add oidcc-config-certification-test-plan

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/setup/action.yml

@@ -25,7 +25,7 @@ runs:
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
       with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext libclang-dev libkadm5clnt-mit12 libkadm5clnt7t64-heimdal libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
         update: true
         upgrade: false
         install-recommends: false
@@ -52,19 +52,19 @@ runs:
       run: uv sync --all-extras --dev --locked
     - name: Setup rust (stable)
       if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         rustflags: ""
     - name: Setup rust (nightly)
       if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         toolchain: nightly
         components: rustfmt
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2
+      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)

.github/workflows/ci-main.yml

@@ -284,6 +284,8 @@ jobs:
         job:
           - name: oidc_basic
             glob: tests/openid_conformance/test_oidc_basic.py
+          - name: oidc_config
+            glob: tests/openid_conformance/test_oidc_config.py
           - name: oidc_implicit
             glob: tests/openid_conformance/test_oidc_implicit.py
           - name: oidc_rp-initiated

.github/workflows/qa-codeql.yml

@@ -28,10 +28,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.4
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4.35.4
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.4
+        uses: github/codeql-action/analyze@v4

.github/workflows/release-branch-off.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       next_version:
-        description: Next version (for example, if you're currently releasing 2026.5, then enter 2026.8)
+        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
         required: true
         type: string
 
@@ -68,14 +68,10 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Create pull request
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:

.github/workflows/release-publish.yml

@@ -191,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -82,14 +82,10 @@ jobs:
           token: "${{ steps.app-token.outputs.token }}"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.version }}"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Commit and push
         run: |
           # ID from https://api.github.com/users/authentik-automation[bot]

.npmrc

@@ -1,20 +0,0 @@
-# Block lifecycle scripts (preinstall/install/postinstall/prepare) from dependencies.
-# This neutralizes the dominant npm supply-chain attack vector.
-#
-# Packages that legitimately need a build step (e.g. esbuild, chromedriver, tree-sitter)
-# must be rebuilt explicitly:
-#
-#   npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
-ignore-scripts=true
-
-# Fail fast if the active Node/npm doesn't match the "engines" field.
-engine-strict=true
-
-# Pin exact versions so `npm install <pkg>` writes "1.2.3" not "^1.2.3".
-save-exact=true
-
-# Surface CVE warnings during install; doesn't block.
-audit=true
-
-# Suppress funding banners.
-fund=false

CODEOWNERS

@@ -34,7 +34,6 @@ packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
-.npmrc                                  @goauthentik/frontend
 tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend

Cargo.lock

@@ -143,45 +143,6 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d902e3d592a523def97af8f317b08ce16b7ab854c1985a0c671e6f15cebc236"
 
-[[package]]
-name = "asn1-rs"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56624a96882bb8c26d61312ae18cb45868e5a9992ea73c58e45c3101e56a1e60"
-dependencies = [
- "asn1-rs-derive",
- "asn1-rs-impl",
- "displaydoc",
- "nom",
- "num-traits",
- "rusticata-macros",
- "thiserror 2.0.18",
- "time",
-]
-
-[[package]]
-name = "asn1-rs-derive"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
- "synstructure",
-]
-
-[[package]]
-name = "asn1-rs-impl"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "async-trait"
 version = "0.1.89"
@@ -215,13 +176,10 @@ dependencies = [
  "arc-swap",
  "argh",
  "authentik-axum",
- "authentik-client",
  "authentik-common",
  "axum",
- "axum-server",
  "color-eyre",
  "eyre",
- "futures",
  "hyper-unix-socket",
  "hyper-util",
  "metrics",
@@ -229,18 +187,9 @@ dependencies = [
  "nix 0.31.2",
  "pyo3",
  "pyo3-build-config",
- "rand 0.10.1",
- "rustls",
- "serde",
- "serde_json",
- "serde_repr",
  "sqlx",
- "time",
  "tokio",
- "tokio-tungstenite",
- "tower",
  "tracing",
- "url",
  "uuid",
  "which",
 ]
@@ -292,14 +241,12 @@ dependencies = [
  "config",
  "console-subscriber",
  "eyre",
- "futures",
  "glob",
  "ipnet",
  "json-subscriber",
  "nix 0.31.2",
  "notify",
  "pin-project-lite",
- "rcgen",
  "reqwest",
  "reqwest-middleware",
  "rustls",
@@ -317,7 +264,6 @@ dependencies = [
  "tracing-error",
  "tracing-subscriber",
  "url",
- "uuid",
 ]
 
 [[package]]
@@ -596,17 +542,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
-[[package]]
-name = "chacha20"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
-dependencies = [
- "cfg-if",
- "cpufeatures 0.3.0",
- "rand_core 0.10.1",
-]
-
 [[package]]
 name = "chrono"
 version = "0.4.44"
@@ -844,15 +779,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "cpufeatures"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "crc"
 version = "3.4.0"
@@ -947,20 +873,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "der-parser"
-version = "10.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07da5016415d5a3c4dd39b11ed26f915f52fc4e0dc197d87908bc916e51bc1a6"
-dependencies = [
- "asn1-rs",
- "displaydoc",
- "nom",
- "num-bigint",
- "num-traits",
- "rusticata-macros",
-]
-
 [[package]]
 name = "deranged"
 version = "0.5.8"
@@ -1379,7 +1291,6 @@ dependencies = [
  "cfg-if",
  "libc",
  "r-efi 6.0.0",
- "rand_core 0.10.1",
  "wasip2",
  "wasip3",
 ]
@@ -1833,6 +1744,16 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "iri-string"
+version = "0.7.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -2261,16 +2182,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "num-bigint"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
-dependencies = [
- "num-integer",
- "num-traits",
-]
-
 [[package]]
 name = "num-bigint-dig"
 version = "0.8.6"
@@ -2500,15 +2411,6 @@ dependencies = [
  "memchr",
 ]
 
-[[package]]
-name = "oid-registry"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "12f40cff3dde1b6087cc5d5f5d4d65712f34016a03ed60e9c08dcc392736b5b7"
-dependencies = [
- "asn1-rs",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -2910,17 +2812,6 @@ dependencies = [
  "rand_core 0.9.5",
 ]
 
-[[package]]
-name = "rand"
-version = "0.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207"
-dependencies = [
- "chacha20",
- "getrandom 0.4.2",
- "rand_core 0.10.1",
-]
-
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -2959,12 +2850,6 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
-[[package]]
-name = "rand_core"
-version = "0.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
-
 [[package]]
 name = "rand_xoshiro"
 version = "0.7.0"
@@ -2992,19 +2877,6 @@ dependencies = [
  "bitflags 2.11.0",
 ]
 
-[[package]]
-name = "rcgen"
-version = "0.14.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e"
-dependencies = [
- "aws-lc-rs",
- "rustls-pki-types",
- "time",
- "x509-parser",
- "yasna",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -3168,15 +3040,6 @@ dependencies = [
  "semver",
 ]
 
-[[package]]
-name = "rusticata-macros"
-version = "4.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
-dependencies = [
- "nom",
-]
-
 [[package]]
 name = "rustix"
 version = "1.1.4"
@@ -3340,9 +3203,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 
 [[package]]
 name = "sentry"
-version = "0.48.1"
+version = "0.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b93b3e19f45495ddd41d8222a152c48c84f6ba45abe9c69e2527e9cdea29bb5b"
+checksum = "e8ac94aab850a23d7507307cc505332ed2bafd36c65930dfc5c43610f9e9b477"
 dependencies = [
  "cfg_aliases",
  "httpdate",
@@ -3537,9 +3400,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.19.0"
+version = "3.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19"
+checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
 dependencies = [
  "base64 0.22.1",
  "chrono",
@@ -3556,7 +3419,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
  "cfg-if",
- "cpufeatures 0.2.17",
+ "cpufeatures",
  "digest",
 ]
 
@@ -3567,7 +3430,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
  "cfg-if",
- "cpufeatures 0.2.17",
+ "cpufeatures",
  "digest",
 ]
 
@@ -4071,9 +3934,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.52.3"
+version = "1.52.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
 dependencies = [
  "bytes",
  "libc",
@@ -4137,12 +4000,8 @@ checksum = "8f72a05e828585856dacd553fba484c242c46e391fb0e58917c942ee9202915c"
 dependencies = [
  "futures-util",
  "log",
- "rustls",
- "rustls-pki-types",
  "tokio",
- "tokio-rustls",
  "tungstenite",
- "webpki-roots 0.26.11",
 ]
 
 [[package]]
@@ -4223,21 +4082,21 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.10"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
  "bitflags 2.11.0",
  "bytes",
  "futures-util",
  "http",
  "http-body",
+ "iri-string",
  "pin-project-lite",
  "tokio",
  "tower",
  "tower-layer",
  "tower-service",
- "url",
 ]
 
 [[package]]
@@ -4356,11 +4215,8 @@ dependencies = [
  "httparse",
  "log",
  "rand 0.9.4",
- "rustls",
- "rustls-pki-types",
  "sha1",
  "thiserror 2.0.18",
- "url",
 ]
 
 [[package]]
@@ -5231,24 +5087,6 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
 
-[[package]]
-name = "x509-parser"
-version = "0.18.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202"
-dependencies = [
- "asn1-rs",
- "aws-lc-rs",
- "data-encoding",
- "der-parser",
- "lazy_static",
- "nom",
- "oid-registry",
- "rusticata-macros",
- "thiserror 2.0.18",
- "time",
-]
-
 [[package]]
 name = "yaml-rust2"
 version = "0.10.4"
@@ -5260,15 +5098,6 @@ dependencies = [
  "hashlink",
 ]
 
-[[package]]
-name = "yasna"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
-dependencies = [
- "time",
-]
-
 [[package]]
 name = "yoke"
 version = "0.8.1"

Cargo.toml

@@ -50,11 +50,6 @@ notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
 pyo3 = "= 0.28.3"
 pyo3-build-config = "= 0.28.3"
-rand = "= 0.10.1"
-rcgen = { version = "= 0.14.7", default-features = false, features = [
-  "aws_lc_rs",
-  "fips",
-] }
 regex = "= 1.12.3"
 reqwest = { version = "= 0.13.3", features = [
   "form",
@@ -72,7 +67,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
   "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.1", default-features = false, features = [
+sentry = { version = "= 0.48.0", default-features = false, features = [
   "backtrace",
   "contexts",
   "debug-images",
@@ -85,7 +80,7 @@ sentry = { version = "= 0.48.1", default-features = false, features = [
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.19.0", default-features = false, features = [
+serde_with = { version = "= 3.18.0", default-features = false, features = [
   "base64",
 ] }
 sqlx = { version = "= 0.8.6", default-features = false, features = [
@@ -102,16 +97,12 @@ sqlx = { version = "= 0.8.6", default-features = false, features = [
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
 time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.3", features = ["full", "tracing"] }
+tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
 tokio-retry2 = "= 0.9.1"
 tokio-rustls = "= 0.26.4"
-tokio-tungstenite = { version = "= 0.29.0", features = [
-  "rustls-tls-webpki-roots",
-  "url",
-] }
 tokio-util = { version = "= 0.7.18", features = ["full"] }
 tower = "= 0.5.3"
-tower-http = { version = "= 0.6.10", features = ["timeout"] }
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
 tracing-error = "= 0.2.1"
 tracing-subscriber = { version = "= 0.3.23", features = [
@@ -269,40 +260,28 @@ publish.workspace = true
 [features]
 default = ["core", "proxy"]
 core = ["ak-common/core", "dep:pyo3", "dep:sqlx"]
-proxy = ["ak-common/proxy", "dep:ak-client"]
+proxy = ["ak-common/proxy"]
 
 [build-dependencies]
 pyo3-build-config.workspace = true
 
 [dependencies]
 ak-axum.workspace = true
-ak-client = { workspace = true, optional = true }
 ak-common.workspace = true
 arc-swap.workspace = true
 argh.workspace = true
-axum-server.workspace = true
 axum.workspace = true
 color-eyre.workspace = true
 eyre.workspace = true
-futures.workspace = true
 hyper-unix-socket.workspace = true
 hyper-util.workspace = true
-metrics-exporter-prometheus.workspace = true
 metrics.workspace = true
+metrics-exporter-prometheus.workspace = true
 nix.workspace = true
 pyo3 = { workspace = true, optional = true }
-rand.workspace = true
-rustls.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-serde_repr.workspace = true
 sqlx = { workspace = true, optional = true }
-time.workspace = true
-tokio-tungstenite.workspace = true
 tokio.workspace = true
-tower.workspace = true
 tracing.workspace = true
-url.workspace = true
 uuid.workspace = true
 which.workspace = true
 

Makefile

@@ -125,7 +125,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`
+install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
 
 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -228,26 +228,14 @@ gen-dev-config:  ## Generate a local development config file
 ## Node.js
 #########################
 
-# Packages whose install/postinstall scripts are required for correct
-# operation (binary downloads, native bindings). The root .npmrc sets
-# `ignore-scripts=true` to block dependency lifecycle scripts by default;
-# this list is rebuilt explicitly with scripts re-enabled. Audit any
-# additions: each entry runs arbitrary code at install time.
-TRUSTED_INSTALL_SCRIPTS := esbuild chromedriver tree-sitter tree-sitter-json
-
 node-install:  ## Install the necessary libraries to build Node.js packages
 	npm ci
+	npm ci --prefix web
 
 #########################
 ## Web
 #########################
 
-web-install: ## Install the necessary libraries to build the Authentik UI
-	npm ci --prefix web
-
-web-postinstall:  ## Trigger postinstall scripts for packages with native bindings or binary downloads, which are blocked by default for security reasons.
-	npm rebuild --prefix web --ignore-scripts=false --foreground-scripts $(TRUSTED_INSTALL_SCRIPTS)
-
 web-build: node-install  ## Build the Authentik UI
 	npm run --prefix web build
 
@@ -280,7 +268,7 @@ web-i18n-extract:
 
 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
 
-docs-install: node-install
+docs-install:
 	npm ci --prefix website
 
 docs-lint-fix: lint-spellcheck

authentik/api/authentication.py

@@ -42,29 +42,11 @@ def validate_auth(header: bytes, format="bearer") -> str | None:
     return auth_credentials
 
 
-class VirtualUser(AnonymousUser):
-    is_active = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-    def all_roles(self):
-        return []
-
-
-class IPCUser(VirtualUser):
+class IPCUser(AnonymousUser):
     """'Virtual' user for IPC communication between authentik core and the authentik router"""
 
     username = "authentik:system"
+    is_active = True
     is_superuser = True
 
     @property
@@ -80,6 +62,17 @@ class IPCUser(VirtualUser):
     def has_module_perms(self, module):
         return True
 
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+    def all_roles(self):
+        return []
+
 
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""

authentik/core/api/groups.py

@@ -246,25 +246,6 @@ class GroupSerializer(ModelSerializer):
                 )
         return superuser
 
-    def validate_users(self, users: list) -> list:
-        """Require add_user_to_group permission when adding new members via group PATCH."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return users
-        if not self.instance:
-            return users
-        # BulkManyRelatedField returns raw PKs, not model instances
-        current_user_pks = set(self.instance.users.values_list("pk", flat=True))
-        new_users = [u for u in users if u not in current_user_pks]
-        if not new_users:
-            return users
-        has_perm = request.user.has_perm(
-            "authentik_core.add_user_to_group"
-        ) or request.user.has_perm("authentik_core.add_user_to_group", self.instance)
-        if not has_perm:
-            raise ValidationError(_("User does not have permission to add members to this group."))
-        return users
-
     class Meta:
         model = Group
         fields = [

authentik/core/api/users.py

@@ -297,36 +297,6 @@ class UserSerializer(ModelSerializer):
             raise ValidationError(_("Setting a user to internal service account is not allowed."))
         return user_type
 
-    def validate_groups(self, groups: list) -> list:
-        """Require enable_group_superuser permission when adding a user to a superuser group."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return groups
-        current_groups = set(self.instance.groups.all()) if self.instance else set()
-        for group in groups:
-            if not group.is_superuser:
-                continue
-            if group in current_groups:
-                continue
-            if not request.user.has_perm("authentik_core.enable_group_superuser"):
-                raise ValidationError(
-                    _("User does not have permission to add members to a superuser group.")
-                )
-        return groups
-
-    def validate_roles(self, roles: list) -> list:
-        """Require change_role permission when assigning new roles to a user."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return roles
-        current_roles = set(self.instance.roles.all()) if self.instance else set()
-        new_roles = [r for r in roles if r not in current_roles]
-        if not new_roles:
-            return roles
-        if not request.user.has_perm("authentik_rbac.change_role"):
-            raise ValidationError(_("User does not have permission to assign roles."))
-        return roles
-
     def validate(self, attrs: dict) -> dict:
         if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             raise ValidationError(_("Can't modify internal service account users"))

authentik/core/tests/test_groups_api.py

@@ -158,58 +158,3 @@ class TestGroupsAPI(APITestCase):
             data={"name": generate_id(), "is_superuser": True},
         )
         self.assertEqual(res.status_code, 201)
-
-    def test_patch_users_no_perm(self):
-        """PATCH group with new users without add_user_to_group must be rejected."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_users_with_global_perm(self):
-        """PATCH group with new users with global add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group")
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_users_with_obj_perm(self):
-        """PATCH group with new users with object-level add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_users_no_perm(self):
-        """PATCH group keeping existing membership without add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)

authentik/core/tests/test_users_api.py

@@ -12,7 +12,6 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
-    Group,
     Session,
     Token,
     User,
@@ -26,7 +25,6 @@ from authentik.core.tests.utils import (
 )
 from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
-from authentik.rbac.models import Role
 from authentik.stages.email.models import EmailStage
 
 INVALID_PASSWORD_HASH = "not-a-valid-hash"
@@ -941,79 +939,3 @@ class TestUsersAPI(APITestCase):
         self.assertIn(user2.pk, pks)
         # Verify user2 comes before user1 in descending order
         self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
-
-
-class TestUsersAPIGroupRoleValidation(APITestCase):
-    """Test that PATCH /api/v3/core/users/{pk}/ enforces group and role permission checks."""
-
-    def setUp(self) -> None:
-        self.actor = create_test_user()
-        self.target = create_test_user()
-
-    def _patch(self, data: dict):
-        self.client.force_login(self.actor)
-        return self.client.patch(
-            reverse("authentik_api:user-detail", kwargs={"pk": self.target.pk}),
-            data=data,
-            content_type="application/json",
-        )
-
-    def test_patch_superuser_group_no_perm(self):
-        """Assigning a superuser group without enable_group_superuser must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_superuser_group_with_perm(self):
-        """Assigning a superuser group with enable_group_superuser must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_core.enable_group_superuser")
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_non_superuser_group_no_perm(self):
-        """Assigning a non-superuser group without special permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=False)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_superuser_group_no_perm(self):
-        """Keeping an existing superuser group membership without the permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        self.target.groups.add(group)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_role_no_perm(self):
-        """Assigning a new role without change_role must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_role_with_perm(self):
-        """Assigning a new role with change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_rbac.change_role")
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_role_no_perm(self):
-        """Keeping an existing role without change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        self.target.roles.add(role)
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)

authentik/endpoints/connectors/agent/api/connectors.py

@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -44,6 +44,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_ME
 
 
 class AgentConnectorSerializer(ConnectorSerializer):
+
     class Meta(ConnectorSerializer.Meta):
         model = AgentConnector
         fields = ConnectorSerializer.Meta.fields + [
@@ -62,6 +63,7 @@ class AgentConnectorSerializer(ConnectorSerializer):
 
 
 class MDMConfigSerializer(PassiveSerializer):
+
     platform = ChoiceField(choices=OSFamily.choices)
     enrollment_token = PrimaryKeyRelatedField(
         queryset=EnrollmentToken.objects.including_expired().all()
@@ -87,6 +89,7 @@ class AgentConnectorViewSet(
     UsedByMixin,
     ModelViewSet,
 ):
+
     queryset = AgentConnector.objects.all()
     serializer_class = AgentConnectorSerializer
     search_fields = ["name"]
@@ -118,8 +121,6 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
-        # Permissions are handled via AgentEnrollmentAuth
-        permission_classes=[AllowAny],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -150,13 +151,7 @@ class AgentConnectorViewSet(
         request=OpenApiTypes.NONE,
         responses=AgentConfigSerializer(),
     )
-    @action(
-        methods=["GET"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
         connector: AgentConnector = token.device.connector.agentconnector
@@ -170,13 +165,7 @@ class AgentConnectorViewSet(
         request=DeviceFacts(),
         responses={204: OpenApiResponse(description="Successfully checked in")},
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     def check_in(self, request: Request):
         token: DeviceToken = request.auth
         data = DeviceFacts(data=request.data)

authentik/endpoints/connectors/agent/auth.py

@@ -1,6 +1,5 @@
 from typing import Any
 
-from django.db.models import Model
 from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
@@ -10,7 +9,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.api.authentication import VirtualUser, validate_auth
+from authentik.api.authentication import IPCUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
 from authentik.crypto.apps import MANAGED_KEY
@@ -26,18 +25,9 @@ LOGGER = get_logger()
 PLATFORM_ISSUER = "goauthentik.io/platform"
 
 
-class DeviceUser(VirtualUser):
-
+class DeviceUser(IPCUser):
     username = "authentik:endpoints:device"
 
-    def has_perm(self, perm: str, obj: Model | None = None) -> bool:
-        if perm in [
-            "authentik_core.view_user",
-            "authentik_core.view_group",
-        ]:
-            return True
-        return False
-
 
 class AgentEnrollmentAuth(BaseAuthentication):
 

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -223,17 +223,3 @@ class TestAgentAPI(APITestCase):
             data={"platform": OSFamily.macOS, "enrollment_token": self.token.pk},
         )
         self.assertEqual(res.status_code, 200)
-
-    def test_users_list(self):
-        response = self.client.get(
-            reverse("authentik_api:user-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_other_api_forbidden(self):
-        response = self.client.get(
-            reverse("authentik_api:application-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 403)

authentik/enterprise/endpoints/connectors/agent/api/connectors.py

@@ -2,7 +2,6 @@ from django.urls import reverse
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
@@ -26,13 +25,7 @@ class AgentConnectorViewSetMixin:
         request=OpenApiTypes.NONE,
         responses=AgentAuthenticationResponse(),
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     @enterprise_action
     def auth_ia(self, request: Request) -> Response:
         token: DeviceToken = request.auth

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -56,9 +55,7 @@ class SignInRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/processors/sign_out.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -33,9 +32,7 @@ class SignOutRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/tests/test_sign_in.py

@@ -27,27 +27,12 @@ class TestWSFedSignIn(TestCase):
             name=generate_id(),
             authorization_flow=self.flow,
             signing_kp=self.cert,
-            acs_url="https://t.goauthentik.io",
-            audience="foo",
         )
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
         self.factory = RequestFactory()
 
-    def test_wreply(self):
-        request = self.factory.get(
-            "/?wreply=https://t.goauthentik.io/foo&wa=wsignin1.0&wtrealm=foo",
-            user=get_anonymous_user(),
-        )
-        SignInRequest.parse(request)
-        with self.assertRaises(ValueError):
-            request = self.factory.get(
-                "/?wreply=https://t.goauthentik.io.invalid.com&wa=wsignin1.0&wtrealm=foo",
-                user=get_anonymous_user(),
-            )
-            SignInRequest.parse(request)
-
     def test_token_gen(self):
         request = self.factory.get("/", user=get_anonymous_user())
         proc = SignInProcessor(

authentik/providers/oauth2/api/tokens.py

@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 
 
@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
     """Serializer for BaseGrantModel and ExpiringBaseGrant"""
 
     user = UserSerializer()
-    provider = ProviderSerializer()
+    provider = OAuth2ProviderSerializer()
     scope = ListField(child=CharField())
 
     class Meta:

authentik/providers/saml/api/providers.py

@@ -61,11 +61,6 @@ class SAMLProviderSerializer(ProviderSerializer):
     url_download_metadata = SerializerMethodField()
     url_issuer = SerializerMethodField()
 
-    # Unified SAML endpoint (primary)
-    url_unified = SerializerMethodField()
-    url_unified_init = SerializerMethodField()
-
-    # Legacy endpoints (for backward compatibility)
     url_sso_post = SerializerMethodField()
     url_sso_redirect = SerializerMethodField()
     url_sso_init = SerializerMethodField()
@@ -102,21 +97,6 @@ class SAMLProviderSerializer(ProviderSerializer):
         if "request" not in self._context:
             return DEFAULT_ISSUER
         request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:metadata-download",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return DEFAULT_ISSUER
-
-    def get_url_unified(self, instance: SAMLProvider) -> str:
-        """Get unified SAML endpoint URL (handles SSO and SLO)"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
         try:
             return request.build_absolute_uri(
                 reverse(
@@ -125,22 +105,7 @@ class SAMLProviderSerializer(ProviderSerializer):
                 )
             )
         except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
-
-    def get_url_unified_init(self, instance: SAMLProvider) -> str:
-        """Get IdP-initiated SAML URL"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:init",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
+            return DEFAULT_ISSUER
 
     def get_url_sso_post(self, instance: SAMLProvider) -> str:
         """Get SSO Post URL"""
@@ -278,8 +243,6 @@ class SAMLProviderSerializer(ProviderSerializer):
             "default_name_id_policy",
             "url_download_metadata",
             "url_issuer",
-            "url_unified",
-            "url_unified_init",
             "url_sso_post",
             "url_sso_redirect",
             "url_sso_init",

authentik/providers/saml/models.py

@@ -241,7 +241,7 @@ class SAMLProvider(Provider):
         """Use IDP-Initiated SAML flow as launch URL"""
         try:
             return reverse(
-                "authentik_providers_saml:init",
+                "authentik_providers_saml:sso-init",
                 kwargs={"application_slug": self.application.slug},
             )
         except Provider.application.RelatedObjectDoesNotExist:

authentik/providers/saml/processors/assertion.py

@@ -147,7 +147,7 @@ class AssertionProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )

authentik/providers/saml/processors/metadata.py

@@ -48,7 +48,7 @@ class MetadataProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )
@@ -81,35 +81,54 @@ class MetadataProcessor:
             element.text = name_id_format
             yield element
 
