
+        return True
+    return actor.has_perm("authentik_core.change_user", user)
+
+
+def get_outgoing_sync_tasks() -> tuple[tuple[type[OutgoingSyncProvider], Actor], ...]:
+    """Return outgoing sync provider types and their direct sync tasks."""
+    from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
+    from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync_direct
+    from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
+    from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync_direct
+    from authentik.providers.scim.models import SCIMProvider
+    from authentik.providers.scim.tasks import scim_sync_direct
+
+    return (
+        (SCIMProvider, scim_sync_direct),
+        (GoogleWorkspaceProvider, google_workspace_sync_direct),
+        (MicrosoftEntraProvider, microsoft_entra_sync_direct),
+    )
+
+
+class AccountLockdownStageView(StageView):
+    """Execute account lockdown actions on the target user."""
+
+    def is_self_service(self, request: HttpRequest, user: User) -> bool:
+        """Check whether the currently authenticated user is locking their own account."""
+        return request.user.is_authenticated and user.pk == request.user.pk
+
+    def get_reason(self) -> str:
+        """Get the lockdown reason from the plan context.
+
+        Priority:
+        1. prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
+        2. PLAN_CONTEXT_LOCKDOWN_REASON (explicitly set)
+        3. Empty string as fallback
+        """
+        prompt_data = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {})
+        if PLAN_CONTEXT_LOCKDOWN_REASON in prompt_data:
+            return prompt_data[PLAN_CONTEXT_LOCKDOWN_REASON]
+        return self.executor.plan.context.get(PLAN_CONTEXT_LOCKDOWN_REASON, "")
+
+    def _apply_lockdown_actions(self, stage: AccountLockdownStage, user: User) -> None:
+        """Apply the configured account changes to the target user."""
+        if stage.deactivate_user:
+            user.is_active = False
+        if stage.set_unusable_password:
+            user.set_unusable_password()
+        if stage.deactivate_user:
+            with sync_outgoing_inhibit_dispatch():
+                user.save()
+            return
+        user.save()
+
+    def _sync_deactivated_user_to_outgoing_providers(self, user: User) -> None:
+        """Synchronize a deactivated user to outgoing sync providers."""
+        messages = []
+        wait_timeout = 0
+        model = class_to_path(User)
+        provider_filter = Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+
+        for provider_model, task_sync_direct in get_outgoing_sync_tasks():
+            for provider in provider_model.objects.filter(provider_filter):
+                time_limit = int(
+                    timedelta_from_string(provider.sync_page_timeout).total_seconds() * 1000
+                )
+                messages.append(
+                    task_sync_direct.message_with_options(
+                        args=(model, user.pk, provider.pk),
+                        rel_obj=provider,
+                        time_limit=time_limit,
+                        uid=f"{provider.name}:user:{user.pk}:direct",
+                    )
+                )
+                wait_timeout += time_limit
+
+        if not messages:
+            return
+        try:
+            group(messages).run().wait(timeout=wait_timeout)
+        except ResultTimeout:
+            self.logger.warning(
+                "Timed out waiting for outgoing sync tasks; tasks remain queued",
+                user=user.username,
+                timeout=wait_timeout,
+            )
+
+    def _get_lockdown_artifact_querysets(
+        self, stage: AccountLockdownStage, user: User
+    ) -> tuple[QuerySet, ...]:
+        """Return the configured sessions and tokens targeted by lockdown."""
+        querysets: list[QuerySet] = []
+        if stage.delete_sessions:
+            querysets.append(Session.objects.filter(authenticatedsession__user=user))
+        if stage.revoke_tokens:
+            querysets.extend(
+                get_lockdown_token_queryset(model, user) for model in get_lockdown_token_models()
+            )
+        return tuple(querysets)
+
+    def _delete_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> None:
+        """Delete sessions and tokens selected by the lockdown configuration."""
+        for queryset in self._get_lockdown_artifact_querysets(stage, user):
+            queryset.delete()
+
+    def _has_lockdown_artifacts(self, stage: AccountLockdownStage, user: User) -> bool:
+        """Check whether there are still sessions or tokens to remove."""
+        return any(
+            queryset.exists() for queryset in self._get_lockdown_artifact_querysets(stage, user)
+        )
+
+    def _emit_lockdown_event(self, request: HttpRequest, user: User, reason: str) -> None:
+        """Emit the audit event for a completed lockdown."""
+        # Emit the audit event after the transaction commits. If event creation
+        # fails here, dispatch() would otherwise treat the whole lockdown as
+        # failed even though the account changes have already been committed.
+        try:
+            Event.new(
+                EventAction.USER_WRITE,
+                action_id=LOCKDOWN_EVENT_ACTION_ID,
+                reason=reason,
+                affected_user=user.username,
+            ).from_http(request)
+        except Exception as exc:  # noqa: BLE001
+            # Event emission should not make the lockdown itself fail.
+            self.logger.warning(
+                "Failed to emit account lockdown event",
+                user=user.username,
+                exc=exc,
+            )
+
+    def _lockdown_user(
+        self,
+        request: HttpRequest,
+        stage: AccountLockdownStage,
+        user: User,
+        reason: str,
+    ) -> None:
+        """Execute lockdown actions on a single user."""
+        with atomic():
+            user = User.objects.get(pk=user.pk)
+            self._apply_lockdown_actions(stage, user)
+            self._delete_lockdown_artifacts(stage, user)
+
+        # These additional checks/deletes are done to prevent a timing attack that creates tokens
+        # with a compromised token that is simultaneously being deleted.
+        while self._has_lockdown_artifacts(stage, user):
+            with atomic():
+                self._delete_lockdown_artifacts(stage, user)
+
+        if stage.deactivate_user:
+            try:
+                self._sync_deactivated_user_to_outgoing_providers(user)
+            except Exception as exc:  # noqa: BLE001
+                # Local lockdown has already committed. Provider sync failures
+                # must not reopen access or mark the lockdown itself as failed.
+                self.logger.warning(
+                    "Failed to sync account lockdown deactivation to outgoing providers",
+                    user=user.username,
+                    exc=exc,
+                )
+        self._emit_lockdown_event(request, user, reason)
+
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        """Execute account lockdown actions."""
+        self.request = request
+        stage: AccountLockdownStage = self.executor.current_stage
+
+        pending_user = self.get_pending_user()
+        if not pending_user.is_authenticated:
+            self.logger.warning("No target user found for account lockdown")
+            return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
+        user = get_lockdown_target_users().filter(pk=pending_user.pk).first()
+        if user is None:
+            self.logger.warning("Target user is not eligible for account lockdown")
+            return self.executor.stage_invalid(TARGET_REQUIRED_MESSAGE)
+        if not can_lock_user(request.user, user):
+            self.logger.warning(
+                "Permission denied for account lockdown",
+                actor=getattr(request.user, "username", None),
+                target=user.username,
+            )
+            return self.executor.stage_invalid(PERMISSION_DENIED_MESSAGE)
+
+        reason = self.get_reason()
+        self_service = self.is_self_service(request, user)
+        if self_service and stage.delete_sessions and not stage.self_service_completion_flow:
+            self.logger.warning("No completion flow configured for self-service account lockdown")
+            return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)
+
+        self.logger.info(
+            "Executing account lockdown",
+            user=user.username,
+            reason=reason,
+            self_service=self_service,
+            deactivate_user=stage.deactivate_user,
+            set_unusable_password=stage.set_unusable_password,
+            delete_sessions=stage.delete_sessions,
+            revoke_tokens=stage.revoke_tokens,
+        )
+
+        try:
+            self._lockdown_user(request, stage, user, reason)
+            self.logger.info("Account lockdown completed", user=user.username)
+        except Exception as exc:  # noqa: BLE001
+            # Convert unexpected lockdown errors to a flow-stage failure instead
+            # of leaking an exception through the flow executor.
+            self.logger.warning("Account lockdown failed", user=user.username, exc=exc)
+            return self.executor.stage_invalid(ACCOUNT_LOCKDOWN_FAILED_MESSAGE)
+
+        if self_service:
+            if stage.delete_sessions:
+                return self._self_service_completion_response(request)
+            return self.executor.stage_ok()
+
+        return self.executor.stage_ok()
+
+    def _self_service_completion_response(self, request: HttpRequest) -> HttpResponse:
+        """Redirect to completion flow after self-service lockdown.
+
+        Since all sessions are deleted, the user cannot continue in the flow.
+        Redirect them to an unauthenticated completion flow that shows the
+        lockdown message.
+
+        We use a direct HTTP redirect instead of a challenge because the
+        flow executor's challenge handling may try to access the session
+        which we just deleted.
+        """
+        stage: AccountLockdownStage = self.executor.current_stage
+        completion_flow = stage.self_service_completion_flow
+        if completion_flow:
+            # Flush the current request's session to prevent Django's session
+            # middleware from trying to save a deleted session
+            if hasattr(request, "session"):
+                request.session.flush()
+            redirect_to = reverse(
+                "authentik_core:if-flow",
+                kwargs={"flow_slug": completion_flow.slug},
+            )
+            return HttpResponseRedirect(redirect_to)
+        return self.executor.stage_invalid(SELF_SERVICE_COMPLETION_FLOW_REQUIRED_MESSAGE)

authentik/enterprise/stages/account_lockdown/tests/test_api.py

@@ -0,0 +1,148 @@
+"""Test Users Account Lockdown API"""
+
+from json import loads
+from unittest.mock import MagicMock, patch
+from urllib.parse import urlparse
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import (
+    create_test_brand,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
+
+# Patch for enterprise license check
+patch_license = patch(
+    "authentik.enterprise.models.LicenseUsageStatus.is_valid",
+    MagicMock(return_value=True),
+)
+
+
+@patch_license
+class AccountLockdownAPITestCase(APITestCase):
+    """Shared helpers for account lockdown API tests."""
+
+    def setUp(self) -> None:
+        self.lockdown_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.lockdown_stage = AccountLockdownStage.objects.create(name=generate_id())
+        FlowStageBinding.objects.create(
+            target=self.lockdown_flow,
+            stage=self.lockdown_stage,
+            order=0,
+        )
+        self.brand = create_test_brand()
+        self.brand.flow_lockdown = self.lockdown_flow
+        self.brand.save()
+
+    def create_user_with_email(self):
+        """Create a regular user with a unique email address."""
+        user = create_test_user()
+        user.email = f"{generate_id()}@test.com"
+        user.save()
+        return user
+
+    def assert_redirect_targets(self, response, user):
+        """Assert that a response contains a pre-planned lockdown flow link for a user."""
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertIn(self.lockdown_flow.slug, body["link"])
+        self.assertEqual(urlparse(body["link"]).query, "")
+        plan = self.client.session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PENDING_USER].pk, user.pk)
+
+    def assert_no_flow_configured(self, response):
+        """Assert that the API reports a missing lockdown flow."""
+        self.assertEqual(response.status_code, 400)
+        body = loads(response.content)
+        self.assertIn("No lockdown flow configured", body["non_field_errors"][0])
+
+
+@patch_license
+class TestUsersAccountLockdownAPI(AccountLockdownAPITestCase):
+    """Test Users Account Lockdown API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.actor = create_test_user()
+        self.user = self.create_user_with_email()
+
+    def test_account_lockdown_with_change_user_returns_redirect(self):
+        """Test that account lockdown allows users with change_user permission."""
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)
+
+    def test_account_lockdown_no_flow_configured(self):
+        """Test account lockdown when no flow is configured"""
+        self.brand.flow_lockdown = None
+        self.brand.save()
+        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.user)
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_no_flow_configured(response)
+
+    def test_account_lockdown_unauthenticated(self):
+        """Test account lockdown requires authentication"""
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_account_lockdown_without_change_user_denied(self):
+        """Test account lockdown denies users without change_user permission."""
+        self.client.force_login(self.actor)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_account_lockdown_self_returns_redirect(self):
+        """Test successful self-service account lockdown returns a direct redirect."""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)
+
+    def test_account_lockdown_self_target_without_change_user_returns_redirect(self):
+        """Test self-service does not require change_user permission."""
+        self.client.force_login(self.user)
+
+        response = self.client.post(
+            reverse("authentik_api:user-account-lockdown"),
+            data={"user": self.user.pk},
+            format="json",
+        )
+
+        self.assert_redirect_targets(response, self.user)

authentik/enterprise/stages/account_lockdown/tests/test_blueprint.py

@@ -0,0 +1,46 @@
+"""Tests for the packaged account-lockdown blueprint."""
+
+from unittest.mock import patch
+
+from django.test import TransactionTestCase
+
+from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.importer import Importer
+from authentik.blueprints.v1.tasks import blueprints_find, check_blueprint_v1_file
+from authentik.enterprise.license import LicenseKey
+from authentik.flows.models import Flow
+
+BLUEPRINT_PATH = "example/flow-default-account-lockdown.yaml"
+
+
+class TestAccountLockdownBlueprint(TransactionTestCase):
+    """Test the packaged account-lockdown blueprint behavior."""
+
+    def test_blueprint_is_not_auto_instantiated(self):
+        """Test the packaged blueprint is opt-in and skipped by discovery."""
+        BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).delete()
+        blueprint = next(item for item in blueprints_find() if item.path == BLUEPRINT_PATH)
+
+        check_blueprint_v1_file(blueprint)
+
+        self.assertFalse(BlueprintInstance.objects.filter(path=BLUEPRINT_PATH).exists())
+
+    def test_blueprint_requires_licensed_context(self):
+        """Test manual import only creates flows when enterprise is licensed."""
+        content = BlueprintInstance(path=BLUEPRINT_PATH).retrieve()
+        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
+
+        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
+            importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": False})
+            valid, logs = importer.validate()
+            self.assertTrue(valid, logs)
+            self.assertTrue(importer.apply())
+            self.assertFalse(Flow.objects.filter(slug="default-account-lockdown").exists())
+            self.assertFalse(Flow.objects.filter(slug="default-account-lockdown-complete").exists())
+
+            importer = Importer.from_string(content, {"goauthentik.io/enterprise/licensed": True})
+            valid, logs = importer.validate()
+            self.assertTrue(valid, logs)
+            self.assertTrue(importer.apply())
+            self.assertTrue(Flow.objects.filter(slug="default-account-lockdown").exists())
+            self.assertTrue(Flow.objects.filter(slug="default-account-lockdown-complete").exists())

authentik/enterprise/stages/account_lockdown/tests/test_stage.py

@@ -0,0 +1,627 @@
+"""Account lockdown stage tests"""
+
+import json
+from dataclasses import asdict
+from threading import Event as ThreadEvent
+from threading import Thread
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+from django.db import connection
+from django.http import HttpResponse
+from django.test import TransactionTestCase
+from django.urls import reverse
+from django.utils import timezone
+from dramatiq.results.errors import ResultTimeout
+
+from authentik.core.models import AuthenticatedSession, Session, Token, TokenIntents
+from authentik.core.tests.utils import (
+    RequestFactory,
+    create_test_admin_user,
+    create_test_cert,
+    create_test_flow,
+    create_test_user,
+)
+from authentik.enterprise.stages.account_lockdown.models import AccountLockdownStage
+from authentik.enterprise.stages.account_lockdown.stage import (
+    LOCKDOWN_EVENT_ACTION_ID,
+    PLAN_CONTEXT_LOCKDOWN_REASON,
+    AccountLockdownStageView,
+    can_lock_user,
+)
+from authentik.events.models import Event, EventAction
+from authentik.flows.markers import StageMarker
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.lib.generators import generate_id
+from authentik.lib.utils.reflection import class_to_path
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    AuthorizationCode,
+    DeviceToken,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    RefreshToken,
+)
+from authentik.providers.saml.models import SAMLProvider, SAMLSession
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+patch_enterprise_enabled = patch(
+    "authentik.enterprise.apps.AuthentikEnterpriseConfig.check_enabled",
+    return_value=True,
+)
+
+
+class AccountLockdownStageTestMixin:
+    """Shared setup helpers for account lockdown stage tests."""
+
+    @classmethod
+    def setUpClass(cls):
+        cls.patch_enterprise_enabled = patch_enterprise_enabled.start()
+        cls.patch_event_dispatch = patch("authentik.events.tasks.event_trigger_dispatch.send")
+        cls.patch_event_dispatch.start()
+        super().setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        cls.patch_event_dispatch.stop()
+        patch_enterprise_enabled.stop()
+        super().tearDownClass()
+
+    def setUp(self):
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.target_user = create_test_admin_user()
+        self.flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.stage = AccountLockdownStage.objects.create(
+            name="lockdown",
+        )
+        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
+        self.request_factory = RequestFactory()
+
+    def make_stage_view(self, plan: FlowPlan):
+        def _stage_ok():
+            return HttpResponse(status=204)
+
+        def _stage_invalid(_error_message=None):
+            return HttpResponse(status=400)
+
+        return AccountLockdownStageView(
+            SimpleNamespace(
+                plan=plan,
+                current_stage=self.stage,
+                current_binding=self.binding,
+                flow=self.flow,
+                stage_ok=_stage_ok,
+                stage_invalid=_stage_invalid,
+            )
+        )
+
+    def make_request(self, *, user=None, query=None):
+        return self.request_factory.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            query_params=query or {},
+            user=user,
+        )
+
+    def get_lockdown_event(self):
+        """Return the account-lockdown user-write event."""
+        return Event.objects.filter(
+            action=EventAction.USER_WRITE,
+            context__action_id=LOCKDOWN_EVENT_ACTION_ID,
+        ).first()
+
+
+class TestAccountLockdownStage(AccountLockdownStageTestMixin, FlowTestCase):
+    """Account lockdown stage tests"""
+
+    def test_lockdown_no_target(self):
+        """Test lockdown stage with no pending user fails"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        response = view.dispatch(self.make_request())
+
+        self.assertEqual(response.status_code, 400)
+
+    def test_lockdown_with_pending_user(self):
+        """Test lockdown stage with a pending target user."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Security incident"
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+
+        self.assertTrue(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertFalse(self.target_user.has_usable_password())
+        self.assertEqual(response.status_code, 204)
+
+        # Check event was created
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.context["action_id"], LOCKDOWN_EVENT_ACTION_ID)
+        self.assertEqual(event.context["reason"], "Security incident")
+        self.assertEqual(event.context["affected_user"], self.target_user.username)
+
+    def test_lockdown_with_pending_user_reason(self):
+        """Test lockdown stage with a pending target and explicit reason."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_LOCKDOWN_REASON] = "Compromised account"
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+
+        self.assertTrue(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertEqual(response.status_code, 204)
+
+    def test_lockdown_reason_from_prompt(self):
+        """Test lockdown stage reads the reason from prompt data."""
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            PLAN_CONTEXT_LOCKDOWN_REASON: "User requested lockdown",
+        }
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.user)
+        view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.context["reason"], "User requested lockdown")
+
+    def test_lockdown_event_failure_does_not_fail_self_service(self):
+        """Test lockdown still succeeds when event emission fails."""
+        self.stage.delete_sessions = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+
+        original_event_new = Event.new
+
+        def _event_new_side_effect(action, *args, **kwargs):
+            if (
+                action == EventAction.USER_WRITE
+                and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
+            ):
+                raise RuntimeError("simulated event failure")
+            return original_event_new(action, *args, **kwargs)
+
+        with patch(
+            "authentik.enterprise.stages.account_lockdown.stage.Event.new",
+            side_effect=_event_new_side_effect,
+        ):
+            view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+
+    def test_dispatch_records_success_when_event_emission_fails(self):
+        """Test dispatch still completes if event emission fails."""
+        self.stage.delete_sessions = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(
+            user=self.target_user,
+        )
+
+        original_event_new = Event.new
+
+        def _event_new_side_effect(action, *args, **kwargs):
+            if (
+                action == EventAction.USER_WRITE
+                and kwargs.get("action_id") == LOCKDOWN_EVENT_ACTION_ID
+            ):
+                raise RuntimeError("simulated event failure")
+            return original_event_new(action, *args, **kwargs)
+
+        with patch(
+            "authentik.enterprise.stages.account_lockdown.stage.Event.new",
+            side_effect=_event_new_side_effect,
+        ):
+            response = view.dispatch(request)
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        self.assertEqual(response.status_code, 204)
+
+    def test_lockdown_self_service_redirects_to_completion_flow(self):
+        """Test self-service lockdown redirects to completion flow when sessions are deleted."""
+        completion_flow = create_test_flow(FlowDesignation.STAGE_CONFIGURATION)
+        self.stage.self_service_completion_flow = completion_flow
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+        view._lockdown_user(request, self.stage, self.target_user, view.get_reason())
+        response = view._self_service_completion_response(request)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(
+            response.url,
+            reverse("authentik_core:if-flow", kwargs={"flow_slug": completion_flow.slug}),
+        )
+
+    def test_lockdown_self_service_requires_completion_flow(self):
+        """Test self-service lockdown fails before deleting sessions without a completion flow."""
+        self.stage.self_service_completion_flow = None
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=self.target_user)
+
+        response = view.dispatch(request)
+
+        self.assertEqual(response.status_code, 400)
+        self.target_user.refresh_from_db()
+        self.assertTrue(self.target_user.is_active)
+
+    def test_lockdown_denies_other_user_without_permission(self):
+        """Test lockdown stage rejects non-self requests without change_user permission."""
+        actor = create_test_user()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.target_user
+        view = self.make_stage_view(plan)
+        request = self.make_request(user=actor)
+
+        self.assertFalse(can_lock_user(request.user, self.target_user))
+        response = view.dispatch(request)
+        self.assertEqual(response.status_code, 400)
+
+    def test_lockdown_revokes_tokens(self):
+        """Test lockdown stage revokes tokens"""
+        Token.objects.create(
+            user=self.target_user,
+            identifier="test-token",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)
+
+    def test_lockdown_revokes_provider_tokens(self):
+        """Test lockdown stage revokes provider tokens and sessions."""
+        oauth_provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[
+                RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver/callback")
+            ],
+            signing_key=create_test_cert(),
+        )
+        saml_provider = SAMLProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            acs_url="https://sp.example.com/acs",
+            issuer_override="https://idp.example.com",
+        )
+        session = Session.objects.create(
+            session_key=generate_id(),
+            expires=timezone.now() + timezone.timedelta(hours=1),
+            last_ip="127.0.0.1",
+        )
+        auth_session = AuthenticatedSession.objects.create(
+            session=session,
+            user=self.target_user,
+        )
+        grant_kwargs = {
+            "provider": oauth_provider,
+            "user": self.target_user,
+            "auth_time": timezone.now(),
+            "_scope": "openid profile",
+            "expiring": False,
+        }
+        token_kwargs = grant_kwargs | {"_id_token": json.dumps(asdict(IDToken("foo", "bar")))}
+        AuthorizationCode.objects.create(
+            code=generate_id(),
+            session=auth_session,
+            **grant_kwargs,
+        )
+        AccessToken.objects.create(
+            token=generate_id(),
+            session=auth_session,
+            **token_kwargs,
+        )
+        RefreshToken.objects.create(
+            token=generate_id(),
+            session=auth_session,
+            **token_kwargs,
+        )
+        DeviceToken.objects.create(
+            provider=oauth_provider,
+            user=self.target_user,
+            session=auth_session,
+            _scope="openid profile",
+            expiring=False,
+        )
+        SAMLSession.objects.create(
+            provider=saml_provider,
+            user=self.target_user,
+            session=auth_session,
+            session_index=generate_id(),
+            name_id=self.target_user.email,
+            expires=timezone.now() + timezone.timedelta(hours=1),
+            expiring=True,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.assertEqual(AuthorizationCode.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(AccessToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(RefreshToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(DeviceToken.objects.filter(user=self.target_user).count(), 0)
+        self.assertEqual(SAMLSession.objects.filter(user=self.target_user).count(), 0)
+
+    def test_lockdown_selective_actions(self):
+        """Test lockdown stage with selective actions"""
+        self.stage.deactivate_user = True
+        self.stage.set_unusable_password = False
+        self.stage.delete_sessions = False
+        self.stage.revoke_tokens = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.set_password("testpassword")
+        self.target_user.save()
+
+        Token.objects.create(
+            user=self.target_user,
+            identifier="test-token",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        # User should be deactivated
+        self.assertFalse(self.target_user.is_active)
+        # Password should still be usable
+        self.assertTrue(self.target_user.has_usable_password())
+        # Token should still exist
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 1)
+
+    def test_lockdown_no_actions(self):
+        """Test lockdown stage with all actions disabled"""
+        self.stage.deactivate_user = False
+        self.stage.set_unusable_password = False
+        self.stage.delete_sessions = False
+        self.stage.revoke_tokens = False
+        self.stage.save()
+
+        self.target_user.is_active = True
+        self.target_user.set_password("testpassword")
+        self.target_user.save()
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        # User should still be active
+        self.assertTrue(self.target_user.is_active)
+        # Password should still be usable
+        self.assertTrue(self.target_user.has_usable_password())
+        # Event should still be created
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+
+    def test_lockdown_deactivation_inhibits_signal_dispatch_until_after_commit(self):
+        """Test lockdown queues explicit outgoing syncs after the deactivation transaction."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.sync_outgoing_inhibit_dispatch"
+            ) as inhibit,
+            patch.object(view, "_sync_deactivated_user_to_outgoing_providers") as sync_outgoing,
+        ):
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        inhibit.assert_called_once()
+        sync_outgoing.assert_called_once()
+        synced_user = sync_outgoing.call_args.args[0]
+        self.assertEqual(synced_user.pk, self.target_user.pk)
+        self.assertFalse(synced_user.is_active)
+
+    def test_lockdown_waits_for_direct_outgoing_provider_syncs(self):
+        """Test direct outgoing sync tasks are enqueued and waited on."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
+        task_sync_direct = MagicMock()
+        task_sync_direct.message_with_options.return_value = "direct-message"
+        provider_model = SimpleNamespace(
+            objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
+        )
+        task_group = MagicMock()
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
+                return_value=((provider_model, task_sync_direct),),
+            ),
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.group",
+                return_value=task_group,
+            ) as task_group_cls,
+        ):
+            view._sync_deactivated_user_to_outgoing_providers(self.target_user)
+
+        task_sync_direct.message_with_options.assert_called_once_with(
+            args=(class_to_path(type(self.target_user)), self.target_user.pk, provider.pk),
+            rel_obj=provider,
+            time_limit=5000,
+            uid=f"{provider.name}:user:{self.target_user.pk}:direct",
+        )
+        task_group_cls.assert_called_once_with(["direct-message"])
+        task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
+
+    def test_lockdown_outgoing_provider_sync_timeout_leaves_tasks_running(self):
+        """Test timeout while waiting for direct outgoing syncs does not fail lockdown."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        provider = SimpleNamespace(name="outgoing", pk=1, sync_page_timeout="seconds=5")
+        task_sync_direct = MagicMock()
+        task_sync_direct.message_with_options.return_value = "direct-message"
+        provider_model = SimpleNamespace(
+            objects=SimpleNamespace(filter=MagicMock(return_value=[provider]))
+        )
+        task_group = MagicMock()
+        task_group.run.return_value.wait.side_effect = ResultTimeout("timed out")
+
+        with (
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.get_outgoing_sync_tasks",
+                return_value=((provider_model, task_sync_direct),),
+            ),
+            patch(
+                "authentik.enterprise.stages.account_lockdown.stage.group",
+                return_value=task_group,
+            ),
+        ):
+            view._sync_deactivated_user_to_outgoing_providers(self.target_user)
+
+        task_group.run.assert_called_once_with()
+        task_group.run.return_value.wait.assert_called_once_with(timeout=5000)
+
+    def test_lockdown_outgoing_provider_sync_failure_does_not_fail_lockdown(self):
+        """Test completed local lockdown still emits an event if outgoing sync fails."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+
+        with patch.object(
+            view,
+            "_sync_deactivated_user_to_outgoing_providers",
+            side_effect=ValueError("sync failed"),
+        ):
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+
+        self.target_user.refresh_from_db()
+        self.assertFalse(self.target_user.is_active)
+        event = self.get_lockdown_event()
+        self.assertIsNotNone(event)
+
+
+class TestAccountLockdownStageConcurrency(AccountLockdownStageTestMixin, TransactionTestCase):
+    """Account lockdown concurrency tests."""
+
+    def test_lockdown_retries_when_another_transaction_recreates_a_token(self):
+        """Lockdown should remove a token recreated before the retry check runs."""
+        Token.objects.create(
+            user=self.target_user,
+            identifier=f"initial-token-{generate_id()}",
+            intent=TokenIntents.INTENT_API,
+            key=generate_id(),
+            expiring=False,
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        view = self.make_stage_view(plan)
+        original_has_artifacts = view._has_lockdown_artifacts
+        target_user = self.target_user
+        thread_ready = ThreadEvent()
+        start_create = ThreadEvent()
+        thread_done = ThreadEvent()
+        thread_errors = []
+
+        class TokenCreatorThread(Thread):
+            __test__ = False
+
+            def run(self):
+                try:
+                    thread_ready.set()
+                    if not start_create.wait(timeout=5):
+                        thread_errors.append("timed out waiting to recreate token")
+                        return
+                    Token.objects.create(
+                        user=target_user,
+                        identifier=f"concurrent-token-{generate_id()}",
+                        intent=TokenIntents.INTENT_API,
+                        key=generate_id(),
+                        expiring=False,
+                    )
+                except Exception as exc:  # noqa: BLE001
+                    thread_errors.append(exc)
+                finally:
+                    thread_done.set()
+                    connection.close()
+
+        def has_artifacts_after_concurrent_create(stage, user):
+            if not start_create.is_set():
+                start_create.set()
+                self.assertTrue(
+                    thread_done.wait(timeout=30),
+                    (
+                        "Concurrent token creation did not complete "
+                        f"before retry check: {thread_errors}"
+                    ),
+                )
+            return original_has_artifacts(stage, user)
+
+        creator = TokenCreatorThread()
+        with patch.object(
+            view, "_has_lockdown_artifacts", side_effect=has_artifacts_after_concurrent_create
+        ):
+            creator.start()
+            self.assertTrue(
+                thread_ready.wait(timeout=5),
+                "Concurrent token creation thread did not start",
+            )
+            view._lockdown_user(self.make_request(user=self.user), self.stage, self.target_user, "")
+            creator.join()
+
+        self.assertEqual(thread_errors, [])
+        self.assertEqual(Token.objects.filter(user=self.target_user).count(), 0)