-    def _get_unified_url(self) -> str:
-        """Get the unified SAML endpoint URL"""
-        return self.http_request.build_absolute_uri(
-            reverse(
-                "authentik_providers_saml:base",
-                kwargs={"application_slug": self.provider.application.slug},
-            )
-        )
-
     def get_sso_bindings(self) -> Iterator[Element]:
-        """Get all SSO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleSignOnService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def get_slo_bindings(self) -> Iterator[Element]:
-        """Get all SLO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleLogoutService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def _prepare_signature(self, entity_descriptor: _Element):

authentik/providers/saml/urls.py

@@ -4,26 +4,19 @@ from django.urls import path
 
 from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
-from authentik.providers.saml.views import metadata, sso, unified
+from authentik.providers.saml.views import metadata, sso
 from authentik.providers.saml.views.sp_slo import (
     SPInitiatedSLOBindingPOSTView,
     SPInitiatedSLOBindingRedirectView,
 )
 
 urlpatterns = [
-    # Unified Endpoint - handles SSO and SLO based on message type
+    # Base path for Issuer/Entity ID
     path(
         "<slug:application_slug>/",
-        unified.SAMLUnifiedView.as_view(),
+        sso.SAMLSSOBindingRedirectView.as_view(),
         name="base",
     ),
-    # IdP-initiated
-    path(
-        "<slug:application_slug>/init/",
-        sso.SAMLSSOBindingInitView.as_view(),
-        name="init",
-    ),
-    # LEGACY Endpoints (backward compatibility)
     # SSO Bindings
     path(
         "<slug:application_slug>/sso/binding/redirect/",

authentik/providers/saml/views/unified.py

@@ -1,118 +0,0 @@
-"""Unified SAML endpoint - handles SSO and SLO based on message type"""
-
-from base64 import b64decode
-
-from defusedxml.lxml import fromstring
-from django.http import HttpRequest, HttpResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
-from django.views.decorators.csrf import csrf_exempt
-from structlog.stdlib import get_logger
-
-from authentik.common.saml.constants import NS_MAP
-from authentik.flows.views.executor import SESSION_KEY_POST
-from authentik.lib.views import bad_request_message
-from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.providers.saml.views.flows import (
-    REQUEST_KEY_SAML_REQUEST,
-    REQUEST_KEY_SAML_RESPONSE,
-)
-from authentik.providers.saml.views.sp_slo import (
-    SPInitiatedSLOBindingPOSTView,
-    SPInitiatedSLOBindingRedirectView,
-)
-from authentik.providers.saml.views.sso import (
-    SAMLSSOBindingPOSTView,
-    SAMLSSOBindingRedirectView,
-)
-
-LOGGER = get_logger()
-
-# SAML message type constants
-SAML_MESSAGE_TYPE_AUTHN_REQUEST = "AuthnRequest"
-SAML_MESSAGE_TYPE_LOGOUT_REQUEST = "LogoutRequest"
-
-
-def detect_saml_message_type(saml_request: str, is_post_binding: bool) -> str | None:
-    """Parse SAML request to determine if AuthnRequest or LogoutRequest."""
-    try:
-        if is_post_binding:
-            decoded_xml = b64decode(saml_request.encode())
-        else:
-            decoded_xml = decode_base64_and_inflate(saml_request)
-
-        root = fromstring(decoded_xml)
-        if len(root.xpath("//samlp:AuthnRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_AUTHN_REQUEST
-        if len(root.xpath("//samlp:LogoutRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_LOGOUT_REQUEST
-        return None
-    except Exception:  # noqa: BLE001
-        return None
-
-
-@method_decorator(xframe_options_sameorigin, name="dispatch")
-@method_decorator(csrf_exempt, name="dispatch")
-class SAMLUnifiedView(View):
-    """Unified SAML endpoint - handles SSO and SLO based on message type.
-
-    The operation type is determined by parsing
-    the incoming SAML message:
-    - AuthnRequest -> SSO flow (delegates to SAMLSSOBindingRedirectView/POSTView)
-    - LogoutRequest -> SLO flow (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    - LogoutResponse -> SLO completion (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    """
-
-    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
-        """Route the request based on SAML message type."""
-        # ak user was not logged in, redirected to login, and is back w POST payload in session
-        if SESSION_KEY_POST in request.session:
-            return self._delegate_to_sso(request, application_slug, is_post_binding=True)
-
-        # Determine binding from HTTP method
-        is_post_binding = request.method == "POST"
-        data = request.POST if is_post_binding else request.GET
-
-        # LogoutResponse - delegate to SLO view (handles it in dispatch)
-        if REQUEST_KEY_SAML_RESPONSE in data:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-
-        # Check for SAML request
-        if REQUEST_KEY_SAML_REQUEST not in data:
-            LOGGER.info("SAML payload missing")
-            return bad_request_message(request, "The SAML request payload is missing.")
-
-        # Detect message type and delegate
-        saml_request = data[REQUEST_KEY_SAML_REQUEST]
-        message_type = detect_saml_message_type(saml_request, is_post_binding)
-
-        if message_type == SAML_MESSAGE_TYPE_AUTHN_REQUEST:
-            return self._delegate_to_sso(request, application_slug, is_post_binding)
-        elif message_type == SAML_MESSAGE_TYPE_LOGOUT_REQUEST:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-        else:
-            LOGGER.warning("Unknown SAML message type", message_type=message_type)
-            return bad_request_message(
-                request, f"Unsupported SAML message type: {message_type or 'unknown'}"
-            )
-
-    def _delegate_to_sso(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SSO view."""
-        if is_post_binding:
-            view = SAMLSSOBindingPOSTView.as_view()
-        else:
-            view = SAMLSSOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)
-
-    def _delegate_to_slo(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SLO view."""
-        if is_post_binding:
-            view = SPInitiatedSLOBindingPOSTView.as_view()
-        else:
-            view = SPInitiatedSLOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)

authentik/sources/saml/processors/response.py

@@ -1,7 +1,6 @@
 """authentik saml source processor"""
 
 from base64 import b64decode
-from datetime import UTC, datetime
 from time import mktime
 from typing import TYPE_CHECKING
 
@@ -41,7 +40,6 @@ from authentik.sources.saml.exceptions import (
     InvalidSignature,
     MismatchedRequestID,
     MissingSAMLResponse,
-    SAMLException,
     UnsupportedNameIDFormat,
 )
 from authentik.sources.saml.models import (
@@ -97,7 +95,6 @@ class ResponseProcessor:
 
         self._verify_request_id()
         self._verify_status()
-        self._verify_conditions()
 
     def _decrypt_response(self):
         """Decrypt SAMLResponse EncryptedAssertion Element"""
@@ -129,20 +126,6 @@ class ResponseProcessor:
         )
         self._assertion = decrypted_assertion
 
-    def _verify_conditions(self):
-        conditions = self.get_assertion().find(f"{{{NS_SAML_ASSERTION}}}Conditions")
-        if conditions is None:
-            return
-        _now = now()
-        before = conditions.attrib.get("NotBefore")
-        if before:
-            if datetime.fromisoformat(before).replace(tzinfo=UTC) > _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-        on_or_after = conditions.attrib.get("NotOnOrAfter")
-        if on_or_after:
-            if datetime.fromisoformat(on_or_after).replace(tzinfo=UTC) < _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-
     def _verify_signature(self, signature_node: _Element):
         """Verify a single signature node"""
         xmlsec.tree.add_ids(self._root, ["ID"])
@@ -232,9 +215,10 @@ class ResponseProcessor:
         user has an attribute that refers to our Source for cleanup. The user is also deleted
         on logout and periodically."""
         # Create a temporary User
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
+        username = name_id.text
         # trim username to ensure it is max 150 chars
-        username = f"ak-{name_id[: USERNAME_MAX_LENGTH - 14]}-transient"
+        username = f"ak-{username[: USERNAME_MAX_LENGTH - 14]}-transient"
         expiry = mktime(
             (now() + timedelta_from_string(self._source.temporary_user_delete_after)).timetuple()
         )
@@ -250,18 +234,20 @@ class ResponseProcessor:
             },
             path=self._source.get_user_path(),
         )
-        LOGGER.debug("Created temporary user for NameID Transient", username=name_id)
+        LOGGER.debug("Created temporary user for NameID Transient", username=name_id.text)
         user.set_unusable_password()
         user.save()
-        UserSAMLSourceConnection.objects.create(source=self._source, user=user, identifier=name_id)
+        UserSAMLSourceConnection.objects.create(
+            source=self._source, user=user, identifier=name_id.text
+        )
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
             },
             policy_context={},
         )
@@ -272,7 +258,7 @@ class ResponseProcessor:
             return self._assertion
         return self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
 
-    def _get_name_id(self) -> tuple[Element, str]:
+    def _get_name_id(self) -> Element:
         """Get NameID Element"""
         assertion = self.get_assertion()
         if assertion is None:
@@ -283,11 +269,12 @@ class ResponseProcessor:
         name_id = subject.find(f"{{{NS_SAML_ASSERTION}}}NameID")
         if name_id is None:
             raise ValueError("NameID element not found")
-        return name_id, "".join(name_id.itertext())
+        return name_id
 
     def _get_name_id_filter(self) -> dict[str, str]:
         """Returns the subject's NameID as a Filter for the `User`"""
-        name_id_el, name_id = self._get_name_id()
+        name_id_el = self._get_name_id()
+        name_id = name_id_el.text
         if not name_id:
             raise UnsupportedNameIDFormat("Subject's NameID is empty.")
         _format = name_id_el.attrib["Format"]
@@ -308,26 +295,26 @@ class ResponseProcessor:
 
     def prepare_flow_manager(self) -> SourceFlowManager:
         """Prepare flow plan depending on whether or not the user exists"""
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
         # Sanity check, show a warning if NameIDPolicy doesn't match what we go
-        if self._source.name_id_policy != name_id_el.attrib["Format"]:
+        if self._source.name_id_policy != name_id.attrib["Format"]:
             LOGGER.warning(
                 "NameID from IdP doesn't match our policy",
                 expected=self._source.name_id_policy,
-                got=name_id_el.attrib["Format"],
+                got=name_id.attrib["Format"],
             )
         # transient NameIDs are handled separately as they don't have to go through flows.
-        if name_id_el.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             return self._handle_name_id_transient()
 
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
             },
             policy_context={
                 "saml_response": etree.tostring(self._root),

authentik/sources/saml/tests/test_property_mappings.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from defusedxml.lxml import fromstring
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.common.saml.constants import NS_SAML_ASSERTION
 from authentik.core.tests.utils import RequestFactory, create_test_flow
@@ -35,7 +34,6 @@ class TestPropertyMappings(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_base_properties(self):
         """Test user base properties"""
         properties = self.source.get_base_user_properties(
@@ -63,7 +61,6 @@ class TestPropertyMappings(TestCase):
             properties = self.source.get_base_group_properties(root=ROOT, group_id=group_id)
             self.assertEqual(properties, {"name": group_id})
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_property_mappings(self):
         """Test user property mappings"""
         self.source.user_property_mappings.add(
@@ -97,7 +94,6 @@ class TestPropertyMappings(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_group_property_mappings(self):
         """Test group property mappings"""
         self.source.group_property_mappings.add(

authentik/sources/saml/tests/test_response.py

@@ -3,7 +3,6 @@
 from base64 import b64encode
 
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import RequestFactory, create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
@@ -47,7 +46,6 @@ class TestResponseProcessor(TestCase):
         ):
             ResponseProcessor(self.source, request).parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_success(self):
         """Test success"""
         request = self.factory.post(
@@ -74,7 +72,6 @@ class TestResponseProcessor(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_success_with_status_message_and_detail(self):
         """Test success with StatusMessage and StatusDetail present (should not raise error)"""
         request = self.factory.post(
@@ -91,7 +88,6 @@ class TestResponseProcessor(TestCase):
         sfm = parser.prepare_flow_manager()
         self.assertEqual(sfm.user_properties["username"], "jens@goauthentik.io")
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_error_with_message_and_detail(self):
         """Test error status with StatusMessage and StatusDetail includes both in error"""
         request = self.factory.post(
@@ -109,7 +105,6 @@ class TestResponseProcessor(TestCase):
         self.assertIn("User account is disabled", str(ctx.exception))
         self.assertIn("Authentication failed", str(ctx.exception))
 
-    @freeze_time("2024-08-07T15:48:09.325Z")
     def test_encrypted_correct(self):
         """Test encrypted"""
         key = load_fixture("fixtures/encrypted-key.pem")
@@ -147,7 +142,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaises(InvalidEncryption):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_verification_assertion(self):
         """Test verifying signature inside assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -170,7 +164,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_assertion_duplicate(self):
         """Test verifying signature inside assertion, where the response has another assertion
         before our signed assertion"""
@@ -193,35 +186,9 @@ class TestResponseProcessor(TestCase):
 
         parser = ResponseProcessor(self.source, request)
         parser.parse()
-        self.assertNotEqual(parser._get_name_id()[1], "bad")
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+        self.assertNotEqual(parser._get_name_id().text, "bad")
+        self.assertEqual(parser._get_name_id().text, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
 
-    @freeze_time("2022-10-14T14:15:00")
-    def test_name_id_comment(self):
-        """Test comment in name ID"""
-        fixture = load_fixture("fixtures/response_signed_assertion_dup.xml")
-        fixture = fixture.replace(
-            "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7",
-            "_ce3d2948b4cf20146dee0a0b3dd6f<!--x-->69b6cf86f62d7",
-        )
-        key = load_fixture("fixtures/signature_cert.pem")
-        kp = CertificateKeyPair.objects.create(
-            name=generate_id(),
-            certificate_data=key,
-        )
-        self.source.verification_kp = kp
-        self.source.signed_assertion = True
-        self.source.signed_response = False
-        request = self.factory.post(
-            "/",
-            data={"SAMLResponse": b64encode(fixture.encode()).decode()},
-        )
-
-        parser = ResponseProcessor(self.source, request)
-        parser.parse()
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
-
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_response(self):
         """Test verifying signature inside response"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -244,7 +211,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2024-01-18T06:20:48Z")
     def test_verification_response_and_assertion(self):
         """Test verifying signature inside response and assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -291,7 +257,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_verification_no_signature(self):
         """Test rejecting response without signature when signed_assertion is True"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -338,7 +303,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2025-10-30T05:45:47.619Z")
     def test_signed_encrypted_response(self):
         """Test signed & encrypted response"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")
@@ -366,7 +330,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2026-01-21T14:23")
     def test_transient(self):
         """Test SAML transient NameID"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")

authentik/sources/saml/tests/test_views.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import PLAN_CONTEXT_REDIRECT, FlowPlan
@@ -27,7 +26,6 @@ class TestViews(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll(self):
         """Enroll"""
         flow = create_test_flow()
@@ -54,7 +52,6 @@ class TestViews(TestCase):
         plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
         self.assertIsNotNone(plan)
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll_redirect(self):
         """Enroll when attempting to access a provider"""
         initial_redirect = f"http://{generate_id()}"

authentik/tenants/api/settings.py

@@ -19,12 +19,6 @@ from authentik.tenants.models import Tenant
 
 class FlagJSONField(JSONDictField):
 
-    def to_internal_value(self, data: str):
-        flags = super().to_internal_value(data)
-        for flag in Flag.available(visibility="system", exclude_system=False):
-            flags[flag().key] = flag.get()
-        return flags
-
     def to_representation(self, value: dict) -> dict:
         new_value = value.copy()
         for flag in Flag.available(exclude_system=False):
@@ -39,10 +33,13 @@ class FlagJSONField(JSONDictField):
 
     def run_validators(self, value: dict):
         super().run_validators(value)
-        for flag in Flag.available():
+        for flag in Flag.available(exclude_system=False):
             _flag = flag()
             if _flag.key not in value:
                 continue
+            if _flag.visibility == "system":
+                value.pop(_flag.key, None)
+                continue
             flag_value = value.get(_flag.key)
             flag_type = get_args(_flag.__orig_bases__[0])[0]
             if flag_value and not isinstance(flag_value, flag_type):

authentik/tenants/tests/test_local_settings.py

@@ -85,30 +85,10 @@ class TestLocalSettingsAPI(APITestCase):
                 "flags": {"tenants_test_flag_sys": 123},
             },
         )
+        print(response.content)
         self.assertEqual(response.status_code, 200)
         self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
-
-    def test_settings_flags_system_empty_put(self):
-        """Test settings API"""
-        self.tenant.flags = {}
-        self.tenant.save()
-
-        class _TestFlag(Flag[bool], key="tenants_test_flag_sys"):
-
-            default = False
-            visibility = "system"
-
-        self.client.force_login(self.local_admin)
-        response = self.client.patch(
-            reverse("authentik_api:tenant_settings"),
-            data={
-                "flags": {},
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
+        self.assertEqual(self.tenant.flags, {})
 
     def test_command(self):
         self.tenant.flags = {}

blueprints/example/flow-default-account-lockdown.yaml

@@ -36,10 +36,14 @@ entries:
       attrs:
         order: 50
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          pending_user = user if getattr(user, "is_authenticated", False) else None
-          target_uuid = str(getattr(pending_user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          pending_user = None
+          if target_uuid and not is_self_service:
+              from authentik.core.models import User
+
+              pending_user = User.objects.filter(pk=target_uuid).first()
           if is_self_service:
               return (
                   "<p><strong>You are about to lock down your own account.</strong></p>"
@@ -59,15 +63,14 @@ entries:
           from django.utils.html import escape
 
           if pending_user:
-              detail = pending_user.email or pending_user.name
-              user_html = f"<code>{escape(pending_user.username)}</code>"
-              if detail and detail != pending_user.username:
-                  user_html = f"{user_html} ({escape(detail)})"
+              email = escape(pending_user.email or pending_user.name or "No email")
+              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
           else:
-              user_html = "the account selected when this one-time lockdown link was created"
+              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
 
           return (
-              f"<p><strong>You are about to lock down the following account:</strong> {user_html}</p>"
+              "<p><strong>You are about to lock down the following account:</strong></p>"
+              f"{user_html}"
               "<p>This is an emergency action for cutting off access to the account right away. "
               "It does not lock the administrator who opened this page.</p>"
               "<p><strong>This will immediately:</strong></p>"
@@ -96,9 +99,9 @@ entries:
       attrs:
         order: 100
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               info = (
                   "Use this if you no longer trust your current password or sessions. "
@@ -131,9 +134,9 @@ entries:
       attrs:
         order: 200
         placeholder: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               return "Describe why you are locking your account..."
           return "Describe why this account is being locked down..."
@@ -181,10 +184,14 @@ entries:
       attrs:
         order: 300
         initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
           from django.utils.html import escape
+          from authentik.core.models import User
 
-          if getattr(user, "is_authenticated", False):
-              return f"<p><code>{escape(user.username)}</code> has been locked down.</p>"
+          if target_uuid:
+              target = User.objects.filter(pk=target_uuid).first()
+              if target:
+                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
 
           return "<p>The selected account has been locked down.</p>"
         initial_value_expression: true
@@ -214,9 +221,9 @@ entries:
       attrs:
         name: default-account-lockdown-admin-policy
         expression: |
-          actor_uuid = str(getattr(request.http_request.user, "pk", ""))
-          target_uuid = str(getattr(request.user, "pk", ""))
-          return bool(target_uuid) and target_uuid != actor_uuid
+          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != current_user_uuid
       identifiers:
         name: default-account-lockdown-admin-policy
       id: admin-policy

go.mod

@@ -7,10 +7,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
-	github.com/getsentry/sentry-go v0.46.2
+	github.com/getsentry/sentry-go v0.46.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.29.5
+	github.com/go-openapi/runtime v0.29.4
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.2 // indirect
+	github.com/go-openapi/strfmt v0.26.1 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
@@ -90,10 +90,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.46.2 h1:1jhYwrKGa3sIpo/y5iDNXS5wDoT7I1KNzMHrnK6ojns=
-github.com/getsentry/sentry-go v0.46.2/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
+github.com/getsentry/sentry-go v0.46.1 h1:mZyQFaQYkPxAdDG4HR8gDg6j4CnKYVWt4TF92N7i3XY=
+github.com/getsentry/sentry-go v0.46.1/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -51,12 +51,12 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe
 github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.29.5 h1:uc5+/TtqLIfDBTUxnF3uppoGMt+9DzonwUWsviINlrY=
-github.com/go-openapi/runtime v0.29.5/go.mod h1:D9IUbWccdYv+km8QwmAm90FZvDcQk47vP2Y7y5as/D8=
+github.com/go-openapi/runtime v0.29.4 h1:k2lDxrGoSAJRdhFG2tONKMpkizY/4X1cciSdtzk4Jjo=
+github.com/go-openapi/runtime v0.29.4/go.mod h1:K0k/2raY6oqXJnZAgWJB2i/12QKrhUKpZcH4PfV9P18=
 github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
 github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
-github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
+github.com/go-openapi/strfmt v0.26.1 h1:7zGCHji7zSYDC2tCXIusoxYQz/48jAf2q+sF6wXTG+c=
+github.com/go-openapi/strfmt v0.26.1/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -77,10 +77,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu
 github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
 github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
 github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk=
-github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw=
-github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
+github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
+github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
 github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
 github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -216,8 +216,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -227,8 +227,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -245,8 +245,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -258,8 +258,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/outpost/proxyv2/application/mode_common.go

@@ -110,6 +110,17 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) (*url.URL, error) {
 
 // getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) (*url.URL, error) {
+	ou := r.Header.Get("X-Original-URI")
+	if ou != "" {
+		// Turn this full URL into a relative URL
+		u := &url.URL{
+			Host:   "",
+			Scheme: "",
+			Path:   ou,
+		}
+		a.log.WithField("url", u.String()).Info("building forward URL from X-Original-URI")
+		return u, nil
+	}
 	h := r.Header.Get("X-Original-URL")
 	if len(h) < 1 {
 		return nil, errors.New("no forward URL found")

internal/outpost/proxyv2/application/mode_forward_nginx_test.go

@@ -5,8 +5,10 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
+	"goauthentik.io/internal/outpost/proxyv2/types"
 	api "goauthentik.io/packages/client-go"
 )
 
@@ -45,6 +47,67 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 	assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
 }
 
+func TestForwardHandleNginx_Single_URI(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/app")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	assert.Equal(t, "/app", s.Values[constants.SessionRedirect])
+}
+
+func TestForwardHandleNginx_Single_Claims(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	s.ID = uuid.New().String()
+	s.Options.MaxAge = 86400
+	s.Values[constants.SessionClaims] = types.Claims{
+		Sub: "foo",
+		Proxy: &types.ProxyClaims{
+			UserAttributes: map[string]any{
+				"username": "foo",
+				"password": "bar",
+				"additionalHeaders": map[string]any{
+					"foo": "bar",
+				},
+			},
+		},
+	}
+	err := a.sessions.Save(req, rr, s)
+	if err != nil {
+		panic(err)
+	}
+
+	rr = httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	h := rr.Result().Header
+
+	assert.Equal(t, []string{"Basic Zm9vOmJhcg=="}, h["Authorization"])
+	assert.Equal(t, []string{"bar"}, h["Foo"])
+	assert.Equal(t, []string{""}, h["User-Agent"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Email"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Groups"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Jwt"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-App"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Jwks"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Outpost"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Name"])
+	assert.Equal(t, []string{"foo"}, h["X-Authentik-Uid"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Username"])
+}
+
 func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
 	a := newTestApplication()
 	a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()

lifecycle/ak

@@ -38,10 +38,6 @@ function run_authentik {
             echo cargo run -- "$@"
         fi
         ;;
-    manage)
-        shift 1
-        echo python -m manage "$@"
-        ;;
     *)
         echo "$@"
         ;;

lifecycle/container/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:4f2b45e32dc7d2caf66b6dbd59fac50e32f8077769efe0ef4d4c3f114672537d AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:735dd688da64d22ebd9dd374b3e7e5a874635668fd2a6ec20ca1f99264294086 AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -101,6 +101,8 @@ RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
     rustc --version && \
     cargo --version
 
+RUN cat /root/.rustup/settings.toml
+
 # Stage: Download uv
 FROM ghcr.io/astral-sh/uv:0.11.5@sha256:555ac94f9a22e656fc5f2ce5dfee13b04e94d099e46bb8dd3a73ec7263f2e484 AS uv
 # Stage: Base python image
@@ -226,7 +228,8 @@ RUN apt-get update && \
     # Required for runtime
     apt-get install -y --no-install-recommends \
     libpq5 libmaxminddb0 ca-certificates \
-    libkadm5clnt-mit12 libkadm5clnt7t64-heimdal \
+    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
+    heimdal-multidev libkadm5clnt7t64-heimdal \
     libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \

lifecycle/container/proxy.Dockerfile

@@ -21,45 +21,33 @@ COPY web .
 RUN npm run build-proxy
 
 # Stage 2: Build
-FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341 AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.26.2-trixie@sha256:4a7137ea573f79c86ae451ff05817ed762ef5597fcf732259e97abeb3108d873 AS builder
 
+ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT
 
-ENV PATH="/root/.cargo/bin:$PATH"
-SHELL ["/bin/sh", "-o", "pipefail", "-c"]
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
-    --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
-    apt-get update && \
-    # Required for installing pip packages
-    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential \
-    # aws-lc deps
-    cmake clang golang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal --default-toolchain none && \
-    rustup install && \
-    rustup default "$(sed -n 's/channel = "\(.*\)"/\1/p' rust-toolchain.toml)" && \
-    rustc --version && \
-    cargo --version
-# See https://github.com/aws/aws-lc-rs/issues/569
-ENV AWS_LC_FIPS_SYS_CC=clang
+ARG GOOS=$TARGETOS
+ARG GOARCH=$TARGETARCH
 
-RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
-    --mount=type=bind,target=Cargo.toml,src=Cargo.toml \
-    --mount=type=bind,target=Cargo.lock,src=Cargo.lock \
-    --mount=type=bind,target=.cargo/,src=.cargo/ \
-    --mount=type=bind,target=src/,src=src/ \
-    --mount=type=bind,target=packages/,src=packages/ \
-    --mount=type=bind,target=authentik/lib/default.yml,src=authentik/lib/default.yml \
-    # Required otherwise workspace discovery fails
-    --mount=type=bind,target=website/scripts/docsmg/,src=website/scripts/docsmg/ \
-    --mount=type=cache,id=cargo-git-db-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/git/db/ \
-    --mount=type=cache,id=cargo-registry-$TARGETARCH$TARGETVARIANT,target=/root/.cargo/registry/ \
-    --mount=type=cache,id=rust-target-$TARGETARCH$TARGETVARIANT,target=/build/target/ \
-    cargo build --package authentik --no-default-features --features proxy --locked --release && \
-    cp ./target/release/authentik /bin/authentik
+WORKDIR /go/src/goauthentik.io
+
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
+    dpkg --add-architecture arm64 && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
+
+RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
+    --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+COPY . .
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
+    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
+    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    go build -o /go/proxy ./cmd/proxy
 
 # Stage 3: Run
 FROM ghcr.io/goauthentik/fips-debian:trixie-slim-fips@sha256:7726387c78b5787d2146868c2ccc8948a3591d0a5a6436f7780c8c28acc76341
@@ -84,13 +72,13 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/*
 
-COPY --from=builder /bin/authentik /
+COPY --from=builder /go/proxy /
 COPY --from=web-builder /static/robots.txt /web/robots.txt
 COPY --from=web-builder /static/security.txt /web/security.txt
 COPY --from=web-builder /static/dist/ /web/dist/
 COPY --from=web-builder /static/authentik/ /web/authentik/
 
-HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/authentik", "healthcheck" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/proxy", "healthcheck" ]
 
 EXPOSE 9000 9300 9443
 
@@ -99,4 +87,4 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     GOFIPS=1
 
-ENTRYPOINT ["/authentik", "proxy"]
+ENTRYPOINT ["/proxy"]

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-13 05:39+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -226,10 +226,6 @@ msgstr ""
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""
 
-#: authentik/core/api/groups.py
-msgid "User does not have permission to add members to this group."
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -260,14 +256,6 @@ msgstr ""
 msgid "Setting a user to internal service account is not allowed."
 msgstr ""
 
-#: authentik/core/api/users.py
-msgid "User does not have permission to add members to a superuser group."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "User does not have permission to assign roles."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "Can't modify internal service account users"
 msgstr ""

locale/en/dictionaries/people.txt

@@ -11,4 +11,3 @@ Naur
 Wärting
 Aadit
 Kilby
-Kahmen

locale/en/dictionaries/software-terms.txt

@@ -164,4 +164,3 @@ yamltags
 zxcvbn
 ~uuid
 ~uuids
-wreply

packages/ak-common/Cargo.toml

@@ -22,13 +22,11 @@ axum-server.workspace = true
 config-rs.workspace = true
 console-subscriber.workspace = true
 eyre.workspace = true
-futures.workspace = true
 glob.workspace = true
 ipnet.workspace = true
 json-subscriber.workspace = true
 notify.workspace = true
 pin-project-lite.workspace = true
-rcgen.workspace = true
 reqwest.workspace = true
 reqwest-middleware.workspace = true
 rustls.workspace = true
@@ -45,7 +43,6 @@ tracing-error.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
 url.workspace = true
-uuid.workspace = true
 
 [dev-dependencies]
 nix.workspace = true

packages/ak-common/src/api.rs

@@ -1,6 +1,6 @@
 //! Utilities for working with the authentik API client.
 
-use ak_client::{apis::configuration::Configuration, models::Pagination};
+use ak_client::apis::configuration::Configuration;
 use eyre::{Result, eyre};
 use url::Url;
 
@@ -60,42 +60,6 @@ pub fn make_config() -> Result<Configuration> {
     })
 }
 
-/// Fetch all pages from a paginated API endpoint, returning all results combined.
-///
-/// - `fetch`: a function that takes a page number and returns a future resolving to a paginated
-/// response.
-/// - `get_pagination`: a function that extracts the [`Pagination`] metadata from a response.
-/// - `get_results`: a function that extracts the result items from a response.
-pub async fn fetch_all<T, R, E, F, Fut>(
-    fetch: F,
-    get_pagination: impl Fn(&R) -> &Pagination,
-    get_results: impl Fn(R) -> Vec<T>,
-) -> std::result::Result<Vec<T>, E>
-where
-    F: Fn(i32) -> Fut,
-    Fut: Future<Output = std::result::Result<R, E>>,
-{
-    let mut page = 1;
-    let mut results = Vec::with_capacity(0);
-
-    loop {
-        let response = fetch(page).await?;
-        let next = get_pagination(&response).next;
-        if page == 1 {
-            let count = get_pagination(&response).count as usize;
-            results.reserve(count);
-        }
-        results.extend(get_results(response));
-        if next > 0.0 {
-            page += 1;
-        } else {
-            break;
-        }
-    }
-
-    Ok(results)
-}
-
 #[cfg(test)]
 mod tests {
     use serde_json::json;

packages/ak-common/src/config/schema.rs

@@ -3,9 +3,8 @@ use std::{collections::HashMap, net::SocketAddr, num::NonZeroUsize};
 use ipnet::IpNet;
 use serde::{Deserialize, Serialize};
 
-pub(super) const KEYS_TO_PARSE_AS_LIST: [&str; 5] = [
+pub(super) const KEYS_TO_PARSE_AS_LIST: [&str; 4] = [
     "listen.http",
-    "listen.https",
     "listen.metrics",
     "listen.trusted_proxy_cidrs",
     "log.http_headers",
@@ -60,7 +59,6 @@ pub struct PostgreSQLConfig {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ListenConfig {
     pub http: Vec<SocketAddr>,
-    pub https: Vec<SocketAddr>,
     pub metrics: Vec<SocketAddr>,
     pub debug_tokio: SocketAddr,
     pub trusted_proxy_cidrs: Vec<IpNet>,

packages/ak-common/src/tls.rs

@@ -7,9 +7,6 @@ use tracing::trace;
 
 use crate::config;
 
-pub mod self_signed;
-pub mod store;
-
 /// Dummy resolver for FIPS compliance check.
 #[derive(Debug)]
 struct EmptyCertResolver;

packages/ak-common/src/tls/self_signed.rs

@@ -1,52 +0,0 @@
-use eyre::Result;
-use rcgen::{
-    Certificate, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, KeyPair,
-    KeyUsagePurpose, PKCS_RSA_SHA256, SanType,
-};
-use rustls::{
-    crypto::aws_lc_rs::sign::any_supported_type,
-    pki_types::{CertificateDer, PrivateKeyDer},
-    sign::CertifiedKey,
-};
-use time::{Duration, OffsetDateTime};
-
-pub fn generate() -> Result<(Certificate, KeyPair)> {
-    let signing_key = KeyPair::generate_for(&PKCS_RSA_SHA256)?;
-
-    let mut params = CertificateParams::default();
-    params.not_before = OffsetDateTime::now_utc();
-    params.not_after = OffsetDateTime::now_utc() + Duration::days(365);
-    params.distinguished_name = {
-        let mut dn = DistinguishedName::new();
-        dn.push(DnType::OrganizationName, "authentik");
-        dn.push(DnType::CommonName, "authentik default certificate");
-        dn
-    };
-    params.subject_alt_names = vec![SanType::DnsName("*".try_into()?)];
-    params.key_usages = vec![
-        KeyUsagePurpose::DigitalSignature,
-        KeyUsagePurpose::KeyEncipherment,
-    ];
-    params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ServerAuth];
-
-    let cert = params.self_signed(&signing_key)?;
-
-    Ok((cert, signing_key))
-}
-
-pub fn generate_certifiedkey() -> Result<CertifiedKey> {
-    let (cert, keypair) = generate()?;
-
-    let cert_der = cert.der().to_vec();
-    let key_der = keypair.serialize_der();
-
-    let private_key =
-        PrivateKeyDer::try_from(key_der).map_err(|_| rcgen::Error::CouldNotParseKeyPair)?;
-    let signing_key =
-        any_supported_type(&private_key).map_err(|_| rcgen::Error::CouldNotParseKeyPair)?;
-
-    Ok(CertifiedKey::new(
-        vec![CertificateDer::from(cert_der)],
-        signing_key,
-    ))
-}

packages/ak-common/src/tls/store.rs

@@ -1,92 +0,0 @@
-use std::{collections::HashMap, sync::Arc};
-
-use ak_client::apis::{
-    configuration::Configuration,
-    crypto_api::{
-        crypto_certificatekeypairs_retrieve, crypto_certificatekeypairs_view_certificate_retrieve,
-        crypto_certificatekeypairs_view_private_key_retrieve,
-    },
-};
-use eyre::{Report, Result};
-use futures::FutureExt as _;
-use rustls::{
-    crypto::CryptoProvider,
-    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject as _},
-    sign::CertifiedKey,
-};
-use tokio::sync::Mutex;
-use uuid::Uuid;
-
-#[derive(Debug)]
-pub struct Certificate {
-    pub fingerprint: String,
-
-    pub certificate: String,
-    pub key: String,
-
-    pub certified_key: Arc<CertifiedKey>,
-}
-
-#[derive(Clone, Debug, Default)]
-pub struct CertificateStore {
-    certificates: Arc<Mutex<HashMap<Uuid, Arc<Certificate>>>>,
-}
-
-impl CertificateStore {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub async fn ensure_keypair(
-        &self,
-        api_config: &Configuration,
-        kp_uuid: Uuid,
-    ) -> Result<Arc<Certificate>> {
-        let kp_uuid_s = kp_uuid.to_string();
-
-        let fingerprint = crypto_certificatekeypairs_retrieve(api_config, &kp_uuid_s)
-            .await?
-            .fingerprint_sha256;
-
-        if let Some(certificate) = self.certificates.lock().await.get(&kp_uuid)
-            && let Some(fingerprint) = &fingerprint
-            && &certificate.fingerprint == fingerprint
-        {
-            return Ok(Arc::clone(certificate));
-        }
-
-        let (cert, key) = tokio::try_join!(
-            crypto_certificatekeypairs_view_certificate_retrieve(api_config, &kp_uuid_s, None,)
-                .map(|res| res.map_err(Report::from)),
-            crypto_certificatekeypairs_view_private_key_retrieve(api_config, &kp_uuid_s, None,)
-                .map(|res| res.map_err(Report::from)),
-        )?;
-
-        let certified_key = {
-            let cert_chain = CertificateDer::pem_reader_iter(cert.data.as_bytes())
-                .collect::<Result<Vec<_>, _>>()?;
-            let key_der = PrivateKeyDer::from_pem_reader(key.data.as_bytes())?;
-            let provider = CryptoProvider::get_default().expect("no rustls provider installed");
-            Arc::new(CertifiedKey::new(
-                cert_chain,
-                provider.key_provider.load_private_key(key_der)?,
-            ))
-        };
-
-        let cert = Arc::new(Certificate {
-            fingerprint: fingerprint.unwrap_or_default(),
-            certificate: cert.data,
-            key: key.data,
-            certified_key,
-        });
-
-        if !cert.fingerprint.is_empty() {
-            self.certificates
-                .lock()
-                .await
-                .insert(kp_uuid, Arc::clone(&cert));
-        }
-
-        Ok(cert)
-    }
-}

packages/ak-common/src/tracing.rs

@@ -30,12 +30,12 @@ pub fn install() -> Result<()> {
     }
 
     if config.debug {
-        // let console_layer = console_subscriber::ConsoleLayer::builder()
-        //     .server_addr(config.listen.debug_tokio)
-        //     .spawn();
+        let console_layer = console_subscriber::ConsoleLayer::builder()
+            .server_addr(config.listen.debug_tokio)
+            .spawn();
         tracing_subscriber::registry()
             .with(ErrorLayer::default())
-            // .with(console_layer)
+            .with(console_layer)
             .with(
                 fmt::layer()
                     .compact()
@@ -187,10 +187,13 @@ pub mod sentry {
             environment: config.environment,
             send_pii: config.send_pii,
             #[expect(
-                clippy::as_conversions,
                 clippy::cast_possible_truncation,
                 reason = "This is fine, we'll never get big values here."
             )]
+            #[expect(
+                clippy::as_conversions,
+                reason = "This is fine, we'll never get big values here."
+            )]
             sample_rate: config.traces_sample_rate as f32,
         })
     }

packages/client-ts/src/models/ExpiringBaseGrantModel.ts

@@ -12,8 +12,8 @@
  * Do not edit the class manually.
  */
 
-import type { Provider } from "./Provider";
-import { ProviderFromJSON, ProviderToJSON } from "./Provider";
+import type { OAuth2Provider } from "./OAuth2Provider";
+import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";
 
@@ -31,10 +31,10 @@ export interface ExpiringBaseGrantModel {
     readonly pk: number;
     /**
      *
-     * @type {Provider}
+     * @type {OAuth2Provider}
      * @memberof ExpiringBaseGrantModel
      */
-    provider: Provider;
+    provider: OAuth2Provider;
     /**
      *
      * @type {User}
@@ -86,7 +86,7 @@ export function ExpiringBaseGrantModelFromJSONTyped(
     }
     return {
         pk: json["pk"],
-        provider: ProviderFromJSON(json["provider"]),
+        provider: OAuth2ProviderFromJSON(json["provider"]),
         user: UserFromJSON(json["user"]),
         isExpired: json["is_expired"],
         expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -107,7 +107,7 @@ export function ExpiringBaseGrantModelToJSONTyped(
     }
 
     return {
-        provider: ProviderToJSON(value["provider"]),
+        provider: OAuth2ProviderToJSON(value["provider"]),
         user: UserToJSON(value["user"]),
         expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
         scope: value["scope"],

packages/client-ts/src/models/SAMLProvider.ts

@@ -266,18 +266,6 @@ export interface SAMLProvider {
      * @memberof SAMLProvider
      */
     readonly urlIssuer: string;
-    /**
-     * Get unified SAML endpoint URL (handles SSO and SLO)
-     * @type {string}
-     * @memberof SAMLProvider
-     */
-    readonly urlUnified: string;
-    /**
-     * Get IdP-initiated SAML URL
-     * @type {string}
-     * @memberof SAMLProvider
-     */
-    readonly urlUnifiedInit: string;
     /**
      * Get SSO Post URL
      * @type {string}
@@ -340,8 +328,6 @@ export function instanceOfSAMLProvider(value: object): value is SAMLProvider {
     if (!("urlDownloadMetadata" in value) || value["urlDownloadMetadata"] === undefined)
         return false;
     if (!("urlIssuer" in value) || value["urlIssuer"] === undefined) return false;
-    if (!("urlUnified" in value) || value["urlUnified"] === undefined) return false;
-    if (!("urlUnifiedInit" in value) || value["urlUnifiedInit"] === undefined) return false;
     if (!("urlSsoPost" in value) || value["urlSsoPost"] === undefined) return false;
     if (!("urlSsoRedirect" in value) || value["urlSsoRedirect"] === undefined) return false;
     if (!("urlSsoInit" in value) || value["urlSsoInit"] === undefined) return false;
@@ -428,8 +414,6 @@ export function SAMLProviderFromJSONTyped(json: any, ignoreDiscriminator: boolea
                 : SAMLNameIDPolicyEnumFromJSON(json["default_name_id_policy"]),
         urlDownloadMetadata: json["url_download_metadata"],
         urlIssuer: json["url_issuer"],
-        urlUnified: json["url_unified"],
-        urlUnifiedInit: json["url_unified_init"],
         urlSsoPost: json["url_sso_post"],
         urlSsoRedirect: json["url_sso_redirect"],
         urlSsoInit: json["url_sso_init"],
@@ -456,8 +440,6 @@ export function SAMLProviderToJSONTyped(
         | "meta_model_name"
         | "url_download_metadata"
         | "url_issuer"
-        | "url_unified"
-        | "url_unified_init"
         | "url_sso_post"
         | "url_sso_redirect"
         | "url_sso_init"

packages/client-ts/src/models/TokenModel.ts

@@ -12,8 +12,8 @@
  * Do not edit the class manually.
  */
 
-import type { Provider } from "./Provider";
-import { ProviderFromJSON, ProviderToJSON } from "./Provider";
+import type { OAuth2Provider } from "./OAuth2Provider";
+import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";
 
@@ -31,10 +31,10 @@ export interface TokenModel {
     readonly pk: number;
     /**
      *
-     * @type {Provider}
+     * @type {OAuth2Provider}
      * @memberof TokenModel
      */
-    provider: Provider;
+    provider: OAuth2Provider;
     /**
      *
      * @type {User}
@@ -96,7 +96,7 @@ export function TokenModelFromJSONTyped(json: any, ignoreDiscriminator: boolean)
     }
     return {
         pk: json["pk"],
-        provider: ProviderFromJSON(json["provider"]),
+        provider: OAuth2ProviderFromJSON(json["provider"]),
         user: UserFromJSON(json["user"]),
         isExpired: json["is_expired"],
         expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -119,7 +119,7 @@ export function TokenModelToJSONTyped(
     }
 
     return {
-        provider: ProviderToJSON(value["provider"]),
+        provider: OAuth2ProviderToJSON(value["provider"]),
         user: UserToJSON(value["user"]),
         expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
         scope: value["scope"],

packages/logger-js/lib/shared.js

@@ -60,7 +60,7 @@ export const LogLevels = /** @type {Level[]} */ (Object.keys(LogLevelLabel));
 /**
  * @callback LoggerFactory
  * @param {string | null} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  */
 
@@ -207,7 +207,7 @@ export function pinoLight(options) {
  * Creates a logger with the given prefix.
  *
  * @param {string} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  *
  */

packages/logger-js/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/logger-js",
-    "version": "1.1.2",
+    "version": "1.1.1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/logger-js",
-            "version": "1.1.2",
+            "version": "1.1.1",
             "license": "MIT",
             "devDependencies": {
                 "@eslint/js": "^9.39.3",
@@ -68,7 +68,7 @@
         },
         "../tsconfig": {
             "name": "@goauthentik/tsconfig",
-            "version": "1.0.9",
+            "version": "1.0.8",
             "dev": true,
             "license": "MIT",
             "engines": {

packages/logger-js/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/logger-js",
-    "version": "1.1.2",
+    "version": "1.1.1",
     "description": "Pino-based logger for authentik",
     "license": "MIT",
     "repository": {

pyproject.toml

@@ -7,7 +7,7 @@ requires-python = "==3.14.*"
 dependencies = [
   "ak-guardian==3.2.0",
   "argon2-cffi==25.1.0",
-  "cachetools==7.1.1",
+  "cachetools==7.0.6",
   "channels==4.3.2",
   "cryptography==48.0.0",
   "dacite==1.9.2",
@@ -36,7 +36,7 @@ dependencies = [
   "fido2==2.2.0",
   "geoip2==5.2.0",
   "geopy==2.4.1",
-  "google-api-python-client==2.195.0",
+  "google-api-python-client==2.194.0",
   "gssapi==1.11.1",
   "gunicorn==25.3.0",
   "jsonpatch==1.33",
@@ -47,22 +47,22 @@ dependencies = [
   "msgraph-sdk==1.56.0",
   "opencontainers==0.0.15",
   "packaging==26.2",
-  "paramiko==5.0.0",
+  "paramiko==4.0.0",
   "psycopg[c,pool]==3.3.4",
   "pydantic-scim==0.0.8",
-  "pydantic==2.13.4",
+  "pydantic==2.13.3",
   "pyjwt==2.11.0",
   "pyrad==2.5.4",
-  "python-kadmin-rs==0.7.2",
+  "python-kadmin-rs==0.7.0",
   "pyyaml==6.0.3",
   "requests-oauthlib==2.0.0",
   "scim2-filter-parser==0.7.0",
-  "sentry-sdk==2.59.0",
+  "sentry-sdk==2.58.0",
   "service-identity==24.2.0",
   "setproctitle==1.3.7",
   "structlog==25.5.0",
   "swagger-spec-validator==3.0.4",
-  "twilio==9.10.9",
+  "twilio==9.10.5",
   "ua-parser==1.0.2",
   "unidecode==1.4.0",
   "urllib3<3",
@@ -76,7 +76,7 @@ dependencies = [
 
 [dependency-groups]
 dev = [
-  "aws-cdk-lib==2.252.0",
+  "aws-cdk-lib==2.251.0",
   "bandit==1.9.4",
   "black==26.3.1",
   "bpython==0.26",
@@ -85,7 +85,7 @@ dev = [
   "coverage[toml]==7.13.5",
   "daphne==4.2.1",
   "debugpy==1.8.20",
-  "django-stubs[compatible-mypy]==6.0.4",
+  "django-stubs[compatible-mypy]==6.0.3",
   "djangorestframework-stubs[compatible-mypy]==3.16.9",
   "drf-jsonschema-serializer==3.0.0",
   "freezegun==1.5.5",
@@ -107,7 +107,7 @@ dev = [
   "types-docker==7.1.0.20260409",
   "types-jwcrypto==1.5.7.20260409",
   "types-ldap3==2.9.13.20260408",
-  "types-requests==2.33.0.20260503",
+  "types-requests==2.33.0.20260408",
   "types-zxcvbn==4.5.0.20260408",
 ]
 

schema.yml

@@ -5386,8 +5386,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5432,8 +5430,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5457,8 +5453,6 @@ paths:
           application/json:
             schema:
               $ref: '#/components/schemas/DeviceFactsRequest'
-      security:
-      - {}
       responses:
         '204':
           description: Successfully checked in
@@ -5479,8 +5473,6 @@ paths:
             schema:
               $ref: '#/components/schemas/EnrollRequest'
         required: true
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -39086,7 +39078,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/Provider'
+          $ref: '#/components/schemas/OAuth2Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:
@@ -54336,14 +54328,6 @@ components:
           type: string
           description: Get Issuer/EntityID URL
           readOnly: true
-        url_unified:
-          type: string
-          description: Get unified SAML endpoint URL (handles SSO and SLO)
-          readOnly: true
-        url_unified_init:
-          type: string
-          description: Get IdP-initiated SAML URL
-          readOnly: true
         url_sso_post:
           type: string
           description: Get SSO Post URL
@@ -54383,8 +54367,6 @@ components:
       - url_sso_init
       - url_sso_post
       - url_sso_redirect
-      - url_unified
-      - url_unified_init
       - verbose_name
       - verbose_name_plural
     SAMLProviderImportRequest:
@@ -57261,7 +57243,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/Provider'
+          $ref: '#/components/schemas/OAuth2Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:

src/main.rs

@@ -8,8 +8,6 @@ use eyre::{Result, eyre};
 use tracing::{error, info, trace};
 
 mod metrics;
-#[cfg(feature = "proxy")]
-mod outpost;
 #[cfg(feature = "core")]
 mod server;
 #[cfg(feature = "core")]
@@ -31,8 +29,6 @@ enum Command {
     Server(server::Cli),
     #[cfg(feature = "core")]
     Worker(worker::Cli),
-    #[cfg(feature = "proxy")]
-    Proxy(outpost::proxy::Cli),
 }
 