authentik/enterprise/stages/account_lockdown/urls.py

@@ -0,0 +1,5 @@
+"""API URLs"""
+
+from authentik.enterprise.stages.account_lockdown.api import AccountLockdownStageViewSet
+
+api_urlpatterns = [("stages/account_lockdown", AccountLockdownStageViewSet)]

authentik/flows/templates/if/flow-sfe.html

@@ -23,7 +23,7 @@
             height: 100%;
           }
           body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow_background_url|iriencode|safe }}");
             background-repeat: no-repeat;
             background-size: cover;
           }

authentik/flows/templates/if/flow.html

@@ -39,7 +39,7 @@
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style data-id="flow-css">
   :root {
-      --ak-global--background-image: url("{{ flow_background_url }}");
+      --ak-global--background-image: url("{{ flow_background_url|iriencode|safe }}");
   }
 </style>
 {% endblock %}

authentik/flows/tests/test_stage_views.py

@@ -1,12 +1,14 @@
 """stage view tests"""
 
 from collections.abc import Callable
+from unittest.mock import patch
 
 from django.test import RequestFactory, TestCase
+from django.urls import reverse
 
 from authentik.core.tests.utils import RequestFactory as AuthentikRequestFactory
 from authentik.core.tests.utils import create_test_flow
-from authentik.flows.models import FlowStageBinding
+from authentik.flows.models import Flow, FlowStageBinding
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import all_subclasses
@@ -42,6 +44,46 @@ class TestViews(TestCase):
             "/static/dist/assets/images/flow_background.jpg",
         )
 
+    def test_flow_interface_css_background_preserves_presigned_url_query(self):
+        """Test flow CSS keeps signed URL query separators intact."""
+        flow = create_test_flow()
+        background_url = (
+            "https://s3.ca-central-1.amazonaws.com/example/media/public/background.png"
+            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=credential"
+            "&X-Amz-Signature=signature"
+        )
+
+        with patch.object(Flow, "background_url", return_value=background_url):
+            response = self.client.get(
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+            )
+
+        self.assertContains(
+            response,
+            f'--ak-global--background-image: url("{background_url}");',
+            html=False,
+        )
+
+    def test_flow_sfe_css_background_preserves_presigned_url_query(self):
+        """Test SFE flow CSS keeps signed URL query separators intact."""
+        flow = create_test_flow()
+        background_url = (
+            "https://s3.ca-central-1.amazonaws.com/example/media/public/background.png"
+            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=credential"
+            "&X-Amz-Signature=signature"
+        )
+
+        with patch.object(Flow, "background_url", return_value=background_url):
+            response = self.client.get(
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}) + "?sfe"
+            )
+
+        self.assertContains(
+            response,
+            f'background-image: url("{background_url}");',
+            html=False,
+        )
+
 
 def view_tester_factory(view_class: type[StageView]) -> Callable:
     """Test a form"""

authentik/root/settings.py

@@ -172,6 +172,7 @@ SPECTACULAR_SETTINGS = {
     },
     "ENUM_NAME_OVERRIDES": {
         "AppEnum": "authentik.lib.api.Apps",
+        "AuthenticationEnum": "authentik.flows.models.FlowAuthenticationRequirement",
         "ConsentModeEnum": "authentik.stages.consent.models.ConsentMode",
         "CountryCodeEnum": "django_countries.countries",
         "DeviceClassesEnum": "authentik.stages.authenticator_validate.models.DeviceClasses",

authentik/stages/prompt/migrations/0012_alter_prompt_type.py

@@ -0,0 +1,64 @@
+# Generated by Django 5.2.12 on 2026-03-14 02:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_prompt",
+            "0011_prompt_initial_value_prompt_initial_value_expression_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="prompt",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("text", "Text: Simple Text input"),
+                    ("text_area", "Text area: Multiline Text Input."),
+                    (
+                        "text_read_only",
+                        "Text (read-only): Simple Text input, but cannot be edited.",
+                    ),
+                    (
+                        "text_area_read_only",
+                        "Text area (read-only): Multiline Text input, but cannot be edited.",
+                    ),
+                    (
+                        "username",
+                        "Username: Same as Text input, but checks for and prevents duplicate usernames.",
+                    ),
+                    ("email", "Email: Text field with Email type."),
+                    (
+                        "password",
+                        "Password: Masked input, multiple inputs of this type on the same prompt need to be identical.",
+                    ),
+                    ("number", "Number"),
+                    ("checkbox", "Checkbox"),
+                    (
+                        "radio-button-group",
+                        "Fixed choice field rendered as a group of radio buttons.",
+                    ),
+                    ("dropdown", "Fixed choice field rendered as a dropdown."),
+                    ("date", "Date"),
+                    ("date-time", "Date Time"),
+                    (
+                        "file",
+                        "File: File upload for arbitrary files. File content will be available in flow context as data-URI",
+                    ),
+                    ("separator", "Separator: Static Separator Line"),
+                    ("hidden", "Hidden: Hidden field, can be used to insert data into form."),
+                    ("static", "Static: Static value, displayed as-is."),
+                    ("alert_info", "Alert (Info): Static alert box with info styling"),
+                    ("alert_warning", "Alert (Warning): Static alert box with warning styling"),
+                    ("alert_danger", "Alert (Danger): Static alert box with danger styling"),
+                    ("ak-locale", "authentik: Selection of locales authentik supports"),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]

authentik/stages/prompt/models.py

@@ -87,6 +87,11 @@ class FieldTypes(models.TextChoices):
     HIDDEN = "hidden", _("Hidden: Hidden field, can be used to insert data into form.")
     STATIC = "static", _("Static: Static value, displayed as-is.")
 
+    # Alert box types for displaying styled messages
+    ALERT_INFO = "alert_info", _("Alert (Info): Static alert box with info styling")
+    ALERT_WARNING = "alert_warning", _("Alert (Warning): Static alert box with warning styling")
+    ALERT_DANGER = "alert_danger", _("Alert (Danger): Static alert box with danger styling")
+
     AK_LOCALE = "ak-locale", _("authentik: Selection of locales authentik supports")
 
 
@@ -299,7 +304,12 @@ class Prompt(SerializerModel):
                 field_class = HiddenField
                 kwargs["required"] = False
                 kwargs["default"] = self.placeholder
-            case FieldTypes.STATIC:
+            case (
+                FieldTypes.STATIC
+                | FieldTypes.ALERT_INFO
+                | FieldTypes.ALERT_WARNING
+                | FieldTypes.ALERT_DANGER
+            ):
                 kwargs["default"] = self.placeholder
                 kwargs["required"] = False
                 kwargs["label"] = ""

authentik/stages/prompt/stage.py

@@ -124,6 +124,9 @@ class PromptChallengeResponse(ChallengeResponse):
             type__in=[
                 FieldTypes.HIDDEN,
                 FieldTypes.STATIC,
+                FieldTypes.ALERT_INFO,
+                FieldTypes.ALERT_WARNING,
+                FieldTypes.ALERT_DANGER,
                 FieldTypes.TEXT_READ_ONLY,
                 FieldTypes.TEXT_AREA_READ_ONLY,
             ]

authentik/stages/prompt/tests.py

@@ -330,10 +330,20 @@ class TestPromptStage(FlowTestCase):
 
     def test_static_hidden_overwrite(self):
         """Test that static and hidden fields ignore any value sent to them"""
+        alert_prompt = Prompt.objects.create(
+            name=generate_id(),
+            field_key="alert_prompt",
+            type=FieldTypes.ALERT_INFO,
+            required=True,
+            placeholder="alert fallback",
+            initial_value="alert content",
+        )
+        self.stage.fields.add(alert_prompt)
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         plan.context[PLAN_CONTEXT_PROMPT] = {"hidden_prompt": "hidden"}
         self.prompt_data["hidden_prompt"] = "foo"
         self.prompt_data["static_prompt"] = "foo"
+        self.prompt_data["alert_prompt"] = "foo"
         challenge_response = PromptChallengeResponse(
             None, stage_instance=self.stage, plan=plan, data=self.prompt_data, stage=self.stage_view
         )
@@ -341,6 +351,7 @@ class TestPromptStage(FlowTestCase):
         self.assertNotEqual(challenge_response.validated_data["hidden_prompt"], "foo")
         self.assertEqual(challenge_response.validated_data["hidden_prompt"], "hidden")
         self.assertNotEqual(challenge_response.validated_data["static_prompt"], "foo")
+        self.assertEqual(challenge_response.validated_data["alert_prompt"], "alert content")
 
     def test_prompt_placeholder(self):
         """Test placeholder and expression"""

blueprints/example/flow-default-account-lockdown.yaml

@@ -0,0 +1,306 @@
+version: 1
+metadata:
+  name: Example - Account lockdown flow
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
+entries:
+  flows:
+    # Main lockdown flow - requires authentication
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        designation: stage_configuration
+        name: Account Lockdown
+        title: Lock Account
+        authentication: require_authenticated
+      identifiers:
+        slug: default-account-lockdown
+      model: authentik_flows.flow
+      id: flow
+    # Self-service completion flow - no authentication required
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        designation: stage_configuration
+        name: Account Lockdown Complete
+        title: Account Locked
+        authentication: none
+      identifiers:
+        slug: default-account-lockdown-complete
+      model: authentik_flows.flow
+      id: completion-flow
+  prompt_fields:
+    # Warning field - danger alert box (content varies based on self-service vs admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 50
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          pending_user = None
+          if target_uuid and not is_self_service:
+              from authentik.core.models import User
+
+              pending_user = User.objects.filter(pk=target_uuid).first()
+          if is_self_service:
+              return (
+                  "<p><strong>You are about to lock down your own account.</strong></p>"
+                  "<p>This is an emergency action for cutting off access to your account right away.</p>"
+                  "<p><strong>This will immediately:</strong></p>"
+                  "<ul>"
+                  "<li><strong>Invalidate your password</strong> - Your password will be set to a random value "
+                  "and cannot be recovered</li>"
+                  "<li><strong>Deactivate your account</strong> - Your account will be disabled</li>"
+                  "<li><strong>Terminate all your sessions</strong> - You will be logged out everywhere</li>"
+                  "<li><strong>Revoke all your tokens</strong> - All your API, app password, recovery, "
+                  "verification, and OAuth2 tokens and grants will be revoked</li>"
+                  "</ul>"
+                  "<p><strong>This action cannot be easily undone.</strong></p>"
+              )
+
+          from django.utils.html import escape
+
+          if pending_user:
+              email = escape(pending_user.email or pending_user.name or "No email")
+              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
+          else:
+              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
+
+          return (
+              "<p><strong>You are about to lock down the following account:</strong></p>"
+              f"{user_html}"
+              "<p>This is an emergency action for cutting off access to the account right away. "
+              "It does not lock the administrator who opened this page.</p>"
+              "<p><strong>This will immediately:</strong></p>"
+              "<ul>"
+              "<li>Invalidate the user's password</li>"
+              "<li>Deactivate the user</li>"
+              "<li>Terminate all sessions - All active sessions will be ended</li>"
+              "<li>Revoke all tokens - All API, app password, recovery, verification, and OAuth2 "
+              "tokens and grants will be revoked</li>"
+              "</ul>"
+              "<p><strong>This action cannot be easily undone.</strong></p>"
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_danger
+        field_key: lockdown_warning
+        label: Warning
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-warning
+      id: prompt-field-warning
+      model: authentik_stages_prompt.prompt
+    # Info field - when to use lockdown (content varies based on self-service vs admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 100
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          if is_self_service:
+              info = (
+                  "Use this if you no longer trust your current password or sessions. "
+                  "After lockdown, you will need help from your administrator or security team to regain access."
+              )
+          else:
+              info = (
+                  "Use this for incident response on the listed account, for example after a compromise report "
+                  "or suspicious activity. The reason you enter below will be recorded in the audit log."
+              )
+          return (
+              f"<p>{info}</p>"
+              '<p><a href="https://docs.goauthentik.io/docs/security/'
+              'account-lockdown?utm_source=authentik" '
+              'target="_blank" rel="noopener noreferrer">Learn more about account lockdown</a></p>'
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_info
+        field_key: lockdown_info
+        label: Information
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-info
+      id: prompt-field-info
+      model: authentik_stages_prompt.prompt
+    # Reason field - text area for lockdown reason
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 200
+        placeholder: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          if is_self_service:
+              return "Describe why you are locking your account..."
+          return "Describe why this account is being locked down..."
+        placeholder_expression: true
+        required: true
+        type: text_area
+        field_key: lockdown_reason
+        label: Reason
+        sub_text: This explanation will be recorded in the audit log.
+      identifiers:
+        name: default-account-lockdown-field-reason
+      id: prompt-field-reason
+      model: authentik_stages_prompt.prompt
+  prompt_stages:
+    # Prompt stage for warnings and reason input
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf prompt-field-warning
+        - !KeyOf prompt-field-info
+        - !KeyOf prompt-field-reason
+      identifiers:
+        name: default-account-lockdown-prompt
+      id: default-account-lockdown-prompt
+      model: authentik_stages_prompt.promptstage
+  lockdown_stage:
+    # Account lockdown stage - performs the actual lockdown
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        name: default-account-lockdown-stage
+      id: default-account-lockdown-stage
+      model: authentik_stages_account_lockdown.accountlockdownstage
+      attrs:
+        deactivate_user: true
+        set_unusable_password: true
+        delete_sessions: true
+        revoke_tokens: true
+        self_service_completion_flow: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
+  completion_prompt:
+    # Completion message field - confirmation shown after an admin-triggered lockdown
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 300
+        initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          from django.utils.html import escape
+          from authentik.core.models import User
+
+          if target_uuid:
+              target = User.objects.filter(pk=target_uuid).first()
+              if target:
+                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
+
+          return "<p>The selected account has been locked down.</p>"
+        initial_value_expression: true
+        required: false
+        type: alert_info
+        field_key: lockdown_complete
+        label: Result
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-field-complete
+      id: prompt-field-complete
+      model: authentik_stages_prompt.prompt
+    # Prompt stage for admin completion message
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf prompt-field-complete
+      identifiers:
+        name: default-account-lockdown-complete-prompt
+      id: default-account-lockdown-complete-prompt
+      model: authentik_stages_prompt.promptstage
+  policies:
+    # Expression policy to check if this is NOT a self-service lockdown (admin)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        name: default-account-lockdown-admin-policy
+        expression: |
+          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != current_user_uuid
+      identifiers:
+        name: default-account-lockdown-admin-policy
+      id: admin-policy
+      model: authentik_policies_expression.expressionpolicy
+  bindings:
+    # Stage bindings
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 0
+        stage: !KeyOf default-account-lockdown-prompt
+        target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 10
+        stage: !KeyOf default-account-lockdown-stage
+        target: !KeyOf flow
+      model: authentik_flows.flowstagebinding
+    # Admin completion stage binding - shown for admin lockdown only
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 20
+        stage: !KeyOf default-account-lockdown-complete-prompt
+        target: !KeyOf flow
+      id: admin-completion-binding
+      model: authentik_flows.flowstagebinding
+    # Bind the admin policy to the admin completion stage
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        enabled: true
+        negate: false
+        order: 0
+      identifiers:
+        policy: !KeyOf admin-policy
+        target: !KeyOf admin-completion-binding
+      model: authentik_policies.policybinding
+  self_service_completion:
+    # Self-service completion message field (for the unauthenticated completion flow)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        order: 100
+        initial_value: |
+          return (
+              "<h1>Your account has been locked</h1>"
+              "<p>You have been logged out of all sessions and your password has been invalidated.</p>"
+              "<p>To regain access to your account, please contact your IT administrator or security team.</p>"
+          )
+        initial_value_expression: true
+        required: false
+        type: alert_warning
+        field_key: self_lockdown_complete
+        label: Account locked
+        sub_text: ""
+      identifiers:
+        name: default-account-lockdown-self-field-complete
+      id: self-prompt-field-complete
+      model: authentik_stages_prompt.prompt
+    # Prompt stage for self-service completion (unauthenticated)
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      attrs:
+        fields:
+        - !KeyOf self-prompt-field-complete
+      identifiers:
+        name: default-account-lockdown-self-complete-prompt
+      id: default-account-lockdown-self-complete-prompt
+      model: authentik_stages_prompt.promptstage
+    # Bind self-service completion stage to the completion flow
+    - conditions:
+      - !Context goauthentik.io/enterprise/licensed
+      identifiers:
+        order: 0
+        stage: !KeyOf default-account-lockdown-self-complete-prompt
+        target: !Find [authentik_flows.flow, [slug, default-account-lockdown-complete]]
+      model: authentik_flows.flowstagebinding

blueprints/schema.json

@@ -1216,6 +1216,46 @@
                         }
                     }
                 },
+                {
+                    "type": "object",
+                    "required": [
+                        "model",
+                        "identifiers"
+                    ],
+                    "properties": {
+                        "model": {
+                            "const": "authentik_stages_account_lockdown.accountlockdownstage"
+                        },
+                        "id": {
+                            "type": "string"
+                        },
+                        "state": {
+                            "type": "string",
+                            "enum": [
+                                "absent",
+                                "created",
+                                "must_created",
+                                "present"
+                            ],
+                            "default": "present"
+                        },
+                        "conditions": {
+                            "type": "array",
+                            "items": {
+                                "type": "boolean"
+                            }
+                        },
+                        "permissions": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage_permissions"
+                        },
+                        "attrs": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
+                        },
+                        "identifiers": {
+                            "$ref": "#/$defs/model_authentik_stages_account_lockdown.accountlockdownstage"
+                        }
+                    }
+                },
                 {
                     "type": "object",
                     "required": [
@@ -5100,6 +5140,11 @@
                     "format": "uuid",
                     "title": "Flow device code"
                 },
+                "flow_lockdown": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Flow lockdown"
+                },
                 "default_application": {
                     "type": "string",
                     "format": "uuid",
@@ -6094,6 +6139,10 @@
                             "authentik_sources_telegram.view_telegramsource",
                             "authentik_sources_telegram.view_telegramsourcepropertymapping",
                             "authentik_sources_telegram.view_usertelegramsourceconnection",
+                            "authentik_stages_account_lockdown.add_accountlockdownstage",
+                            "authentik_stages_account_lockdown.change_accountlockdownstage",
+                            "authentik_stages_account_lockdown.delete_accountlockdownstage",
+                            "authentik_stages_account_lockdown.view_accountlockdownstage",
                             "authentik_stages_authenticator_duo.add_authenticatorduostage",
                             "authentik_stages_authenticator_duo.add_duodevice",
                             "authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -7757,6 +7806,69 @@
                 }
             }
         },
+        "model_authentik_stages_account_lockdown.accountlockdownstage": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "deactivate_user": {
+                    "type": "boolean",
+                    "title": "Deactivate user",
+                    "description": "Deactivate the user account (set is_active to False)"
+                },
+                "set_unusable_password": {
+                    "type": "boolean",
+                    "title": "Set unusable password",
+                    "description": "Set an unusable password for the user"
+                },
+                "delete_sessions": {
+                    "type": "boolean",
+                    "title": "Delete sessions",
+                    "description": "Delete all active sessions for the user"
+                },
+                "revoke_tokens": {
+                    "type": "boolean",
+                    "title": "Revoke tokens",
+                    "description": "Revoke all tokens for the user (API, app password, recovery, verification, OAuth)"
+                },
+                "self_service_completion_flow": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Self service completion flow",
+                    "description": "Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted."
+                }
+            },
+            "required": []
+        },
+        "model_authentik_stages_account_lockdown.accountlockdownstage_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_accountlockdownstage",
+                            "change_accountlockdownstage",
+                            "delete_accountlockdownstage",
+                            "view_accountlockdownstage"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
         "model_authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage": {
             "type": "object",
             "properties": {
@@ -8952,6 +9064,7 @@
                         "authentik.enterprise.providers.ssf",
                         "authentik.enterprise.providers.ws_federation",
                         "authentik.enterprise.reports",
+                        "authentik.enterprise.stages.account_lockdown",
                         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
                         "authentik.enterprise.stages.mtls",
                         "authentik.enterprise.stages.source"
@@ -9084,6 +9197,7 @@
                         "authentik_providers_ssf.ssfprovider",
                         "authentik_providers_ws_federation.wsfederationprovider",
                         "authentik_reports.dataexport",
+                        "authentik_stages_account_lockdown.accountlockdownstage",
                         "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                         "authentik_stages_mtls.mutualtlsstage",
                         "authentik_stages_source.sourcestage"
@@ -11791,6 +11905,10 @@
                             "authentik_sources_telegram.view_telegramsource",
                             "authentik_sources_telegram.view_telegramsourcepropertymapping",
                             "authentik_sources_telegram.view_usertelegramsourceconnection",
+                            "authentik_stages_account_lockdown.add_accountlockdownstage",
+                            "authentik_stages_account_lockdown.change_accountlockdownstage",
+                            "authentik_stages_account_lockdown.delete_accountlockdownstage",
+                            "authentik_stages_account_lockdown.view_accountlockdownstage",
                             "authentik_stages_authenticator_duo.add_authenticatorduostage",
                             "authentik_stages_authenticator_duo.add_duodevice",
                             "authentik_stages_authenticator_duo.change_authenticatorduostage",
@@ -15657,6 +15775,9 @@
                         "separator",
                         "hidden",
                         "static",
+                        "alert_info",
+                        "alert_warning",
+                        "alert_danger",
                         "ak-locale"
                     ],
                     "title": "Type"