 #[derive(Debug, FromArgs, PartialEq)]
@@ -57,8 +53,6 @@ fn main() -> Result<()> {
         Command::Server(_) => Mode::set(Mode::Server)?,
         #[cfg(feature = "core")]
         Command::Worker(_) => Mode::set(Mode::Worker)?,
-        #[cfg(feature = "proxy")]
-        Command::Proxy(_) => Mode::set(Mode::Proxy)?,
     }
 
     trace!("installing error formatting");
@@ -114,10 +108,6 @@ fn main() -> Result<()> {
                     let workers = worker::start(args, &mut tasks)?;
                     metrics.workers.store(Some(workers));
                 }
-                #[cfg(feature = "proxy")]
-                Command::Proxy(args) => {
-                    outpost::start::<outpost::proxy::ProxyOutpost>(args, &mut tasks).await?;
-                }
             }
 
             let errors = tasks.run().await;

src/outpost/event.rs

@@ -1,318 +0,0 @@
-use std::{fmt::Display, sync::Arc};
-
-use ak_common::{Arbiter, Tasks, VERSION, api, arbiter, authentik_build_hash};
-use axum::http::{HeaderValue, header::AUTHORIZATION};
-use eyre::{Result, eyre};
-use futures::{SinkExt as _, StreamExt as _};
-use nix::unistd::gethostname;
-use serde::{Deserialize, Serialize};
-use serde_repr::{Deserialize_repr, Serialize_repr};
-use time::UtcDateTime;
-use tokio::{
-    signal::unix::SignalKind,
-    time::{Duration, interval, sleep},
-};
-use tokio_tungstenite::tungstenite::{Message, client::IntoClientRequest as _};
-use tracing::{debug, info, instrument, trace, warn};
-use url::Url;
-
-use crate::outpost::{Outpost, OutpostController};
-
-#[derive(Serialize_repr, Deserialize_repr, PartialEq, Debug, Clone, Copy, Eq)]
-#[repr(u8)]
-enum EventKind {
-    /// Code used to acknowledge a previous message.
-    Ack = 0,
-    /// Code used to send a healthcheck keepalive.
-    Hello = 1,
-    /// Code received to trigger a config update.
-    TriggerUpdate = 2,
-    /// Code received to trigger some provider specific function.
-    ProviderSpecific = 3,
-    /// Code received to identify the end of a session.
-    SessionEnd = 4,
-}
-
-impl Display for EventKind {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            Self::Ack => write!(f, "Ack"),
-            Self::Hello => write!(f, "Hello"),
-            Self::TriggerUpdate => write!(f, "TriggerUpdate"),
-            Self::ProviderSpecific => write!(f, "ProviderSpecific"),
-            Self::SessionEnd => write!(f, "SessionEnd"),
-        }
-    }
-}
-
-#[derive(Serialize, Deserialize)]
-struct Event {
-    instruction: EventKind,
-    args: serde_json::Value,
-}
-
-#[derive(Debug, Deserialize)]
-pub(crate) struct EventSessionEnd {
-    session_id: String,
-}
-
-fn build_ws_url(mut url: Url, outpost_pk: &str, instance_uuid: &str, attempt: u32) -> Result<Url> {
-    let ws_scheme = match url.scheme() {
-        "https" => "wss",
-        "http" => "ws",
-        other => return Err(eyre!("Unsupported scheme for WebSocket URL: {other}")),
-    };
-
-    url.set_scheme(ws_scheme)
-        .map_err(|()| eyre!("Failed to set URL scheme to {ws_scheme}"))?;
-    url.set_path(&format!("{}ws/outpost/{outpost_pk}/", url.path()));
-    url.query_pairs_mut()
-        .append_pair("instance_uuid", instance_uuid)
-        .append_pair("attempt", &attempt.to_string());
-
-    Ok(url)
-}
-
-fn hello_args(instance_uuid: &str) -> serde_json::Value {
-    let raw_hostname = gethostname().unwrap_or_default();
-    let hostname = raw_hostname.to_string_lossy();
-
-    serde_json::json!({
-        "version": VERSION,
-        "buildHash": authentik_build_hash(None),
-        "uuid": instance_uuid,
-        // TODO: rust version and AWS-LC versions
-        "hostname": hostname,
-    })
-}
-
-#[instrument(skip_all)]
-async fn handle_event<O: Outpost>(
-    controller: Arc<OutpostController>,
-    outpost: Arc<O>,
-    event: Event,
-    reload_offset: Option<Duration>,
-) -> Result<()> {
-    match event.instruction {
-        EventKind::Ack | EventKind::Hello => {}
-        EventKind::TriggerUpdate => {
-            info!("received update trigger, refreshing outpost");
-            if let Some(reload_offset) = reload_offset {
-                sleep(reload_offset).await;
-            }
-            controller.refresh().await?;
-            debug!("outpost controller has been refreshed");
-            outpost.refresh().await?;
-            debug!("outpost has been refreshed");
-            #[expect(
-                clippy::as_conversions,
-                clippy::cast_precision_loss,
-                reason = "This is fine, we'll never get big values here."
-            )]
-            controller
-                .m_last_update
-                .set(UtcDateTime::now().unix_timestamp() as f64);
-        }
-        EventKind::SessionEnd => {
-            let event: EventSessionEnd = serde_json::from_value(event.args)?;
-            outpost.end_session(event).await?;
-        }
-        #[expect(
-            clippy::unimplemented,
-            reason = "this is only relevant for the RAC provider"
-        )]
-        EventKind::ProviderSpecific => unimplemented!(),
-    }
-    Ok(())
-}
-
-async fn watch_events_inner<O: Outpost>(
-    arbiter: Arbiter,
-    controller: Arc<OutpostController>,
-    outpost: Arc<O>,
-    attempt: u32,
-) -> Result<()> {
-    let server_config = api::ServerConfig::new()?;
-    let ws_url = build_ws_url(
-        server_config.host,
-        &controller.outpost.load().pk.to_string(),
-        &controller.instance_uuid.to_string(),
-        attempt,
-    )?;
-
-    debug!(url = %ws_url, "connecting to websocket");
-    let mut request = ws_url.into_client_request()?;
-    let token = controller
-        .api_config
-        .bearer_access_token
-        .as_deref()
-        .unwrap_or("");
-    request.headers_mut().insert(
-        AUTHORIZATION,
-        HeaderValue::from_str(&format!("Bearer {token}"))?,
-    );
-
-    let (ws_stream, _response) = tokio_tungstenite::connect_async(request).await?;
-    let (mut ws_write, mut ws_read) = ws_stream.split();
-
-    info!(
-        outpost = %controller.outpost.load().pk,
-        "connected to websocket"
-    );
-    controller.m_connection.set(1_u8);
-
-    let get_refresh_interval = || {
-        let mut interval = controller.outpost.load().refresh_interval_s;
-        // Ensure timer interval is not negative or 0.
-        // If it is, we default to 5 minutes.
-        if interval <= 0_i32 {
-            interval = 60_i32 * 5_i32;
-        }
-        // Clamp interval to be at least 30 seconds.
-        if interval < 30_i32 {
-            interval = 30_i32;
-        }
-        // infallible because we bound it to be positive above
-        Duration::from_secs(interval.try_into().expect("infallible"))
-    };
-    let mut refresh_interval = interval(get_refresh_interval());
-    let mut heartbeat_interval = interval(Duration::from_secs(10));
-
-    let mut events_rx = arbiter.events_subscribe();
-
-    loop {
-        tokio::select! {
-            _ = refresh_interval.tick() => {
-                info!("refreshing outpost on interval");
-                if let Err(err) = handle_event(
-                    Arc::clone(&controller),
-                    Arc::clone(&outpost),
-                    Event {
-                        instruction: EventKind::TriggerUpdate,
-                        args: serde_json::Value::Null
-                    },
-                    None,
-                ).await {
-                    warn!(?err, "failed to refresh");
-                }
-                refresh_interval = interval(get_refresh_interval());
-                // Since we re-create the interval, we need to make it tick instantly to avoid
-                // ending up in a never-ending tick-loop.
-                refresh_interval.tick().await;
-            },
-            _ = heartbeat_interval.tick() => {
-                let ping = Event {
-                    instruction: EventKind::Hello,
-                    args: hello_args(&controller.instance_uuid.to_string()),
-                };
-                ws_write.send(Message::text(serde_json::to_string(&ping)?)).await?;
-                trace!("sent websocket hello (heartbeat)");
-            },
-            Ok(arbiter::Event::Signal(signal)) = events_rx.recv() => {
-                if signal == SignalKind::user_defined1() {
-                    info!("refreshing outpost on signal");
-                    if let Err(err) = handle_event(
-                        Arc::clone(&controller),
-                        Arc::clone(&outpost),
-                        Event {
-                            instruction: EventKind::TriggerUpdate,
-                            args: serde_json::Value::Null
-                        },
-                        None,
-                    ).await {
-                        warn!(?err, "failed to refresh");
-                    }
-                }
-            },
-            msg = ws_read.next() => {
-                let Some(msg) = msg else {
-                    break;
-                };
-                let msg = msg?;
-                match msg {
-                    Message::Text(text) => {
-                        let Ok(event): Result<Event, _> = serde_json::from_str(&text) else {
-                            warn!(data = text.as_str(), "failed to parse event");
-                            continue;
-                        };
-                        trace!(event = %event.instruction, "received websocket event");
-                        if let Err(err) = handle_event(
-                            Arc::clone(&controller),
-                            Arc::clone(&outpost),
-                            event,
-                            Some(controller.reload_offset),
-                        ).await {
-                            warn!(?err, "failed to handle event");
-                        }
-                    },
-                    Message::Ping(data) => {
-                        ws_write.send(Message::Pong(data)).await?;
-                    },
-                    Message::Close(_) => {
-                        break;
-                    },
-                    _ => {},
-                }
-            },
-            () = arbiter.shutdown() => break,
-        }
-    }
-
-    Ok(())
-}
-
-async fn watch_events<O: Outpost>(
-    arbiter: Arbiter,
-    controller: Arc<OutpostController>,
-    outpost: Arc<O>,
-) -> Result<()> {
-    const MAX_BACKOFF: Duration = Duration::from_mins(5);
-    let mut backoff = Duration::from_secs(1);
-    let mut attempt: u32 = 0;
-
-    loop {
-        tokio::select! {
-            () = arbiter.shutdown() => break,
-            res = watch_events_inner(
-                arbiter.clone(),
-                Arc::clone(&controller),
-                Arc::clone(&outpost),
-                attempt
-            ) => {
-                controller.m_connection.set(0_u8);
-                match res {
-                    Ok(()) => debug!("websocket disconnected cleanly"),
-                    Err(err) => warn!(?err, attempt, "websocket error"),
-                }
-
-                info!(attempt, delay = backoff.as_secs(), "reconnecting websocket in {}s...", backoff.as_secs());
-
-                tokio::select! {
-                    () = arbiter.shutdown() => break,
-                    () = sleep(backoff) => {}
-                }
-
-                backoff = (backoff * 2).min(MAX_BACKOFF);
-                attempt += 1;
-            }
-        }
-    }
-
-    info!("stopping event watcher");
-
-    Ok(())
-}
-
-pub(crate) fn start<O: Outpost + 'static>(
-    tasks: &mut Tasks,
-    controller: Arc<OutpostController>,
-    outpost: Arc<O>,
-) -> Result<()> {
-    let arbiter = tasks.arbiter();
-    tasks
-        .build_task()
-        .name(&format!("{}::watch_events", module_path!()))
-        .spawn(watch_events(arbiter, controller, outpost))?;
-
-    Ok(())
-}

src/outpost/mod.rs

@@ -1,123 +0,0 @@
-use std::{sync::Arc, time::Duration};
-
-use ak_client::{
-    apis::{configuration::Configuration, outposts_api::outposts_instances_list},
-    models::Outpost as OutpostModel,
-};
-use ak_common::{Tasks, VERSION, api, authentik_build_hash};
-use arc_swap::ArcSwap;
-use eyre::{Result, eyre};
-use tracing::{debug, info, instrument};
-use uuid::Uuid;
-
-pub(crate) mod event;
-#[cfg(feature = "proxy")]
-pub(crate) mod proxy;
-
-pub(crate) trait Outpost: Send + Sync + Sized {
-    const OUTPOST_TYPE: &'static str;
-    type Cli: Send + Sync;
-
-    async fn new(controller: Arc<OutpostController>) -> Result<Self>;
-
-    fn start(self: Arc<Self>, tasks: &mut Tasks) -> Result<()>;
-    fn refresh(&self) -> impl Future<Output = Result<()>> + Send;
-
-    fn end_session(&self, event: event::EventSessionEnd)
-    -> impl Future<Output = Result<()>> + Send;
-}
-
-#[derive(Debug)]
-pub(crate) struct OutpostController {
-    api_config: Configuration,
-    outpost: ArcSwap<OutpostModel>,
-    instance_uuid: Uuid,
-    reload_offset: Duration,
-    m_info: metrics::Gauge,
-    m_last_update: metrics::Gauge,
-    m_connection: metrics::Gauge,
-}
-
-impl OutpostController {
-    #[instrument(skip_all)]
-    async fn get_outpost(api_config: &Configuration) -> Result<OutpostModel> {
-        let outposts = outposts_instances_list(
-            api_config, None, None, None, None, None, None, None, None, None, None, None, None,
-        )
-        .await?;
-
-        let Some(outpost) = outposts.results.into_iter().next() else {
-            return Err(eyre!(
-                "No outposts found with given token, ensure the given token corresponds to an \
-                 authentik Outpost"
-            ));
-        };
-        debug!(name = outpost.name, "fetched outpost configuration");
-
-        Ok(outpost)
-    }
-
-    #[instrument(skip_all)]
-    async fn new<O: Outpost>() -> Result<Self> {
-        let api_config = api::make_config()?;
-        let outpost = Self::get_outpost(&api_config).await?;
-        let instance_uuid = Uuid::new_v4();
-
-        let m_labels = [
-            ("outpost_name", outpost.name.clone()),
-            ("outpost_type", O::OUTPOST_TYPE.to_owned()),
-            ("uuid", instance_uuid.to_string()),
-            ("version", VERSION.to_owned()),
-            ("build", authentik_build_hash(None)),
-        ];
-        metrics::describe_gauge!("authentik_outpost_info", "Outpost info");
-        let m_info = metrics::gauge!("authentik_outpost_info", &m_labels);
-        metrics::describe_gauge!("authentik_outpost_last_update", "Time of last update");
-        let m_last_update = metrics::gauge!("authentik_outpost_last_update", &m_labels);
-        metrics::describe_gauge!("authentik_outpost_connection", "Connection status");
-        let m_connection = metrics::gauge!("authentik_outpost_connection", &m_labels);
-
-        let reload_offset = Duration::from_secs(rand::random_range(0..10));
-        let controller = Self {
-            api_config,
-            outpost: ArcSwap::from_pointee(outpost),
-            instance_uuid,
-            reload_offset,
-            m_info,
-            m_last_update,
-            m_connection,
-        };
-
-        info!(embedded = controller.is_embedded(), "outpost mode");
-        debug!(?reload_offset, "HA Reload offset");
-
-        Ok(controller)
-    }
-
-    fn is_embedded(&self) -> bool {
-        self.outpost
-            .load()
-            .managed
-            .as_ref()
-            .and_then(|m| m.as_deref())
-            .is_some_and(|m| m == "goauthentik.io/outposts/embedded")
-    }
-
-    async fn refresh(&self) -> Result<()> {
-        let outpost = Self::get_outpost(&self.api_config).await?;
-        self.outpost.swap(Arc::new(outpost));
-        Ok(())
-    }
-}
-
-#[instrument(skip_all)]
-pub(crate) async fn start<O: Outpost + 'static>(_cli: O::Cli, tasks: &mut Tasks) -> Result<()> {
-    let controller = Arc::new(OutpostController::new::<O>().await?);
-    let outpost = Arc::new(O::new(Arc::clone(&controller)).await?);
-
-    event::start(tasks, Arc::clone(&controller), Arc::clone(&outpost))?;
-    outpost.start(tasks)?;
-    controller.m_info.set(1_u8);
-
-    Ok(())
-}

src/outpost/proxy/application.rs

@@ -1,61 +0,0 @@
-use std::sync::Arc;
-
-use ak_client::models::ProxyOutpostConfig;
-use ak_common::tls::store::Certificate;
-use axum::Router;
-use eyre::{Result, eyre};
-use tracing::instrument;
-use url::Url;
-
-use crate::outpost::proxy::ProxyOutpost;
-
-const _REDIRECT_PARAM: &str = "rd";
-const CALLBACK_SIGNATURE: &str = "X-authentik-auth-callback";
-const _LOGOUT_SIGNATURE: &str = "X-authentik-logout";
-
-#[derive(Debug)]
-pub(super) struct Application {
-    pub(super) host: String,
-    pub(super) provider: ProxyOutpostConfig,
-    pub(super) router: Router,
-    pub(super) cert: Option<Arc<Certificate>>,
-}
-
-impl Application {
-    #[instrument(skip_all)]
-    pub(super) async fn new(outpost: &ProxyOutpost, provider: ProxyOutpostConfig) -> Result<Self> {
-        let external_url = Url::parse(&provider.external_host)?;
-        if !external_url.has_authority() {
-            return Err(eyre!("no host in external host"));
-        }
-        let external_host = external_url.authority();
-
-        let _old_app = outpost.apps.load().get(external_host);
-
-        let cert = if let Some(Some(kp_uuid)) = provider.certificate {
-            Some(
-                outpost
-                    .certificate_store
-                    .ensure_keypair(&outpost.controller.api_config, kp_uuid)
-                    .await?,
-            )
-        } else {
-            None
-        };
-
-        let _redirect_url = {
-            let mut redirect_url = external_url.join("outpost.goauthentik.io/callback")?;
-            redirect_url.set_query(Some(&format!("{CALLBACK_SIGNATURE}=true")));
-            redirect_url
-        };
-
-        let router = Router::new();
-
-        Ok(Self {
-            host: external_host.to_owned(),
-            provider,
-            router,
-            cert,
-        })
-    }
-}

src/outpost/proxy/handlers.rs

@@ -1,87 +0,0 @@
-use std::sync::Arc;
-
-use ak_axum::{error::Result, extract::host::Host};
-use axum::{
-    extract::{Request, State},
-    http::{Method, StatusCode, header::CONTENT_TYPE},
-    response::{IntoResponse as _, Response},
-};
-use metrics::histogram;
-use serde_json::json;
-use tokio::time::Instant;
-use tower::util::ServiceExt as _;
-use tracing::{Instrument as _, debug, field, info_span, instrument, trace, warn};
-
-use crate::outpost::proxy::ProxyOutpost;
-
-#[instrument(skip_all)]
-pub(super) async fn handle_ping(
-    method: Method,
-    Host(host): Host,
-    State(outpost): State<Arc<ProxyOutpost>>,
-) -> Response {
-    let start = Instant::now();
-    histogram!(
-        "authentik_outpost_proxy_request_duration_seconds",
-        "outpost_name" => outpost.controller.outpost.load().name.clone(),
-        "method" => method.to_string(),
-        "host" => host,
-        "type" => "ping",
-    )
-    .record(start.elapsed().as_secs_f64());
-    StatusCode::NO_CONTENT.into_response()
-}
-
-#[instrument(skip_all)]
-pub(super) async fn default(
-    method: Method,
-    Host(host): Host,
-    State(outpost): State<Arc<ProxyOutpost>>,
-    request: Request,
-) -> Result<Response> {
-    let span = info_span!("proxy outpost request", user = field::Empty);
-    let start = Instant::now();
-
-    let app = outpost.lookup_app(&host).or_else(|| {
-        // If we only have a single app, host name switching doesn't matter.
-        let apps = outpost.apps.load();
-        if apps.len() == 1
-            && let Some(app) = apps.values().next()
-        {
-            debug!(app = app.provider.name, "found a single app, using it");
-            return Some(Arc::clone(app));
-        }
-        None
-    });
-    let Some(app) = app else {
-        trace!(headers = ?request.headers(), "tracing headers for no hostname match");
-        warn!("no app for hostname");
-        return Ok(Response::builder()
-            .status(StatusCode::BAD_REQUEST)
-            .header(CONTENT_TYPE, "application/json")
-            .body(
-                json!({
-                    "message": "no app for hostname",
-                    "host": host,
-                    "detail": format!("check the outpost settings and make sure '{host}' is included."),
-                })
-                .to_string()
-                .into(),
-            )
-            .expect("infallible"));
-    };
-
-    trace!("passing to application");
-    let response = app.router.clone().oneshot(request).instrument(span).await?;
-
-    histogram!(
-        "authentik_outpost_proxy_request_duration_seconds",
-        "outpost_name" => outpost.controller.outpost.load().name.clone(),
-        "method" => method.to_string(),
-        "host" => host,
-        "type" => "app",
-    )
-    .record(start.elapsed().as_secs_f64());
-
-    Ok(response)
-}

src/outpost/proxy/mod.rs

@@ -1,231 +0,0 @@
-use std::{collections::HashMap, sync::Arc};
-
-use ak_axum::router::wrap_router;
-use ak_client::{apis::outposts_api::outposts_proxy_list, models::ProxyMode};
-use ak_common::{
-    Tasks,
-    api::fetch_all,
-    config,
-    tls::{self, store::CertificateStore},
-};
-use arc_swap::ArcSwap;
-use argh::FromArgs;
-use axum::Router;
-use axum_server::tls_rustls::RustlsConfig;
-use eyre::Result;
-use rustls::{
-    ServerConfig,
-    server::{ClientHello, ResolvesServerCert},
-    sign::CertifiedKey,
-};
-use tracing::{debug, error, info, instrument, warn};
-
-use crate::outpost::{Outpost, OutpostController, proxy::application::Application};
-
-mod application;
-mod handlers;
-
-#[derive(Debug, Default, FromArgs, PartialEq, Eq)]
-/// Run the authentik proxy outpost.
-#[argh(subcommand, name = "proxy")]
-#[expect(
-    clippy::empty_structs_with_brackets,
-    reason = "argh doesn't support unit structs"
-)]
-pub(crate) struct Cli {}
-
-#[derive(Debug)]
-pub(crate) struct ProxyOutpost {
-    controller: Arc<OutpostController>,
-    apps: ArcSwap<HashMap<String, Arc<Application>>>,
-    certificate_store: CertificateStore,
-    default_cert: Arc<CertifiedKey>,
-}
-
-impl Outpost for ProxyOutpost {
-    type Cli = Cli;
-
-    const OUTPOST_TYPE: &'static str = "proxy";
-
-    #[instrument(skip_all)]
-    async fn new(controller: Arc<OutpostController>) -> Result<Self> {
-        Ok(Self {
-            controller,
-            apps: ArcSwap::from_pointee(HashMap::with_capacity(0)),
-            certificate_store: CertificateStore::new(),
-            default_cert: Arc::new(tls::self_signed::generate_certifiedkey()?),
-        })
-    }
-
-    fn start(self: Arc<Self>, tasks: &mut Tasks) -> Result<()> {
-        let router = build_router(Arc::clone(&self));
-
-        for addr in config::get().listen.http.iter().copied() {
-            ak_axum::server::start_plain(tasks, "proxy-outpost", router.clone(), addr)?;
-        }
-
-        for addr in config::get().listen.https.iter().copied() {
-            let resolver = Arc::clone(&self);
-            let server_config = ServerConfig::builder()
-                .with_no_client_auth()
-                .with_cert_resolver(resolver);
-            let rustls_config = RustlsConfig::from_config(Arc::new(server_config));
-            ak_axum::server::start_tls(
-                tasks,
-                "proxy-outpost",
-                router.clone(),
-                addr,
-                rustls_config,
-            )?;
-        }
-
-        Ok(())
-    }
-
-    #[instrument(skip_all)]
-    async fn refresh(&self) -> Result<()> {
-        debug!(
-            outpost_pk = %self.controller.outpost.load().pk,
-            "requesting providers for outpost"
-        );
-
-        let providers = fetch_all(
-            |page| {
-                outposts_proxy_list(
-                    &self.controller.api_config,
-                    None,
-                    None,
-                    Some(page),
-                    Some(100_i32),
-                    None,
-                )
-            },
-            |r| &r.pagination,
-            |r| r.results,
-        )
-        .await
-        .inspect_err(|err| error!(?err, "failed to fetch providers"))?;
-        debug!(count = providers.len(), "fetched providers");
-
-        if providers.is_empty() && !self.controller.is_embedded() {
-            warn!(
-                "no providers assigned to this outpost, check outpost configuration in authentik"
-            );
-        }
-
-        for (i, provider) in providers.iter().enumerate() {
-            debug!(
-                index = i,
-                name = provider.name,
-                external_host = provider.external_host,
-                assigned_to_app = provider.assigned_application_name,
-                "provider details"
-            );
-        }
-
-        let mut apps = HashMap::with_capacity(providers.len());
-
-        for provider in providers {
-            let name = provider.name.clone();
-            let Ok(application) = Application::new(self, provider)
-                .await
-                .inspect_err(|err| warn!(?err, "failed to setup application, skipping provider"))
-            else {
-                continue;
-            };
-            info!(name, host = application.host, "loaded application");
-
-            apps.insert(application.host.clone(), Arc::new(application));
-        }
-
-        self.apps.store(Arc::new(apps));
-
-        Ok(())
-    }
-
-    async fn end_session(&self, _event: super::event::EventSessionEnd) -> Result<()> {
-        // todo!()
-        warn!(?_event, "removing session");
-        Ok(())
-    }
-}
-
-impl ResolvesServerCert for ProxyOutpost {
-    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
-        if let Some(server_name) = client_hello.server_name()
-            && let Some(app) = self.apps.load().get(server_name)
-            && let Some(cert) = &app.cert
-        {
-            return Some(Arc::clone(&cert.certified_key));
-        }
-        Some(Arc::clone(&self.default_cert))
-    }
-
-    fn only_raw_public_keys(&self) -> bool {
-        false
-    }
-}
-
-impl ProxyOutpost {
-    #[instrument(skip(self))]
-    fn lookup_app(&self, host: &str) -> Option<Arc<Application>> {
-        let apps = self.apps.load();
-
-        if apps.is_empty() {
-            return None;
-        }
-
-        if let Some(app) = apps.get(host) {
-            debug!(app = app.provider.name, "found app based direct host match");
-            return Some(Arc::clone(app));
-        }
-
-        // For forward_auth_domain, we don't have a direct app to domain relationship.
-        // Check through all apps, and check how much of their cookie domain matches the host.
-        // Return the application that has the longest match.
-        let mut longest_match = None;
-        let mut longest_len = 0_usize;
-
-        for app in apps.values() {
-            if app.provider.mode != Some(ProxyMode::ForwardDomain) {
-                continue;
-            }
-
-            if let Some(cookie_domain) = app.provider.cookie_domain.as_deref() {
-                // Check if the cookie domain has a leading period for a wildcard.
-                // This will decrease the weight of a wildcard domain, but a request to example.com
-                // with the cookie domain set to example.com will still be routed correctly.
-                let domain = cookie_domain.trim_start_matches('.');
-
-                if host.ends_with(domain) && domain.len() > longest_len {
-                    longest_len = domain.len();
-                    longest_match = Some(Arc::clone(app));
-                }
-                // For forward_auth_domain, we need to response on the external domain too.
-                if app.provider.external_host == host {
-                    debug!(app = app.provider.name, "found app based on external_host");
-                    return Some(Arc::clone(app));
-                }
-            }
-        }
-
-        if let Some(app) = &longest_match {
-            debug!(app = app.provider.name, "found app based on cookie domain");
-        }
-
-        longest_match
-    }
-}
-
-fn build_router(outpost: Arc<ProxyOutpost>) -> Router {
-    wrap_router(
-        Router::new()
-            .nest(
-                "/outpost.goauthentik.io/ping",
-                Router::new().fallback(handlers::handle_ping),
-            )
-            .fallback(handlers::default)
-            .with_state(outpost),
-        true,
-    )
-}

tests/openid_conformance/base.py

@@ -63,7 +63,10 @@ class TestOpenIDConformance(SSLLiveMixin, SeleniumTestCase):
         }
 
     def run_test(
-        self, test_name: str, test_plan_config: dict[str, Any], test_variant: dict[str, Any]
+        self,
+        test_name: str,
+        test_plan_config: dict[str, Any],
+        test_variant: dict[str, Any] | None = None,
     ):
         self.conformance = Conformance(f"https://{self.host}:8443/", None, verify_ssl=False)
 
@@ -82,7 +85,14 @@ class TestOpenIDConformance(SSLLiveMixin, SeleniumTestCase):
             )
             module_id = module_instance["id"]
             self.run_single_test(module_id)
-            self.conformance.wait_for_state(module_id, ["FINISHED"], timeout=self.wait_timeout)
+            module = self.conformance.wait_for_state(
+                module_id, ["FINISHED"], timeout=self.wait_timeout
+            )
+            self.assertIn(
+                module["result"],
+                ["PASSED", "SKIPPED", "WARNING"],
+                f"Module {module['testName']} did not finish with expected status.",
+            )
             sleep(2)
         self.conformance.export_html(plan_id, Path(__file__).parent / "exports")
 

tests/openid_conformance/conformance.py

@@ -205,7 +205,7 @@ class Conformance:
             info = self.get_module_info(module_id)
             status: str | None = info.get("status")
             if status in required_states:
-                return status
+                return info
             if status == "INTERRUPTED":
                 raise ConformanceException(f"Test module {module_id} has moved to INTERRUPTED")
             sleep(1)

tests/openid_conformance/test_oidc_config.py

@@ -0,0 +1,29 @@
+from authentik.providers.oauth2.models import IssuerMode, OAuth2Provider
+from tests.decorators import retry
+from tests.live import SSLLiveMixin
+from tests.openid_conformance.base import TestOpenIDConformance
+
+
+class TestOpenIDConformanceConfig(TestOpenIDConformance, SSLLiveMixin):
+
+    def setUp(self):
+        super().setUp()
+        OAuth2Provider.objects.filter(name__startswith="oidc-conformance-").update(
+            issuer_mode=IssuerMode.PER_PROVIDER
+        )
+
+    @retry()
+    def test_oidcc_config_certification_test_plan(self):
+        self.run_test(
+            "oidcc-config-certification-test-plan",
+            {
+                "alias": "authentik",
+                "description": "authentik",
+                "server": {
+                    "discoveryUrl": self.url(
+                        "authentik_providers_oauth2:provider-info",
+                        application_slug="oidc-conformance-1",
+                    ),
+                },
+            },
+        )

uv.lock

@@ -316,7 +316,7 @@ dev = [
 requires-dist = [
     { name = "ak-guardian", editable = "packages/ak-guardian" },
     { name = "argon2-cffi", specifier = "==25.1.0" },
-    { name = "cachetools", specifier = "==7.1.1" },
+    { name = "cachetools", specifier = "==7.0.6" },
     { name = "channels", specifier = "==4.3.2" },
     { name = "cryptography", specifier = "==48.0.0" },
     { name = "dacite", specifier = "==1.9.2" },
@@ -345,7 +345,7 @@ requires-dist = [
     { name = "fido2", specifier = "==2.2.0" },
     { name = "geoip2", specifier = "==5.2.0" },
     { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.195.0" },
+    { name = "google-api-python-client", specifier = "==2.194.0" },
     { name = "gssapi", specifier = "==1.11.1" },
     { name = "gunicorn", specifier = "==25.3.0" },
     { name = "jsonpatch", specifier = "==1.33" },
@@ -356,22 +356,22 @@ requires-dist = [
     { name = "msgraph-sdk", specifier = "==1.56.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==26.2" },
-    { name = "paramiko", specifier = "==5.0.0" },
+    { name = "paramiko", specifier = "==4.0.0" },
     { name = "psycopg", extras = ["c", "pool"], specifier = "==3.3.4" },
-    { name = "pydantic", specifier = "==2.13.4" },
+    { name = "pydantic", specifier = "==2.13.3" },
     { name = "pydantic-scim", specifier = "==0.0.8" },
     { name = "pyjwt", specifier = "==2.11.0" },
     { name = "pyrad", specifier = "==2.5.4" },
-    { name = "python-kadmin-rs", specifier = "==0.7.2" },
+    { name = "python-kadmin-rs", specifier = "==0.7.0" },
     { name = "pyyaml", specifier = "==6.0.3" },
     { name = "requests-oauthlib", specifier = "==2.0.0" },
     { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.59.0" },
+    { name = "sentry-sdk", specifier = "==2.58.0" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.7" },
     { name = "structlog", specifier = "==25.5.0" },
     { name = "swagger-spec-validator", specifier = "==3.0.4" },
-    { name = "twilio", specifier = "==9.10.9" },
+    { name = "twilio", specifier = "==9.10.5" },
     { name = "ua-parser", specifier = "==1.0.2" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
@@ -385,7 +385,7 @@ requires-dist = [
 
 [package.metadata.requires-dev]
 dev = [
-    { name = "aws-cdk-lib", specifier = "==2.252.0" },
+    { name = "aws-cdk-lib", specifier = "==2.251.0" },
     { name = "bandit", specifier = "==1.9.4" },
     { name = "black", specifier = "==26.3.1" },
     { name = "bpython", specifier = "==0.26" },
@@ -394,7 +394,7 @@ dev = [
     { name = "coverage", extras = ["toml"], specifier = "==7.13.5" },
     { name = "daphne", specifier = "==4.2.1" },
     { name = "debugpy", specifier = "==1.8.20" },
-    { name = "django-stubs", extras = ["compatible-mypy"], specifier = "==6.0.4" },
+    { name = "django-stubs", extras = ["compatible-mypy"], specifier = "==6.0.3" },
     { name = "djangorestframework-stubs", extras = ["compatible-mypy"], specifier = "==3.16.9" },
     { name = "drf-jsonschema-serializer", specifier = "==3.0.0" },
     { name = "freezegun", specifier = "==1.5.5" },
@@ -416,7 +416,7 @@ dev = [
     { name = "types-docker", specifier = "==7.1.0.20260409" },
     { name = "types-jwcrypto", specifier = "==1.5.7.20260409" },
     { name = "types-ldap3", specifier = "==2.9.13.20260408" },
-    { name = "types-requests", specifier = "==2.33.0.20260503" },
+    { name = "types-requests", specifier = "==2.33.0.20260408" },
     { name = "types-zxcvbn", specifier = "==4.5.0.20260408" },
 ]
 
@@ -495,7 +495,7 @@ wheels = [
 
 [[package]]
 name = "aws-cdk-lib"
-version = "2.252.0"
+version = "2.251.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aws-cdk-asset-awscli-v1" },
@@ -506,9 +506,9 @@ dependencies = [
     { name = "publication" },
     { name = "typeguard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/0b/2e/468ed756570af782831bc0518b4f187773b036342ce1b6f3d4e13e6127d8/aws_cdk_lib-2.252.0.tar.gz", hash = "sha256:2498d771ab141599c48494bd2564ee9a4fbaade54befa9356811e9454616d0a0", size = 49479070, upload-time = "2026-04-30T12:31:54.452Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b8/6c/d60d96e1848aabf1882e6a1d30a27de4a592affc9437d6918848f0e06497/aws_cdk_lib-2.251.0.tar.gz", hash = "sha256:ed69e7ea6896c62ac2ce01857083601baf541d5d875370bee6d213d641e8921e", size = 49353237, upload-time = "2026-04-24T23:21:04.805Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ae/94/32c21ad93dc21554286955fd5ebc68cb91149cc5f7f3154b07927c3fc693/aws_cdk_lib-2.252.0-py3-none-any.whl", hash = "sha256:c96d02582d344ee81ea2ef8a5e22b6e680789973804720ec9f0e95a050257db1", size = 50157828, upload-time = "2026-04-30T12:31:11.041Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/fb/ab682b518e3ca5d18b23b252832e0fade4e6617a2c0f2b0ae0d8d2e74312/aws_cdk_lib-2.251.0-py3-none-any.whl", hash = "sha256:a684f3461d096443ac688adbf559abe1af2d50dd5c8e0fa7dbf4a5f361702db8", size = 50035969, upload-time = "2026-04-24T23:20:18.952Z" },
 ]
 
 [[package]]
@@ -688,11 +688,11 @@ wheels = [
 
 [[package]]
 name = "cachetools"
-version = "7.1.1"
+version = "7.0.6"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ff/e2/85f227594656000ff4d8adadae91a21f536d4a84c6c716a86bd6685874be/cachetools-7.1.1.tar.gz", hash = "sha256:27bdf856d68fd3c71c26c01b5edc312124ed427524d1ddb31aa2b7746fe20d4b", size = 40202, upload-time = "2026-05-03T20:00:29.391Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/76/7b/1755ed2c6bfabd1d98b37ae73152f8dcf94aa40fee119d163c19ed484704/cachetools-7.0.6.tar.gz", hash = "sha256:e5d524d36d65703a87243a26ff08ad84f73352adbeafb1cde81e207b456aaf24", size = 37526, upload-time = "2026-04-20T19:02:23.289Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/bf/0f/f897abe4ea0a8c408ae65c8c83bffab4936ad65d6032d4fb4cd35bbdc3ee/cachetools-7.1.1-py3-none-any.whl", hash = "sha256:0335cd7a0952d2b22327441fb0628139e234c565559eeb91a8a4ac7551c5353d", size = 16775, upload-time = "2026-05-03T20:00:27.857Z" },
+    { url = "https://files.pythonhosted.org/packages/fe/c4/cf76242a5da1410917107ff14551764aa405a5fd10cd10cf9a5ca8fa77f4/cachetools-7.0.6-py3-none-any.whl", hash = "sha256:4e94956cfdd3086f12042cdd29318f5ced3893014f7d0d059bf3ead3f85b7f8b", size = 13976, upload-time = "2026-04-20T19:02:21.187Z" },
 ]
 
 [[package]]
@@ -1269,7 +1269,7 @@ s3 = [
 
 [[package]]
 name = "django-stubs"
-version = "6.0.4"
+version = "6.0.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "django" },
@@ -1277,9 +1277,9 @@ dependencies = [
     { name = "types-pyyaml" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/f9/82/ccf2a2dc9cdb4bd9cbe91f11e887589bf2da7609506db00ccbc73bd8a6da/django_stubs-6.0.4.tar.gz", hash = "sha256:7aee77e8de9c14c0d9cf84988befe826d93cbc15a87e0ade2943f14d553451cf", size = 280019, upload-time = "2026-05-09T21:24:30.436Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/86/0c/8d0d875af79bf774c1c3997c84aa118dba3a77be12086b9c14e130e8ec72/django_stubs-6.0.3.tar.gz", hash = "sha256:ee895f403c373608eeb50822f0733f9d9ec5ab12731d4ab58956053bb95fdd9e", size = 278214, upload-time = "2026-04-18T15:11:22.327Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ba/e7/5128914ada94dd6277626ef5a4a5680a4def7d2f9366214d26c1cd86723b/django_stubs-6.0.4-py3-none-any.whl", hash = "sha256:e991c68f77239663577a5f4fc75e99c84f867f378cafc97cbf4acc5aff378279", size = 543791, upload-time = "2026-05-09T21:24:28.218Z" },
+    { url = "https://files.pythonhosted.org/packages/80/a3/6751b7684d20fc4f228bdd3dd8341d382ab3faaf65d3d050c0d59ab0a1b0/django_stubs-6.0.3-py3-none-any.whl", hash = "sha256:5fee22bcbbad59a78c727a820b6f4e68ff442ca76a922b7002e57c25dd7cb390", size = 541570, upload-time = "2026-04-18T15:11:20.711Z" },
 ]
 
 [package.optional-dependencies]
@@ -1597,7 +1597,7 @@ wheels = [
 
 [[package]]
 name = "google-api-python-client"
-version = "2.195.0"
+version = "2.194.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "google-api-core" },
@@ -1606,9 +1606,9 @@ dependencies = [
     { name = "httplib2" },
     { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/69/07/08d759b9cb10f48af14b25262dd0d6685ca8cda6c1f9e8a8109f57457205/google_api_python_client-2.195.0.tar.gz", hash = "sha256:c72cf2661c3addf01c880ce60541e83e1df354644b874f7f9d8d5ed2070446ae", size = 14584819, upload-time = "2026-04-30T21:51:50.638Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/60/ab/e83af0eb043e4ccc49571ca7a6a49984e9d00f4e9e6e6f1238d60bc84dce/google_api_python_client-2.194.0.tar.gz", hash = "sha256:db92647bd1a90f40b79c9618461553c2b20b6a43ce7395fa6de07132dc14f023", size = 14443469, upload-time = "2026-04-08T23:07:35.757Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/21/b9/2c71095e31fff57668fec7c07ac897df065f15521d070e63229e13689590/google_api_python_client-2.195.0-py3-none-any.whl", hash = "sha256:753e62057f23049a89534bea0162b60fe391b85fb86d80bcdf884d05ec91c5bf", size = 15162418, upload-time = "2026-04-30T21:51:47.444Z" },
+    { url = "https://files.pythonhosted.org/packages/b0/34/5a624e49f179aa5b0cb87b2ce8093960299030ff40423bfbde09360eb908/google_api_python_client-2.194.0-py3-none-any.whl", hash = "sha256:61eaaac3b8fc8fdf11c08af87abc3d1342d1b37319cc1b57405f86ef7697e717", size = 15016514, upload-time = "2026-04-08T23:07:33.093Z" },
 ]
 
 [[package]]
@@ -2589,7 +2589,7 @@ wheels = [
 
 [[package]]
 name = "paramiko"
-version = "5.0.0"
+version = "4.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "bcrypt" },
@@ -2597,9 +2597,9 @@ dependencies = [
     { name = "invoke" },
     { name = "pynacl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/62/93/dcc25d52f49022ae6175d15e6bd751f1acc99b98bc61fc55e5155a7be2e7/paramiko-5.0.0.tar.gz", hash = "sha256:36763b5b95c2a0dcfdf1abc48e48156ee425b21efe2f0e787c2dd5a95c0e5e79", size = 1548586, upload-time = "2026-05-09T18:28:52.256Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1f/e7/81fdcbc7f190cdb058cffc9431587eb289833bdd633e2002455ca9bb13d4/paramiko-4.0.0.tar.gz", hash = "sha256:6a25f07b380cc9c9a88d2b920ad37167ac4667f8d9886ccebd8f90f654b5d69f", size = 1630743, upload-time = "2025-08-04T01:02:03.711Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/82/5b/eadf6d45de38d30ab603f49393b6cd2cbe7e233af8cf90197e32782b68a9/paramiko-5.0.0-py3-none-any.whl", hash = "sha256:b7044611c30140d9a75261653210e2002977b71a0497ff3ba0d98d7edbf62f7c", size = 208919, upload-time = "2026-05-09T18:28:50.295Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/90/a744336f5af32c433bd09af7854599682a383b37cfd78f7de263de6ad6cb/paramiko-4.0.0-py3-none-any.whl", hash = "sha256:0e20e00ac666503bf0b4eda3b6d833465a2b7aff2e2b3d79a8bba5ef144ee3b9", size = 223932, upload-time = "2025-08-04T01:02:02.029Z" },
 ]
 
 [[package]]
@@ -2813,7 +2813,7 @@ wheels = [
 
 [[package]]
 name = "pydantic"
-version = "2.13.4"
+version = "2.13.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "annotated-types" },
@@ -2821,9 +2821,9 @@ dependencies = [
     { name = "typing-extensions" },
     { name = "typing-inspection" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/18/a5/b60d21ac674192f8ab0ba4e9fd860690f9b4a6e51ca5df118733b487d8d6/pydantic-2.13.4.tar.gz", hash = "sha256:c40756b57adaa8b1efeeced5c196f3f3b7c435f90e84ea7f443901bec8099ef6", size = 844775, upload-time = "2026-05-06T13:43:05.343Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d9/e4/40d09941a2cebcb20609b86a559817d5b9291c49dd6f8c87e5feffbe703a/pydantic-2.13.3.tar.gz", hash = "sha256:af09e9d1d09f4e7fe37145c1f577e1d61ceb9a41924bf0094a36506285d0a84d", size = 844068, upload-time = "2026-04-20T14:46:43.632Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fd/7b/122376b1fd3c62c1ed9dc80c931ace4844b3c55407b6fb2d199377c9736f/pydantic-2.13.4-py3-none-any.whl", hash = "sha256:45a282cde31d808236fd7ea9d919b128653c8b38b393d1c4ab335c62924d9aba", size = 472262, upload-time = "2026-05-06T13:43:02.641Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/0a/fd7d723f8f8153418fb40cf9c940e82004fce7e987026b08a68a36dd3fe7/pydantic-2.13.3-py3-none-any.whl", hash = "sha256:6db14ac8dfc9a1e57f87ea2c0de670c251240f43cb0c30a5130e9720dc612927", size = 471981, upload-time = "2026-04-20T14:46:41.402Z" },
 ]
 