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-29 00:28+0000\n"
+"POT-Creation-Date: 2026-04-30 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -224,6 +224,14 @@ msgid ""
 "providers are returned. When set to false, backchannel providers are excluded"
 msgstr ""
 
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
+
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr ""

locale/en/dictionaries/integrations.txt

@@ -19,6 +19,7 @@ Forti
 Fortigate
 Gatus
 Gestionnaire
+ghec
 Gitea
 Gravitee
 Homarr

packages/ak-common/src/tracing.rs

@@ -100,6 +100,7 @@ mod json {
         );
 
         let mut json_layer = json_subscriber::fmt::layer()
+            .with_level(false)
             .with_timer(LocalTime::new(time_format))
             .with_file(true)
             .with_line_number(true)
@@ -109,6 +110,11 @@ mod json {
         let inner_layer = json_layer.inner_layer_mut();
         inner_layer.with_thread_ids("thread_id");
         inner_layer.with_thread_names("thread_name");
+        inner_layer.add_dynamic_field("level", |event, _| {
+            Some(serde_json::Value::String(
+                event.metadata().level().as_str().to_lowercase(),
+            ))
+        });
         inner_layer.add_dynamic_field("pid", |_, _| {
             Some(serde_json::Value::Number(serde_json::Number::from(
                 std::process::id(),

packages/client-go/api_core.go

@@ -39,6 +39,7 @@ type ApiCoreBrandsListRequest struct {
 	flowAuthentication            *string
 	flowDeviceCode                *string
 	flowInvalidation              *string
+	flowLockdown                  *string
 	flowRecovery                  *string
 	flowUnenrollment              *string
 	flowUserSettings              *string
@@ -104,6 +105,11 @@ func (r ApiCoreBrandsListRequest) FlowInvalidation(flowInvalidation string) ApiC
 	return r
 }
 
+func (r ApiCoreBrandsListRequest) FlowLockdown(flowLockdown string) ApiCoreBrandsListRequest {
+	r.flowLockdown = &flowLockdown
+	return r
+}
+
 func (r ApiCoreBrandsListRequest) FlowRecovery(flowRecovery string) ApiCoreBrandsListRequest {
 	r.flowRecovery = &flowRecovery
 	return r
@@ -230,6 +236,9 @@ func (a *CoreAPIService) CoreBrandsListExecute(r ApiCoreBrandsListRequest) (*Pag
 	if r.flowInvalidation != nil {
 		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_invalidation", r.flowInvalidation, "form", "")
 	}
+	if r.flowLockdown != nil {
+		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_lockdown", r.flowLockdown, "form", "")
+	}
 	if r.flowRecovery != nil {
 		parameterAddToHeaderOrQuery(localVarQueryParams, "flow_recovery", r.flowRecovery, "form", "")
 	}

packages/client-go/model_brand.go

@@ -36,6 +36,7 @@ type Brand struct {
 	FlowUnenrollment              NullableString `json:"flow_unenrollment,omitempty"`
 	FlowUserSettings              NullableString `json:"flow_user_settings,omitempty"`
 	FlowDeviceCode                NullableString `json:"flow_device_code,omitempty"`
+	FlowLockdown                  NullableString `json:"flow_lockdown,omitempty"`
 	// When set, external users will be redirected to this application after authenticating.
 	DefaultApplication NullableString `json:"default_application,omitempty"`
 	// Web Certificate used by the authentik Core webserver.
@@ -565,6 +566,49 @@ func (o *Brand) UnsetFlowDeviceCode() {
 	o.FlowDeviceCode.Unset()
 }
 
+// GetFlowLockdown returns the FlowLockdown field value if set, zero value otherwise (both if not set or set to explicit null).
+func (o *Brand) GetFlowLockdown() string {
+	if o == nil || IsNil(o.FlowLockdown.Get()) {
+		var ret string
+		return ret
+	}
+	return *o.FlowLockdown.Get()
+}
+
+// GetFlowLockdownOk returns a tuple with the FlowLockdown field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+// NOTE: If the value is an explicit nil, `nil, true` will be returned
+func (o *Brand) GetFlowLockdownOk() (*string, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return o.FlowLockdown.Get(), o.FlowLockdown.IsSet()
+}
+
+// HasFlowLockdown returns a boolean if a field has been set.
+func (o *Brand) HasFlowLockdown() bool {
+	if o != nil && o.FlowLockdown.IsSet() {
+		return true
+	}
+
+	return false
+}
+
+// SetFlowLockdown gets a reference to the given NullableString and assigns it to the FlowLockdown field.
+func (o *Brand) SetFlowLockdown(v string) {
+	o.FlowLockdown.Set(&v)
+}
+
+// SetFlowLockdownNil sets the value for FlowLockdown to be an explicit nil
+func (o *Brand) SetFlowLockdownNil() {
+	o.FlowLockdown.Set(nil)
+}
+
+// UnsetFlowLockdown ensures that no value is present for FlowLockdown, not even an explicit nil
+func (o *Brand) UnsetFlowLockdown() {
+	o.FlowLockdown.Unset()
+}
+
 // GetDefaultApplication returns the DefaultApplication field value if set, zero value otherwise (both if not set or set to explicit null).
 func (o *Brand) GetDefaultApplication() string {
 	if o == nil || IsNil(o.DefaultApplication.Get()) {
@@ -763,6 +807,9 @@ func (o Brand) ToMap() (map[string]interface{}, error) {
 	if o.FlowDeviceCode.IsSet() {
 		toSerialize["flow_device_code"] = o.FlowDeviceCode.Get()
 	}
+	if o.FlowLockdown.IsSet() {
+		toSerialize["flow_lockdown"] = o.FlowLockdown.Get()
+	}
 	if o.DefaultApplication.IsSet() {
 		toSerialize["default_application"] = o.DefaultApplication.Get()
 	}
@@ -833,6 +880,7 @@ func (o *Brand) UnmarshalJSON(data []byte) (err error) {
 		delete(additionalProperties, "flow_unenrollment")
 		delete(additionalProperties, "flow_user_settings")
 		delete(additionalProperties, "flow_device_code")
+		delete(additionalProperties, "flow_lockdown")
 		delete(additionalProperties, "default_application")
 		delete(additionalProperties, "web_certificate")
 		delete(additionalProperties, "client_certificates")

packages/client-go/model_prompt_type_enum.go

@@ -38,6 +38,9 @@ const (
 	PROMPTTYPEENUM_SEPARATOR           PromptTypeEnum = "separator"
 	PROMPTTYPEENUM_HIDDEN              PromptTypeEnum = "hidden"
 	PROMPTTYPEENUM_STATIC              PromptTypeEnum = "static"
+	PROMPTTYPEENUM_ALERT_INFO          PromptTypeEnum = "alert_info"
+	PROMPTTYPEENUM_ALERT_WARNING       PromptTypeEnum = "alert_warning"
+	PROMPTTYPEENUM_ALERT_DANGER        PromptTypeEnum = "alert_danger"
 	PROMPTTYPEENUM_AK_LOCALE           PromptTypeEnum = "ak-locale"
 )
 
@@ -60,6 +63,9 @@ var AllowedPromptTypeEnumEnumValues = []PromptTypeEnum{
 	"separator",
 	"hidden",
 	"static",
+	"alert_info",
+	"alert_warning",
+	"alert_danger",
 	"ak-locale",
 }
 

packages/client-rust/src/apis/core_api.rs

@@ -71,6 +71,7 @@ pub async fn core_brands_list(
     flow_authentication: Option<&str>,
     flow_device_code: Option<&str>,
     flow_invalidation: Option<&str>,
+    flow_lockdown: Option<&str>,
     flow_recovery: Option<&str>,
     flow_unenrollment: Option<&str>,
     flow_user_settings: Option<&str>,
@@ -92,6 +93,7 @@ pub async fn core_brands_list(
     let p_query_flow_authentication = flow_authentication;
     let p_query_flow_device_code = flow_device_code;
     let p_query_flow_invalidation = flow_invalidation;
+    let p_query_flow_lockdown = flow_lockdown;
     let p_query_flow_recovery = flow_recovery;
     let p_query_flow_unenrollment = flow_unenrollment;
     let p_query_flow_user_settings = flow_user_settings;
@@ -154,6 +156,9 @@ pub async fn core_brands_list(
     if let Some(ref param_value) = p_query_flow_invalidation {
         req_builder = req_builder.query(&[("flow_invalidation", &param_value.to_string())]);
     }
+    if let Some(ref param_value) = p_query_flow_lockdown {
+        req_builder = req_builder.query(&[("flow_lockdown", &param_value.to_string())]);
+    }
     if let Some(ref param_value) = p_query_flow_recovery {
         req_builder = req_builder.query(&[("flow_recovery", &param_value.to_string())]);
     }

packages/client-rust/src/models/brand.rs

@@ -78,6 +78,13 @@ pub struct Brand {
         skip_serializing_if = "Option::is_none"
     )]
     pub flow_device_code: Option<Option<uuid::Uuid>>,
+    #[serde(
+        rename = "flow_lockdown",
+        default,
+        with = "::serde_with::rust::double_option",
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub flow_lockdown: Option<Option<uuid::Uuid>>,
     /// When set, external users will be redirected to this application after authenticating.
     #[serde(
         rename = "default_application",
@@ -122,6 +129,7 @@ impl Brand {
             flow_unenrollment: None,
             flow_user_settings: None,
             flow_device_code: None,
+            flow_lockdown: None,
             default_application: None,
             web_certificate: None,
             client_certificates: None,

packages/client-rust/src/models/prompt_type_enum.rs

@@ -47,6 +47,12 @@ pub enum PromptTypeEnum {
     Hidden,
     #[serde(rename = "static")]
     Static,
+    #[serde(rename = "alert_info")]
+    AlertInfo,
+    #[serde(rename = "alert_warning")]
+    AlertWarning,
+    #[serde(rename = "alert_danger")]
+    AlertDanger,
     #[serde(rename = "ak-locale")]
     AkLocale,
 }
@@ -71,6 +77,9 @@ impl std::fmt::Display for PromptTypeEnum {
             Self::Separator => write!(f, "separator"),
             Self::Hidden => write!(f, "hidden"),
             Self::Static => write!(f, "static"),
+            Self::AlertInfo => write!(f, "alert_info"),
+            Self::AlertWarning => write!(f, "alert_warning"),
+            Self::AlertDanger => write!(f, "alert_danger"),
             Self::AkLocale => write!(f, "ak-locale"),
         }
     }

packages/client-ts/src/apis/CoreApi.ts

@@ -52,6 +52,7 @@ import type {
     TransactionApplicationResponse,
     UsedBy,
     User,
+    UserAccountLockdownRequest,
     UserAccountRequest,
     UserConsent,
     UserPasswordHashSetRequest,
@@ -102,6 +103,7 @@ import {
     TransactionApplicationRequestToJSON,
     TransactionApplicationResponseFromJSON,
     UsedByFromJSON,
+    UserAccountLockdownRequestToJSON,
     UserAccountRequestToJSON,
     UserConsentFromJSON,
     UserFromJSON,
@@ -245,6 +247,7 @@ export interface CoreBrandsListRequest {
     flowAuthentication?: string;
     flowDeviceCode?: string;
     flowInvalidation?: string;
+    flowLockdown?: string;
     flowRecovery?: string;
     flowUnenrollment?: string;
     flowUserSettings?: string;
@@ -403,6 +406,10 @@ export interface CoreUserConsentUsedByListRequest {
     id: number;
 }
 
+export interface CoreUsersAccountLockdownCreateRequest {
+    userAccountLockdownRequest?: UserAccountLockdownRequest;
+}
+
 export interface CoreUsersCreateRequest {
     userRequest: UserRequest;
 }
@@ -2214,6 +2221,10 @@ export class CoreApi extends runtime.BaseAPI {
             queryParameters["flow_invalidation"] = requestParameters["flowInvalidation"];
         }
 
+        if (requestParameters["flowLockdown"] != null) {
+            queryParameters["flow_lockdown"] = requestParameters["flowLockdown"];
+        }
+
         if (requestParameters["flowRecovery"] != null) {
             queryParameters["flow_recovery"] = requestParameters["flowRecovery"];
         }
@@ -4189,6 +4200,66 @@ export class CoreApi extends runtime.BaseAPI {
         return await response.value();
     }
 
+    /**
+     * Creates request options for coreUsersAccountLockdownCreate without sending the request
+     */
+    async coreUsersAccountLockdownCreateRequestOpts(
+        requestParameters: CoreUsersAccountLockdownCreateRequest,
+    ): Promise<runtime.RequestOpts> {
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/core/users/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "POST",
+            headers: headerParameters,
+            query: queryParameters,
+            body: UserAccountLockdownRequestToJSON(requestParameters["userAccountLockdownRequest"]),
+        };
+    }
+
+    /**
+     * Choose the target account, then return a flow link.
+     */
+    async coreUsersAccountLockdownCreateRaw(
+        requestParameters: CoreUsersAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<Link>> {
+        const requestOptions =
+            await this.coreUsersAccountLockdownCreateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => LinkFromJSON(jsonValue));
+    }
+
+    /**
+     * Choose the target account, then return a flow link.
+     */
+    async coreUsersAccountLockdownCreate(
+        requestParameters: CoreUsersAccountLockdownCreateRequest = {},
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<Link> {
+        const response = await this.coreUsersAccountLockdownCreateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
     /**
      * Creates request options for coreUsersCreate without sending the request
      */

packages/client-ts/src/apis/LifecycleApi.ts

@@ -40,9 +40,12 @@ export interface LifecycleIterationsCreateRequest {
     lifecycleIterationRequest: LifecycleIterationRequest;
 }
 
-export interface LifecycleIterationsLatestRetrieveRequest {
+export interface LifecycleIterationsListLatestRequest {
     contentType: string;
     objectId: string;
+    ordering?: string;
+    search?: string;
+    userIsReviewer?: boolean;
 }
 
 export interface LifecycleIterationsListOpenRequest {
@@ -157,27 +160,39 @@ export class LifecycleApi extends runtime.BaseAPI {
     }
 
     /**
-     * Creates request options for lifecycleIterationsLatestRetrieve without sending the request
+     * Creates request options for lifecycleIterationsListLatest without sending the request
      */
-    async lifecycleIterationsLatestRetrieveRequestOpts(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatestRequestOpts(
+        requestParameters: LifecycleIterationsListLatestRequest,
     ): Promise<runtime.RequestOpts> {
         if (requestParameters["contentType"] == null) {
             throw new runtime.RequiredError(
                 "contentType",
-                'Required parameter "contentType" was null or undefined when calling lifecycleIterationsLatestRetrieve().',
+                'Required parameter "contentType" was null or undefined when calling lifecycleIterationsListLatest().',
             );
         }
 
         if (requestParameters["objectId"] == null) {
             throw new runtime.RequiredError(
                 "objectId",
-                'Required parameter "objectId" was null or undefined when calling lifecycleIterationsLatestRetrieve().',
+                'Required parameter "objectId" was null or undefined when calling lifecycleIterationsListLatest().',
             );
         }
 
         const queryParameters: any = {};
 
+        if (requestParameters["ordering"] != null) {
+            queryParameters["ordering"] = requestParameters["ordering"];
+        }
+
+        if (requestParameters["search"] != null) {
+            queryParameters["search"] = requestParameters["search"];
+        }
+
+        if (requestParameters["userIsReviewer"] != null) {
+            queryParameters["user_is_reviewer"] = requestParameters["userIsReviewer"];
+        }
+
         const headerParameters: runtime.HTTPHeaders = {};
 
         if (this.configuration && this.configuration.accessToken) {
@@ -210,27 +225,27 @@ export class LifecycleApi extends runtime.BaseAPI {
     /**
      * Mixin to validate that a valid enterprise license exists before allowing to save the object
      */
-    async lifecycleIterationsLatestRetrieveRaw(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatestRaw(
+        requestParameters: LifecycleIterationsListLatestRequest,
         initOverrides?: RequestInit | runtime.InitOverrideFunction,
-    ): Promise<runtime.ApiResponse<LifecycleIteration>> {
+    ): Promise<runtime.ApiResponse<Array<LifecycleIteration>>> {
         const requestOptions =
-            await this.lifecycleIterationsLatestRetrieveRequestOpts(requestParameters);
+            await this.lifecycleIterationsListLatestRequestOpts(requestParameters);
         const response = await this.request(requestOptions, initOverrides);
 
         return new runtime.JSONApiResponse(response, (jsonValue) =>
-            LifecycleIterationFromJSON(jsonValue),
+            jsonValue.map(LifecycleIterationFromJSON),
         );
     }
 
     /**
      * Mixin to validate that a valid enterprise license exists before allowing to save the object
      */
-    async lifecycleIterationsLatestRetrieve(
-        requestParameters: LifecycleIterationsLatestRetrieveRequest,
+    async lifecycleIterationsListLatest(
+        requestParameters: LifecycleIterationsListLatestRequest,
         initOverrides?: RequestInit | runtime.InitOverrideFunction,
-    ): Promise<LifecycleIteration> {
-        const response = await this.lifecycleIterationsLatestRetrieveRaw(
+    ): Promise<Array<LifecycleIteration>> {
+        const response = await this.lifecycleIterationsListLatestRaw(
             requestParameters,
             initOverrides,
         );

packages/client-ts/src/apis/StagesApi.ts

@@ -13,6 +13,8 @@
  */
 
 import type {
+    AccountLockdownStage,
+    AccountLockdownStageRequest,
     AuthenticatorAttachmentEnum,
     AuthenticatorDuoStage,
     AuthenticatorDuoStageDeviceImportResponse,
@@ -61,6 +63,7 @@ import type {
     MutualTLSStageRequest,
     NetworkBindingEnum,
     NotConfiguredActionEnum,
+    PaginatedAccountLockdownStageList,
     PaginatedAuthenticatorDuoStageList,
     PaginatedAuthenticatorEmailStageList,
     PaginatedAuthenticatorEndpointGDTCStageList,
@@ -92,6 +95,7 @@ import type {
     PaginatedWebAuthnDeviceTypeList,
     PasswordStage,
     PasswordStageRequest,
+    PatchedAccountLockdownStageRequest,
     PatchedAuthenticatorDuoStageRequest,
     PatchedAuthenticatorEmailStageRequest,
     PatchedAuthenticatorEndpointGDTCStageRequest,
@@ -150,6 +154,8 @@ import type {
     WebAuthnDeviceType,
 } from "../models/index";
 import {
+    AccountLockdownStageFromJSON,
+    AccountLockdownStageRequestToJSON,
     AuthenticatorDuoStageDeviceImportResponseFromJSON,
     AuthenticatorDuoStageFromJSON,
     AuthenticatorDuoStageManualDeviceImportRequestToJSON,
@@ -190,6 +196,7 @@ import {
     InvitationStageRequestToJSON,
     MutualTLSStageFromJSON,
     MutualTLSStageRequestToJSON,
+    PaginatedAccountLockdownStageListFromJSON,
     PaginatedAuthenticatorDuoStageListFromJSON,
     PaginatedAuthenticatorEmailStageListFromJSON,
     PaginatedAuthenticatorEndpointGDTCStageListFromJSON,
@@ -221,6 +228,7 @@ import {
     PaginatedWebAuthnDeviceTypeListFromJSON,
     PasswordStageFromJSON,
     PasswordStageRequestToJSON,
+    PatchedAccountLockdownStageRequestToJSON,
     PatchedAuthenticatorDuoStageRequestToJSON,
     PatchedAuthenticatorEmailStageRequestToJSON,
     PatchedAuthenticatorEndpointGDTCStageRequestToJSON,
@@ -273,6 +281,46 @@ import {
 } from "../models/index";
 import * as runtime from "../runtime";
 