 [package.optional-dependencies]
@@ -2833,43 +2833,43 @@ email = [
 
 [[package]]
 name = "pydantic-core"
-version = "2.46.4"
+version = "2.46.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9d/56/921726b776ace8d8f5db44c4ef961006580d91dc52b803c489fafd1aa249/pydantic_core-2.46.4.tar.gz", hash = "sha256:62f875393d7f270851f20523dd2e29f082bcc82292d66db2b64ea71f64b6e1c1", size = 471464, upload-time = "2026-05-06T13:37:06.98Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/2a/ef/f7abb56c49382a246fd2ce9c799691e3c3e7175ec74b14d99e798bcddb1a/pydantic_core-2.46.3.tar.gz", hash = "sha256:41c178f65b8c29807239d47e6050262eb6bf84eb695e41101e62e38df4a5bc2c", size = 471412, upload-time = "2026-04-20T14:40:56.672Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/8d/74/228a26ddad29c6672b805d9fd78e8d251cd04004fa7eed0e622096cd0250/pydantic_core-2.46.4-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:428e04521a40150c85216fc8b85e8d39fece235a9cf5e383761238c7fa9b96fb", size = 2102079, upload-time = "2026-05-06T13:38:41.019Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/1f/8970b150a4b4365623ae00fc88603491f763c627311ae8031e3111356d6e/pydantic_core-2.46.4-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:23ace664830ee0bfe014a0c7bc248b1f7f25ed7ad103852c317624a1083af462", size = 1952179, upload-time = "2026-05-06T13:36:59.812Z" },
-    { url = "https://files.pythonhosted.org/packages/95/30/5211a831ae054928054b2f79731661087a2bc5c01e825c672b3a4a8f1b3e/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ce5c1d2a8b27468f433ca974829c44060b8097eedc39933e3c206a90ee49c4a9", size = 1978926, upload-time = "2026-05-06T13:37:39.933Z" },
-    { url = "https://files.pythonhosted.org/packages/57/e9/689668733b1eb67adeef047db3c2e8788fcf65a7fd9c9e2b46b7744fe245/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7283d57845ecf5a163403eb0702dfc220cc4fbdd18919cb5ccea4f95ee1cdab4", size = 2046785, upload-time = "2026-05-06T13:38:01.995Z" },
-    { url = "https://files.pythonhosted.org/packages/60/d9/6715260422ff50a2109878fd24d948a6c3446bb2664f34ee78cd972b3acd/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8daafc69c93ee8a0204506a3b6b30f586ef54028f52aeeeb5c4cfc5184fd5914", size = 2228733, upload-time = "2026-05-06T13:40:50.371Z" },
-    { url = "https://files.pythonhosted.org/packages/18/ae/fdb2f64316afca925640f8e70bb1a564b0ec2721c1389e25b8eb4bf9a299/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd2213145bcc2ba85884d0ac63d222fece9209678f77b9b4d76f054c561adb28", size = 2307534, upload-time = "2026-05-06T13:37:21.531Z" },
-    { url = "https://files.pythonhosted.org/packages/89/1d/8eff589b45bb8190a9d12c49cfad0f176a5cbd1534908a6b5125e2886239/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7a5f930472650a82629163023e630d160863fce524c616f4e5186e5de9d9a49b", size = 2099732, upload-time = "2026-05-06T13:39:31.942Z" },
-    { url = "https://files.pythonhosted.org/packages/06/d5/ee5a3366637fee41dee51a1fc91562dcf12ddbc68fda34e6b253da2324bb/pydantic_core-2.46.4-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:c1b3f518abeca3aa13c712fd202306e145abf59a18b094a6bafb2d2bbf59192c", size = 2129627, upload-time = "2026-05-06T13:37:25.033Z" },
-    { url = "https://files.pythonhosted.org/packages/94/33/2414be571d2c6a6c4d08be21f9292b6d3fdb08949a97b6dfe985017821db/pydantic_core-2.46.4-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:1a7dd0b3ee80d90150e3495a3a13ac34dbcbfd4f012996a6a1d8900e91b5c0fb", size = 2179141, upload-time = "2026-05-06T13:37:14.046Z" },
-    { url = "https://files.pythonhosted.org/packages/7b/79/7daa95be995be0eecc4cf75064cb33f9bbbfe3fe0158caf2f0d4a996a5c7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:3fb702cd90b0446a3a1c5e470bfa0dd23c0233b676a9099ddcc964fa6ca13898", size = 2184325, upload-time = "2026-05-06T13:36:53.615Z" },
-    { url = "https://files.pythonhosted.org/packages/9f/cb/d0a382f5c0de8a222dc61c65348e0ce831b1f68e0a018450d31c2cace3a5/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:b8458003118a712e66286df6a707db01c52c0f52f7db8e4a38f0da1d3b94fc4e", size = 2323990, upload-time = "2026-05-06T13:40:29.971Z" },
-    { url = "https://files.pythonhosted.org/packages/05/db/d9ba624cc4a5aced1598e88c04fdbd8310c8a69b9d38b9a3d39ce3a61ed7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:372429a130e469c9cd698925ce5fc50940b7a1336b0d82038e63d5bbc4edc519", size = 2369978, upload-time = "2026-05-06T13:37:23.027Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/20/d15df15ba918c423461905802bfd2981c3af0bfa0e40d05e13edbfa48bc3/pydantic_core-2.46.4-cp314-cp314-win32.whl", hash = "sha256:85bb3611ff1802f3ee7fdd7dbff26b56f343fb432d57a4728fdd49b6ef35e2f4", size = 1966354, upload-time = "2026-05-06T13:38:03.499Z" },
-    { url = "https://files.pythonhosted.org/packages/fc/b6/6b8de4c0a7d7ab3004c439c80c5c1e0a3e8d78bbae19379b01960383d9e5/pydantic_core-2.46.4-cp314-cp314-win_amd64.whl", hash = "sha256:811ff8e9c313ab425368bcbb36e5c4ebd7108c2bbf4e4089cfbb0b01eff63fac", size = 2072238, upload-time = "2026-05-06T13:39:40.807Z" },
-    { url = "https://files.pythonhosted.org/packages/32/36/51eb763beec1f4cf59b1db243a7dcc39cbb41230f050a09b9d69faaf0a48/pydantic_core-2.46.4-cp314-cp314-win_arm64.whl", hash = "sha256:bfec22eab3c8cc2ceec0248aec886624116dc079afa027ecc8ad4a7e62010f8a", size = 2018251, upload-time = "2026-05-06T13:37:26.72Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/91/855af51d625b23aa987116a19e231d2aaef9c4a415273ddc189b79a45fee/pydantic_core-2.46.4-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:af8244b2bef6aaad6d92cda81372de7f8c8d36c9f0c3ea36e827c60e7d9467a0", size = 2099593, upload-time = "2026-05-06T13:39:47.682Z" },
-    { url = "https://files.pythonhosted.org/packages/fb/1b/8784a54c65edb5f49f0a14d6977cf1b209bba85a4c77445b255c2de58ab3/pydantic_core-2.46.4-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:5a4330cdbc57162e4b3aa303f588ba752257694c9c9be3e7ebb11b4aca659b5d", size = 1935226, upload-time = "2026-05-06T13:40:40.428Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/e7/1955d28d1afc56dd4b3ad7cc0cf39df1b9852964cf16e5d13912756d6d6b/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:29c61fc04a3d840155ff08e475a04809278972fe6aef51e2720554e96367e34b", size = 1974605, upload-time = "2026-05-06T13:37:32.029Z" },
-    { url = "https://files.pythonhosted.org/packages/93/e2/3fedbf0ba7a22850e6e9fd78117f1c0f10f950182344d8a6c535d468fdd8/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c50f2528cf200c5eed56faf3f4e22fcd5f38c157a8b78576e6ba3168ec35f000", size = 2030777, upload-time = "2026-05-06T13:38:55.239Z" },
-    { url = "https://files.pythonhosted.org/packages/f8/61/46be275fcaaba0b4f5b9669dd852267ce1ff616592dccf7a7845588df091/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0cbe8b01f948de4286c74cdd6c667aceb38f5c1e26f0693b3983d9d74887c65e", size = 2236641, upload-time = "2026-05-06T13:37:08.096Z" },
-    { url = "https://files.pythonhosted.org/packages/60/db/12e93e46a8bac9988be3c016860f83293daea8c716c029c9ace279036f2f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:617d7e2ca7dcb8c5cf6bcb8c59b8832c94b36196bbf1cbd1bfb56ed341905edd", size = 2286404, upload-time = "2026-05-06T13:40:20.221Z" },
-    { url = "https://files.pythonhosted.org/packages/e2/4a/4d8b19008f38d31c53b8219cfedc2e3d5de5fe99d90076b7e767de29274f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7027560ee92211647d0d34e3f7cd6f50da56399d26a9c8ad0da286d3869a53f3", size = 2109219, upload-time = "2026-05-06T13:38:12.153Z" },
-    { url = "https://files.pythonhosted.org/packages/88/70/3cbc40978fefb7bb09c6708d40d4ad1a5d70fd7213c3d17f971de868ec1f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:f99626688942fb746e545232e7726926f3be91b5975f8b55327665fafda991c7", size = 2110594, upload-time = "2026-05-06T13:40:02.971Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/20/b8d36736216e29491125531685b2f9e61aa5b4b2599893f8268551da3338/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fc3e9034a63de20e15e8ade85358bc6efc614008cab72898b4b4952bea0509ff", size = 2159542, upload-time = "2026-05-06T13:39:27.506Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/a2/367df868eb584dacf6bf82a389272406d7178e301c4ac82545ab98bc2dd9/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:97e7cf2be5c77b7d1a9713a05605d49460d02c6078d38d8bef3cbe323c548424", size = 2168146, upload-time = "2026-05-06T13:38:31.93Z" },
-    { url = "https://files.pythonhosted.org/packages/c1/b8/4460f77f7e201893f649a29ab355dddd3beee8a97bcb1a320db414f9a06e/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:3bf92c5d0e00fefaab325a4d27828fe6b6e2a21848686b5b60d2d9eeb09d76c6", size = 2306309, upload-time = "2026-05-06T13:37:44.717Z" },
-    { url = "https://files.pythonhosted.org/packages/64/c4/be2639293acd87dc8ddbcec41a73cee9b2ebf996fe6d892a1a74e88ad3f7/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:3ecbc122d18468d06ca279dc26a8c2e2d5acb10943bb35e36ae92096dc3b5565", size = 2369736, upload-time = "2026-05-06T13:37:05.645Z" },
-    { url = "https://files.pythonhosted.org/packages/30/a6/9f9f380dbb301f67023bf8f707aaa75daadf84f7152d95c410fd7e81d994/pydantic_core-2.46.4-cp314-cp314t-win32.whl", hash = "sha256:e846ae7835bf0703ae43f534ab79a867146dadd59dc9ca5c8b53d5c8f7c9ef02", size = 1955575, upload-time = "2026-05-06T13:38:51.116Z" },
-    { url = "https://files.pythonhosted.org/packages/40/1f/f1eb9eb350e795d1af8586289746f5c5677d16043040d63710e22abc43c9/pydantic_core-2.46.4-cp314-cp314t-win_amd64.whl", hash = "sha256:2108ba5c1c1eca18030634489dc544844144ee36357f2f9f780b93e7ddbb44b5", size = 2051624, upload-time = "2026-05-06T13:38:21.672Z" },
-    { url = "https://files.pythonhosted.org/packages/f6/d2/42dd53d0a85c27606f316d3aa5d2869c4e8470a5ed6dec30e4a1abe19192/pydantic_core-2.46.4-cp314-cp314t-win_arm64.whl", hash = "sha256:4fcbe087dbc2068af7eda3aa87634eba216dbda64d1ae73c8684b621d33f6596", size = 2017325, upload-time = "2026-05-06T13:40:52.723Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/db/a7bcb4940183fda36022cd18ba8dd12f2dff40740ec7b58ce7457befa416/pydantic_core-2.46.3-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:afa3aa644f74e290cdede48a7b0bee37d1c35e71b05105f6b340d484af536d9b", size = 2097614, upload-time = "2026-04-20T14:44:38.374Z" },
+    { url = "https://files.pythonhosted.org/packages/24/35/e4066358a22e3e99519db370494c7528f5a2aa1367370e80e27e20283543/pydantic_core-2.46.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ced3310e51aa425f7f77da8bbbb5212616655bedbe82c70944320bc1dbe5e018", size = 1951896, upload-time = "2026-04-20T14:40:53.996Z" },
+    { url = "https://files.pythonhosted.org/packages/87/92/37cf4049d1636996e4b888c05a501f40a43ff218983a551d57f9d5e14f0d/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e29908922ce9da1a30b4da490bd1d3d82c01dcfdf864d2a74aacee674d0bfa34", size = 1979314, upload-time = "2026-04-20T14:41:49.446Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/36/9ff4d676dfbdfb2d591cf43f3d90ded01e15b1404fd101180ed2d62a2fd3/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0c9ff69140423eea8ed2d5477df3ba037f671f5e897d206d921bc9fdc39613e7", size = 2056133, upload-time = "2026-04-20T14:42:23.574Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/f0/405b442a4d7ba855b06eec8b2bf9c617d43b8432d099dfdc7bf999293495/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b675ab0a0d5b1c8fdb81195dc5bcefea3f3c240871cdd7ff9a2de8aa50772eb2", size = 2228726, upload-time = "2026-04-20T14:44:22.816Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/f8/65cd92dd5a0bd89ba277a98ecbfaf6fc36bbd3300973c7a4b826d6ab1391/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0087084960f209a9a4af50ecd1fb063d9ad3658c07bb81a7a53f452dacbfb2ba", size = 2301214, upload-time = "2026-04-20T14:44:48.792Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/86/ef96a4c6e79e7a2d0410826a68fbc0eccc0fd44aa733be199d5fcac3bb87/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ed42e6cc8e1b0e2b9b96e2276bad70ae625d10d6d524aed0c93de974ae029f9f", size = 2099927, upload-time = "2026-04-20T14:41:40.196Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/53/269caf30e0096e0a8a8f929d1982a27b3879872cca2d917d17c2f9fdf4fe/pydantic_core-2.46.3-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:f1771ce258afb3e4201e67d154edbbae712a76a6081079fe247c2f53c6322c22", size = 2128789, upload-time = "2026-04-20T14:41:15.868Z" },
+    { url = "https://files.pythonhosted.org/packages/00/b0/1a6d9b6a587e118482910c244a1c5acf4d192604174132efd12bf0ac486f/pydantic_core-2.46.3-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a7610b6a5242a6c736d8ad47fd5fff87fcfe8f833b281b1c409c3d6835d9227f", size = 2173815, upload-time = "2026-04-20T14:44:25.152Z" },
+    { url = "https://files.pythonhosted.org/packages/87/56/e7e00d4041a7e62b5a40815590114db3b535bf3ca0bf4dca9f16cef25246/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:ff5e7783bcc5476e1db448bf268f11cb257b1c276d3e89f00b5727be86dd0127", size = 2181608, upload-time = "2026-04-20T14:41:28.933Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/22/4bd23c3d41f7c185d60808a1de83c76cf5aeabf792f6c636a55c3b1ec7f9/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:9d2e32edcc143bc01e95300671915d9ca052d4f745aa0a49c48d4803f8a85f2c", size = 2326968, upload-time = "2026-04-20T14:42:03.962Z" },
+    { url = "https://files.pythonhosted.org/packages/24/ac/66cd45129e3915e5ade3b292cb3bc7fd537f58f8f8dbdaba6170f7cabb74/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:6e42d83d1c6b87fa56b521479cff237e626a292f3b31b6345c15a99121b454c1", size = 2369842, upload-time = "2026-04-20T14:41:35.52Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/51/dd4248abb84113615473aa20d5545b7c4cd73c8644003b5259686f93996c/pydantic_core-2.46.3-cp314-cp314-win32.whl", hash = "sha256:07bc6d2a28c3adb4f7c6ae46aa4f2d2929af127f587ed44057af50bf1ce0f505", size = 1959661, upload-time = "2026-04-20T14:41:00.042Z" },
+    { url = "https://files.pythonhosted.org/packages/20/eb/59980e5f1ae54a3b86372bd9f0fa373ea2d402e8cdcd3459334430f91e91/pydantic_core-2.46.3-cp314-cp314-win_amd64.whl", hash = "sha256:8940562319bc621da30714617e6a7eaa6b98c84e8c685bcdc02d7ed5e7c7c44e", size = 2071686, upload-time = "2026-04-20T14:43:16.471Z" },
+    { url = "https://files.pythonhosted.org/packages/8c/db/1cf77e5247047dfee34bc01fa9bca134854f528c8eb053e144298893d370/pydantic_core-2.46.3-cp314-cp314-win_arm64.whl", hash = "sha256:5dcbbcf4d22210ced8f837c96db941bdb078f419543472aca5d9a0bb7cddc7df", size = 2026907, upload-time = "2026-04-20T14:43:31.732Z" },
+    { url = "https://files.pythonhosted.org/packages/57/c0/b3df9f6a543276eadba0a48487b082ca1f201745329d97dbfa287034a230/pydantic_core-2.46.3-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:d0fe3dce1e836e418f912c1ad91c73357d03e556a4d286f441bf34fed2dbeecf", size = 2095047, upload-time = "2026-04-20T14:42:37.982Z" },
+    { url = "https://files.pythonhosted.org/packages/66/57/886a938073b97556c168fd99e1a7305bb363cd30a6d2c76086bf0587b32a/pydantic_core-2.46.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:9ce92e58abc722dac1bf835a6798a60b294e48eb0e625ec9fd994b932ac5feee", size = 1934329, upload-time = "2026-04-20T14:43:49.655Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/7c/b42eaa5c34b13b07ecb51da21761297a9b8eb43044c864a035999998f328/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a03e6467f0f5ab796a486146d1b887b2dc5e5f9b3288898c1b1c3ad974e53e4a", size = 1974847, upload-time = "2026-04-20T14:42:10.737Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/9b/92b42db6543e7de4f99ae977101a2967b63122d4b6cf7773812da2d7d5b5/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:2798b6ba041b9d70acfb9071a2ea13c8456dd1e6a5555798e41ba7b0790e329c", size = 2041742, upload-time = "2026-04-20T14:40:44.262Z" },
+    { url = "https://files.pythonhosted.org/packages/0f/19/46fbe1efabb5aa2834b43b9454e70f9a83ad9c338c1291e48bdc4fecf167/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9be3e221bdc6d69abf294dcf7aff6af19c31a5cdcc8f0aa3b14be29df4bd03b1", size = 2236235, upload-time = "2026-04-20T14:41:27.307Z" },
+    { url = "https://files.pythonhosted.org/packages/77/da/b3f95bc009ad60ec53120f5d16c6faa8cabdbe8a20d83849a1f2b8728148/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f13936129ce841f2a5ddf6f126fea3c43cd128807b5a59588c37cf10178c2e64", size = 2282633, upload-time = "2026-04-20T14:44:33.271Z" },
+    { url = "https://files.pythonhosted.org/packages/cc/6e/401336117722e28f32fb8220df676769d28ebdf08f2f4469646d404c43a3/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:28b5f2ef03416facccb1c6ef744c69793175fd27e44ef15669201601cf423acb", size = 2109679, upload-time = "2026-04-20T14:44:41.065Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/53/b289f9bc8756a32fe718c46f55afaeaf8d489ee18d1a1e7be1db73f42cc4/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:830d1247d77ad23852314f069e9d7ddafeec5f684baf9d7e7065ed46a049c4e6", size = 2108342, upload-time = "2026-04-20T14:42:50.144Z" },
+    { url = "https://files.pythonhosted.org/packages/10/5b/8292fc7c1f9111f1b2b7c1b0dcf1179edcd014fc3ea4517499f50b829d71/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d0793c90c1a3c74966e7975eaef3ed30ebdff3260a0f815a62a22adc17e4c01c", size = 2157208, upload-time = "2026-04-20T14:42:08.133Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/9e/f80044e9ec07580f057a89fc131f78dda7a58751ddf52bbe05eaf31db50f/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:d2d0aead851b66f5245ec0c4fb2612ef457f8bbafefdf65a2bf9d6bac6140f47", size = 2167237, upload-time = "2026-04-20T14:42:25.412Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/84/6781a1b037f3b96be9227edbd1101f6d3946746056231bf4ac48cdff1a8d/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:2f40e4246676beb31c5ce77c38a55ca4e465c6b38d11ea1bd935420568e0b1ab", size = 2312540, upload-time = "2026-04-20T14:40:40.313Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/db/19c0839feeb728e7df03255581f198dfdf1c2aeb1e174a8420b63c5252e5/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:cf489cf8986c543939aeee17a09c04d6ffb43bfef8ca16fcbcc5cfdcbed24dba", size = 2369556, upload-time = "2026-04-20T14:41:09.427Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/15/3228774cb7cd45f5f721ddf1b2242747f4eb834d0c491f0c02d606f09fed/pydantic_core-2.46.3-cp314-cp314t-win32.whl", hash = "sha256:ffe0883b56cfc05798bf994164d2b2ff03efe2d22022a2bb080f3b626176dd56", size = 1949756, upload-time = "2026-04-20T14:41:25.717Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/2a/c79cf53fd91e5a87e30d481809f52f9a60dd221e39de66455cf04deaad37/pydantic_core-2.46.3-cp314-cp314t-win_amd64.whl", hash = "sha256:706d9d0ce9cf4593d07270d8e9f53b161f90c57d315aeec4fb4fd7a8b10240d8", size = 2051305, upload-time = "2026-04-20T14:43:18.627Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/db/d8182a7f1d9343a032265aae186eb063fe26ca4c40f256b21e8da4498e89/pydantic_core-2.46.3-cp314-cp314t-win_arm64.whl", hash = "sha256:77706aeb41df6a76568434701e0917da10692da28cb69d5fb6919ce5fdb07374", size = 2026310, upload-time = "2026-04-20T14:41:01.778Z" },
 ]
 
 [[package]]
@@ -3083,18 +3083,18 @@ wheels = [
 
 [[package]]
 name = "python-kadmin-rs"
-version = "0.7.2"
+version = "0.7.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ab/96/f5ed764f06621d1c06b469ec2a24c2da64a0fdb9f13d1c7005c70fd7804d/python_kadmin_rs-0.7.2.tar.gz", hash = "sha256:1f57ab7b61540c420eb684154e56638d42e4bafe2ac66362c2d667cda7d0ce8c", size = 119177, upload-time = "2026-05-11T13:31:19.071Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c6/18/2773570703e5ab13fc0390797685cb6c09b8002d96438c57a8e887cc3234/python_kadmin_rs-0.7.0.tar.gz", hash = "sha256:e8a539fda1a1006fe5f0868c0e59a36b3b90d451da9c0c2bc3a9bfc7173efbdc", size = 112469, upload-time = "2026-01-15T17:49:10.467Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/63/f2/e86b79e1cc8d43c8865f65b5b9c7b06fbfb56e56b812bd279c38faa100cd/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:2c77b425805669831e2c4eb316304b9f4690ac27a74cb34e2b92dc0979ab0d3c", size = 512988, upload-time = "2026-05-11T13:31:01.655Z" },
-    { url = "https://files.pythonhosted.org/packages/17/d6/200dd8ca05bbdf48d77050a0a75c183fca740f2d33e59c8083832514d300/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:403c04a395f42d87cbfa46d60f9145841a8b5c6d8ac1f2dab0f457e3e3b7049c", size = 527527, upload-time = "2026-05-11T13:31:03.528Z" },
-    { url = "https://files.pythonhosted.org/packages/54/03/e9ebb35c7c1441722ced8097c19c1737b1db28c18d9a0c219fe12fe94257/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:5f1560747e1a936cc9509c87d45180e351096b3be47c8af81a6f3dd4516ca34b", size = 564813, upload-time = "2026-05-11T13:31:05.464Z" },
-    { url = "https://files.pythonhosted.org/packages/f9/d8/c2706859bec76cc629d7665effd6fd540d31b10631d800796269806c86cc/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:cb51f980597383c4f4adb308e3e4c0c796e5dba560f68b17e4b3cd269c043ae2", size = 562188, upload-time = "2026-05-11T13:31:06.875Z" },
-    { url = "https://files.pythonhosted.org/packages/00/ad/808be9b2b5a52ff0244e323a4d2ec00b66c21c98e49088399a744da15085/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:08fea0f139d5cfdcda24446355578071b8ac02223bb9433077b895df6655cb9e", size = 511783, upload-time = "2026-05-11T13:31:08.291Z" },
-    { url = "https://files.pythonhosted.org/packages/0c/9a/73ab8930b37eafa3a41341c245df6066d38a5b8076cae4f39d7f59eab7bb/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:ff124a363e6c8707d738191969e22c08d2cef73b3d6fc0ce86f1dcd81715e170", size = 526356, upload-time = "2026-05-11T13:31:10.137Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/26/acddc2766900537b94e923ecd12c9f4d5ee6a0f551ffe7998826055c8193/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:5124b7f27b67d034c6c13ebfbb65c036e197e30bc47c457853489e08d535cb3c", size = 561923, upload-time = "2026-05-11T13:31:11.843Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/4e/42b317789b5e204995431762b7dcede1544581ee5caacebac36d8991f478/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:0741de2fd55338b356a424899c2cc400314dd57ae2031ed879a2765edfc2f0a1", size = 562006, upload-time = "2026-05-11T13:31:13.206Z" },
+    { url = "https://files.pythonhosted.org/packages/71/05/94e7575a69ea5d3fc23d4df4a8e4d5acb6f6d3633f23b0a8b6b6360da775/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:d1418825ba6c161d504b7905a99ef475d5ec1fdf15e6f5b72e4641f350fbc261", size = 510261, upload-time = "2026-01-15T17:48:52.002Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/16/58671c341caef38a492e327cf3e0b24aba2842419da15566f8e3d42c9382/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:b247bc5f5a075107088cdcec22c67125aa6706fdcd2e264a99a478f1bedecd7d", size = 527751, upload-time = "2026-01-15T17:48:53.504Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/d1/505e34ce204601aae0fcecaf56c66e808803426199948d3a26a6c16a9e5b/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:8e6d8ea17a02bb0527219abadac08a63a47f97351f41c79fade77dd11a380795", size = 552634, upload-time = "2026-01-15T17:48:54.96Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/51/391a3d8ee99aeb2466efe499e52ef6a7479d7ac426635d92cd050a5fe3f9/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:82107ee5ea3dc1a3b716323687febc64ed2fa462ebd986565fba7394add04792", size = 554659, upload-time = "2026-01-15T17:48:56.408Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/77/6a2fe8a9bef6e3d94f842492db7216c4d0a47c5a67a8a7265c126ed5be58/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:ed58ec35dd89a381408fa92f0404d6321f2e6687c58c974f820f113a7052f39f", size = 512638, upload-time = "2026-01-15T17:48:58.519Z" },
+    { url = "https://files.pythonhosted.org/packages/ef/e4/ddd909d4b5ff00a3ed277699f3e2204785367a52088dcb41465b8e01f733/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:6a6b63680e10a450e553a84a15216f61af838d86d623caec1fb1c2977907d1ef", size = 530752, upload-time = "2026-01-15T17:49:00.108Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/b2/7d4ea81b768a4ea6be57d9bc70f1841828483a092598b60243a7ad8c798c/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:e48cdf80bdece9fdcc70d9ef9237821ae9366cf7944742cd412ac2ebd07a40cc", size = 553270, upload-time = "2026-01-15T17:49:01.682Z" },
+    { url = "https://files.pythonhosted.org/packages/26/b7/87851916c895f31e67a9fe827dabfe3a2f09cf8ecf090cb4ac513f100157/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:e63aec5daa1a8469f5b617aa8a5b5a689e2b18241026c7e666ca0f8b5e8688c8", size = 556308, upload-time = "2026-01-15T17:49:03.199Z" },
 ]
 
 [[package]]
@@ -3332,15 +3332,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.59.0"
+version = "2.58.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/65/e0/9bf5e5fc7442b10880f3ec0eff0ef4208b84a099606f343ec4f5445227fb/sentry_sdk-2.59.0.tar.gz", hash = "sha256:cd265808ef8bf3f3edf69b527c0a0b2b6b1322762679e55b8987db2e9584aec1", size = 447331, upload-time = "2026-05-04T12:19:06.538Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/26/b3/fb8291170d0e844173164709fc0fa0c221ed75a5da740c8746f2a83b4eb1/sentry_sdk-2.58.0.tar.gz", hash = "sha256:c1144d947352d54e5b7daa63596d9f848adf684989c06c4f5a659f0c85a18f6f", size = 438764, upload-time = "2026-04-13T17:23:26.265Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/bf/00/b8cc413748fb6383d1582e7cda51314f99743351c462a92dc690d5b5853b/sentry_sdk-2.59.0-py2.py3-none-any.whl", hash = "sha256:abcf65ee9a9d9cdebf9ad369782408ecca9c1c792686ef06ba34f5ab233527fe", size = 468432, upload-time = "2026-05-04T12:19:04.741Z" },
+    { url = "https://files.pythonhosted.org/packages/fa/eb/d875669993b762556ae8b2efd86219943b4c0864d22204d622a9aee3052b/sentry_sdk-2.58.0-py2.py3-none-any.whl", hash = "sha256:688d1c704ddecf382ea3326f21a67453d4caa95592d722b7c780a36a9d23109e", size = 460919, upload-time = "2026-04-13T17:23:24.675Z" },
 ]
 
 [[package]]
@@ -3524,7 +3524,7 @@ wheels = [
 
 [[package]]
 name = "twilio"
-version = "9.10.9"
+version = "9.10.5"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aiohttp" },
@@ -3532,9 +3532,9 @@ dependencies = [
     { name = "pyjwt" },
     { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/30/af/275130be4783c6e2b2122d3b278b63da0007611d1dc073d6414adcc6be03/twilio-9.10.9.tar.gz", hash = "sha256:eb74fc026c85a89372836414f57e262119efaa160b9419cf4d05b59056b8e89d", size = 1762839, upload-time = "2026-05-07T17:34:38.162Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b5/97/c439bc2c058f8a24edd732f5cc82adedd8794bcc2da0836c2eff1e2dbe91/twilio-9.10.5.tar.gz", hash = "sha256:d9f93b9280349ee7b52e7f17a0600fd7bfd0f7ff88eb00c40270164bc058743f", size = 1641690, upload-time = "2026-04-14T09:52:09.392Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ed/6b/df08b499d01ba6b9f7f42f9dd51b82aab1eb26c93602f3b89179a520494f/twilio-9.10.9-py2.py3-none-any.whl", hash = "sha256:1c50bfb394b5dbc044bacab24b2e3b550bee0c08da51c4a1fa4816293303e66c", size = 2452983, upload-time = "2026-05-07T17:34:36.459Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/97/4fdde5e54fcbb789aa1a70c371f2f33d7eb1e58e8a6131fdbd8a98490976/twilio-9.10.5-py2.py3-none-any.whl", hash = "sha256:7972db54496fbf501b238f34d1f717f80ff22720313dc706632787aad5934997", size = 2284944, upload-time = "2026-04-14T09:52:07.333Z" },
 ]
 
 [[package]]
@@ -3663,14 +3663,14 @@ wheels = [
 
 [[package]]
 name = "types-requests"
-version = "2.33.0.20260503"
+version = "2.33.0.20260408"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a1/b8/57e94268c0d82ac3eaa2fc35aa8ca7bbc2542f726b67dcf90b0b00a3b14d/types_requests-2.33.0.20260503.tar.gz", hash = "sha256:9721b2d9dbee7131f2fb39f20f0ebb1999c18cef4b512c9a7932f3722de7c5f4", size = 23931, upload-time = "2026-05-03T05:20:08.882Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/69/6a/749dc53a54a3f35842c1f8197b3ca6b54af6d7458a1bfc75f6629b6da666/types_requests-2.33.0.20260408.tar.gz", hash = "sha256:95b9a86376807a216b2fb412b47617b202091c3ea7c078f47cc358d5528ccb7b", size = 23882, upload-time = "2026-04-08T04:34:49.33Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c3/82/959113a6351f3ca046cd0a8cd2cee071d7ea47473560557a01eeae9a6fe2/types_requests-2.33.0.20260503-py3-none-any.whl", hash = "sha256:02aaa7e3577a13471715bb1bddb693cc985ea514f754b503bf033e6a09a3e528", size = 20736, upload-time = "2026-05-03T05:20:07.858Z" },
+    { url = "https://files.pythonhosted.org/packages/90/b8/78fd6c037de4788c040fdd323b3369804400351b7827473920f6c1d03c10/types_requests-2.33.0.20260408-py3-none-any.whl", hash = "sha256:81f31d5ea4acb39f03be7bc8bed569ba6d5a9c5d97e89f45ac43d819b68ca50f", size = 20739, upload-time = "2026-04-08T04:34:48.325Z" },
 ]
 
 [[package]]
@@ -3743,32 +3743,32 @@ wheels = [
 
 [[package]]
 name = "ujson"
-version = "5.12.1"
+version = "5.12.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/bc/78/937198ea8708182dd1edbf0237bf255a96feab3f511691ad08b84da98e5d/ujson-5.12.1.tar.gz", hash = "sha256:5b7e96406c301a1366534479a7352ec40ec68bb327c0c119091635acd5925e35", size = 7164538, upload-time = "2026-05-05T22:05:01.354Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/cb/3e/c35530c5ffc25b71c59ae0cd7b8f99df37313daa162ce1e2f7925f7c2877/ujson-5.12.0.tar.gz", hash = "sha256:14b2e1eb528d77bc0f4c5bd1a7ebc05e02b5b41beefb7e8567c9675b8b13bcf4", size = 7158451, upload-time = "2026-03-11T22:19:30.397Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f8/ca/d88d86f90f8f237985f3e347b9a4f9fa24e8d30d19ec7d477ed18aa58393/ujson-5.12.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:6f19e9a407a24230df0cc1ec1c0f5999872ba526b14a780f80ad6479f5eed9bc", size = 58099, upload-time = "2026-05-05T22:04:06.688Z" },
-    { url = "https://files.pythonhosted.org/packages/ae/2d/a0a88407cee3550f7ed1e49b41157ee2d410f51905ed51fb134844255280/ujson-5.12.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:8b657e870c77aaacdeea86cfad3e6d2ef9b52517e45988c9c367f7ee764fe4dd", size = 55631, upload-time = "2026-05-05T22:04:07.925Z" },
-    { url = "https://files.pythonhosted.org/packages/a9/6d/12a3b8e72132db244ae048075e71a0079b3c5f61ff45b7ca81d5193ab3e7/ujson-5.12.1-cp314-cp314-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:984b5a99d1e0a037c2046c3c4b34cec832565d62d5017be0a035bf3cbfab72dc", size = 59469, upload-time = "2026-05-05T22:04:09.208Z" },
-    { url = "https://files.pythonhosted.org/packages/a2/72/310f8c21737554f2d2b4f1883e1a71e8a6ab0d8f92f0feb8aaa85e0f4b66/ujson-5.12.1-cp314-cp314-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:f48ef8a16f1d85bd7982beac7adfd3fb704058631db84c1c61c8a1b7072b1508", size = 61611, upload-time = "2026-05-05T22:04:10.836Z" },
-    { url = "https://files.pythonhosted.org/packages/50/50/ab4b2f7bab6c7a67298c8f2aca80e2082eaf6f332cf2d099762647b5301e/ujson-5.12.1-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4f39ba3b65cc637b59731532f7e7c807786bff1d0332ab2d5b96a04d2584d78f", size = 59122, upload-time = "2026-05-05T22:04:12.137Z" },
-    { url = "https://files.pythonhosted.org/packages/21/48/5d81cbe76fc2aa9e071aa489a3041cf0712f5e0663d60d501641f92b7bb4/ujson-5.12.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:07f307780f85b49cba93f291718421b6f5f3b627a323b431fad937a18f6587cb", size = 1038938, upload-time = "2026-05-05T22:04:13.548Z" },
-    { url = "https://files.pythonhosted.org/packages/fb/a7/abe1acb0e5d8b8d724b35533a44c89684c88100a5fd9f2fee7f7155528d5/ujson-5.12.1-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:1c335caea51c31494e514b82d50763b9792d3960d2c7d9fdb6b6fb8ed50ebdd0", size = 1198416, upload-time = "2026-05-05T22:04:15.609Z" },
-    { url = "https://files.pythonhosted.org/packages/ed/6e/087067d6ee22bd01bfba9fb1f32ce98c24ae2bcbab53bd2fbf8f7a80fe9e/ujson-5.12.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:19ea07e29a45d199f926aadf93a9974128438c01b83141fba32477c0ee604b33", size = 1091425, upload-time = "2026-05-05T22:04:17.909Z" },
-    { url = "https://files.pythonhosted.org/packages/4e/d2/28938574b766980f873b68962abb4c68a944d939446768982934ad3bcd93/ujson-5.12.1-cp314-cp314-win32.whl", hash = "sha256:c8e626b6bc9bdd2e8f7393b7d99f3daa2ca4022e6203662e70de7bb3604b21b9", size = 42334, upload-time = "2026-05-05T22:04:19.85Z" },
-    { url = "https://files.pythonhosted.org/packages/49/b0/0af30bf65d96b73c28054b344ebbe24bc96780ae8a7f2973f5dad979510a/ujson-5.12.1-cp314-cp314-win_amd64.whl", hash = "sha256:c6d3bdd020333688ee60559437021ed68a98a28fdd609b5af16de5dd58f90cba", size = 46586, upload-time = "2026-05-05T22:04:21.298Z" },
-    { url = "https://files.pythonhosted.org/packages/4e/3b/0ee2555823724e60cc847c715c299f5792aa444bdde69c51d4aa42d885c2/ujson-5.12.1-cp314-cp314-win_arm64.whl", hash = "sha256:e3c9c894971f4ada3ded16a804ed4640e1f2b3e5239beaeec7c48296f39f4232", size = 41178, upload-time = "2026-05-05T22:04:22.597Z" },
-    { url = "https://files.pythonhosted.org/packages/3f/3d/7547835cd0b7fa22eb1122702f81b2403c38a0027a2cc0d75acc449a4a66/ujson-5.12.1-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:49dd9c378e1c8e676785ff2b62cb490074229f15ab54abf45b623713cb2c36b5", size = 58565, upload-time = "2026-05-05T22:04:23.75Z" },
-    { url = "https://files.pythonhosted.org/packages/ed/6a/1784e0b24aab50623eb47b2f7a8dc22c9d809d798854d2568a9cb7c3560f/ujson-5.12.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:6d8827904358d7da59ccf2e1fd8de59e78248036d17fecc0462e62c6721f1102", size = 56157, upload-time = "2026-05-05T22:04:25.028Z" },
-    { url = "https://files.pythonhosted.org/packages/91/2d/2c1b24df24eee309047d81460c3a1acf0d047207327edc6f3cab8a614985/ujson-5.12.1-cp314-cp314t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:dc26caebea90425662ef0b979f945f6ac832651881107d6ec9a3c4d4a4ba929c", size = 60288, upload-time = "2026-05-05T22:04:26.273Z" },
-    { url = "https://files.pythonhosted.org/packages/c5/14/c0c603e3dff2ef98f7deee2df7795e6055abbc5825c6ef530024b3b06a15/ujson-5.12.1-cp314-cp314t-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:45022aae09ac3d45bda6fbfc631088d1aff9a0465542d40bd6d295ced378c430", size = 62302, upload-time = "2026-05-05T22:04:27.516Z" },
-    { url = "https://files.pythonhosted.org/packages/5c/0d/889bbc044561d9adc9bf413620fbd9878f352c9fd36da829d319bca2f5ad/ujson-5.12.1-cp314-cp314t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:b22aa0f644516d3d5b29464949e4b23fe784f84b4a1030ab9ac3cb42aaedabb1", size = 59784, upload-time = "2026-05-05T22:04:28.776Z" },
-    { url = "https://files.pythonhosted.org/packages/18/35/3b1d8ff8cd6dc048f5c495af6ee6ded43055562610a7e9b78b438dc6421e/ujson-5.12.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:7dc5cf44ea42365cd1b66e6ed3fc6ca040c86587b024a6659b98e99d31cff2cd", size = 1039759, upload-time = "2026-05-05T22:04:30.291Z" },
-    { url = "https://files.pythonhosted.org/packages/6a/d8/3c66cdf839420a6da2d6140a54a882c15efd135bcced103bd4473d577636/ujson-5.12.1-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:8df5d984ff4ac1ef292d70f30da03417038a7e1e0bc272d28ca9d34f02f41682", size = 1199121, upload-time = "2026-05-05T22:04:31.961Z" },
-    { url = "https://files.pythonhosted.org/packages/54/51/c3d1b94a4ad27dc7532e9f7d00b869463157cede2295ba6d57566afeb8cd/ujson-5.12.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:485f0182a0c0b54c304061cdc826d8343ce595c4055f7a24e72772a8520e5f7b", size = 1092085, upload-time = "2026-05-05T22:04:33.697Z" },
-    { url = "https://files.pythonhosted.org/packages/ae/52/4d4a6e78290a5eef3f576f6d281e6355535db903a08483fd1bb393bf8cb9/ujson-5.12.1-cp314-cp314t-win32.whl", hash = "sha256:4e12ca368b397aed7fa1eec534ea1ba8d94977b376f9df3e93ae1acfd004ec40", size = 43243, upload-time = "2026-05-05T22:04:35.486Z" },
-    { url = "https://files.pythonhosted.org/packages/3d/c8/849366785de52b513e5fc89d7aea0b531e71bb5641407cbdfdf47a99ede8/ujson-5.12.1-cp314-cp314t-win_amd64.whl", hash = "sha256:cec6b9b539539affc1f01a795c99574592a635ce22331b64f2b42e0af570659e", size = 47662, upload-time = "2026-05-05T22:04:37.07Z" },
-    { url = "https://files.pythonhosted.org/packages/8a/46/36a67f5a531a15308124786f3e2b7b96414b9d23dbcdc2a182dd3ffa2e1d/ujson-5.12.1-cp314-cp314t-win_arm64.whl", hash = "sha256:696224d4cfb8883fa5c0285dff31e5ce924704dd9ccd38e9ea8b5bf4a42b12fc", size = 41680, upload-time = "2026-05-05T22:04:39.083Z" },
+    { url = "https://files.pythonhosted.org/packages/10/bd/9a8d693254bada62bfea75a507e014afcfdb6b9d047b6f8dd134bfefaf67/ujson-5.12.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:85833bca01aa5cae326ac759276dc175c5fa3f7b3733b7d543cf27f2df12d1ef", size = 56499, upload-time = "2026-03-11T22:18:45.431Z" },
+    { url = "https://files.pythonhosted.org/packages/bd/2d/285a83df8176e18dcd675d1a4cff8f7620f003f30903ea43929406e98986/ujson-5.12.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:d22cad98c2a10bbf6aa083a8980db6ed90d4285a841c4de892890c2b28286ef9", size = 53998, upload-time = "2026-03-11T22:18:47.184Z" },
+    { url = "https://files.pythonhosted.org/packages/bf/8b/e2f09e16dabfa91f6a84555df34a4329fa7621e92ed054d170b9054b9bb2/ujson-5.12.0-cp314-cp314-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:99cc80facad240b0c2fb5a633044420878aac87a8e7c348b9486450cba93f27c", size = 57783, upload-time = "2026-03-11T22:18:48.271Z" },
+    { url = "https://files.pythonhosted.org/packages/68/fb/ba1d06f3658a0c36d0ab3869ec3914f202bad0a9bde92654e41516c7bb13/ujson-5.12.0-cp314-cp314-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:d1831c07bd4dce53c4b666fa846c7eba4b7c414f2e641a4585b7f50b72f502dc", size = 60011, upload-time = "2026-03-11T22:18:49.284Z" },
+    { url = "https://files.pythonhosted.org/packages/64/2b/3e322bf82d926d9857206cd5820438d78392d1f523dacecb8bd899952f73/ujson-5.12.0-cp314-cp314-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e00cec383eab2406c9e006bd4edb55d284e94bb943fda558326048178d26961", size = 57465, upload-time = "2026-03-11T22:18:50.584Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/fd/af72d69603f9885e5136509a529a4f6d88bf652b457263ff96aefcd3ab7d/ujson-5.12.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:f19b3af31d02a2e79c5f9a6deaab0fb3c116456aeb9277d11720ad433de6dfc6", size = 1037275, upload-time = "2026-03-11T22:18:51.998Z" },
+    { url = "https://files.pythonhosted.org/packages/9c/a7/a2411ec81aef7872578e56304c3e41b3a544a9809e95c8e1df46923fc40b/ujson-5.12.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:bacbd3c69862478cbe1c7ed4325caedec580d8acf31b8ee1b9a1e02a56295cad", size = 1196758, upload-time = "2026-03-11T22:18:53.548Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/85/aa18ae175dd03a118555aa14304d4f466f9db61b924c97c6f84388ecacb1/ujson-5.12.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:94c5f1621cbcab83c03be46441f090b68b9f307b6c7ec44d4e3f6d5997383df4", size = 1089760, upload-time = "2026-03-11T22:18:55.336Z" },
+    { url = "https://files.pythonhosted.org/packages/d3/d4/4b40b67ac7e916ebffc3041ae2320c5c0b8a045300d4c542b6e50930cca5/ujson-5.12.0-cp314-cp314-win32.whl", hash = "sha256:e6369ac293d2cc40d52577e4fa3d75a70c1aae2d01fa3580a34a4e6eff9286b9", size = 41043, upload-time = "2026-03-11T22:18:56.505Z" },
+    { url = "https://files.pythonhosted.org/packages/24/38/a1496d2a3428981f2b3a2ffbb4656c2b05be6cc406301d6b10a6445f6481/ujson-5.12.0-cp314-cp314-win_amd64.whl", hash = "sha256:31348a0ffbfc815ce78daac569d893349d85a0b57e1cd2cdbba50b7f333784da", size = 45303, upload-time = "2026-03-11T22:18:57.454Z" },
+    { url = "https://files.pythonhosted.org/packages/85/d3/39dbd3159543d9c57ec3a82d36226152cf0d710784894ce5aa24b8220ac1/ujson-5.12.0-cp314-cp314-win_arm64.whl", hash = "sha256:6879aed770557f0961b252648d36f6fdaab41079d37a2296b5649fd1b35608e0", size = 39860, upload-time = "2026-03-11T22:18:58.578Z" },
+    { url = "https://files.pythonhosted.org/packages/c3/71/9b4dacb177d3509077e50497222d39eec04c8b41edb1471efc764d645237/ujson-5.12.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:7ddb08b3c2f9213df1f2e3eb2fbea4963d80ec0f8de21f0b59898e34f3b3d96d", size = 56845, upload-time = "2026-03-11T22:18:59.629Z" },
+    { url = "https://files.pythonhosted.org/packages/24/c2/8abffa3be1f3d605c4a62445fab232b3e7681512ce941c6b23014f404d36/ujson-5.12.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0a3ae28f0b209be5af50b54ca3e2123a3de3a57d87b75f1e5aa3d7961e041983", size = 54463, upload-time = "2026-03-11T22:19:00.697Z" },
+    { url = "https://files.pythonhosted.org/packages/db/2e/60114a35d1d6796eb428f7affcba00a921831ff604a37d9142c3d8bbe5c5/ujson-5.12.0-cp314-cp314t-manylinux_2_24_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d30ad4359413c8821cc7b3707f7ca38aa8bc852ba3b9c5a759ee2d7740157315", size = 58689, upload-time = "2026-03-11T22:19:01.739Z" },
+    { url = "https://files.pythonhosted.org/packages/c8/ad/010925c2116c21ce119f9c2ff18d01f48a19ade3ff4c5795da03ce5829fc/ujson-5.12.0-cp314-cp314t-manylinux_2_24_i686.manylinux_2_28_i686.whl", hash = "sha256:02f93da7a4115e24f886b04fd56df1ee8741c2ce4ea491b7ab3152f744ad8f8e", size = 60618, upload-time = "2026-03-11T22:19:03.101Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/74/db7f638bf20282b1dccf454386cbd483faaaed3cdbb9cb27e06f74bb109e/ujson-5.12.0-cp314-cp314t-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:3ff4ede90ed771140caa7e1890de17431763a483c54b3c1f88bd30f0cc1affc0", size = 58151, upload-time = "2026-03-11T22:19:04.175Z" },
+    { url = "https://files.pythonhosted.org/packages/9c/7e/3ebaecfa70a2e8ce623db8e21bd5cb05d42a5ef943bcbb3309d71b5de68d/ujson-5.12.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:a7bf9cc97f05048ac8f3e02cd58f0fe62b901453c24345bfde287f4305dcc31c", size = 1038117, upload-time = "2026-03-11T22:19:05.558Z" },
+    { url = "https://files.pythonhosted.org/packages/2e/aa/e073eda7f0036c2973b28db7bb99faba17a932e7b52d801f9bb3e726271f/ujson-5.12.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:2324d9a0502317ffc35d38e153c1b2fa9610ae03775c9d0f8d0cca7b8572b04e", size = 1197434, upload-time = "2026-03-11T22:19:06.92Z" },
+    { url = "https://files.pythonhosted.org/packages/1c/01/b9a13f058fdd50c746b192c4447ca8d6352e696dcda912ccee10f032ff85/ujson-5.12.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:50524f4f6a1c839714dbaff5386a1afb245d2d5ec8213a01fbc99cea7307811e", size = 1090401, upload-time = "2026-03-11T22:19:08.383Z" },
+    { url = "https://files.pythonhosted.org/packages/c4/37/3d1b4e0076b6e43379600b5229a5993db8a759ff2e1830ea635d876f6644/ujson-5.12.0-cp314-cp314t-win32.whl", hash = "sha256:f7a0430d765f9bda043e6aefaba5944d5f21ec43ff4774417d7e296f61917382", size = 41880, upload-time = "2026-03-11T22:19:09.671Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/c5/3c2a262a138b9f0014fe1134a6b5fdc2c54245030affbaac2fcbc0632138/ujson-5.12.0-cp314-cp314t-win_amd64.whl", hash = "sha256:ccbfd94e59aad4a2566c71912b55f0547ac1680bfac25eb138e6703eb3dd434e", size = 46365, upload-time = "2026-03-11T22:19:10.662Z" },
+    { url = "https://files.pythonhosted.org/packages/83/40/956dc20b7e00dc0ff3259871864f18dab211837fce3478778bedb3132ac1/ujson-5.12.0-cp314-cp314t-win_arm64.whl", hash = "sha256:42d875388fbd091c7ea01edfff260f839ba303038ffb23475ef392012e4d63dd", size = 40398, upload-time = "2026-03-11T22:19:11.666Z" },
 ]
 
 [[package]]
@@ -3791,11 +3791,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.7.0"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
 
 [package.optional-dependencies]

web/README.md

@@ -3,27 +3,6 @@
 This is the default UI for the authentik server. The documentation is going to be a little sparse
 for awhile, but at least let's get started.
 
-# Setup
-
-Install dependencies from the repo root with `make node-install` (or `make install` for the full
-Python + web + docs bootstrap). This wraps `npm ci` and explicitly rebuilds the small set of
-packages whose install scripts are required for the toolchain to function — currently `esbuild`,
-`chromedriver`, `tree-sitter`, and `tree-sitter-json`.
-
-The repo-root `.npmrc` sets `ignore-scripts=true` to neutralize the dominant npm supply-chain
-attack vector. As a side effect, running `npm ci` directly in this directory will install
-dependencies but skip those rebuilds, leaving `esbuild` and `chromedriver` in a non-functional
-state. If you bypass `make`, run the rebuild step yourself:
-
-```bash
-npm rebuild --ignore-scripts=false --foreground-scripts \
-    esbuild chromedriver tree-sitter tree-sitter-json
-```
-
-New dependencies that ship install scripts must be audited and added to `TRUSTED_INSTALL_SCRIPTS`
-in the repo-root `Makefile`. Each entry is arbitrary code that runs at install time, so the list
-is intentionally small.
-
 # The Theory of the authentik UI
 
 In Peter Naur's 1985 essay [Programming as Theory

web/icons/brand.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="d" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3064.87 487.37"><defs><symbol id="a" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="2865.3" height="437.72" transform="translate(99.78 24.83)" xlink:href="#a"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 144.29"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M106,41.08h25.39v101.2H106v-10.7a50,50,0,0,1-14.92,10.19,41.84,41.84,0,0,1-16.21,3.11q-19.61,0-33.91-15.21T26.64,91.86q0-23.43,13.85-38.41t33.63-15a42.78,42.78,0,0,1,17.09,3.44A46.82,46.82,0,0,1,106,52.24ZM79.29,61.91a25.65,25.65,0,0,0-19.56,8.33q-7.78,8.33-7.79,21.34t7.93,21.58a25.66,25.66,0,0,0,19.51,8.47,26.15,26.15,0,0,0,19.84-8.33q7.88-8.33,7.88-21.81,0-13.2-7.88-21.39T79.29,61.91Z"/><path class="cls-1" d="M168.39,41.08h25.67V89.82q0,14.22,2,19.76a17.24,17.24,0,0,0,6.29,8.61A18.06,18.06,0,0,0,213,121.26a18.6,18.6,0,0,0,10.77-3,17.7,17.7,0,0,0,6.57-8.88q1.59-4.36,1.59-18.7V41.08h25.39V84q0,26.51-4.18,36.27a39.6,39.6,0,0,1-15.07,18.28q-10,6.38-25.3,6.37-16.65,0-26.93-7.44T171.36,116.7q-3-9.21-3-33.49Z"/><path class="cls-1" d="M297.3,3.78h25.39v37.3h15.07V62.93H322.69v79.35H297.3V62.93h-13V41.08h13Z"/><path class="cls-1" d="M362.86,2h25.21v49.3a57.74,57.74,0,0,1,15-9.63,38.56,38.56,0,0,1,15.25-3.21,34.36,34.36,0,0,1,25.39,10.42q8.83,9,8.84,26.51v66.88h-25V97.91q0-17.58-1.68-23.81t-5.71-9.3a16.07,16.07,0,0,0-10-3.07,18.85,18.85,0,0,0-13.26,5.11q-5.53,5.11-7.67,14-1.12,4.56-1.12,20.84v40.65H362.86Z"/><path class="cls-1" d="M589.91,99H508.33q1.77,10.78,9.44,17.16t19.58,6.37a33.86,33.86,0,0,0,24.46-10l21.4,10a50.54,50.54,0,0,1-19.16,16.79q-11.16,5.44-26.51,5.44-23.82,0-38.79-15t-15-37.63q0-23.16,14.93-38.46t37.44-15.3q23.91,0,38.88,15.3t15,40.42Zm-25.4-20a25.48,25.48,0,0,0-9.92-13.77A28.81,28.81,0,0,0,537.4,60a30.42,30.42,0,0,0-18.64,5.95q-5,3.72-9.31,13.12Z"/><path class="cls-1" d="M621.89,41.08h25.39V51.45q8.64-7.29,15.65-10.13a37.82,37.82,0,0,1,14.35-2.85A34.77,34.77,0,0,1,702.83,49q8.82,8.94,8.82,26.42v66.88H686.54V98q0-18.12-1.63-24.06a16.44,16.44,0,0,0-5.66-9.06,15.8,15.8,0,0,0-10-3.11,18.73,18.73,0,0,0-13.23,5.15Q650.53,72,648.4,81.14q-1.12,4.74-1.12,20.54v40.6H621.89Z"/><path class="cls-1" d="M750.71,3.78H776.1v37.3h15.07V62.93H776.1v79.35H750.71V62.93h-13V41.08h13Z"/><path class="cls-1" d="M826.09-.6a15.55,15.55,0,0,1,11.45,4.84A16.08,16.08,0,0,1,842.31,16a15.87,15.87,0,0,1-4.72,11.58,15.34,15.34,0,0,1-11.32,4.79,15.6,15.6,0,0,1-11.55-4.88A16.35,16.35,0,0,1,810,15.59a15.57,15.57,0,0,1,4.73-11.44A15.53,15.53,0,0,1,826.09-.6Z"/><rect class="cls-1" x="813.39" y="41.08" width="25.39" height="101.2"/><path class="cls-1" d="M873.47,2h25.39V82.8l37.39-41.72h31.89l-43.59,48.5,48.81,52.7H941.83l-43-46.64v46.64H873.47Z"/></svg>