+export interface StagesAccountLockdownCreateRequest {
+    accountLockdownStageRequest: AccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownDestroyRequest {
+    stageUuid: string;
+}
+
+export interface StagesAccountLockdownListRequest {
+    deactivateUser?: boolean;
+    deleteSessions?: boolean;
+    name?: string;
+    ordering?: string;
+    page?: number;
+    pageSize?: number;
+    revokeTokens?: boolean;
+    search?: string;
+    selfServiceCompletionFlow?: string;
+    setUnusablePassword?: boolean;
+    stageUuid?: string;
+}
+
+export interface StagesAccountLockdownPartialUpdateRequest {
+    stageUuid: string;
+    patchedAccountLockdownStageRequest?: PatchedAccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownRetrieveRequest {
+    stageUuid: string;
+}
+
+export interface StagesAccountLockdownUpdateRequest {
+    stageUuid: string;
+    accountLockdownStageRequest: AccountLockdownStageRequest;
+}
+
+export interface StagesAccountLockdownUsedByListRequest {
+    stageUuid: string;
+}
+
 export interface StagesAllDestroyRequest {
     stageUuid: string;
 }
@@ -1366,6 +1414,534 @@ export interface StagesUserWriteUsedByListRequest {
  *
  */
 export class StagesApi extends runtime.BaseAPI {
+    /**
+     * Creates request options for stagesAccountLockdownCreate without sending the request
+     */
+    async stagesAccountLockdownCreateRequestOpts(
+        requestParameters: StagesAccountLockdownCreateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["accountLockdownStageRequest"] == null) {
+            throw new runtime.RequiredError(
+                "accountLockdownStageRequest",
+                'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownCreate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "POST",
+            headers: headerParameters,
+            query: queryParameters,
+            body: AccountLockdownStageRequestToJSON(
+                requestParameters["accountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownCreateRaw(
+        requestParameters: StagesAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions = await this.stagesAccountLockdownCreateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownCreate(
+        requestParameters: StagesAccountLockdownCreateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownCreateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownDestroy without sending the request
+     */
+    async stagesAccountLockdownDestroyRequestOpts(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownDestroy().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "DELETE",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownDestroyRaw(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<void>> {
+        const requestOptions =
+            await this.stagesAccountLockdownDestroyRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.VoidApiResponse(response);
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownDestroy(
+        requestParameters: StagesAccountLockdownDestroyRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<void> {
+        await this.stagesAccountLockdownDestroyRaw(requestParameters, initOverrides);
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownList without sending the request
+     */
+    async stagesAccountLockdownListRequestOpts(
+        requestParameters: StagesAccountLockdownListRequest,
+    ): Promise<runtime.RequestOpts> {
+        const queryParameters: any = {};
+
+        if (requestParameters["deactivateUser"] != null) {
+            queryParameters["deactivate_user"] = requestParameters["deactivateUser"];
+        }
+
+        if (requestParameters["deleteSessions"] != null) {
+            queryParameters["delete_sessions"] = requestParameters["deleteSessions"];
+        }
+
+        if (requestParameters["name"] != null) {
+            queryParameters["name"] = requestParameters["name"];
+        }
+
+        if (requestParameters["ordering"] != null) {
+            queryParameters["ordering"] = requestParameters["ordering"];
+        }
+
+        if (requestParameters["page"] != null) {
+            queryParameters["page"] = requestParameters["page"];
+        }
+
+        if (requestParameters["pageSize"] != null) {
+            queryParameters["page_size"] = requestParameters["pageSize"];
+        }
+
+        if (requestParameters["revokeTokens"] != null) {
+            queryParameters["revoke_tokens"] = requestParameters["revokeTokens"];
+        }
+
+        if (requestParameters["search"] != null) {
+            queryParameters["search"] = requestParameters["search"];
+        }
+
+        if (requestParameters["selfServiceCompletionFlow"] != null) {
+            queryParameters["self_service_completion_flow"] =
+                requestParameters["selfServiceCompletionFlow"];
+        }
+
+        if (requestParameters["setUnusablePassword"] != null) {
+            queryParameters["set_unusable_password"] = requestParameters["setUnusablePassword"];
+        }
+
+        if (requestParameters["stageUuid"] != null) {
+            queryParameters["stage_uuid"] = requestParameters["stageUuid"];
+        }
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/`;
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownListRaw(
+        requestParameters: StagesAccountLockdownListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<PaginatedAccountLockdownStageList>> {
+        const requestOptions = await this.stagesAccountLockdownListRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            PaginatedAccountLockdownStageListFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownList(
+        requestParameters: StagesAccountLockdownListRequest = {},
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<PaginatedAccountLockdownStageList> {
+        const response = await this.stagesAccountLockdownListRaw(requestParameters, initOverrides);
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownPartialUpdate without sending the request
+     */
+    async stagesAccountLockdownPartialUpdateRequestOpts(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownPartialUpdate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "PATCH",
+            headers: headerParameters,
+            query: queryParameters,
+            body: PatchedAccountLockdownStageRequestToJSON(
+                requestParameters["patchedAccountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownPartialUpdateRaw(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions =
+            await this.stagesAccountLockdownPartialUpdateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownPartialUpdate(
+        requestParameters: StagesAccountLockdownPartialUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownPartialUpdateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownRetrieve without sending the request
+     */
+    async stagesAccountLockdownRetrieveRequestOpts(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownRetrieve().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownRetrieveRaw(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions =
+            await this.stagesAccountLockdownRetrieveRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownRetrieve(
+        requestParameters: StagesAccountLockdownRetrieveRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownRetrieveRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownUpdate without sending the request
+     */
+    async stagesAccountLockdownUpdateRequestOpts(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUpdate().',
+            );
+        }
+
+        if (requestParameters["accountLockdownStageRequest"] == null) {
+            throw new runtime.RequiredError(
+                "accountLockdownStageRequest",
+                'Required parameter "accountLockdownStageRequest" was null or undefined when calling stagesAccountLockdownUpdate().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        headerParameters["Content-Type"] = "application/json";
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "PUT",
+            headers: headerParameters,
+            query: queryParameters,
+            body: AccountLockdownStageRequestToJSON(
+                requestParameters["accountLockdownStageRequest"],
+            ),
+        };
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownUpdateRaw(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<AccountLockdownStage>> {
+        const requestOptions = await this.stagesAccountLockdownUpdateRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) =>
+            AccountLockdownStageFromJSON(jsonValue),
+        );
+    }
+
+    /**
+     * AccountLockdownStage Viewset
+     */
+    async stagesAccountLockdownUpdate(
+        requestParameters: StagesAccountLockdownUpdateRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<AccountLockdownStage> {
+        const response = await this.stagesAccountLockdownUpdateRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
+    /**
+     * Creates request options for stagesAccountLockdownUsedByList without sending the request
+     */
+    async stagesAccountLockdownUsedByListRequestOpts(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+    ): Promise<runtime.RequestOpts> {
+        if (requestParameters["stageUuid"] == null) {
+            throw new runtime.RequiredError(
+                "stageUuid",
+                'Required parameter "stageUuid" was null or undefined when calling stagesAccountLockdownUsedByList().',
+            );
+        }
+
+        const queryParameters: any = {};
+
+        const headerParameters: runtime.HTTPHeaders = {};
+
+        if (this.configuration && this.configuration.accessToken) {
+            const token = this.configuration.accessToken;
+            const tokenString = await token("authentik", []);
+
+            if (tokenString) {
+                headerParameters["Authorization"] = `Bearer ${tokenString}`;
+            }
+        }
+
+        let urlPath = `/stages/account_lockdown/{stage_uuid}/used_by/`;
+        urlPath = urlPath.replace(
+            `{${"stage_uuid"}}`,
+            encodeURIComponent(String(requestParameters["stageUuid"])),
+        );
+
+        return {
+            path: urlPath,
+            method: "GET",
+            headers: headerParameters,
+            query: queryParameters,
+        };
+    }
+
+    /**
+     * Get a list of all objects that use this object
+     */
+    async stagesAccountLockdownUsedByListRaw(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<runtime.ApiResponse<Array<UsedBy>>> {
+        const requestOptions =
+            await this.stagesAccountLockdownUsedByListRequestOpts(requestParameters);
+        const response = await this.request(requestOptions, initOverrides);
+
+        return new runtime.JSONApiResponse(response, (jsonValue) => jsonValue.map(UsedByFromJSON));
+    }
+
+    /**
+     * Get a list of all objects that use this object
+     */
+    async stagesAccountLockdownUsedByList(
+        requestParameters: StagesAccountLockdownUsedByListRequest,
+        initOverrides?: RequestInit | runtime.InitOverrideFunction,
+    ): Promise<Array<UsedBy>> {
+        const response = await this.stagesAccountLockdownUsedByListRaw(
+            requestParameters,
+            initOverrides,
+        );
+        return await response.value();
+    }
+
     /**
      * Creates request options for stagesAllDestroy without sending the request
      */

packages/client-ts/src/models/AccountLockdownStage.ts

@@ -0,0 +1,166 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { FlowSet } from "./FlowSet";
+import { FlowSetFromJSON } from "./FlowSet";
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface AccountLockdownStage
+ */
+export interface AccountLockdownStage {
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly pk: string;
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    name: string;
+    /**
+     * Get object type so that we know how to edit the object
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly component: string;
+    /**
+     * Return object's verbose_name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly verboseName: string;
+    /**
+     * Return object's plural verbose_name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly verboseNamePlural: string;
+    /**
+     * Return internal model name
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    readonly metaModelName: string;
+    /**
+     *
+     * @type {Array<FlowSet>}
+     * @memberof AccountLockdownStage
+     */
+    readonly flowSet: Array<FlowSet>;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof AccountLockdownStage
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof AccountLockdownStage
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the AccountLockdownStage interface.
+ */
+export function instanceOfAccountLockdownStage(value: object): value is AccountLockdownStage {
+    if (!("pk" in value) || value["pk"] === undefined) return false;
+    if (!("name" in value) || value["name"] === undefined) return false;
+    if (!("component" in value) || value["component"] === undefined) return false;
+    if (!("verboseName" in value) || value["verboseName"] === undefined) return false;
+    if (!("verboseNamePlural" in value) || value["verboseNamePlural"] === undefined) return false;
+    if (!("metaModelName" in value) || value["metaModelName"] === undefined) return false;
+    if (!("flowSet" in value) || value["flowSet"] === undefined) return false;
+    return true;
+}
+
+export function AccountLockdownStageFromJSON(json: any): AccountLockdownStage {
+    return AccountLockdownStageFromJSONTyped(json, false);
+}
+
+export function AccountLockdownStageFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): AccountLockdownStage {
+    if (json == null) {
+        return json;
+    }
+    return {
+        pk: json["pk"],
+        name: json["name"],
+        component: json["component"],
+        verboseName: json["verbose_name"],
+        verboseNamePlural: json["verbose_name_plural"],
+        metaModelName: json["meta_model_name"],
+        flowSet: (json["flow_set"] as Array<any>).map(FlowSetFromJSON),
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function AccountLockdownStageToJSON(json: any): AccountLockdownStage {
+    return AccountLockdownStageToJSONTyped(json, false);
+}
+
+export function AccountLockdownStageToJSONTyped(
+    value?: Omit<
+        AccountLockdownStage,
+        "pk" | "component" | "verbose_name" | "verbose_name_plural" | "meta_model_name" | "flow_set"
+    > | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/AccountLockdownStageRequest.ts

@@ -0,0 +1,114 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface AccountLockdownStageRequest
+ */
+export interface AccountLockdownStageRequest {
+    /**
+     *
+     * @type {string}
+     * @memberof AccountLockdownStageRequest
+     */
+    name: string;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof AccountLockdownStageRequest
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof AccountLockdownStageRequest
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the AccountLockdownStageRequest interface.
+ */
+export function instanceOfAccountLockdownStageRequest(
+    value: object,
+): value is AccountLockdownStageRequest {
+    if (!("name" in value) || value["name"] === undefined) return false;
+    return true;
+}
+
+export function AccountLockdownStageRequestFromJSON(json: any): AccountLockdownStageRequest {
+    return AccountLockdownStageRequestFromJSONTyped(json, false);
+}
+
+export function AccountLockdownStageRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): AccountLockdownStageRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        name: json["name"],
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function AccountLockdownStageRequestToJSON(json: any): AccountLockdownStageRequest {
+    return AccountLockdownStageRequestToJSONTyped(json, false);
+}
+
+export function AccountLockdownStageRequestToJSONTyped(
+    value?: AccountLockdownStageRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/AppEnum.ts

@@ -94,6 +94,7 @@ export const AppEnum = {
     AuthentikEnterpriseProvidersSsf: "authentik.enterprise.providers.ssf",
     AuthentikEnterpriseProvidersWsFederation: "authentik.enterprise.providers.ws_federation",
     AuthentikEnterpriseReports: "authentik.enterprise.reports",
+    AuthentikEnterpriseStagesAccountLockdown: "authentik.enterprise.stages.account_lockdown",
     AuthentikEnterpriseStagesAuthenticatorEndpointGdtc:
         "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     AuthentikEnterpriseStagesMtls: "authentik.enterprise.stages.mtls",

packages/client-ts/src/models/Brand.ts

@@ -102,6 +102,12 @@ export interface Brand {
      * @memberof Brand
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof Brand
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -166,6 +172,7 @@ export function BrandFromJSONTyped(json: any, ignoreDiscriminator: boolean): Bra
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -201,6 +208,7 @@ export function BrandToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/BrandRequest.ts

@@ -96,6 +96,12 @@ export interface BrandRequest {
      * @memberof BrandRequest
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof BrandRequest
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -158,6 +164,7 @@ export function BrandRequestFromJSONTyped(json: any, ignoreDiscriminator: boolea
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -193,6 +200,7 @@ export function BrandRequestToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/CurrentBrand.ts

@@ -117,6 +117,12 @@ export interface CurrentBrand {
      * @memberof CurrentBrand
      */
     flowDeviceCode?: string;
+    /**
+     *
+     * @type {string}
+     * @memberof CurrentBrand
+     */
+    flowLockdown?: string;
     /**
      *
      * @type {string}
@@ -177,6 +183,7 @@ export function CurrentBrandFromJSONTyped(json: any, ignoreDiscriminator: boolea
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultLocale: json["default_locale"],
         flags: CurrentBrandFlagsFromJSON(json["flags"]),
     };
@@ -213,6 +220,7 @@ export function CurrentBrandToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         flags: CurrentBrandFlagsToJSON(value["flags"]),
     };
 }

packages/client-ts/src/models/LifecycleIteration.ts

@@ -16,12 +16,10 @@ import type { ContentTypeEnum } from "./ContentTypeEnum";
 import { ContentTypeEnumFromJSON, ContentTypeEnumToJSON } from "./ContentTypeEnum";
 import type { LifecycleIterationStateEnum } from "./LifecycleIterationStateEnum";
 import { LifecycleIterationStateEnumFromJSON } from "./LifecycleIterationStateEnum";
+import type { RelatedRule } from "./RelatedRule";
+import { RelatedRuleFromJSON } from "./RelatedRule";
 import type { Review } from "./Review";
 import { ReviewFromJSON } from "./Review";
-import type { ReviewerGroup } from "./ReviewerGroup";
-import { ReviewerGroupFromJSON } from "./ReviewerGroup";
-import type { ReviewerUser } from "./ReviewerUser";
-import { ReviewerUserFromJSON } from "./ReviewerUser";
 
 /**
  * Mixin to validate that a valid enterprise license
@@ -90,30 +88,18 @@ export interface LifecycleIteration {
      * @memberof LifecycleIteration
      */
     readonly reviews: Array<Review>;
+    /**
+     *
+     * @type {RelatedRule}
+     * @memberof LifecycleIteration
+     */
+    readonly rule: RelatedRule;
     /**
      *
      * @type {boolean}
      * @memberof LifecycleIteration
      */
     readonly userCanReview: boolean;
-    /**
-     *
-     * @type {Array<ReviewerGroup>}
-     * @memberof LifecycleIteration
-     */
-    readonly reviewerGroups: Array<ReviewerGroup>;
-    /**
-     *
-     * @type {number}
-     * @memberof LifecycleIteration
-     */
-    readonly minReviewers: number;
-    /**
-     *
-     * @type {Array<ReviewerUser>}
-     * @memberof LifecycleIteration
-     */
-    readonly reviewers: Array<ReviewerUser>;
 }
 
 /**
@@ -130,10 +116,8 @@ export function instanceOfLifecycleIteration(value: object): value is LifecycleI
     if (!("gracePeriodEnd" in value) || value["gracePeriodEnd"] === undefined) return false;
     if (!("nextReviewDate" in value) || value["nextReviewDate"] === undefined) return false;
     if (!("reviews" in value) || value["reviews"] === undefined) return false;
+    if (!("rule" in value) || value["rule"] === undefined) return false;
     if (!("userCanReview" in value) || value["userCanReview"] === undefined) return false;
-    if (!("reviewerGroups" in value) || value["reviewerGroups"] === undefined) return false;
-    if (!("minReviewers" in value) || value["minReviewers"] === undefined) return false;
-    if (!("reviewers" in value) || value["reviewers"] === undefined) return false;
     return true;
 }
 
@@ -159,10 +143,8 @@ export function LifecycleIterationFromJSONTyped(
         gracePeriodEnd: new Date(json["grace_period_end"]),
         nextReviewDate: new Date(json["next_review_date"]),
         reviews: (json["reviews"] as Array<any>).map(ReviewFromJSON),
+        rule: RelatedRuleFromJSON(json["rule"]),
         userCanReview: json["user_can_review"],
-        reviewerGroups: (json["reviewer_groups"] as Array<any>).map(ReviewerGroupFromJSON),
-        minReviewers: json["min_reviewers"],
-        reviewers: (json["reviewers"] as Array<any>).map(ReviewerUserFromJSON),
     };
 }
 
@@ -182,10 +164,8 @@ export function LifecycleIterationToJSONTyped(
         | "grace_period_end"
         | "next_review_date"
         | "reviews"
+        | "rule"
         | "user_can_review"
-        | "reviewer_groups"
-        | "min_reviewers"
-        | "reviewers"
     > | null,
     ignoreDiscriminator: boolean = false,
 ): any {

packages/client-ts/src/models/ModelEnum.ts

@@ -175,6 +175,8 @@ export const ModelEnum = {
     AuthentikProvidersWsFederationWsfederationprovider:
         "authentik_providers_ws_federation.wsfederationprovider",
     AuthentikReportsDataexport: "authentik_reports.dataexport",
+    AuthentikStagesAccountLockdownAccountlockdownstage:
+        "authentik_stages_account_lockdown.accountlockdownstage",
     AuthentikStagesAuthenticatorEndpointGdtcAuthenticatorendpointgdtcstage:
         "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
     AuthentikStagesMtlsMutualtlsstage: "authentik_stages_mtls.mutualtlsstage",

packages/client-ts/src/models/PaginatedAccountLockdownStageList.ts

@@ -0,0 +1,97 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { AccountLockdownStage } from "./AccountLockdownStage";
+import { AccountLockdownStageFromJSON, AccountLockdownStageToJSON } from "./AccountLockdownStage";
+import type { Pagination } from "./Pagination";
+import { PaginationFromJSON, PaginationToJSON } from "./Pagination";
+
+/**
+ *
+ * @export
+ * @interface PaginatedAccountLockdownStageList
+ */
+export interface PaginatedAccountLockdownStageList {
+    /**
+     *
+     * @type {Pagination}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    pagination: Pagination;
+    /**
+     *
+     * @type {Array<AccountLockdownStage>}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    results: Array<AccountLockdownStage>;
+    /**
+     *
+     * @type {{ [key: string]: any; }}
+     * @memberof PaginatedAccountLockdownStageList
+     */
+    autocomplete: { [key: string]: any };
+}
+
+/**
+ * Check if a given object implements the PaginatedAccountLockdownStageList interface.
+ */
+export function instanceOfPaginatedAccountLockdownStageList(
+    value: object,
+): value is PaginatedAccountLockdownStageList {
+    if (!("pagination" in value) || value["pagination"] === undefined) return false;
+    if (!("results" in value) || value["results"] === undefined) return false;
+    if (!("autocomplete" in value) || value["autocomplete"] === undefined) return false;
+    return true;
+}
+
+export function PaginatedAccountLockdownStageListFromJSON(
+    json: any,
+): PaginatedAccountLockdownStageList {
+    return PaginatedAccountLockdownStageListFromJSONTyped(json, false);
+}
+
+export function PaginatedAccountLockdownStageListFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): PaginatedAccountLockdownStageList {
+    if (json == null) {
+        return json;
+    }
+    return {
+        pagination: PaginationFromJSON(json["pagination"]),
+        results: (json["results"] as Array<any>).map(AccountLockdownStageFromJSON),
+        autocomplete: json["autocomplete"],
+    };
+}
+
+export function PaginatedAccountLockdownStageListToJSON(
+    json: any,
+): PaginatedAccountLockdownStageList {
+    return PaginatedAccountLockdownStageListToJSONTyped(json, false);
+}
+
+export function PaginatedAccountLockdownStageListToJSONTyped(
+    value?: PaginatedAccountLockdownStageList | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        pagination: PaginationToJSON(value["pagination"]),
+        results: (value["results"] as Array<any>).map(AccountLockdownStageToJSON),
+        autocomplete: value["autocomplete"],
+    };
+}

packages/client-ts/src/models/PatchedAccountLockdownStageRequest.ts

@@ -0,0 +1,117 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * AccountLockdownStage Serializer
+ * @export
+ * @interface PatchedAccountLockdownStageRequest
+ */
+export interface PatchedAccountLockdownStageRequest {
+    /**
+     *
+     * @type {string}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    name?: string;
+    /**
+     * Deactivate the user account (set is_active to False)
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    deactivateUser?: boolean;
+    /**
+     * Set an unusable password for the user
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    setUnusablePassword?: boolean;
+    /**
+     * Delete all active sessions for the user
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    deleteSessions?: boolean;
+    /**
+     * Revoke all tokens for the user (API, app password, recovery, verification, OAuth)
+     * @type {boolean}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    revokeTokens?: boolean;
+    /**
+     * Flow to redirect users to after self-service lockdown. This flow should not require authentication since the user's session is deleted.
+     * @type {string}
+     * @memberof PatchedAccountLockdownStageRequest
+     */
+    selfServiceCompletionFlow?: string | null;
+}
+
+/**
+ * Check if a given object implements the PatchedAccountLockdownStageRequest interface.
+ */
+export function instanceOfPatchedAccountLockdownStageRequest(
+    value: object,
+): value is PatchedAccountLockdownStageRequest {
+    return true;
+}
+
+export function PatchedAccountLockdownStageRequestFromJSON(
+    json: any,
+): PatchedAccountLockdownStageRequest {
+    return PatchedAccountLockdownStageRequestFromJSONTyped(json, false);
+}
+
+export function PatchedAccountLockdownStageRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): PatchedAccountLockdownStageRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        name: json["name"] == null ? undefined : json["name"],
+        deactivateUser: json["deactivate_user"] == null ? undefined : json["deactivate_user"],
+        setUnusablePassword:
+            json["set_unusable_password"] == null ? undefined : json["set_unusable_password"],
+        deleteSessions: json["delete_sessions"] == null ? undefined : json["delete_sessions"],
+        revokeTokens: json["revoke_tokens"] == null ? undefined : json["revoke_tokens"],
+        selfServiceCompletionFlow:
+            json["self_service_completion_flow"] == null
+                ? undefined
+                : json["self_service_completion_flow"],
+    };
+}
+
+export function PatchedAccountLockdownStageRequestToJSON(
+    json: any,
+): PatchedAccountLockdownStageRequest {
+    return PatchedAccountLockdownStageRequestToJSONTyped(json, false);
+}
+
+export function PatchedAccountLockdownStageRequestToJSONTyped(
+    value?: PatchedAccountLockdownStageRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        name: value["name"],
+        deactivate_user: value["deactivateUser"],
+        set_unusable_password: value["setUnusablePassword"],
+        delete_sessions: value["deleteSessions"],
+        revoke_tokens: value["revokeTokens"],
+        self_service_completion_flow: value["selfServiceCompletionFlow"],
+    };
+}

packages/client-ts/src/models/PatchedBrandRequest.ts

@@ -96,6 +96,12 @@ export interface PatchedBrandRequest {
      * @memberof PatchedBrandRequest
      */
     flowDeviceCode?: string | null;
+    /**
+     *
+     * @type {string}
+     * @memberof PatchedBrandRequest
+     */
+    flowLockdown?: string | null;
     /**
      * When set, external users will be redirected to this application after authenticating.
      * @type {string}
@@ -160,6 +166,7 @@ export function PatchedBrandRequestFromJSONTyped(
         flowUserSettings:
             json["flow_user_settings"] == null ? undefined : json["flow_user_settings"],
         flowDeviceCode: json["flow_device_code"] == null ? undefined : json["flow_device_code"],
+        flowLockdown: json["flow_lockdown"] == null ? undefined : json["flow_lockdown"],
         defaultApplication:
             json["default_application"] == null ? undefined : json["default_application"],
         webCertificate: json["web_certificate"] == null ? undefined : json["web_certificate"],
@@ -195,6 +202,7 @@ export function PatchedBrandRequestToJSONTyped(
         flow_unenrollment: value["flowUnenrollment"],
         flow_user_settings: value["flowUserSettings"],
         flow_device_code: value["flowDeviceCode"],
+        flow_lockdown: value["flowLockdown"],
         default_application: value["defaultApplication"],
         web_certificate: value["webCertificate"],
         client_certificates: value["clientCertificates"],

packages/client-ts/src/models/PromptTypeEnum.ts

@@ -34,6 +34,9 @@ export const PromptTypeEnum = {
     Separator: "separator",
     Hidden: "hidden",
     Static: "static",
+    AlertInfo: "alert_info",
+    AlertWarning: "alert_warning",
+    AlertDanger: "alert_danger",
     AkLocale: "ak-locale",
     UnknownDefaultOpenApi: "11184809",
 } as const;