web/icons/icon.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="c" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1000 1000"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(1 117.03)" xlink:href="#a"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 1000"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><rect class="cls-1" x="546.66" y="275.34" width="34.99" height="99.97"/><rect class="cls-1" x="637.66" y="271.13" width="34.99" height="78.19"/><path class="cls-1" d="M127.64,385.31a127.57,127.57,0,0,0-112.13,66.9H74.82c26.27-22.67,64.42-29.28,92,0h62.8C205.11,419.06,168.36,385.31,127.64,385.31Z"/><path class="cls-1" d="M212.39,512.53C130.55,683.65-12.89,537.81,74.82,452.21H15.51C-31,533.33,33.3,642.73,127.64,640.24c73,0,133.2-108.3,133.2-127.46,0-8.47-11.78-34.33-31.2-60.57h-62.8C187.65,471.08,205.81,498.56,212.39,512.53Zm2.17-5h0Z"/><path class="cls-1" d="M999.94,274.11V725.89c0,86.58-70.42,157.06-157.05,157.06H776.22V729.12H457.88V883H391.22c-86.64,0-157.06-70.48-157.06-157.06V583.81H738.87V312.11H495.24V464.76H234.16V274.11a151.29,151.29,0,0,1,1.06-18,154.4,154.4,0,0,1,3.88-21.15c.58-2.23,1.23-4.46,1.88-6.64a13.66,13.66,0,0,1,.52-1.64c.36-1.12.71-2.17,1.06-3.23s.76-2.17,1.18-3.23c.47-1.23.88-2.41,1.35-3.58s1-2.35,1.47-3.53a159,159,0,0,1,14.27-26.49c.06-.06.12-.17.17-.23,1.41-2.06,2.88-4.11,4.41-6.17,1.29-1.7,2.58-3.35,3.88-5,1.52-1.82,3.11-3.7,4.69-5.46s3.12-3.47,4.76-5.11l.18-.18a36.53,36.53,0,0,1,2.64-2.64,159.75,159.75,0,0,1,18.68-15.63c1.76-1.29,3.64-2.52,5.52-3.76,2.11-1.35,4.23-2.64,6.4-3.93,4.11-2.41,8.28-4.64,12.63-6.64,1.35-.64,2.76-1.29,4.11-1.88a152.81,152.81,0,0,1,18.38-6.63c2.41-.71,4.82-1.35,7.29-1.94,1.17-.3,2.35-.59,3.58-.82a158.5,158.5,0,0,1,21.26-3.12l3.12-.17c.52,0,1-.06,1.52-.06,2.35-.12,4.76-.18,7.17-.18H842.89c2.4,0,4.81.06,7.16.18.53,0,1,.06,1.53.06l3.11.17A158.26,158.26,0,0,1,876,120.58c1.24.23,2.41.52,3.59.82,2.46.59,4.87,1.23,7.28,1.94A152.81,152.81,0,0,1,905.2,130c1.35.59,2.76,1.24,4.11,1.88,4.35,2,8.52,4.23,12.63,6.64,2.18,1.29,4.29,2.58,6.4,3.93,1.88,1.24,3.76,2.47,5.52,3.76a157.53,157.53,0,0,1,21.5,18.45c1.65,1.64,3.23,3.34,4.76,5.11s3.17,3.64,4.7,5.46c1.29,1.64,2.58,3.29,3.87,5,1.53,2.06,3,4.11,4.41,6.17.06.06.12.17.18.23a159.71,159.71,0,0,1,14.27,26.49c.47,1.18,1,2.35,1.47,3.53s.88,2.35,1.35,3.58c.41,1.06.82,2.11,1.17,3.23s.71,2.11,1.06,3.23a15.74,15.74,0,0,1,.53,1.64c.64,2.18,1.29,4.41,1.88,6.64a155.92,155.92,0,0,1,3.87,21.15A151.29,151.29,0,0,1,999.94,274.11Z"/><path class="cls-1" d="M973.27,186.59H260.84A157.05,157.05,0,0,1,391.2,117.07H842.9A157.08,157.08,0,0,1,973.27,186.59Z"/><path class="cls-1" d="M998.94,256.1H235.16a155.35,155.35,0,0,1,25.68-69.51H973.27A155.34,155.34,0,0,1,998.94,256.1Z"/><path class="cls-1" d="M1000,274.11v51.51H738.87V312.11H495.24v13.51H234.1V274.11a153.41,153.41,0,0,1,1.06-18H998.94A151.29,151.29,0,0,1,1000,274.11Z"/><rect class="cls-1" x="234.1" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="738.87" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="234.1" y="395.16" width="261.13" height="69.48"/><rect class="cls-1" x="738.87" y="395.16" width="261.13" height="69.48"/></svg>

web/icons/icon_left_brand.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="i" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3767.3 592.89"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol><symbol id="c" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(28.54 36.14) scale(.68)" xlink:href="#a"/><use width="2865.3" height="437.72" transform="translate(802.22 67.81)" xlink:href="#c"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 994.71 151.65"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M284.72,50.4H305.5v82.84H284.72v-8.76a40.79,40.79,0,0,1-12.21,8.34,34.14,34.14,0,0,1-13.27,2.55q-16.05,0-27.76-12.45T219.77,92q0-19.18,11.33-31.45t27.53-12.26a34.94,34.94,0,0,1,14,2.82,38.32,38.32,0,0,1,12.1,8.45ZM262.87,67.45a21,21,0,0,0-16,6.82q-6.37,6.81-6.38,17.47T247,109.4a21,21,0,0,0,16,6.93,21.42,21.42,0,0,0,16.24-6.81q6.45-6.81,6.45-17.86,0-10.8-6.45-17.51A21.71,21.71,0,0,0,262.87,67.45Z"/><path class="cls-1" d="M335.8,50.4h21V90.29q0,11.65,1.6,16.18a14.16,14.16,0,0,0,5.16,7,14.76,14.76,0,0,0,8.74,2.51,15.25,15.25,0,0,0,8.81-2.48,14.49,14.49,0,0,0,5.38-7.27q1.31-3.57,1.3-15.3V50.4h20.79V85.5q0,21.69-3.43,29.69a32.32,32.32,0,0,1-12.33,15q-8.16,5.22-20.71,5.22-13.64,0-22.05-6.09a32.2,32.2,0,0,1-11.84-17q-2.43-7.55-2.43-27.41Z"/><path class="cls-1" d="M441.32,19.86H462.1V50.4h12.34V68.29H462.1v65H441.32V68.29H430.66V50.4h10.66Z"/><path class="cls-1" d="M495,18.42h20.63V58.77a47.41,47.41,0,0,1,12.26-7.88,31.62,31.62,0,0,1,12.49-2.63,28.13,28.13,0,0,1,20.78,8.53q7.23,7.4,7.24,21.7v54.75H547.9V96.92q0-14.4-1.37-19.49a13.6,13.6,0,0,0-4.68-7.62,13.19,13.19,0,0,0-8.18-2.51,15.43,15.43,0,0,0-10.85,4.19,22.14,22.14,0,0,0-6.28,11.42q-.91,3.72-.92,17v33.28H495Z"/><path class="cls-1" d="M680.84,97.83H614.06a22.25,22.25,0,0,0,7.73,14q6.29,5.22,16,5.21a27.7,27.7,0,0,0,20-8.14l17.51,8.22a41.31,41.31,0,0,1-15.68,13.74q-9.13,4.46-21.7,4.46-19.5,0-31.75-12.3T594,92.27q0-19,12.22-31.48t30.65-12.53q19.56,0,31.82,12.53t12.26,33.08ZM660.05,81.46a20.87,20.87,0,0,0-8.12-11.27,23.61,23.61,0,0,0-14.08-4.34,24.88,24.88,0,0,0-15.25,4.88q-4.11,3-7.62,10.73Z"/><path class="cls-1" d="M707,50.4H727.8v8.49a50.15,50.15,0,0,1,12.81-8.3,31.08,31.08,0,0,1,11.75-2.33,28.44,28.44,0,0,1,20.91,8.61q7.22,7.31,7.22,21.62v54.75H759.93V97q0-14.83-1.33-19.7A13.48,13.48,0,0,0,754,69.85a13,13,0,0,0-8.16-2.55A15.32,15.32,0,0,0,735,71.52a22.6,22.6,0,0,0-6.27,11.67q-.9,3.89-.91,16.81v33.24H707Z"/><path class="cls-1" d="M812.46,19.86h20.79V50.4h12.33V68.29H833.25v65H812.46V68.29H801.8V50.4h10.66Z"/><path class="cls-1" d="M874.16,16.29a12.74,12.74,0,0,1,9.38,3.95,13.18,13.18,0,0,1,3.91,9.6,13,13,0,0,1-3.87,9.48,12.6,12.6,0,0,1-9.27,3.92,12.73,12.73,0,0,1-9.45-4A13.39,13.39,0,0,1,861,29.53a12.78,12.78,0,0,1,3.87-9.36A12.71,12.71,0,0,1,874.16,16.29Z"/><rect class="cls-1" x="863.77" y="50.4" width="20.79" height="82.84"/><path class="cls-1" d="M913,18.42h20.78V84.55L964.34,50.4h26.11L954.76,90.1l40,43.14h-25.8L933.73,95.06v38.18H913Z"/><rect class="cls-1" x="107.1" y="34.93" width="6.37" height="18.2"/><rect class="cls-1" x="123.67" y="34.16" width="6.37" height="14.23"/><path class="cls-1" d="M30.83,55A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,78.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/><path class="cls-1" d="M189.62,34.71V117A28.62,28.62,0,0,1,161,145.54H148.89v-28H90.94v28H78.81A28.62,28.62,0,0,1,50.22,117V91.08h91.87V41.62H97.74V69.41H50.22V34.71a27.43,27.43,0,0,1,.19-3.29,27.09,27.09,0,0,1,.71-3.84c.1-.41.22-.82.34-1.21a2.13,2.13,0,0,1,.09-.3c.07-.21.13-.4.2-.59s.14-.4.21-.59.16-.44.25-.65.18-.43.26-.64a29.35,29.35,0,0,1,2.6-4.82l0-.05c.26-.37.53-.75.81-1.12s.47-.61.7-.91.57-.67.86-1,.56-.63.86-.93l0,0a4.53,4.53,0,0,1,.49-.49,29.23,29.23,0,0,1,3.4-2.84c.32-.24.66-.46,1-.68s.77-.49,1.17-.72a23.78,23.78,0,0,1,2.29-1.21l.75-.34a27.84,27.84,0,0,1,3.35-1.21c.44-.13.88-.24,1.33-.35a6.19,6.19,0,0,1,.65-.15,28.86,28.86,0,0,1,3.87-.57l.56,0h.28c.43,0,.87,0,1.31,0H161c.43,0,.87,0,1.3,0h.28l.56,0a29.25,29.25,0,0,1,3.88.57c.22,0,.43.09.65.15.45.11.88.22,1.32.35a27.23,27.23,0,0,1,3.35,1.21l.75.34a25.19,25.19,0,0,1,2.3,1.21c.39.23.78.47,1.16.72s.69.44,1,.68a29.23,29.23,0,0,1,3.91,3.36q.45.45.87.93c.29.32.57.66.85,1l.71.91c.28.37.54.75.8,1.12l0,.05a28.61,28.61,0,0,1,2.6,4.82l.27.64.24.65c.08.19.15.39.22.59l.19.59c0,.09.06.19.1.3.11.39.23.8.34,1.21a28.56,28.56,0,0,1,.7,3.84A27.42,27.42,0,0,1,189.62,34.71Z"/><path class="cls-1" d="M184.76,18.78H55.07A28.59,28.59,0,0,1,78.8,6.12H161A28.59,28.59,0,0,1,184.76,18.78Z"/><path class="cls-1" d="M189.43,31.43H50.4a28.29,28.29,0,0,1,4.67-12.65H184.76A28.17,28.17,0,0,1,189.43,31.43Z"/><path class="cls-1" d="M189.63,34.71v9.37H142.09V41.62H97.74v2.46H50.21V34.71a27.43,27.43,0,0,1,.19-3.29h139A27.42,27.42,0,0,1,189.63,34.71Z"/><rect class="cls-1" x="50.21" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="142.09" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="50.21" y="56.74" width="47.54" height="12.65"/><rect class="cls-1" x="142.09" y="56.74" width="47.54" height="12.65"/></svg>

web/logger/browser.js

@@ -63,7 +63,7 @@ const LogLevelColors = /** @type {const} */ ({
  * Creates a logger with the given prefix.
  *
  * @param {string} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  *
  */

web/package.json

@@ -97,7 +97,7 @@
         "@codemirror/theme-one-dark": "^6.1.3",
         "@eslint/js": "^9.39.3",
         "@floating-ui/dom": "^1.7.6",
-        "@formatjs/intl-listformat": "^8.3.5",
+        "@formatjs/intl-listformat": "^8.3.4",
         "@fortawesome/fontawesome-free": "^7.2.0",
         "@goauthentik/api": "0.0.0",
         "@goauthentik/core": "^1.0.0",
@@ -127,15 +127,14 @@
         "@types/codemirror": "^5.60.17",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "^1.5.5",
-        "@types/node": "^25.6.2",
+        "@types/node": "^25.6.0",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
         "@typescript-eslint/eslint-plugin": "^8.57.2",
         "@typescript-eslint/parser": "^8.57.2",
         "@typescript-eslint/utils": "^8.57.2",
-        "@typescript/native-preview": "^7.0.0-dev.20260421.2",
-        "@vitest/browser": "^4.1.6",
-        "@vitest/browser-playwright": "^4.1.6",
+        "@vitest/browser": "^4.1.5",
+        "@vitest/browser-playwright": "^4.0.15",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "change-case": "^5.4.4",
@@ -152,28 +151,28 @@
         "eslint-plugin-lit": "^2.2.1",
         "eslint-plugin-wc": "^3.1.0",
         "fuse.js": "^7.3.0",
-        "globals": "^17.6.0",
+        "globals": "^17.5.0",
         "guacamole-common-js": "^1.5.0",
         "hastscript": "^9.0.1",
-        "knip": "^6.11.0",
+        "knip": "^6.9.0",
         "lex": "^2025.11.0",
         "lit": "^3.3.2",
         "lit-analyzer": "^2.0.3",
         "lit-element": "^4.2.2",
         "lit-html": "^3.3.2",
         "md-front-matter": "^1.0.4",
-        "mermaid": "^11.15.0",
+        "mermaid": "^11.14.0",
         "node-domexception": "^2025.11.0",
         "npm-run-all": "^4.1.5",
         "pino": "^10.3.1",
         "pino-pretty": "^13.1.2",
-        "playwright": "^1.60.0",
+        "playwright": "^1.58.2",
         "prettier": "^3.8.3",
         "prettier-plugin-packagejson": "^3.0.2",
         "pseudolocale": "^2.2.0",
         "rapidoc": "^9.3.8",
-        "react": "^19.2.6",
-        "react-dom": "^19.2.6",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
         "rehype-highlight": "^7.0.2",
         "rehype-mermaid": "^3.0.0",
         "rehype-parse": "^9.0.1",
@@ -184,7 +183,6 @@
         "remark-mdx-frontmatter": "^5.2.0",
         "storybook": "^10.2.1",
         "style-mod": "^4.1.3",
-        "stylelint": "^17.11.0",
         "trusted-types": "^2.0.0",
         "ts-pattern": "^5.9.0",
         "turnstile-types": "^1.2.3",
@@ -192,8 +190,8 @@
         "typescript": "^6.0.3",
         "typescript-eslint": "^8.57.2",
         "unist-util-visit": "^5.1.0",
-        "vite": "^8.0.12",
-        "vitest": "^4.1.6",
+        "vite": "^8.0.10",
+        "vitest": "^4.1.1",
         "webcomponent-qr-code": "^1.3.0",
         "wireit": "^0.14.12",
         "yaml": "^2.8.4"
@@ -204,7 +202,8 @@
         "@esbuild/linux-x64": "^0.28.0",
         "@rollup/rollup-darwin-arm64": "^4.57.1",
         "@rollup/rollup-linux-arm64-gnu": "^4.57.1",
-        "@rollup/rollup-linux-x64-gnu": "^4.57.1"
+        "@rollup/rollup-linux-x64-gnu": "^4.57.1",
+        "chromedriver": "^147.0.4"
     },
     "workspaces": [
         "./packages/*"
@@ -261,7 +260,10 @@
             "command": "lit-analyzer src"
         },
         "lint:types": {
-            "command": "tsgo -p .",
+            "command": "tsc -p .",
+            "env": {
+                "NODE_OPTIONS": "--max_old_space_size=8192"
+            },
             "dependencies": [
                 "build-locales"
             ]
@@ -290,7 +292,10 @@
             }
         },
         "tsc": {
-            "command": "tsgo -p .",
+            "command": "tsc -p .",
+            "env": {
+                "NODE_OPTIONS": "--max_old_space_size=8192"
+            },
             "dependencies": [
                 "build-locales"
             ]
@@ -327,8 +332,7 @@
             "typescript": "$typescript"
         },
         "@mrmarble/djangoql-completion": {
-            "lex": "$lex",
-            "lodash": "^4.18.1"
+            "lex": "$lex"
         },
         "@typescript-eslint/eslint-plugin": {
             "typescript": "$typescript"
@@ -336,9 +340,6 @@
         "@typescript-eslint/parser": {
             "typescript": "$typescript"
         },
-        "@typescript-eslint/typescript-estree": {
-            "typescript": "$typescript"
-        },
         "@typescript-eslint/utils": {
             "typescript": "$typescript"
         },
@@ -353,9 +354,6 @@
         },
         "typescript-eslint": {
             "typescript": "$typescript"
-        },
-        "wireit": {
-            "brace-expansion": "^1.1.14"
         }
     }
 }

web/packages/core/package.json

@@ -45,7 +45,7 @@
     },
     "dependencies": {
         "@goauthentik/tsconfig": "^1.0.9",
-        "@types/node": "^25.6.2",
+        "@types/node": "^25.6.0",
         "@types/semver": "^7.7.1",
         "semver": "^7.7.4",
         "typescript": "^6.0.3"

web/packages/lex/index.js

@@ -25,7 +25,7 @@
  *
  * @callback LexerAction
  * @this {Lexer}
- * @param {...string[]} match
+ * @param {...string} match
  * @returns {Token | Token[] | null | void}
  */
 

web/src/admin/providers/saml/SAMLProviderViewPage.ts

@@ -391,20 +391,28 @@ export class SAMLProviderViewPage extends AKElement {
                                       <div class="pf-c-form__group">
                                           <label class="pf-c-form__label">
                                               <span class="pf-c-form__label-text"
-                                                  >${msg("SAML Endpoint")}</span
+                                                  >${msg("SSO URL (Post)")}</span
                                               >
                                           </label>
                                           <input
                                               class="pf-c-form-control"
                                               readonly
                                               type="text"
-                                              value="${ifDefined(this.provider.urlUnified)}"
+                                              value="${ifDefined(this.provider.urlSsoPost)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SSO URL (Redirect)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSsoRedirect)}"
                                           />
-                                          <p class="pf-c-form__helper-text">
-                                              ${msg(
-                                                  "SAML provider endpoint. Use this URL for SP configuration.",
-                                              )}
-                                          </p>
                                       </div>
                                       <div class="pf-c-form__group">
                                           <label class="pf-c-form__label">
@@ -416,7 +424,33 @@ export class SAMLProviderViewPage extends AKElement {
                                               class="pf-c-form-control"
                                               readonly
                                               type="text"
-                                              value="${ifDefined(this.provider.urlUnifiedInit)}"
+                                              value="${ifDefined(this.provider.urlSsoInit)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SLO URL (Post)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSloPost)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SLO URL (Redirect)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSloRedirect)}"
                                           />
                                       </div>
                                   </form>

web/src/admin/users/UserViewPage.ts

@@ -54,7 +54,7 @@ import { ToggleUserActivationButton } from "#admin/users/UserActiveForm";
 import { UserForm } from "#admin/users/UserForm";
 import { UserImpersonateForm } from "#admin/users/UserImpersonateForm";
 
-import { CapabilitiesEnum, CoreApi, ModelEnum, User, UserTypeEnum } from "@goauthentik/api";
+import { CapabilitiesEnum, CoreApi, ModelEnum, User } from "@goauthentik/api";
 
 import { msg, str } from "@lit/localize";
 import { css, html, PropertyValues, TemplateResult } from "lit";
@@ -192,10 +192,7 @@ export class UserViewPage extends WithLicenseSummary(
     protected renderActionButtons(user: User) {
         const showImpersonate =
             this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
-        const showLockdown =
-            this.hasEnterpriseLicense &&
-            user.pk !== this.currentUser?.pk &&
-            user.type !== UserTypeEnum.InternalServiceAccount;
+        const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
 
         const displayName = formatUserDisplayName(user);
 

web/src/admin/users/ak-user-wizard.ts

@@ -11,8 +11,6 @@ import { CreateWizard } from "#elements/wizard/CreateWizard";
 import { TypeCreateWizardPageLayouts } from "#elements/wizard/TypeCreateWizardPage";
 import { WizardPage } from "#elements/wizard/WizardPage";
 
-import { ButtonKindLabelRecord } from "#components/ak-wizard/shared";
-
 import { UserForm } from "#admin/users/UserForm";
 
 import { TypeCreate, UserServiceAccountResponse, UserTypeEnum } from "@goauthentik/api";
@@ -59,7 +57,7 @@ export interface UserWizardState {
 export class ServiceAccountResultPage extends WizardPage<UserWizardState> {
     public static styles: CSSResult[] = [PFForm, PFFormControl];
 
-    public override headline = msg("View Credentials");
+    public override headline = msg("Review Credentials");
 
     @state()
     protected result: UserServiceAccountResponse | null = null;
@@ -77,10 +75,6 @@ export class ServiceAccountResultPage extends WizardPage<UserWizardState> {
         this.host.cancelable = false;
     };
 
-    public formatNextLabel(): SlottedTemplateResult | null {
-        return ButtonKindLabelRecord.close();
-    }
-
     public override nextCallback = async (): Promise<boolean> => true;
 
     protected override render(): SlottedTemplateResult {

web/src/components/ak-wizard/WizardStep.ts

@@ -58,10 +58,9 @@ export abstract class WizardStep extends AKElement {
 
             .pf-c-wizard__main-body {
                 display: flex;
-                flex-flow: column;
+                flex-flow: row wrap;
 
                 & > * {
-                    width: 100%;
                     flex: 1 1 auto;
                 }
             }

web/src/elements/ak-drawer/ak-drawer.component.ts

@@ -1,73 +1,32 @@
-import AKDrawer from "./ak-drawer.styles";
-import { DrawerResizeController } from "./drawerResizeController";
+import Style from "./ak-drawer.css";
 
-import { html, LitElement, nothing, PropertyValues } from "lit";
+import { AKElement } from "#elements/Base";
+import { classList } from "#elements/directives/class-list";
+
+import { html } from "lit";
 import { property } from "lit/decorators.js";
 
-export class DrawerExpandRequest extends Event {
-    static readonly eventName = "ak-drawer-expand-request";
-    expanded: boolean | null = null;
+import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
 
-    constructor(expanded: boolean | null = null) {
-        super(DrawerExpandRequest.eventName, { bubbles: true, composed: true });
-        this.expanded = expanded;
-    }
-}
-
-export class AkDrawer extends LitElement {
-    static readonly styles = [AKDrawer];
-
-    @property({ type: Boolean })
-    public resizable = false;
+export class Drawer extends AKElement {
+    static readonly styles = [PFDrawer, Style];
 
     @property({ type: Boolean, reflect: true })
-    public expanded = false;
+    public open = false;
 
-    @property({ type: Boolean, reflect: true })
-    public resizing = false;
+    render() {
+        const open = [(this.open && "pf-m-expanded") || "pf-m-collapsed"];
 
-    @property({ type: String, reflect: true })
-    public width = "33";
-
-    private resize = new DrawerResizeController(this);
-
-    onDrawerRequest = (ev: DrawerExpandRequest) => {
-        ev.stopPropagation();
-        this.expanded = ev.expanded === null ? !this.expanded : ev.expanded;
-    };
-
-    constructor() {
-        super();
-        this.addEventListener(DrawerExpandRequest.eventName, this.onDrawerRequest);
-    }
-
-    public override render() {
         return html`
-            <div class="ak-v2-c-drawer" part="drawer">
-                <div class="ak-v2-c-drawer__main" part="drawer-main">
-                    <div class="ak-v2-c-drawer__content" part="drawer-content">
-                        <div class="ak-v2-c-drawer__body" part="drawer-body">
-                            <slot></slot>
+            <div class="pf-c-page__drawer">
+                <div class="pf-c-drawer ${classList(open)}" id="flow-drawer">
+                    <div class="pf-c-drawer__main">
+                        <div class="pf-c-drawer__content">
+                            <div class="pf-c-drawer__body">
+                                <slot></slot>
+                            </div>
                         </div>
-                    </div>
-                    <div class="ak-v2-c-drawer__panel" part="drawer-panel">
-                        ${this.resizable
-                            ? html` <div
-                                  class="ak-v2-c-drawer__splitter"
-                                  part="drawer-splitter"
-                                  @mousedown=${this.resize.handleMouseDown}
-                                  @keydown=${this.resize.handleKeyDown}
-                                  @touchstart=${this.resize.handleTouchStart}
-                                  role="separator"
-                                  tabindex="0"
-                              >
-                                  <div
-                                      class="ak-v2-c-drawer__splitter-handle"
-                                      aria-hidden="true"
-                                  ></div>
-                              </div>`
-                            : nothing}
-                        <div class="ak-v2-c-drawer__panel-main" part="drawer-panel-main">
+                        <div class="pf-c-drawer__panel pf-m-width-33">
                             <slot name="panel"></slot>
                         </div>
                     </div>
@@ -75,26 +34,4 @@ export class AkDrawer extends LitElement {
             </div>
         `;
     }
-
-    public override updated(changed: PropertyValues<this>) {
-        super.updated(changed);
-
-        // Simulate the behavior of summary/details, another disclosure pattern.
-        const expanded = changed.get("expanded");
-        if (expanded !== undefined) {
-            const expandedMsg = (i: boolean) => (i ? "open" : "closed");
-            this.dispatchEvent(
-                new ToggleEvent("toggle", {
-                    newState: expandedMsg(this.expanded),
-                    oldState: expandedMsg(expanded),
-                }),
-            );
-        }
-    }
-}
-
-declare global {
-    interface GlobalEventHandlersEventMap {
-        [DrawerExpandRequest.eventName]: DrawerExpandRequest;
-    }
 }

web/src/elements/ak-drawer/ak-drawer.css

@@ -0,0 +1,40 @@
+slot {
+    display: content;
+}
+
+[data-theme="dark"] {
+    --pf-c-drawer__panel--BackgroundColor: var(--ak-dark-background);
+}
+
+.pf-c-drawer {
+    /* TODO: Revisit this after native <dialog> modals are implemented. */
+    --pf-c-drawer__content--ZIndex: auto;
+}
+
+.pf-c-drawer__body {
+    display: flex;
+    flex-flow: column;
+}
+
+.pf-c-drawer__content {
+    --pf-c-drawer__content--BackgroundColor: transparent;
+}
+
+.pf-c-drawer {
+    .pf-c-drawer__panel {
+        background-color: var(--pf-c-drawer__panel--BackgroundColor);
+
+        transition-behavior: allow-discrete;
+
+        gap: var(--pf-global--spacer--sm);
+
+        @media (width > 768px) {
+            flex-flow: row;
+
+            .pf-c-drawer__panel_content {
+                flex: 1 1 auto;
+                max-width: 33dvw;
+            }
+        }
+    }
+}