packages/client-ts/src/models/RelatedRule.ts

@@ -0,0 +1,103 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+import type { ReviewerGroup } from "./ReviewerGroup";
+import { ReviewerGroupFromJSON } from "./ReviewerGroup";
+import type { ReviewerUser } from "./ReviewerUser";
+import { ReviewerUserFromJSON } from "./ReviewerUser";
+
+/**
+ * Mixin to validate that a valid enterprise license
+ * exists before allowing to save the object
+ * @export
+ * @interface RelatedRule
+ */
+export interface RelatedRule {
+    /**
+     *
+     * @type {string}
+     * @memberof RelatedRule
+     */
+    id?: string;
+    /**
+     *
+     * @type {string}
+     * @memberof RelatedRule
+     */
+    name: string;
+    /**
+     *
+     * @type {Array<ReviewerGroup>}
+     * @memberof RelatedRule
+     */
+    readonly reviewerGroups: Array<ReviewerGroup>;
+    /**
+     *
+     * @type {number}
+     * @memberof RelatedRule
+     */
+    readonly minReviewers: number;
+    /**
+     *
+     * @type {Array<ReviewerUser>}
+     * @memberof RelatedRule
+     */
+    readonly reviewers: Array<ReviewerUser>;
+}
+
+/**
+ * Check if a given object implements the RelatedRule interface.
+ */
+export function instanceOfRelatedRule(value: object): value is RelatedRule {
+    if (!("name" in value) || value["name"] === undefined) return false;
+    if (!("reviewerGroups" in value) || value["reviewerGroups"] === undefined) return false;
+    if (!("minReviewers" in value) || value["minReviewers"] === undefined) return false;
+    if (!("reviewers" in value) || value["reviewers"] === undefined) return false;
+    return true;
+}
+
+export function RelatedRuleFromJSON(json: any): RelatedRule {
+    return RelatedRuleFromJSONTyped(json, false);
+}
+
+export function RelatedRuleFromJSONTyped(json: any, ignoreDiscriminator: boolean): RelatedRule {
+    if (json == null) {
+        return json;
+    }
+    return {
+        id: json["id"] == null ? undefined : json["id"],
+        name: json["name"],
+        reviewerGroups: (json["reviewer_groups"] as Array<any>).map(ReviewerGroupFromJSON),
+        minReviewers: json["min_reviewers"],
+        reviewers: (json["reviewers"] as Array<any>).map(ReviewerUserFromJSON),
+    };
+}
+
+export function RelatedRuleToJSON(json: any): RelatedRule {
+    return RelatedRuleToJSONTyped(json, false);
+}
+
+export function RelatedRuleToJSONTyped(
+    value?: Omit<RelatedRule, "reviewer_groups" | "min_reviewers" | "reviewers"> | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        id: value["id"],
+        name: value["name"],
+    };
+}

packages/client-ts/src/models/UserAccountLockdownRequest.ts

@@ -0,0 +1,69 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ * Choose the target account before starting the lockdown flow.
+ * @export
+ * @interface UserAccountLockdownRequest
+ */
+export interface UserAccountLockdownRequest {
+    /**
+     * User to lock. If omitted, locks the current user (self-service).
+     * @type {number}
+     * @memberof UserAccountLockdownRequest
+     */
+    user?: number | null;
+}
+
+/**
+ * Check if a given object implements the UserAccountLockdownRequest interface.
+ */
+export function instanceOfUserAccountLockdownRequest(
+    value: object,
+): value is UserAccountLockdownRequest {
+    return true;
+}
+
+export function UserAccountLockdownRequestFromJSON(json: any): UserAccountLockdownRequest {
+    return UserAccountLockdownRequestFromJSONTyped(json, false);
+}
+
+export function UserAccountLockdownRequestFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): UserAccountLockdownRequest {
+    if (json == null) {
+        return json;
+    }
+    return {
+        user: json["user"] == null ? undefined : json["user"],
+    };
+}
+
+export function UserAccountLockdownRequestToJSON(json: any): UserAccountLockdownRequest {
+    return UserAccountLockdownRequestToJSONTyped(json, false);
+}
+
+export function UserAccountLockdownRequestToJSONTyped(
+    value?: UserAccountLockdownRequest | null,
+    ignoreDiscriminator: boolean = false,
+): any {
+    if (value == null) {
+        return value;
+    }
+
+    return {
+        user: value["user"],
+    };
+}

packages/client-ts/src/models/index.ts

@@ -1,6 +1,8 @@
 /* tslint:disable */
 /* eslint-disable */
 export * from "./AccessDeniedChallenge";
+export * from "./AccountLockdownStage";
+export * from "./AccountLockdownStageRequest";
 export * from "./AgentAuthenticationResponse";
 export * from "./AgentConfig";
 export * from "./AgentConnector";
@@ -352,6 +354,7 @@ export * from "./OutpostHealth";
 export * from "./OutpostRequest";
 export * from "./OutpostTypeEnum";
 export * from "./PKCEMethodEnum";
+export * from "./PaginatedAccountLockdownStageList";
 export * from "./PaginatedAgentConnectorList";
 export * from "./PaginatedAppleIndependentSecureEnclaveList";
 export * from "./PaginatedApplicationEntitlementList";
@@ -518,6 +521,7 @@ export * from "./PasswordPolicy";
 export * from "./PasswordPolicyRequest";
 export * from "./PasswordStage";
 export * from "./PasswordStageRequest";
+export * from "./PatchedAccountLockdownStageRequest";
 export * from "./PatchedAgentConnectorRequest";
 export * from "./PatchedAppleIndependentSecureEnclaveRequest";
 export * from "./PatchedApplicationEntitlementRequest";
@@ -705,6 +709,7 @@ export * from "./RedirectURI";
 export * from "./RedirectURIRequest";
 export * from "./RedirectUriTypeEnum";
 export * from "./RelatedGroup";
+export * from "./RelatedRule";
 export * from "./Reputation";
 export * from "./ReputationPolicy";
 export * from "./ReputationPolicyRequest";
@@ -821,6 +826,7 @@ export * from "./UsageEnum";
 export * from "./UsedBy";
 export * from "./UsedByActionEnum";
 export * from "./User";
+export * from "./UserAccountLockdownRequest";
 export * from "./UserAccountRequest";
 export * from "./UserAccountSerializerForRoleRequest";
 export * from "./UserAttributeEnum";

schema.yml

@@ -3172,6 +3172,11 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: flow_lockdown
+        schema:
+          type: string
+          format: uuid
       - in: query
         name: flow_recovery
         schema:
@@ -4585,6 +4590,35 @@ paths:
           $ref: '#/components/responses/ValidationErrorResponse'
         '403':
           $ref: '#/components/responses/GenericErrorResponse'
+  /core/users/account_lockdown/:
+    post:
+      operationId: core_users_account_lockdown_create
+      description: Choose the target account, then return a flow link.
+      tags:
+      - core
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserAccountLockdownRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Link'
+              examples:
+                LockdownFlowURL:
+                  value:
+                    link: https://example.invalid/if/flow/default-account-lockdown/
+                  summary: Lockdown flow URL
+          description: ''
+        '400':
+          description: No lockdown flow configured or the flow is not applicable
+        '403':
+          description: Permission denied (when targeting another user)
   /core/users/export/:
     post:
       operationId: core_users_export_create
@@ -9132,7 +9166,7 @@ paths:
           $ref: '#/components/responses/GenericErrorResponse'
   /lifecycle/iterations/latest/{content_type}/{object_id}/:
     get:
-      operationId: lifecycle_iterations_latest_retrieve
+      operationId: lifecycle_iterations_list_latest
       description: |-
         Mixin to validate that a valid enterprise license
         exists before allowing to save the object
@@ -9149,6 +9183,12 @@ paths:
           type: string
           pattern: ^[^/]+$
         required: true
+      - $ref: '#/components/parameters/QueryPaginationOrdering'
+      - $ref: '#/components/parameters/QuerySearch'
+      - in: query
+        name: user_is_reviewer
+        schema:
+          type: boolean
       tags:
       - lifecycle
       security:
@@ -9158,7 +9198,9 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/LifecycleIteration'
+                type: array
+                items:
+                  $ref: '#/components/schemas/LifecycleIteration'
           description: ''
         '400':
           $ref: '#/components/responses/ValidationErrorResponse'
@@ -26893,6 +26935,222 @@ paths:
           $ref: '#/components/responses/ValidationErrorResponse'
         '403':
           $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/:
+    get:
+      operationId: stages_account_lockdown_list
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: query
+        name: deactivate_user
+        schema:
+          type: boolean
+      - in: query
+        name: delete_sessions
+        schema:
+          type: boolean
+      - $ref: '#/components/parameters/QueryName'
+      - $ref: '#/components/parameters/QueryPaginationOrdering'
+      - $ref: '#/components/parameters/QueryPaginationPage'
+      - $ref: '#/components/parameters/QueryPaginationPageSize'
+      - in: query
+        name: revoke_tokens
+        schema:
+          type: boolean
+      - $ref: '#/components/parameters/QuerySearch'
+      - in: query
+        name: self_service_completion_flow
+        schema:
+          type: string
+          format: uuid
+      - in: query
+        name: set_unusable_password
+        schema:
+          type: boolean
+      - in: query
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PaginatedAccountLockdownStageList'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    post:
+      operationId: stages_account_lockdown_create
+      description: AccountLockdownStage Viewset
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AccountLockdownStageRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/{stage_uuid}/:
+    get:
+      operationId: stages_account_lockdown_retrieve
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    put:
+      operationId: stages_account_lockdown_update
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AccountLockdownStageRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    patch:
+      operationId: stages_account_lockdown_partial_update
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedAccountLockdownStageRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/AccountLockdownStage'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+    delete:
+      operationId: stages_account_lockdown_destroy
+      description: AccountLockdownStage Viewset
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
+  /stages/account_lockdown/{stage_uuid}/used_by/:
+    get:
+      operationId: stages_account_lockdown_used_by_list
+      description: Get a list of all objects that use this object
+      parameters:
+      - in: path
+        name: stage_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Account Lockdown Stage.
+        required: true
+      tags:
+      - stages
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/UsedBy'
+          description: ''
+        '400':
+          $ref: '#/components/responses/ValidationErrorResponse'
+        '403':
+          $ref: '#/components/responses/GenericErrorResponse'
   /stages/all/:
     get:
       operationId: stages_all_list
@@ -33661,6 +33919,93 @@ components:
       required:
       - pending_user
       - pending_user_avatar
+    AccountLockdownStage:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        pk:
+          type: string
+          format: uuid
+          readOnly: true
+          title: Stage uuid
+        name:
+          type: string
+        component:
+          type: string
+          description: Get object type so that we know how to edit the object
+          readOnly: true
+        verbose_name:
+          type: string
+          description: Return object's verbose_name
+          readOnly: true
+        verbose_name_plural:
+          type: string
+          description: Return object's plural verbose_name
+          readOnly: true
+        meta_model_name:
+          type: string
+          description: Return internal model name
+          readOnly: true
+        flow_set:
+          type: array
+          items:
+            $ref: '#/components/schemas/FlowSet'
+          readOnly: true
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
+      required:
+      - component
+      - flow_set
+      - meta_model_name
+      - name
+      - pk
+      - verbose_name
+      - verbose_name_plural
+    AccountLockdownStageRequest:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        name:
+          type: string
+          minLength: 1
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
+      required:
+      - name
     AgentAuthenticationResponse:
       type: object
       description: Base serializer class which doesn't implement create/update methods
@@ -33998,6 +34343,7 @@ components:
       - authentik.enterprise.providers.ssf
       - authentik.enterprise.providers.ws_federation
       - authentik.enterprise.reports
+      - authentik.enterprise.stages.account_lockdown
       - authentik.enterprise.stages.authenticator_endpoint_gdtc
       - authentik.enterprise.stages.mtls
       - authentik.enterprise.stages.source
@@ -35746,6 +36092,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -35818,6 +36168,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -36806,6 +37160,8 @@ components:
           type: string
         flow_device_code:
           type: string
+        flow_lockdown:
+          type: string
         default_locale:
           type: string
           readOnly: true
@@ -42426,35 +42782,24 @@ components:
           items:
             $ref: '#/components/schemas/Review'
           readOnly: true
+        rule:
+          allOf:
+          - $ref: '#/components/schemas/RelatedRule'
+          readOnly: true
         user_can_review:
           type: boolean
           readOnly: true
-        reviewer_groups:
-          type: array
-          items:
-            $ref: '#/components/schemas/ReviewerGroup'
-          readOnly: true
-        min_reviewers:
-          type: integer
-          readOnly: true
-        reviewers:
-          type: array
-          items:
-            $ref: '#/components/schemas/ReviewerUser'
-          readOnly: true
       required:
       - content_type
       - grace_period_end
       - id
-      - min_reviewers
       - next_review_date
       - object_admin_url
       - object_id
       - object_verbose
       - opened_on
-      - reviewer_groups
-      - reviewers
       - reviews
+      - rule
       - state
       - user_can_review
     LifecycleIterationRequest:
@@ -43145,6 +43490,7 @@ components:
       - authentik_providers_ssf.ssfprovider
       - authentik_providers_ws_federation.wsfederationprovider
       - authentik_reports.dataexport
+      - authentik_stages_account_lockdown.accountlockdownstage
       - authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage
       - authentik_stages_mtls.mutualtlsstage
       - authentik_stages_source.sourcestage
@@ -44587,6 +44933,21 @@ components:
       - plain
       - S256
       type: string
+    PaginatedAccountLockdownStageList:
+      type: object
+      properties:
+        pagination:
+          $ref: '#/components/schemas/Pagination'
+        results:
+          type: array
+          items:
+            $ref: '#/components/schemas/AccountLockdownStage'
+        autocomplete:
+          $ref: '#/components/schemas/Autocomplete'
+      required:
+      - autocomplete
+      - pagination
+      - results
     PaginatedAgentConnectorList:
       type: object
       properties:
@@ -47355,6 +47716,32 @@ components:
       required:
       - backends
       - name
+    PatchedAccountLockdownStageRequest:
+      type: object
+      description: AccountLockdownStage Serializer
+      properties:
+        name:
+          type: string
+          minLength: 1
+        deactivate_user:
+          type: boolean
+          description: Deactivate the user account (set is_active to False)
+        set_unusable_password:
+          type: boolean
+          description: Set an unusable password for the user
+        delete_sessions:
+          type: boolean
+          description: Delete all active sessions for the user
+        revoke_tokens:
+          type: boolean
+          description: Revoke all tokens for the user (API, app password, recovery,
+            verification, OAuth)
+        self_service_completion_flow:
+          type: string
+          format: uuid
+          nullable: true
+          description: Flow to redirect users to after self-service lockdown. This
+            flow should not require authentication since the user's session is deleted.
     PatchedAgentConnectorRequest:
       type: object
       properties:
@@ -47798,6 +48185,10 @@ components:
           type: string
           format: uuid
           nullable: true
+        flow_lockdown:
+          type: string
+          format: uuid
+          nullable: true
         default_application:
           type: string
           format: uuid
@@ -52084,6 +52475,9 @@ components:
       - separator
       - hidden
       - static
+      - alert_info
+      - alert_warning
+      - alert_danger
       - ak-locale
       type: string
     PropertyMapping:
@@ -53285,6 +53679,35 @@ components:
       - group_uuid
       - name
       - pk
+    RelatedRule:
+      type: object
+      description: |-
+        Mixin to validate that a valid enterprise license
+        exists before allowing to save the object
+      properties:
+        id:
+          type: string
+          format: uuid
+        name:
+          type: string
+        reviewer_groups:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReviewerGroup'
+          readOnly: true
+        min_reviewers:
+          type: integer
+          readOnly: true
+        reviewers:
+          type: array
+          items:
+            $ref: '#/components/schemas/ReviewerUser'
+          readOnly: true
+      required:
+      - min_reviewers
+      - name
+      - reviewer_groups
+      - reviewers
     Reputation:
       type: object
       description: Reputation Serializer
@@ -57153,6 +57576,14 @@ components:
       - uid
       - username
       - uuid
+    UserAccountLockdownRequest:
+      type: object
+      description: Choose the target account before starting the lockdown flow.
+      properties:
+        user:
+          type: integer
+          nullable: true
+          description: User to lock. If omitted, locks the current user (self-service).
     UserAccountRequest:
       type: object
       description: Account adding/removing operations

src/metrics/mod.rs

@@ -83,7 +83,8 @@ pub(crate) fn start(tasks: &mut Tasks) -> Result<Arc<Metrics>> {
             "metrics",
             router.clone(),
             addr,
-            true, // Allow failure in case the server is running on the same machine, like in dev
+            config::get().debug, /* Allow failure in case the server is running on the same
+                                  * machine, like in dev */
         )?;
     }
 
@@ -92,7 +93,8 @@ pub(crate) fn start(tasks: &mut Tasks) -> Result<Arc<Metrics>> {
         "metrics",
         router,
         unix::net::SocketAddr::from_pathname(socket_path())?,
-        true, // Allow failure in case the server is running on the same machine, like in dev
+        config::get().debug, /* Allow failure in case the server is running on the same machine,
+                              * like in dev */
     )?;
 
     Ok(metrics)

src/worker/mod.rs

@@ -328,8 +328,8 @@ pub(crate) fn start(_cli: Cli, tasks: &mut Tasks) -> Result<Arc<Workers>> {
                 "worker",
                 router.clone(),
                 addr,
-                true, /* Allow failure in case the server is running on the same machine, like
-                       * in dev. */
+                config::get().debug, /* Allow failure in case the server is running on the same
+                                      * machine, like in dev. */
             )?;
         }
 
@@ -338,7 +338,8 @@ pub(crate) fn start(_cli: Cli, tasks: &mut Tasks) -> Result<Arc<Workers>> {
             "worker",
             router,
             unix::net::SocketAddr::from_pathname(socket_path())?,
-            true, // Allow failure in case the server is running on the same machine, like in dev.
+            config::get().debug, /* Allow failure in case the server is running on the same
+                                  * machine, like in dev. */
         )?;
     }
 

web/e2e/fixtures/FormFixture.ts

@@ -77,6 +77,8 @@ export class FormFixture extends PageFixture {
 
     /**
      * Search for a row containing the given text.
+     *
+     * @returns A locator for the row entry matching the query.
      */
     public search = async (
         query: string,

web/e2e/fixtures/SessionFixture.ts

@@ -1,6 +1,8 @@
 import { NavigatorFixture } from "#e2e/fixtures/NavigatorFixture";
 import { PageFixture, PageFixtureInit } from "#e2e/fixtures/PageFixture";
 
+import { expect, Page } from "@playwright/test";
+
 export const GOOD_USERNAME = "test-admin@goauthentik.io";
 export const GOOD_PASSWORD = "test-runner";
 
@@ -11,6 +13,8 @@ export interface LoginInit {
     username?: string;
     password?: string;
     to?: URL | string;
+    rememberMe?: boolean;
+    page?: Page;
 }
 
 export interface SessionFixtureInit extends PageFixtureInit {
@@ -36,6 +40,10 @@ export class SessionFixture extends PageFixture {
     public $passwordStage = this.page.locator("ak-stage-password");
     public $passwordField = this.page.getByLabel("Password");
 
+    public $rememberMeCheckbox = this.page.getByRole("checkbox", {
+        name: "Remember me on this device",
+    });
+
     /**
      * The button to submit the the login flow,
      * typically redirecting to the authenticated interface.
@@ -66,19 +74,45 @@ export class SessionFixture extends PageFixture {
     /**
      * Log into the application.
      */
-    public async login({
-        username = GOOD_USERNAME,
-        password = GOOD_PASSWORD,
-        to = SessionFixture.pathname,
-    }: LoginInit = {}) {
+    public async login(
+        {
+            username = GOOD_USERNAME,
+            password = GOOD_PASSWORD,
+            to = SessionFixture.pathname,
+            rememberMe,
+        }: LoginInit = {},
+        page = this.page,
+    ): Promise<void> {
         this.logger.info("Logging in...");
 
-        const initialURL = new URL(this.page.url());
+        const initialURL = new URL(page.url());
 
         if (initialURL.pathname === SessionFixture.pathname) {
             this.logger.info("Skipping navigation because we're already in a authentication flow");
         } else {
-            await this.page.goto(to.toString());
+            await page.goto(to.toString());
+        }
+
+        if (typeof rememberMe === "boolean") {
+            const rememberMeCheckboxVisible = await this.$rememberMeCheckbox.isVisible();
+
+            if (rememberMeCheckboxVisible) {
+                if (rememberMe) {
+                    await this.$rememberMeCheckbox.check();
+
+                    await expect(
+                        this.$rememberMeCheckbox,
+                        "Remember me checkbox is checked",
+                    ).toBeChecked();
+                } else {
+                    await this.$rememberMeCheckbox.uncheck();
+
+                    await expect(
+                        this.$rememberMeCheckbox,
+                        "Remember me checkbox is unchecked",
+                    ).not.toBeChecked();
+                }
+            }
         }
 
         await this.$usernameField.fill(username);
@@ -102,7 +136,7 @@ export class SessionFixture extends PageFixture {
 
     //#region Navigation
 
-    public async toLoginPage() {
-        await this.page.goto(SessionFixture.pathname);
+    public async toLoginPage(page: Page = this.page) {
+        await page.goto(SessionFixture.pathname);
     }
 }

web/package-lock.json

@@ -78,7 +78,7 @@
                 "globals": "^17.5.0",
                 "guacamole-common-js": "^1.5.0",
                 "hastscript": "^9.0.1",
-                "knip": "^6.6.0",
+                "knip": "^6.6.3",
                 "lex": "^2025.11.0",
                 "lit": "^3.3.2",
                 "lit-analyzer": "^2.0.3",
@@ -2224,9 +2224,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-android-arm-eabi": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.126.0.tgz",
-            "integrity": "sha512-svyoHt25J4741QJ5aa4R+h0iiBeSRt63Lr3aAZcxy2c/NeSE1IfDeMnSij6rIg7EjxkdlXzz613wUjeCeilBNA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.127.0.tgz",
+            "integrity": "sha512-0LC7ye4hvqbIKxAzThzvswgHLFu2AURKzYLeSVvLdu2TBOYWQDmHnTqPLeA597BcUCxiLqLsS4CJ5uoI5WYWCQ==",
             "cpu": [
                 "arm"
             ],
@@ -2240,9 +2240,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-android-arm64": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.126.0.tgz",
-            "integrity": "sha512-hPEBRKgplp1mG9GkINFsr4JVMDNrGJLOqfDaadTWpAoTnzYR5Rmv8RMvB3hJZpiNvbk1aacopdHUP1pggMQ/cw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.127.0.tgz",
+            "integrity": "sha512-b5jtVTH6AU5CJXHNdj7Jj9IEiR9yVjjnwHzPJhGyHGPdcsZSzBCkS9GBbV33niRMvKthDwQRFRJfI4a+k4PvYg==",
             "cpu": [
                 "arm64"
             ],
@@ -2256,9 +2256,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-darwin-arm64": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.126.0.tgz",
-            "integrity": "sha512-ccRpu9sdYmznePJQG5halhs0FW5tw5a8zRSoZXOzM1OjoeZ4jiRRruFiPclsD59edoVAK1l83dvfjWz1nQi6lg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.127.0.tgz",
+            "integrity": "sha512-obCE8B7ISKkJidjlhv9xRGJPOSDG2Yu6PRga9Ruaz35uintHxbp1Ki/Yc71wx4rj3Edrm0a1kzG1TAwit0wFpg==",
             "cpu": [
                 "arm64"
             ],
@@ -2272,9 +2272,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-darwin-x64": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.126.0.tgz",
-            "integrity": "sha512-CHB4zVjNSKqx8Fw9pHowzQQnjjuq04i4Ng0Avj+DixlwhwAoMYqlFbocYIlbg+q3zOLGlm7vEHm83jqEMitnyg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.127.0.tgz",
+            "integrity": "sha512-JL6Xb5IwPQT8rUzlpsX7E+AgfcdNklXNPFp8pjCQQ5MQOQo5rtEB2ui+3Hgg9Sn7Y9Egj6YOLLiHhLpdAe12Aw==",
             "cpu": [
                 "x64"
             ],
@@ -2288,9 +2288,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-freebsd-x64": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.126.0.tgz",
-            "integrity": "sha512-RQ3nEJdcDKBfBjmLJ3Vl1d0KQERPV1P8eUrnBm7+VTYyoaJSPLVFuPg1mlD1hk3n0/879VLFMfusFkBal4ssWQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.127.0.tgz",
+            "integrity": "sha512-SDQ/3MQFw58fqQz3Z1PhSKFF3JoCF4gmlNjziDm8X02tTahCw0qJbd7FGPDKw1i4VTBZene9JPyC3mHtSvi+wA==",
             "cpu": [
                 "x64"
             ],
@@ -2304,9 +2304,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.126.0.tgz",
-            "integrity": "sha512-onipc2wCDA7Bauzb4KK1mab0GsEDf4ujiIfWECdnmY/2LlzAoX3xdQRLAUyEDB1kn3yilHBrkmXDdHluyHXxiw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.127.0.tgz",
+            "integrity": "sha512-Av+D1MIqzV0YMGPT9we2SIZaMKD7Cxs4CvXSx/yxaWHewZjYEjScpOf5igc8IILASViw4WTnjlwUdI1KzVtDHQ==",
             "cpu": [
                 "arm"
             ],
@@ -2320,9 +2320,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm-musleabihf": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.126.0.tgz",
-            "integrity": "sha512-5BuJJPohrV5NJ8lmcYOMbfRCUGoYH5J9HZHeuqOLwkHXWAuPMN3X1h8bC/2mWjmosdbfTtmyIdX3spS/TkqKNg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.127.0.tgz",
+            "integrity": "sha512-Cs2fdJ8cPpFdeebj6p4dag8A4+56hPvZ0AhQQzlaLswGz1tz7bXt1nETLeorrM9+AMcWFFkqxcXwDGfTVidY8g==",
             "cpu": [
                 "arm"
             ],
@@ -2336,9 +2336,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm64-gnu": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.126.0.tgz",
-            "integrity": "sha512-r2KApRgm2pOJaduRm6GOT8x0whcr67AyejNkSdzPt34GJ+Y3axcXN2mwlTs+8lfO/SSmpO5ZJGYiHYnxEE0jkw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.127.0.tgz",
+            "integrity": "sha512-qdOfTcT6SY8gsJrrV92uyEUyjqMGPpIB5JZUG6QN5dukYd+7/j0kX6MwK1DgQj39jtUYixxPiaRUiEN1+0CXgQ==",
             "cpu": [
                 "arm64"
             ],
@@ -2352,9 +2352,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm64-musl": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.126.0.tgz",
-            "integrity": "sha512-FQ+MMh7MT0Dr/u8+RWmWKlfoeWPQyHDbhhxJShJlYtROXXPHsRs9EvmQOZZ3sx4Nn7JU8NX+oyw2YzQ7anBJcA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.127.0.tgz",
+            "integrity": "sha512-EoTCZneNFU/P2qrpEM+RHmQwt+CvDkyGESG6qhr7KaegXLZwePfbrkCDfAk8/rhxbDUVGsZILX+2tqPzFtoFWA==",
             "cpu": [
                 "arm64"
             ],
@@ -2368,9 +2368,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-ppc64-gnu": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.126.0.tgz",
-            "integrity": "sha512-Wv/T8C98hRQhGTlx2XFyLn5raRMp9U1lOQD+YnXNgAr7wHbJJpZ8mDBU7Rw+M3WytGcGTFcr6kqgfyQeHVtLbQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.127.0.tgz",
+            "integrity": "sha512-zALjmZYgxFLHjXeudcDF0xFGNydTAtkAeXAr2EuC17ywCyFxcmQra4w0BMde0Yi/re4Bi4iwEoEXtYN7l6eBLQ==",
             "cpu": [
                 "ppc64"
             ],
@@ -2384,9 +2384,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-riscv64-gnu": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.126.0.tgz",
-            "integrity": "sha512-DHx1rT1zauW0ZbLHOiQh5AC9Xs3UkWx2XmfZHs+7nnWYr3sagrufoUQC+/XPwwjMIlCFXiFGM0sFh3TyOCZwqA==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.127.0.tgz",
+            "integrity": "sha512-fPP8M6zQLS7Jz7o9d5ArUSuAuSK3e+WCYVrCpdzeCOejidtZExJ9tjhDrAd3HEPqARBCPmdpqxESPFqy44vkBQ==",
             "cpu": [
                 "riscv64"
             ],
@@ -2400,9 +2400,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-riscv64-musl": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.126.0.tgz",
-            "integrity": "sha512-umDc2mTShH0U2zcEYf8mIJ163seLJNn54ZUZYeI5jD4qlg9izPwoLrC2aNPKlMJTu6u/ysmQWiEvIiaAG+INkw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.127.0.tgz",
+            "integrity": "sha512-7IcC4Ao02oGpfnjt+X/oF4U2mllo2qoSkw5xxiXNKL9MCTsTiAC6616beOuehdxGcnz1bRoPC1RQ2f1GQDdN+g==",
             "cpu": [
                 "riscv64"
             ],
@@ -2416,9 +2416,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-s390x-gnu": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.126.0.tgz",
-            "integrity": "sha512-PXXeWayclRtO1pxQEeCpiqIglQdhK2mAI2VX5xnsWdImzSB5GpoQ8TNw7vTCKk2k+GZuxl+q1knncidjCyUP9w==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.127.0.tgz",
+            "integrity": "sha512-pbXIhiNFHoqWeqDNLiJ9JkpHz1IM9k4DXa66x+1GTWMG7iLxtkXgE53iiuKSXwmk3zIYmaPVfBvgcAhS583K4Q==",
             "cpu": [
                 "s390x"
             ],
@@ -2432,9 +2432,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-x64-gnu": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.126.0.tgz",
-            "integrity": "sha512-wzocjxm34TbB3bFlqG65JiLtvf6ZDg2ZxRkLLbgXwDQUNU+0MPjQN8zy/0jBKNA5fnPLk3XeVdZ7Uin+7+CVkg==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.127.0.tgz",
+            "integrity": "sha512-MYCguB9RvBvlSd6gbuNI7QwiLoCCAlGnlRJFPrzLI6U1/9wkC/WK6LtBAUln55H1Ctqw45PWmqrobKoMhsYQzQ==",
             "cpu": [
                 "x64"
             ],
@@ -2448,9 +2448,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-x64-musl": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.126.0.tgz",
-            "integrity": "sha512-e83uftP60jmkPs2+CW6T6A1GYzN2H6IumDAiTntv9WyHR73PI3ImHNBkYqnA3ukeKI3xjcCbhSh9QeJWmufxGQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.127.0.tgz",
+            "integrity": "sha512-5eY0B/bxf1xIUxb4NOTvOI3KWtBQfPWYyKAzgcrCt0mDibSZygVpO1Pz8bkeiSZ5Jj9+M09dkggG3H8I5d0Uyg==",
             "cpu": [
                 "x64"
             ],
@@ -2464,9 +2464,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-openharmony-arm64": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.126.0.tgz",
-            "integrity": "sha512-4WiOILHnPrTDY2/L4mE6PZCYwLN1d3ghma6BuTJ452CCgzRMt3uFplCtR+o3r9zdUWJYb370UizpI9CUcWXr1A==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.127.0.tgz",
+            "integrity": "sha512-Gld0ajrFTUXNtdw20fVBuTQx66FA75nIVg+//pPfR3sXkuABB4mTBhl3r9JNzrJpgW//qiwxf0nWXUWGJSL3UQ==",
             "cpu": [
                 "arm64"
             ],
@@ -2480,9 +2480,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-wasm32-wasi": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.126.0.tgz",
-            "integrity": "sha512-Y17hhnrQTrxgAxAyAq401vnN9URsAL4s5AjqpG1NDsXSlhe1yBNnns+rC2P6xcMoitgX5nKH2ryYt9oiFRlzLw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.127.0.tgz",
+            "integrity": "sha512-T6KVD7rhLzFlwGRXMnxUFfkCZD8FHnb968wVXW1mXzgRFc5RNXOBY2mPPDZ77x5Ln76ltLMgtPg0cOkU1NSrEQ==",
             "cpu": [
                 "wasm32"
             ],
@@ -2494,13 +2494,13 @@
                 "@napi-rs/wasm-runtime": "^1.1.4"
             },
             "engines": {
-                "node": ">=14.0.0"
+                "node": "^20.19.0 || >=22.12.0"
             }
         },
         "node_modules/@oxc-parser/binding-win32-arm64-msvc": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.126.0.tgz",
-            "integrity": "sha512-Znug1u1iRvT4VC3jANz6nhGBHsFwEFMxuimYpJFwMtsB6H5FcEoZRMmH26tHkSTD03JvDmG+gB65W3ajLjPcSw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.127.0.tgz",
+            "integrity": "sha512-Ujvw4X+LD1CCGULcsQcvb4YNVoBGqt+JHgNNzGGaCImELiZLk477ifUH53gIbE7EKd933NdTi25JWEr9K2HwXw==",
             "cpu": [
                 "arm64"
             ],
@@ -2514,9 +2514,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-win32-ia32-msvc": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.126.0.tgz",
-            "integrity": "sha512-qrw7mx5hFFTxVSXToOA40hpnjgNB/DJprZchtB4rDKNLKqkD3F26HbzaQeH1nxAKej0efSZfJd5Sw3qdtOLGhw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.127.0.tgz",
+            "integrity": "sha512-0cwxKO7KHQQQfo4Uf4B2SQrhgm+cJaP9OvFFhx52Tkg4bezsacu83GB2/In5bC415Ueeym+kXdnge/57rbSfTw==",
             "cpu": [
                 "ia32"
             ],
@@ -2530,9 +2530,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-win32-x64-msvc": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.126.0.tgz",
-            "integrity": "sha512-ibB1s+mPUFXvS7MFJO2jpw/aCNs/P6ifnWlRyTYB+WYBpniOiCcHQQskZneJtwcjQMDRol3RGG3ihoYnzXSY4w==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.127.0.tgz",
+            "integrity": "sha512-rOrnSQSCbhI2kowr9XxE7m9a8oQXnBHjnS6j95LxxAnEZ0+Fz20WlRXG4ondQb+ejjt2KOsa65sE6++L6kUd+w==",
             "cpu": [
                 "x64"
             ],
@@ -2546,9 +2546,9 @@
             }
         },
         "node_modules/@oxc-project/types": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.126.0.tgz",
-            "integrity": "sha512-oGfVtjAgwQVVpfBrbtk4e1XDyWHRFta6BS3GWVzrF8xYBT2VGQAk39yJS/wFSMrZqoiCU4oghT3Ch0HaHGIHcQ==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.127.0.tgz",
+            "integrity": "sha512-aIYXQBo4lCbO4z0R3FHeucQHpF46l2LbMdxRvqvuRuW2OxdnSkcng5B8+K12spgLDj93rtN3+J2Vac/TIO+ciQ==",
             "license": "MIT",
             "funding": {
                 "url": "https://github.com/sponsors/Boshen"
@@ -11569,9 +11569,9 @@
             }
         },
         "node_modules/knip": {
-            "version": "6.6.0",
-            "resolved": "https://registry.npmjs.org/knip/-/knip-6.6.0.tgz",
-            "integrity": "sha512-IT1YDiHyRctYYsuZNBd/ZiGoa7HmCaxs+ZrWxCfYjQKPG6QyRqMfkteqC+rBuMymBJeLXyBnRa7hn95O+sGG8Q==",
+            "version": "6.6.3",
+            "resolved": "https://registry.npmjs.org/knip/-/knip-6.6.3.tgz",
+            "integrity": "sha512-7HSf5bLx6r66+sjXwSvSiDEE9RjRzHuAkrEFLE6XXHqaPDY97tdzNvyRVF9DeusbiV72kStAFiNnhj72rxJNGQ==",
             "funding": [
                 {
                     "type": "github",
@@ -11589,13 +11589,13 @@
                 "get-tsconfig": "4.14.0",
                 "jiti": "^2.6.0",
                 "minimist": "^1.2.8",
-                "oxc-parser": "^0.126.0",
+                "oxc-parser": "^0.127.0",
                 "oxc-resolver": "^11.19.1",
                 "picomatch": "^4.0.4",
                 "smol-toml": "^1.6.1",
                 "strip-json-comments": "5.0.3",
                 "tinyglobby": "^0.2.16",
-                "unbash": "^2.2.0",
+                "unbash": "^3.0.0",
                 "yaml": "^2.8.2",
                 "zod": "^4.1.11"
             },
@@ -14283,12 +14283,12 @@
             }
         },
         "node_modules/oxc-parser": {
-            "version": "0.126.0",
-            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.126.0.tgz",
-            "integrity": "sha512-FktCvLby/mOHyuijZt22+nOt10dS24gGUZE3XwIbUg7Kf4+rer3/5T7RgwzazlNuVsCjPloZ3p8E+4ONT3A8Kw==",
+            "version": "0.127.0",
+            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.127.0.tgz",
+            "integrity": "sha512-bkgD4qHlN7WxLdX8bLXdaU54TtQtAIg/ZBAfm0aje/mo3MRDo3P0hZSgr4U7O3xfX+fQmR5AP04JS/TGcZLcFA==",
             "license": "MIT",
             "dependencies": {
-                "@oxc-project/types": "^0.126.0"
+                "@oxc-project/types": "^0.127.0"
             },
             "engines": {
                 "node": "^20.19.0 || >=22.12.0"
@@ -14297,26 +14297,26 @@
                 "url": "https://github.com/sponsors/Boshen"
             },
             "optionalDependencies": {
-                "@oxc-parser/binding-android-arm-eabi": "0.126.0",
-                "@oxc-parser/binding-android-arm64": "0.126.0",
-                "@oxc-parser/binding-darwin-arm64": "0.126.0",
-                "@oxc-parser/binding-darwin-x64": "0.126.0",
-                "@oxc-parser/binding-freebsd-x64": "0.126.0",
-                "@oxc-parser/binding-linux-arm-gnueabihf": "0.126.0",
-                "@oxc-parser/binding-linux-arm-musleabihf": "0.126.0",
-                "@oxc-parser/binding-linux-arm64-gnu": "0.126.0",
-                "@oxc-parser/binding-linux-arm64-musl": "0.126.0",
-                "@oxc-parser/binding-linux-ppc64-gnu": "0.126.0",
-                "@oxc-parser/binding-linux-riscv64-gnu": "0.126.0",
-                "@oxc-parser/binding-linux-riscv64-musl": "0.126.0",
-                "@oxc-parser/binding-linux-s390x-gnu": "0.126.0",
-                "@oxc-parser/binding-linux-x64-gnu": "0.126.0",
-                "@oxc-parser/binding-linux-x64-musl": "0.126.0",
-                "@oxc-parser/binding-openharmony-arm64": "0.126.0",
-                "@oxc-parser/binding-wasm32-wasi": "0.126.0",
-                "@oxc-parser/binding-win32-arm64-msvc": "0.126.0",
-                "@oxc-parser/binding-win32-ia32-msvc": "0.126.0",
-                "@oxc-parser/binding-win32-x64-msvc": "0.126.0"
+                "@oxc-parser/binding-android-arm-eabi": "0.127.0",
+                "@oxc-parser/binding-android-arm64": "0.127.0",
+                "@oxc-parser/binding-darwin-arm64": "0.127.0",
+                "@oxc-parser/binding-darwin-x64": "0.127.0",
+                "@oxc-parser/binding-freebsd-x64": "0.127.0",
+                "@oxc-parser/binding-linux-arm-gnueabihf": "0.127.0",
+                "@oxc-parser/binding-linux-arm-musleabihf": "0.127.0",
+                "@oxc-parser/binding-linux-arm64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-arm64-musl": "0.127.0",
+                "@oxc-parser/binding-linux-ppc64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-riscv64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-riscv64-musl": "0.127.0",
+                "@oxc-parser/binding-linux-s390x-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-x64-gnu": "0.127.0",
+                "@oxc-parser/binding-linux-x64-musl": "0.127.0",
+                "@oxc-parser/binding-openharmony-arm64": "0.127.0",
+                "@oxc-parser/binding-wasm32-wasi": "0.127.0",
+                "@oxc-parser/binding-win32-arm64-msvc": "0.127.0",
+                "@oxc-parser/binding-win32-ia32-msvc": "0.127.0",
+                "@oxc-parser/binding-win32-x64-msvc": "0.127.0"
             }
         },
         "node_modules/oxc-resolver": {
@@ -18014,9 +18014,9 @@
             }
         },
         "node_modules/unbash": {
-            "version": "2.2.0",
-            "resolved": "https://registry.npmjs.org/unbash/-/unbash-2.2.0.tgz",
-            "integrity": "sha512-X2wH19RAPZE3+ldGicOkoj/SIA83OIxcJ6Cuaw23hf8Xc6fQpvZXY0SftE2JgS0QhYLUG4uwodSI3R53keyh7w==",
+            "version": "3.0.0",
+            "resolved": "https://registry.npmjs.org/unbash/-/unbash-3.0.0.tgz",
+            "integrity": "sha512-FeFPZ/WFT0mbRCuydiZzpPFlrYN8ZUpphQKoq4EeElVIYjYyGzPMxQR/simUwCOJIyVhpFk4RbtyO7RuMpMnHA==",
             "license": "ISC",
             "engines": {
                 "node": ">=14"

web/package.json

@@ -154,7 +154,7 @@
         "globals": "^17.5.0",
         "guacamole-common-js": "^1.5.0",
         "hastscript": "^9.0.1",
-        "knip": "^6.6.0",
+        "knip": "^6.6.3",
         "lex": "^2025.11.0",
         "lit": "^3.3.2",
         "lit-analyzer": "^2.0.3",

web/src/admin/brands/BrandForm.ts

@@ -1,6 +1,7 @@
 import "#admin/common/ak-crypto-certificate-search";
 import "#admin/common/ak-flow-search/ak-flow-search";
 import "#elements/CodeMirror";
+import "#elements/Alert";
 import "#elements/ak-dual-select/ak-dual-select-dynamic-selected-provider";
 import "#elements/ak-dual-select/ak-dual-select-provider";
 import "#elements/forms/FormGroup";
@@ -25,42 +26,79 @@ import {
     Brand,
     CoreApi,
     CoreApplicationsListRequest,
+    Flow,
     FlowDesignationEnum,
+    FlowsApi,
     UsageEnum,
 } from "@goauthentik/api";
+import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum.js";
 
 import YAML from "yaml";
 
 import { msg } from "@lit/localize";
 import { html, TemplateResult } from "lit";
-import { customElement } from "lit/decorators.js";
+import { customElement, state } from "lit/decorators.js";
 
 @customElement("ak-brand-form")
 export class BrandForm extends ModelForm<Brand, string> {
     public static override verboseName = msg("Brand");
     public static override verboseNamePlural = msg("Brands");
 
-    loadInstance(pk: string): Promise<Brand> {
-        return new CoreApi(DEFAULT_CONFIG).coreBrandsRetrieve({
-            brandUuid: pk,
+    #coreAPI = new CoreApi(DEFAULT_CONFIG);
+    #flowsAPI = new FlowsApi(DEFAULT_CONFIG);
+
+    @state()
+    protected lockdownFlowAuthentication: AuthenticationEnum | null = null;
+
+    async loadInstance(pk: string): Promise<Brand> {
+        return this.#coreAPI.coreBrandsRetrieve({ brandUuid: pk }).then(async (brand) => {
+            if (!brand.flowLockdown) {
+                this.lockdownFlowAuthentication = null;
+
+                return brand;
+            }
+
+            return this.#flowsAPI
+                .flowsInstancesList({ flowUuid: brand.flowLockdown })
+                .then((flows) => {
+                    this.lockdownFlowAuthentication = flows.results[0]?.authentication ?? null;
+
+                    return brand;
+                });
         });
     }
 
-    getSuccessMessage(): string {
+    protected lockdownFlowInputListener = (event: Event): void => {
+        const target = event.currentTarget as HTMLElement & {
+            selectedFlow?: Flow | null;
+        };
+        this.lockdownFlowAuthentication = target.selectedFlow?.authentication ?? null;
+    };
+
+    protected get lockdownWarningVisible(): boolean {
+        return !!(
+            this.lockdownFlowAuthentication &&
+            this.lockdownFlowAuthentication !== AuthenticationEnum.RequireAuthenticated
+        );
+    }
+
+    public override getSuccessMessage(): string {
         return this.instance
             ? msg("Successfully updated brand.")
             : msg("Successfully created brand.");
     }
 
-    async send(data: Brand): Promise<Brand> {
+    protected override async send(data: Brand): Promise<Brand> {
         data.attributes ??= {};
+
         if (this.instance?.brandUuid) {
-            return new CoreApi(DEFAULT_CONFIG).coreBrandsPartialUpdate({
+            return this.#coreAPI.coreBrandsPartialUpdate({
                 brandUuid: this.instance.brandUuid,
                 patchedBrandRequest: data,
             });
         }
-        return new CoreApi(DEFAULT_CONFIG).coreBrandsCreate({
+
+        return this.#coreAPI.coreBrandsCreate({
             brandRequest: data,
         });
     }
@@ -285,6 +323,29 @@ export class BrandForm extends ModelForm<Brand, string> {
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Account lockdown flow")}
+                        name="flowLockdown"
+                    >
+                        <ak-flow-search
+                            placeholder=${msg("Select an account lockdown flow...")}
+                            flowType=${FlowDesignationEnum.StageConfiguration}
+                            .currentFlow=${this.instance?.flowLockdown}
+                            @input=${this.lockdownFlowInputListener}
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Flow used when a user triggers account lockdown (e.g. in case of compromise). Should contain an Account Lockdown stage.",
+                            )}
+                        </p>
+                        ${this.lockdownWarningVisible
+                            ? html`<ak-alert inline>
+                                  ${msg(
+                                      "Account lockdown flows should require authentication so they can only be started from a signed-in session.",
+                                  )}
+                              </ak-alert>`
+                            : null}
+                    </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
             <ak-form-group label="${msg("Other global settings")} ">

web/src/admin/events/RuleForm.ts

@@ -104,7 +104,7 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
                 </p>
                 <p class="pf-c-form__helper-text">
                     ${msg(
-                        "If no group is selected and 'Send notification to event user' is disabled the rule is disabled. ",
+                        "If no group is selected and 'Send notification to event user' is disabled, the rule is disabled.",
                     )}
                 </p>
             </ak-form-element-horizontal>
@@ -113,7 +113,7 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
                 label=${msg("Send notification to event user")}
                 ?checked=${this.instance?.destinationEventUser ?? false}
                 help=${msg(
-                    "When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. ",
+                    "When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.",
                 )}
             >
             </ak-switch-input>

web/src/admin/events/RuleListPage.ts

@@ -80,7 +80,7 @@ export class RuleListPage extends TablePage<NotificationRule> {
     protected override row(item: NotificationRule): SlottedTemplateResult[] {
         const enabled = !!item.destinationGroupObj || item.destinationEventUser;
         return [
-            html`<ak-status-label type="warning" ?good=${enabled}></ak-status-label>`,
+            html`<ak-status-label ?good=${enabled}></ak-status-label>`,
             html`${item.name}`,
             html`${severityToLabel(item.severity)}`,
             html`${item.destinationGroupObj

web/src/admin/lifecycle/LifecycleRuleForm.ts

@@ -234,7 +234,7 @@ export class LifecycleRuleForm extends ModelForm<LifecycleRule, string, Lifecycl
                 ${this.renderReviewerGroupsSelection()}
             </ak-form-element-horizontal>
             <ak-number-input
-                label=${msg("Min reviewers")}
+                label=${msg("Minimum reviewers")}
                 min=${1}
                 name="minReviewers"
                 value="${this.instance?.minReviewers ?? 1}"
@@ -245,7 +245,7 @@ export class LifecycleRuleForm extends ModelForm<LifecycleRule, string, Lifecycl
             <ak-switch-input
                 name="minReviewersIsPerGroup"
                 ?checked=${this.instance?.minReviewersIsPerGroup ?? false}
-                label=${msg("Min reviewers is per-group")}
+                label=${msg("Minimum reviewers is per-group")}
                 .help=${msg(
                     html`If checked, approving a review will require at least that many users from
                         <em>each</em> of the selected groups. When disabled, the value is a total

web/src/admin/lifecycle/LifecycleRuleListPage.ts

@@ -26,7 +26,6 @@ import { customElement } from "lit/decorators.js";
 
 @customElement("ak-lifecycle-rule-list")
 export class LifecycleRuleListPage extends TablePage<LifecycleRule> {
-    public override expandable = true;
     public override checkbox = true;
     public override clearOnRefresh = true;
     public override searchPlaceholder = msg("Search for a lifecycle rule by name or target...");
@@ -95,26 +94,6 @@ export class LifecycleRuleListPage extends TablePage<LifecycleRule> {
         ];
     }
 
-    protected override renderExpanded(item: LifecycleRule): SlottedTemplateResult {
-        const [appLabel, modelName] = ModelEnum.AuthentikLifecycleLifecyclerule.split(".");
-        return html`<dl class="pf-c-description-list pf-m-horizontal">
-            <div class="pf-c-description-list__group">
-                <dt class="pf-c-description-list__term">
-                    <span class="pf-c-description-list__text">${msg("Tasks")}</span>
-                </dt>
-                <dd class="pf-c-description-list__description">
-                    <div class="pf-c-description-list__text">
-                        <ak-task-list
-                            search-placeholder=${msg("Search tasks...")}
-                            .relObjAppLabel=${appLabel}
-                            .relObjModel=${modelName}
-                            .relObjId="${item.id}"
-                        ></ak-task-list>
-                    </div>
-                </dd>
-            </div>
-        </dl>`;
-    }
     protected override renderObjectCreate(): SlottedTemplateResult {
         return ModalInvokerButton(LifecycleRuleForm);
     }

web/src/admin/lifecycle/ObjectLifecyclePage.ts

@@ -1,53 +1,39 @@
 import "#admin/lifecycle/LifecyclePreviewBanner";
-import "#components/ak-textarea-input";
-import "#elements/forms/ModalForm";
-import "#elements/timestamp/ak-timestamp";
-import "#admin/lifecycle/ObjectReviewForm";
+import "#admin/lifecycle/ObjectReviewIteration";
 
 import { DEFAULT_CONFIG } from "#common/api/config";
-import { createPaginatedResponse } from "#common/api/responses";
+import { EVENT_REFRESH } from "#common/constants";
 import { isResponseErrorLike } from "#common/errors/network";
 
-import { ModalInvokerButton } from "#elements/dialogs";
-import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
+import { AKElement } from "#elements/Base";
+import { WithLicenseSummary } from "#elements/mixins/license";
+import { WithSession } from "#elements/mixins/session";
+import Styles from "#elements/table/Table.css";
 import { SlottedTemplateResult } from "#elements/types";
 import { ifPreviousValue } from "#elements/utils/properties";
 
-import { ObjectReviewForm } from "#admin/lifecycle/ObjectReviewForm";
-import { LifecycleIterationStatus } from "#admin/lifecycle/utils";
+import { ContentTypeEnum, LifecycleApi, LifecycleIteration } from "@goauthentik/api";
 
-import {
-    ContentTypeEnum,
-    LifecycleApi,
-    LifecycleIteration,
-    LifecycleIterationStateEnum,
-    Review,
-} from "@goauthentik/api";
-
-import { match, P } from "ts-pattern";
-
-import { msg, str } from "@lit/localize";
-import { html, nothing, PropertyValues, TemplateResult } from "lit";
+import { msg } from "@lit/localize";
+import { html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 
 import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
-import PFCard from "@patternfly/patternfly/components/Card/card.css";
-import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
-import PFFlex from "@patternfly/patternfly/layouts/Flex/flex.css";
+import PFTitle from "@patternfly/patternfly/components/Title/title.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
+import PFSpacing from "@patternfly/patternfly/utilities/Spacing/spacing.css";
 
 @customElement("ak-object-lifecycle-page")
-export class ObjectLifecyclePage extends Table<Review> {
+export class ObjectLifecyclePage extends WithLicenseSummary(WithSession(AKElement)) {
     static styles = [
         // ---
-        ...super.styles,
+        PFTitle,
         PFGrid,
         PFBanner,
-        PFCard,
-        PFFlex,
+        Styles,
+        PFSpacing,
         PFPage,
-        PFDescriptionList,
     ];
 
     //#region Public Properties
@@ -58,237 +44,67 @@ export class ObjectLifecyclePage extends Table<Review> {
     @property({ attribute: "object-pk", hasChanged: ifPreviousValue, useDefault: true })
     public objectPk: string | number | null = null;
 
-    public override paginated = false;
-
     //#endregion
 
     //#region Protected Properties
 
-    protected override emptyStateMessage = msg("No reviews yet.");
-
-    protected columns: TableColumn[] = [
-        [msg("Reviewed on"), "timestamp"],
-        [msg("Reviewer"), "reviewer"],
-        [msg("Note"), "note"],
-    ];
-
     //#region Lifecycle
 
     @state()
-    protected iteration: LifecycleIteration | null = null;
+    protected iterations: LifecycleIteration[] | null = null;
 
-    protected apiEndpoint(): Promise<PaginatedResponse<Review>> {
+    #refreshListener = () => {
+        return this.fetch();
+    };
+
+    public override connectedCallback(): void {
+        super.connectedCallback();
+        this.addEventListener(EVENT_REFRESH, this.#refreshListener);
+    }
+
+    public async fetch(): Promise<void> {
         if (!this.model || !this.objectPk) {
-            return Promise.resolve(createPaginatedResponse<Review>());
+            return Promise.resolve();
         }
-
         return new LifecycleApi(DEFAULT_CONFIG)
-            .lifecycleIterationsLatestRetrieve({
+            .lifecycleIterationsListLatest({
                 contentType: this.model,
                 objectId: String(this.objectPk),
             })
-            .then((iteration) => {
-                this.iteration = iteration;
-
-                return createPaginatedResponse(iteration.reviews);
+            .then((iterations) => {
+                this.iterations = iterations;
             })
             .catch(async (error: unknown) => {
                 if (isResponseErrorLike(error) && error.response.status === 404) {
-                    this.iteration = null;
-
-                    return createPaginatedResponse<Review>();
+                    this.iterations = null;
                 }
-
                 throw error;
             });
     }
 
-    protected updated(changedProperties: PropertyValues<this>): void {
-        super.updated(changedProperties);
-
-        if (changedProperties.has("model") || changedProperties.has("objectPk")) {
-            this.fetch();
-        }
-    }
-
     //#endregion
 
     //#region Rendering
 
-    //#region Summary Card
-
-    protected renderReviewers(): SlottedTemplateResult {
-        if (!this.iteration) {
-            return html`<span>${msg("No review iteration found for this object.")}</span>`;
-        }
-
-        const { reviewers, reviewerGroups, minReviewers } = this.iteration;
-
-        const result: TemplateResult[] = [];
-
-        if (reviewers.length) {
-            result.push(html`<div>${reviewers.map((u) => u.name).join(", ")}</div>`);
-        }
-
-        const groupList = reviewerGroups.map((g) => g.name).join(", ");
-
-        const label =
-            minReviewers === 1
-                ? reviewerGroups.length === 1
-                    ? msg(str`At least ${minReviewers} user from this group: ${groupList}.`)
-                    : msg(str`At least ${minReviewers} user from these groups: ${groupList}.`)
-                : reviewerGroups.length === 1
-                  ? msg(str`At least ${minReviewers} users from this group: ${groupList}.`)
-                  : msg(str`At least ${minReviewers} users from these groups: ${groupList}.`);
-
-        result.push(html`<div>${label}</div>`);
-
-        return result;
-    }
-
-    protected renderOpenedOn(): SlottedTemplateResult {
-        return html`<div class="pf-c-description-list__group">
-            <dt class="pf-c-description-list__term">
-                <span class="pf-c-description-list__text">${msg("Review opened on")}</span>
-            </dt>
-            <dd class="pf-c-description-list__description">
-                <div class="pf-c-description-list__text">
-                    <ak-timestamp
-                        .timestamp=${this.iteration?.openedOn}
-                        .elapsed=${false}
-                        dateonly
-                        datetime
-                    ></ak-timestamp>
-                </div>
-            </dd>
-        </div>`;
-    }
-
-    protected renderGracePeriodTill(): SlottedTemplateResult {
-        return html`<div class="pf-c-description-list__group">
-            <dt class="pf-c-description-list__term">
-                <span class="pf-c-description-list__text">${msg("Grace period till")}</span>
-            </dt>
-            <dd class="pf-c-description-list__description">
-                <div class="pf-c-description-list__text">
-                    <ak-timestamp
-                        .timestamp=${this.iteration?.gracePeriodEnd}
-                        .elapsed=${false}
-                        dateonly
-                        datetime
-                    ></ak-timestamp>
-                </div>
-            </dd>
-        </div>`;
-    }
-
-    protected renderNextReviewDate(): SlottedTemplateResult {
-        return html`<div class="pf-c-description-list__group">
-            <dt class="pf-c-description-list__term">
-                <span class="pf-c-description-list__text">${msg("Next review date")}</span>
-            </dt>
-            <dd class="pf-c-description-list__description">
-                <div class="pf-c-description-list__text">
-                    <ak-timestamp
-                        .timestamp=${this.iteration?.nextReviewDate}
-                        .elapsed=${false}
-                        dateonly
-                        datetime
-                    ></ak-timestamp>
-                </div>
-            </dd>
-        </div>`;
-    }
-
-    protected renderReviewDates() {
-        return match(this.iteration?.state)
-            .with(P.nullish, LifecycleIterationStateEnum.UnknownDefaultOpenApi, () => nothing)
-            .with(
-                LifecycleIterationStateEnum.Pending,
-                () => html`${this.renderOpenedOn()}${this.renderGracePeriodTill()}`,
-            )
-            .with(LifecycleIterationStateEnum.Reviewed, () => this.renderNextReviewDate())
-            .with(LifecycleIterationStateEnum.Overdue, () => this.renderOpenedOn())
-            .with(LifecycleIterationStateEnum.Canceled, () => this.renderOpenedOn())
-            .exhaustive();
-    }
-
-    protected renderReviewSummary() {
-        return html`<div class="pf-c-card pf-l-grid__item pf-m-3-col">
-            <div class="pf-c-card__title">${msg("Latest review for this object")}</div>
-            <div class="pf-c-card__body">
-                <dl class="pf-c-description-list">
-                    <div class="pf-c-description-list__group">
-                        <dt class="pf-c-description-list__term">
-                            <span class="pf-c-description-list__text">${msg("Review state")}</span>
-                        </dt>
-                        <dd class="pf-c-description-list__description">
-                            <div class="pf-c-description-list__text">
-                                ${LifecycleIterationStatus({
-                                    status: this.iteration?.state,
-                                })}
-                            </div>
-                        </dd>
-                    </div>
-
-                    <div class="pf-c-description-list__group">
-                        <dt class="pf-c-description-list__term">
-                            <span class="pf-c-description-list__text"
-                                >${msg("Required reviewers")}</span
-                            >
-                        </dt>
-                        <dd class="pf-c-description-list__description">
-                            <div class="pf-c-description-list__text">${this.renderReviewers()}</div>
-                        </dd>
-                    </div>
-                    ${this.renderReviewDates()}
-                </dl>
-            </div>
-        </div>`;
-    }
-
-    //#endregion
-
-    //#region Table
-
-    protected row(item: Review): SlottedTemplateResult[] {
-        return [
-            Timestamp(item.timestamp),
-            html`<span>${item.reviewer.name}</span>`,
-            html`<span>${item.note}</span>`,
-        ];
-    }
-
-    protected override renderEmpty(): SlottedTemplateResult {
-        return super.renderEmpty(
-            html`<ak-empty-state icon="pf-icon-task"
-                ><span>${this.emptyStateMessage}</span></ak-empty-state
-            >`,
-        );
-    }
-
-    protected renderObjectCreate(): SlottedTemplateResult {
-        if (!this.iteration?.userCanReview) {
-            return null;
-        }
-
-        return ModalInvokerButton(ObjectReviewForm, {
-            iteration: this.iteration,
-        });
-    }
-
     protected override render(): SlottedTemplateResult {
-        return html`<ak-lifecycle-preview-banner></ak-lifecycle-preview-banner>
-            <div class="pf-c-page__main-section pf-m-no-padding-mobile">
-                <div class="pf-l-grid pf-m-gutter">
-                    ${this.renderReviewSummary()}
-                    <div class="pf-c-card pf-l-grid__item pf-m-9-col">
-                        <div class="pf-c-card__title">${msg("Reviews")}</div>
-                        ${super.render()}
-                    </div>
-                </div>
+        return html`
+            <ak-lifecycle-preview-banner></ak-lifecycle-preview-banner>
+            <div class="pf-l-grid pf-m-gutter pf-c-page__main-section pf-m-no-padding-mobile">
+                <h2 class="pf-c-title pf-m-xl">
+                    ${this.iterations?.length
+                        ? msg("The following reviews apply to this object:")
+                        : msg("This object has no reviews yet.")}
+                </h2>
+                ${this.iterations?.map(
+                    (i) =>
+                        html` <h3 class="pf-c-title pf-m-lg">${i.rule.name}</h3>
+                            <ak-object-review-iteration
+                                .iteration=${i}
+                                class="pf-u-pl-lg-on-lg"
+                            ></ak-object-review-iteration>`,
+                )}
             </div>
-        </div>`;
+        `;
     }
 
     //#endregion

web/src/admin/lifecycle/ObjectReviewIteration.ts

@@ -0,0 +1,281 @@
+import "#admin/lifecycle/LifecyclePreviewBanner";
+import "#components/ak-textarea-input";
+import "#elements/forms/ModalForm";
+import "#elements/timestamp/ak-timestamp";
+import "#admin/lifecycle/ObjectReviewForm";
+
+import { createPaginatedResponse } from "#common/api/responses";
+import { EVENT_REFRESH } from "#common/constants";
+
+import { ModalInvokerButton } from "#elements/dialogs";
+import { PaginatedResponse, Table, TableColumn, Timestamp } from "#elements/table/Table";
+import { SlottedTemplateResult } from "#elements/types";
+
+import { ObjectReviewForm } from "#admin/lifecycle/ObjectReviewForm";
+import { LifecycleIterationStatus } from "#admin/lifecycle/utils";
+
+import { LifecycleIteration, LifecycleIterationStateEnum, Review } from "@goauthentik/api";
+
+import { match, P } from "ts-pattern";
+
+import { msg, str } from "@lit/localize";
+import { html, nothing, PropertyValues, TemplateResult } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
+import PFCard from "@patternfly/patternfly/components/Card/card.css";
+import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
+import PFFlex from "@patternfly/patternfly/layouts/Flex/flex.css";
+import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
+
+@customElement("ak-object-review-iteration")
+export class ObjectReviewIteration extends Table<Review> {
+    static styles = [
+        // ---
+        ...super.styles,
+        PFGrid,
+        PFBanner,
+        PFCard,
+        PFFlex,
+        PFDescriptionList,
+    ];
+
+    //#region Public Properties
+
+    @property({ attribute: false })
+    public iteration: LifecycleIteration | null = null;
+
+    public override paginated = false;
+
+    //#endregion
+
+    //#region Protected Properties
+
+    protected override emptyStateMessage = msg("No reviews yet.");
+
+    protected columns: TableColumn[] = [
+        [msg("Reviewed on"), "timestamp"],
+        [msg("Reviewer"), "reviewer"],
+        [msg("Note"), "note"],
+    ];
+
+    //#region Lifecycle
+
+    protected updated(changedProperties: PropertyValues<this>): void {
+        super.updated(changedProperties);
+
+        if (changedProperties.has("iteration")) {
+            this.fetch();
+        }
+    }
+
+    protected apiEndpoint(): Promise<PaginatedResponse<Review>> {
+        if (!this.iteration) {
+            return Promise.resolve(createPaginatedResponse<Review>());
+        }
+
+        return Promise.resolve(createPaginatedResponse(this.iteration.reviews));
+    }
+
+    #triggerRefresh = () => {
+        this.dispatchEvent(
+            new CustomEvent(EVENT_REFRESH, {
+                bubbles: true,
+                composed: true,
+            }),
+        );
+    };
+
+    //#endregion
+
+    //#region Rendering
+
+    //#region Summary Card
+
+    protected renderReviewers(): SlottedTemplateResult {
+        if (!this.iteration) {
+            return html`<span>${msg("No review iteration found for this object.")}</span>`;
+        }
+
+        const { reviewers, reviewerGroups, minReviewers } = this.iteration.rule;
+
+        const result: TemplateResult[] = [];
+
+        if (reviewers.length) {
+            result.push(html` <div>${reviewers.map((u) => u.name).join(", ")}</div>`);
+        }
+
+        const groupList = reviewerGroups.map((g) => g.name).join(", ");
+
+        const label =
+            minReviewers === 1
+                ? reviewerGroups.length === 1
+                    ? msg(str`At least ${minReviewers} user from this group: ${groupList}.`)
+                    : msg(str`At least ${minReviewers} user from these groups: ${groupList}.`)
+                : reviewerGroups.length === 1
+                  ? msg(str`At least ${minReviewers} users from this group: ${groupList}.`)
+                  : msg(str`At least ${minReviewers} users from these groups: ${groupList}.`);
+
+        result.push(html` <div>${label}</div>`);
+
+        return result;
+    }
+
+    protected renderOpenedOn(): SlottedTemplateResult {
+        return html` <div class="pf-c-description-list__group">
+            <dt class="pf-c-description-list__term">
+                <span class="pf-c-description-list__text">${msg("Review opened on")}</span>
+            </dt>
+            <dd class="pf-c-description-list__description">
+                <div class="pf-c-description-list__text">
+                    <ak-timestamp
+                        .timestamp=${this.iteration?.openedOn}
+                        .elapsed=${false}
+                        dateonly
+                        datetime
+                    ></ak-timestamp>
+                </div>
+            </dd>
+        </div>`;
+    }
+
+    protected renderGracePeriodTill(): SlottedTemplateResult {
+        return html` <div class="pf-c-description-list__group">
+            <dt class="pf-c-description-list__term">
+                <span class="pf-c-description-list__text">${msg("Grace period till")}</span>
+            </dt>
+            <dd class="pf-c-description-list__description">
+                <div class="pf-c-description-list__text">
+                    <ak-timestamp
+                        .timestamp=${this.iteration?.gracePeriodEnd}
+                        .elapsed=${false}
+                        dateonly
+                        datetime
+                    ></ak-timestamp>
+                </div>
+            </dd>
+        </div>`;
+    }
+
+    protected renderNextReviewDate(): SlottedTemplateResult {
+        return html` <div class="pf-c-description-list__group">
+            <dt class="pf-c-description-list__term">
+                <span class="pf-c-description-list__text">${msg("Next review date")}</span>
+            </dt>
+            <dd class="pf-c-description-list__description">
+                <div class="pf-c-description-list__text">
+                    <ak-timestamp
+                        .timestamp=${this.iteration?.nextReviewDate}
+                        .elapsed=${false}
+                        dateonly
+                        datetime
+                    ></ak-timestamp>
+                </div>
+            </dd>
+        </div>`;
+    }
+
+    protected renderReviewDates() {
+        return match(this.iteration?.state)
+            .with(P.nullish, LifecycleIterationStateEnum.UnknownDefaultOpenApi, () => nothing)
+            .with(
+                LifecycleIterationStateEnum.Pending,
+                () => html`${this.renderOpenedOn()}${this.renderGracePeriodTill()}`,
+            )
+            .with(LifecycleIterationStateEnum.Reviewed, () => this.renderNextReviewDate())
+            .with(LifecycleIterationStateEnum.Overdue, () => this.renderOpenedOn())
+            .with(LifecycleIterationStateEnum.Canceled, () => this.renderOpenedOn())
+            .exhaustive();
+    }
+
+    protected renderReviewSummary() {
+        return html` <div class="pf-c-card pf-l-grid__item pf-m-3-col">
+            <div class="pf-c-card__title">${msg("Latest review for this object")}</div>
+            <div class="pf-c-card__body">
+                <dl class="pf-c-description-list">
+                    <div class="pf-c-description-list__group">
+                        <dt class="pf-c-description-list__term">
+                            <span class="pf-c-description-list__text">${msg("Review state")}</span>
+                        </dt>
+                        <dd class="pf-c-description-list__description">
+                            <div class="pf-c-description-list__text">
+                                ${LifecycleIterationStatus({
+                                    status: this.iteration?.state,
+                                })}
+                            </div>
+                        </dd>
+                    </div>
+
+                    <div class="pf-c-description-list__group">
+                        <dt class="pf-c-description-list__term">
+                            <span class="pf-c-description-list__text"
+                                >${msg("Required reviewers")}</span
+                            >
+                        </dt>
+                        <dd class="pf-c-description-list__description">
+                            <div class="pf-c-description-list__text">${this.renderReviewers()}</div>
+                        </dd>
+                    </div>
+                    ${this.renderReviewDates()}
+                </dl>
+            </div>
+        </div>`;
+    }
+
+    //#endregion
+
+    //#region Table
+
+    protected renderToolbar(): SlottedTemplateResult {
+        return html`${this.renderObjectCreate()}
+            <ak-spinner-button .callAction=${this.#triggerRefresh} class="pf-m-secondary">
+                ${msg("Refresh")}
+            </ak-spinner-button>`;
+    }
+
+    protected row(item: Review): SlottedTemplateResult[] {
+        return [
+            Timestamp(item.timestamp),
+            html`<span>${item.reviewer.name}</span>`,
+            html`<span>${item.note}</span>`,
+        ];
+    }
+
+    protected override renderEmpty(): SlottedTemplateResult {
+        return super.renderEmpty(
+            html` <ak-empty-state icon="pf-icon-task"
+                ><span>${this.emptyStateMessage}</span></ak-empty-state
+            >`,
+        );
+    }
+
+    protected renderObjectCreate(): SlottedTemplateResult {
+        if (!this.iteration?.userCanReview) {
+            return null;
+        }
+
+        return ModalInvokerButton(ObjectReviewForm, {
+            iteration: this.iteration,
+        });
+    }
+
+    protected override render(): SlottedTemplateResult {
+        return html` <div class="pf-l-grid pf-m-gutter">
+            ${this.renderReviewSummary()}
+            <div class="pf-c-card pf-l-grid__item pf-m-9-col">
+                <div class="pf-c-card__title">${msg("Reviews")}</div>
+                <div class="pf-c-card__body">${super.render()}</div>
+            </div>
+        </div>`;
+    }
+
+    //#endregion
+
+    //#endregion
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-object-review-iteration": ObjectReviewIteration;
+    }
+}

web/src/admin/lifecycle/ReviewListPage.ts

@@ -70,6 +70,7 @@ export class ReviewListPage extends TablePage<LifecycleIteration> {
     protected columns: TableColumn[] = [
         [msg("State"), "state"],
         [msg("Object"), "content_type__model"],
+        [msg("Rule"), "rule__name"],
         [msg("Opened"), "opened_on"],
         [msg("Grace period ends")],
     ];
@@ -78,6 +79,7 @@ export class ReviewListPage extends TablePage<LifecycleIteration> {
         return [
             LifecycleIterationStatus({ status: item.state }),
             html`<a href="#${item.objectAdminUrl}">${item.objectVerbose}</a>`,
+            html`${item.rule.name}`,
             html`<ak-timestamp .timestamp=${item.openedOn} datetime dateonly></ak-timestamp>`,
             html`<ak-timestamp .timestamp=${item.gracePeriodEnd} datetime dateonly></ak-timestamp>`,
         ];

web/src/admin/stages/BaseStageForm.ts

@@ -8,7 +8,7 @@ export abstract class BaseStageForm<T extends Stage> extends ModelForm<T, string
     public static override verboseName = msg("Stage");
     public static override verboseNamePlural = msg("Stages");
 
-    getSuccessMessage(): string {
+    public override getSuccessMessage(): string {
         return this.instance
             ? msg("Successfully updated stage.")
             : msg("Successfully created stage.");

web/src/admin/stages/account_lockdown/AccountLockdownStageForm.ts

@@ -0,0 +1,119 @@
+import "#elements/forms/HorizontalFormElement";
+import "#admin/common/ak-flow-search/ak-flow-search";
+import "#components/ak-switch-input";
+import "#components/ak-text-input";
+
+import { DEFAULT_CONFIG } from "#common/api/config";
+
+import { SlottedTemplateResult } from "#elements/types";
+import { ifPresent } from "#elements/utils/attributes";
+
+import { BaseStageForm } from "#admin/stages/BaseStageForm";
+
+import { AccountLockdownStage, StagesApi } from "@goauthentik/api";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement } from "lit/decorators.js";
+
+@customElement("ak-stage-account-lockdown-form")
+export class AccountLockdownStageForm extends BaseStageForm<AccountLockdownStage> {
+    #api = new StagesApi(DEFAULT_CONFIG);
+
+    protected override loadInstance(pk: string): Promise<AccountLockdownStage> {
+        return this.#api.stagesAccountLockdownRetrieve({ stageUuid: pk });
+    }
+
+    protected override async send(data: AccountLockdownStage): Promise<AccountLockdownStage> {
+        if (this.instance) {
+            return this.#api.stagesAccountLockdownUpdate({
+                stageUuid: this.instance.pk || "",
+                accountLockdownStageRequest: data,
+            });
+        }
+
+        return this.#api.stagesAccountLockdownCreate({
+            accountLockdownStageRequest: data,
+        });
+    }
+
+    protected override renderForm(): SlottedTemplateResult {
+        return html`<span>
+                ${msg(
+                    "This stage executes account lockdown actions on a target user. Configure which actions to perform when this stage runs.",
+                )}
+            </span>
+            <ak-text-input
+                label=${msg("Stage Name")}
+                placeholder=${msg("Type a name for this stage...")}
+                required
+                name="name"
+                value=${ifPresent(this.instance?.name || "")}
+                ?autofocus=${!this.instance}
+            ></ak-text-input>
+            <ak-form-group open label=${msg("Stage-specific settings")}>
+                <div class="pf-c-form">
+                    <ak-switch-input
+                        name="deactivateUser"
+                        label=${msg("Deactivate user")}
+                        ?checked=${this.instance?.deactivateUser ?? true}
+                        help=${msg("Deactivate the user account (set is_active to False).")}
+                    >
+                    </ak-switch-input>
+                    <ak-switch-input
+                        name="setUnusablePassword"
+                        label=${msg("Set unusable password")}
+                        ?checked=${this.instance?.setUnusablePassword ?? true}
+                        help=${msg("Set an unusable password for the user.")}
+                    >
+                    </ak-switch-input>
+                    <ak-switch-input
+                        name="deleteSessions"
+                        label=${msg("Delete sessions")}
+                        ?checked=${this.instance?.deleteSessions ?? true}
+                        help=${msg("Delete all active sessions for the user.")}
+                    >
+                    </ak-switch-input>
+                    <ak-switch-input
+                        name="revokeTokens"
+                        label=${msg("Revoke tokens")}
+                        ?checked=${this.instance?.revokeTokens ?? true}
+                        help=${msg(
+                            "Revoke all tokens for the user (API, app password, recovery, verification).",
+                        )}
+                    >
+                    </ak-switch-input>
+                </div>
+            </ak-form-group>
+            <ak-form-group
+                label=${msg("Self-service completion")}
+                open
+                description=${msg(
+                    "Configure what happens after a user locks their own account. Since all sessions are deleted, the user cannot continue in the current flow and will be redirected to a separate completion flow.",
+                )}
+            >
+                <div class="pf-c-form">
+                    <ak-form-element-horizontal
+                        label=${msg("Completion flow")}
+                        name="selfServiceCompletionFlow"
+                    >
+                        <ak-flow-search
+                            placeholder=${msg("Select a completion flow...")}
+                            .currentFlow=${this.instance?.selfServiceCompletionFlow}
+                        ></ak-flow-search>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Flow to redirect users to after self-service lockdown. This flow must not require authentication since the user's session is deleted.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
+                </div>
+            </ak-form-group>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-stage-account-lockdown-form": AccountLockdownStageForm;
+    }
+}

web/src/admin/stages/prompt/PromptForm.ts

@@ -148,6 +148,9 @@ export class PromptForm extends ModelForm<Prompt, string> {
             [PromptTypeEnum.Separator, msg("Separator: Static Separator Line")],
             [PromptTypeEnum.Hidden, msg("Hidden: Hidden field, can be used to insert data into form.")],
             [PromptTypeEnum.Static, msg("Static: Static value, displayed as-is.")],
+            [PromptTypeEnum.AlertInfo, msg("Alert (Info): Static alert box with info styling")],
+            [PromptTypeEnum.AlertWarning, msg("Alert (Warning): Static alert box with warning styling")],
+            [PromptTypeEnum.AlertDanger, msg("Alert (Danger): Static alert box with danger styling")],
             [PromptTypeEnum.AkLocale, msg("authentik: Locale: Displays a list of locales authentik supports.")],
         ];
         const currentType = this.instance?.type;

web/src/admin/stages/register.ts

@@ -22,6 +22,7 @@ import "#admin/stages/password/PasswordStageForm";
 import "#admin/stages/prompt/PromptStageForm";
 import "#admin/stages/redirect/RedirectStageForm";
 import "#admin/stages/source/SourceStageForm";
+import "#admin/stages/account_lockdown/AccountLockdownStageForm";
 import "#admin/stages/user_delete/UserDeleteStageForm";
 import "#admin/stages/user_login/UserLoginStageForm";
 import "#admin/stages/user_logout/UserLogoutStageForm";

web/src/admin/users/UserActiveForm.ts

@@ -4,9 +4,7 @@ import "#elements/forms/FormGroup";
 import { DEFAULT_CONFIG } from "#common/api/config";
 import { formatDisambiguatedUserDisplayName } from "#common/users";
 
-import { RawContent } from "#elements/ak-table/ak-simple-table";
 import { modalInvoker } from "#elements/dialogs";
-import { pluckEntityName } from "#elements/entities/names";
 import { DestructiveModelForm } from "#elements/forms/DestructiveModelForm";
 import { WithLocale } from "#elements/mixins/locale";
 import { SlottedTemplateResult } from "#elements/types";
@@ -77,41 +75,6 @@ export class UserActivationToggleForm extends WithLocale(DestructiveModelForm<Us
 
         return this.coreAPI.coreUsersUsedByList({ id: this.instance.pk });
     };
-
-    protected override renderUsedBySection(): SlottedTemplateResult {
-        if (this.instance?.isActive) {
-            return super.renderUsedBySection();
-        }
-
-        const displayName = this.formatDisplayName();
-        const { usedByList, verboseName } = this;
-
-        return html`<ak-form-group
-            open
-            label=${msg("Objects associated with this user", {
-                id: "usedBy.associated-objects.label",
-            })}
-        >
-            <div
-                class="pf-m-monospace"
-                aria-description=${msg(
-                    str`List of objects that are associated with this ${verboseName}.`,
-                    {
-                        id: "usedBy.description",
-                    },
-                )}
-                slot="description"
-            >
-                ${displayName}
-            </div>
-            <ak-simple-table
-                .columns=${[msg("Object Name"), msg("ID")]}
-                .content=${usedByList.map((ub): RawContent[] => {
-                    return [pluckEntityName(ub) || msg("Unnamed"), html`<code>${ub.pk}</code>`];
-                })}
-            ></ak-simple-table>
-        </ak-form-group>`;
-    }
 }
 
 declare global {

web/src/admin/users/UserListPage.ts

@@ -22,6 +22,7 @@ import { formatUserDisplayName } from "#common/users";
 import { IconEditButton, modalInvoker } from "#elements/dialogs";
 import { WithBrandConfig } from "#elements/mixins/branding";
 import { CapabilitiesEnum, WithCapabilitiesConfig } from "#elements/mixins/capabilities";
+import { WithLicenseSummary } from "#elements/mixins/license";
 import { WithSession } from "#elements/mixins/session";
 import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
 import { PaginatedResponse, TableColumn, Timestamp } from "#elements/table/Table";
@@ -56,8 +57,8 @@ const recoveryButtonStyles = css`
 `;
 
 @customElement("ak-user-list")
-export class UserListPage extends WithBrandConfig(
-    WithCapabilitiesConfig(WithSession(TablePage<User>)),
+export class UserListPage extends WithLicenseSummary(
+    WithBrandConfig(WithCapabilitiesConfig(WithSession(TablePage<User>))),
 ) {
     static styles: CSSResult[] = [
         ...TablePage.styles,
@@ -195,7 +196,7 @@ export class UserListPage extends WithBrandConfig(
                               </div>
                               <h4 class="pf-c-alert__title">
                                   ${msg(
-                                      str`Warning: You're about to delete the user you're logged in as (${shouldShowWarning.username}). Proceed at your own risk.`,
+                                      str`Warning: You are about to delete user ${shouldShowWarning.username}, but you are currently logged in as this user. Proceed at your own risk.`,
                                   )}
                               </h4>
                           </div>

web/src/admin/users/UserPasswordForm.ts

@@ -2,20 +2,30 @@ import "#elements/buttons/SpinnerButton/index";
 import "#elements/forms/HorizontalFormElement";
 
 import { DEFAULT_CONFIG } from "#common/api/config";
+import { PFSize } from "#common/enums";
 
 import { Form } from "#elements/forms/Form";
+import { ifPresent } from "#elements/utils/attributes";
 import { FocusTarget } from "#elements/utils/focus";
 
+import { AKLabel } from "#components/ak-label";
+
 import { CoreApi, UserPasswordSetRequest } from "@goauthentik/api";
 
 import { msg } from "@lit/localize";
 import { html, nothing, TemplateResult } from "lit";
 import { customElement, property } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
 @customElement("ak-user-password-form")
 export class UserPasswordForm extends Form<UserPasswordSetRequest> {
-    public override submitLabel = msg("Set Password");
+    public static shadowRootOptions: ShadowRootInit = {
+        ...Form.shadowRootOptions,
+        delegatesFocus: true,
+    };
+
+    public static override verboseName = msg("Password");
+    public static override verboseNamePlural = msg("Passwords");
+    public static override submittingVerb = msg("Setting");
 
     protected autofocusTarget = new FocusTarget<HTMLInputElement>();
 
@@ -23,6 +33,9 @@ export class UserPasswordForm extends Form<UserPasswordSetRequest> {
 
     //#region Properties
 
+    public override submitLabel = msg("Set Password");
+    public override successMessage = msg("Successfully updated password.");
+
     @property({ type: Number })
     public instancePk?: number;
 
@@ -30,13 +43,15 @@ export class UserPasswordForm extends Form<UserPasswordSetRequest> {
     public label = msg("New Password");
 
     @property({ type: String })
-    public placeholder = msg("New Password");
+    public placeholder = msg("Type a new password...");
 
-    @property({ type: String })
-    public username?: string;
+    @property({ type: String, useDefault: true })
+    public username: string | null = null;
 
-    @property({ type: String })
-    public email?: string;
+    @property({ type: String, useDefault: true })
+    public email: string | null = null;
+
+    public override size = PFSize.Medium;
 
     /**
      * The autocomplete attribute to use for the password field.
@@ -50,17 +65,15 @@ export class UserPasswordForm extends Form<UserPasswordSetRequest> {
 
     //#endregion
 
-    public override getSuccessMessage(): string {
-        return msg("Successfully updated password.");
-    }
-
     public override connectedCallback(): void {
         super.connectedCallback();
         this.addEventListener("focus", this.autofocusTarget.toEventListener());
     }
 
     public override firstUpdated(): void {
-        this.focus();
+        requestAnimationFrame(() => {
+            this.focus();
+        });
     }
 
     protected override async send(data: UserPasswordSetRequest): Promise<void> {
@@ -94,17 +107,26 @@ export class UserPasswordForm extends Form<UserPasswordSetRequest> {
                   />`
                 : nothing}
 
-            <ak-form-element-horizontal label=${this.label} required name="password">
+            <ak-form-element-horizontal required name="password">
+                ${AKLabel(
+                    {
+                        slot: "label",
+                        className: "pf-c-form__group-label",
+                        htmlFor: "password",
+                        required: true,
+                    },
+                    this.label,
+                )}
                 <input
                     autofocus
                     ${this.autofocusTarget.toRef()}
+                    id="password"
                     type="password"
                     value=""
                     class="pf-c-form-control"
                     required
-                    placeholder=${ifDefined(this.placeholder || this.label)}
-                    aria-label=${this.label}
-                    autocomplete=${ifDefined(this.autocomplete)}
+                    placeholder=${ifPresent(this.placeholder || this.label)}
+                    autocomplete=${ifPresent(this.autocomplete)}
                 />
             </ak-form-element-horizontal>`;
     }

web/src/admin/users/UserViewPage.ts

@@ -30,7 +30,11 @@ import "#elements/ak-mdx/ak-mdx";
 import { DEFAULT_CONFIG } from "#common/api/config";
 import { AKRefreshEvent } from "#common/events";
 import { userTypeToLabel } from "#common/labels";
-import { formatDisambiguatedUserDisplayName, formatUserDisplayName } from "#common/users";
+import {
+    formatDisambiguatedUserDisplayName,
+    formatUserDisplayName,
+    startAccountLockdown,
+} from "#common/users";
 
 import { AKElement } from "#elements/Base";
 import { listen } from "#elements/decorators/listen";
@@ -41,7 +45,6 @@ import { WithLicenseSummary } from "#elements/mixins/license";
 import { WithLocale } from "#elements/mixins/locale";
 import { WithSession } from "#elements/mixins/session";
 import { Timestamp } from "#elements/table/shared";
-import { SlottedTemplateResult } from "#elements/types";
 
 import { setPageDetails } from "#components/ak-page-navbar";
 import { type DescriptionPair, renderDescriptionList } from "#components/DescriptionList";
@@ -151,19 +154,21 @@ export class UserViewPage extends WithLicenseSummary(
 
         const user = this.user;
 
-        // prettier-ignore
         const userInfo: DescriptionPair[] = [
-            [ msg("Username"), user.username ],
-            [ msg("Name"), user.name ],
-            [ msg("Email"), user.email || "-" ],
-            [ msg("Last login"), Timestamp(user.lastLogin) ],
-            [ msg("Last password change"), Timestamp(user.passwordChangeDate) ],
-            [ msg("Active"), html`<ak-status-label ?good=${user.isActive}></ak-status-label>` ],
-            [ msg("Type"), userTypeToLabel(user.type) ],
-            [ msg("Superuser"), html`<ak-status-label type="warning" ?good=${user.isSuperuser}></ak-status-label>` ],
-            [ msg("Actions"), this.renderActionButtons(user) ],
-            [ msg("Recovery"), this.renderRecoveryButtons(user) ],
-        ]
+            [msg("Username"), user.username],
+            [msg("Name"), user.name],
+            [msg("Email"), user.email || "-"],
+            [msg("Last login"), Timestamp(user.lastLogin)],
+            [msg("Last password change"), Timestamp(user.passwordChangeDate)],
+            [msg("Active"), html`<ak-status-label ?good=${user.isActive}></ak-status-label>`],
+            [msg("Type"), userTypeToLabel(user.type)],
+            [
+                msg("Superuser"),
+                html`<ak-status-label type="warning" ?good=${user.isSuperuser}></ak-status-label>`,
+            ],
+            [msg("Actions"), this.renderActionButtons(user)],
+            [msg("Recovery"), this.renderRecoveryButtons(user)],
+        ];
 
         return html`
             <div class="pf-c-card__title">${msg("User Info")}</div>
@@ -173,9 +178,21 @@ export class UserViewPage extends WithLicenseSummary(
         `;
     }
 
-    protected renderActionButtons(user: User): SlottedTemplateResult {
+    /**
+     * Initiates the account lockdown flow for this user, if any.
+     */
+    protected lockdownUser = async () => {
+        if (!this.user) {
+            return;
+        }
+
+        return startAccountLockdown(this.user.pk).catch(showAPIErrorMessage);
+    };
+
+    protected renderActionButtons(user: User) {
         const showImpersonate =
             this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
+        const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
 
         const displayName = formatUserDisplayName(user);
 
@@ -188,6 +205,15 @@ export class UserViewPage extends WithLicenseSummary(
             </button>
 
             ${ToggleUserActivationButton(user, { className: "pf-m-block" })}
+            ${showLockdown
+                ? html`<button
+                      class="pf-c-button pf-m-danger pf-m-block"
+                      @click=${this.lockdownUser}
+                      type="button"
+                  >
+                      ${msg("Account Lockdown")}
+                  </button>`
+                : null}
             ${showImpersonate
                 ? html`<button
                       class="pf-c-button pf-m-tertiary pf-m-block"

web/src/common/storage.ts

@@ -0,0 +1,140 @@
+/**
+ * @file Storage utilities.
+ */
+
+import { ConsoleLogger } from "#logger/browser";
+
+/**
+ * A utility class for safely accessing web storage (localStorage or sessionStorage) with error handling.
+ */
+export class StorageAccessor {
+    constructor(
+        /**
+         * The key under which the value is stored in the storage backend.
+         */
+        public readonly key: string,
+        /**
+         * The storage backend to use, e.g. `window.localStorage` or `window.sessionStorage`.
+         */
+        protected readonly storage: Storage,
+        protected logger = ConsoleLogger.prefix("storage-accessor"),
+    ) {
+        if (typeof key !== "string") {
+            throw new TypeError("Storage key must be a string");
+        }
+
+        if (!key) {
+            throw new TypeError("Storage key must be a non-empty string");
+        }
+    }
+
+    /**
+     * Create a {@link StorageAccessor} for local storage.
+     *
+     * @param key The key under which the value is stored in localStorage.
+     */
+    public static local = (key: string) => new StorageAccessor(key, self.localStorage);
+    /**
+     * Create a {@link StorageAccessor} for session storage.
+     *
+     * @param key The key under which the value is stored in sessionStorage.
+     */
+    public static session = (key: string) => new StorageAccessor(key, self.sessionStorage);
+
+    /**
+     * Read the value from storage.
+     *
+     * @param fallback An optional value to return if the key does not exist or an error occurs. Defaults to `null`.
+     *
+     * @returns The stored value, or `null` if the key does not exist or an error occurs.
+     */
+    public read<T extends string>(fallback?: T): T | null {
+        try {
+            const value = this.storage.getItem(this.key);
+            return value !== null ? (value as T) : (fallback ?? null);
+        } catch (_error: unknown) {
+            return fallback ?? null;
+        }
+    }
+
+    /**
+     * Write a value to storage.
+     *
+     * @param value The value to store.
+     *
+     * @returns `true` if the value was successfully stored, or `false` if an error occurred.
+     */
+    public write(value: string | null): boolean {
+        if (!value) {
+            if (this.read()) {
+                return this.delete();
+            }
+
+            return true;
+        }
+
+        try {
+            this.storage.setItem(this.key, value);
+            return true;
+        } catch (_error: unknown) {
+            return false;
+        }
+    }
+
+    /**
+     * Read the value from storage and parse it as JSON.
+     *
+     * @param fallback An optional value to return if the key does not exist, the value is not valid JSON, or an error occurs. Defaults to `null`.
+     *
+     * @returns The parsed value, or `null` if the key does not exist, the value is not valid JSON, or an error occurs.
+     */
+    public readJSON<T>(fallback?: T): T | null {
+        const value = this.read<string>();
+
+        if (value === null) {
+            return fallback ?? null;
+        }
+
+        try {
+            return JSON.parse(value) as T;
+        } catch (_error: unknown) {
+            return fallback ?? null;
+        }
+    }
+
+    /**
+     * Write a value to storage after stringifying it as JSON.
+     *
+     * @param value The value to store.
+     *
+     * @returns `true` if the value was successfully stored, or `false` if an error occurred.
+     */
+    public writeJSON(value: unknown): boolean {
+        try {
+            const stringified = JSON.stringify(value);
+            return this.write(stringified);
+        } catch (error: unknown) {
+            this.logger.error("Failed to write JSON value to storage", error);
+
+            return false;
+        }
+    }
+
+    /**
+     * Delete the value from storage.
+     *
+     * @returns `true` if the value was successfully deleted, or `false` if an error occurred.
+     */
+    public delete(): boolean {
+        this.logger.debug("Deleting value from storage");
+
+        try {
+            this.storage.removeItem(this.key);
+            return true;
+        } catch (error: unknown) {
+            this.logger.error("Failed to delete value from storage", error);
+
+            return false;
+        }
+    }
+}

web/src/common/users.ts

@@ -157,6 +157,18 @@ export function redirectToAuthFlow(nextPathname = "/flows/-/default/authenticati
     window.location.assign(authFlowRedirectURL);
 }
 
+/**
+ * Start account lockdown and follow the returned flow link.
+ */
+export async function startAccountLockdown(user?: number): Promise<void> {
+    const response = await new CoreApi(DEFAULT_CONFIG).coreUsersAccountLockdownCreate({
+        userAccountLockdownRequest: user !== undefined ? { user } : {},
+    });
+    if (response.link) {
+        window.location.assign(response.link);
+    }
+}
+
 /**
  * Retrieve the current user session.
  *

web/src/components/ak-nav-buttons.ts

@@ -207,6 +207,7 @@ export class NavigationButtons extends WithNotifications(WithSession(AKElement))
                     <a
                         href="${globalAK().api.base}flows/-/default/invalidation/"
                         class="pf-c-button pf-m-plain"
+                        aria-label=${msg("Sign out")}
                     >
                         <pf-tooltip position="top" content=${msg("Sign out")}>
                             <i class="fas fa-sign-out-alt" aria-hidden="true"></i>

web/src/elements/forms/Form.ts

@@ -414,6 +414,13 @@ export class Form<T = Record<string, unknown>, D = T>
 
         const { submittingVerb, verboseName } = this.constructor as typeof Form;
 
+        if (!verboseName) {
+            return msg(str`${submittingVerb}...`, {
+                id: "form.submitting.no-entity",
+                desc: "The message shown while a form is being submitted, when no entity name is provided.",
+            });
+        }
+
         return msg(str`${submittingVerb} ${verboseName}...`, {
             id: "form.submitting",
             desc: "The message shown while a form is being submitted.",
@@ -615,6 +622,7 @@ export class Form<T = Record<string, unknown>, D = T>
     protected doSubmit = (event: SubmitEvent): void => {
         if (this.submitting) {
             this.logger.info("Skipping submit. Already submitting!");
+            return;
         }
 
         this.submitting = true;

web/src/elements/utils/focus.ts

@@ -4,6 +4,44 @@
 
 import { createRef, ref, Ref } from "lit/directives/ref.js";
 
+export interface FocusErrorOptions extends ErrorOptions {
+    target: Element | null;
+}
+
+export class FocusAssertionError extends Error {
+    public override name = "FocusAssertionError";
+    public readonly target: Element | null;
+
+    constructor(message: string, { target, ...options }: FocusErrorOptions) {
+        super(message, options);
+        this.target = target;
+    }
+}
+
+export function assertFocusable(target: Element | null | undefined): asserts target is HTMLElement {
+    if (!target) {
+        throw new FocusAssertionError("Skipping focus, no target", { target: null });
+    }
+    if (!(target instanceof HTMLElement)) {
+        throw new FocusAssertionError("Skipping focus, target is not an HTMLElement", { target });
+    }
+
+    if (document.activeElement === target) {
+        throw new FocusAssertionError("Target is already focused", { target });
+    }
+
+    // Despite our type definitions, this method isn't available in all browsers,
+    // so we fallback to assuming the element is visible.
+    const visible = target.checkVisibility?.() ?? true;
+
+    if (!visible) {
+        throw new FocusAssertionError("Skipping focus, target is not visible", { target });
+    }
+
+    if (typeof target.focus !== "function") {
+        throw new FocusAssertionError("Skipping focus, target has no focus method", { target });
+    }
+}
 /**
  * Recursively check if the target element or any of its children are active (i.e. "focused").
  *
@@ -36,35 +74,17 @@ export function isActiveElement(
  * @category DOM
  */
 export function isFocusable(target: Element | null | undefined): target is HTMLElement {
-    if (!target) {
-        console.debug("FocusTarget: Skipping focus, no target", target);
+    try {
+        assertFocusable(target);
+        return true;
+    } catch (error) {
+        if (error instanceof FocusAssertionError) {
+            console.debug(error.message, error.target);
+        } else {
+            console.error("Unexpected error during focus assertion", error);
+        }
         return false;
     }
-    if (!(target instanceof HTMLElement)) {
-        console.debug("FocusTarget: Skipping focus, target is not an HTMLElement", target);
-        return false;
-    }
-
-    if (document.activeElement === target) {
-        console.debug("FocusTarget: Target is already focused", target);
-        return false;
-    }
-
-    // Despite our type definitions, this method isn't available in all browsers,
-    // so we fallback to assuming the element is visible.
-    const visible = target.checkVisibility?.() ?? true;
-
-    if (!visible) {
-        console.debug("FocusTarget: Skipping focus, target is not visible", target);
-        return false;
-    }
-
-    if (typeof target.focus !== "function") {
-        console.debug("FocusTarget: Skipping focus, target has no focus method", target);
-        return false;
-    }
-
-    return true;
 }
 
 /**

web/src/flow/FormStatic.ts

@@ -4,6 +4,7 @@ import { ifPresent } from "#elements/utils/attributes";
 import { isDefaultAvatar } from "#elements/utils/images";
 
 import Styles from "#flow/FormStatic.css";
+import { RememberMeStorage } from "#flow/stages/identification/controllers/RememberMeController";
 import { StageChallengeLike } from "#flow/types";
 
 import { msg, str } from "@lit/localize";
@@ -69,7 +70,9 @@ export const FlowUserDetails: LitFC<FlowUserDetailsProps> = ({ challenge }) => {
                 ${flowInfo?.cancelUrl
                     ? html`
                           <div slot="link">
-                              <a href=${flowInfo.cancelUrl}>${msg("Not you?")}</a>
+                              <a href=${flowInfo.cancelUrl} @click=${RememberMeStorage.reset}
+                                  >${msg("Not you?")}</a
+                              >
                           </div>
                       `
                     : nothing}