typo

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
get rustup from docker image
2026-05-07 15:42:48 +02:00 · 2026-04-02 13:33:03 +02:00 · 2026-04-02 13:30:02 +02:00 · 2026-04-02 13:01:22 +02:00 · 2026-04-02 11:00:01 +00:00 · 2026-04-02 12:37:08 +02:00
3551 changed files with 781931 additions and 25343 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -1,2 +1,5 @@
+[alias]
+t = ["nextest", "run"]
+
 [build]
 rustflags = ["--cfg", "tokio_unstable"]
--- a/.cargo/deny.toml
+++ b/.cargo/deny.toml
@@ -1,16 +1,13 @@
 [licenses]
 allow = [
-  "Apache-2.0 WITH LLVM-exception",
  "Apache-2.0",
  "BSD-3-Clause",
-  "CC0-1.0",
  "CDLA-Permissive-2.0",
  "ISC",
  "MIT",
  "MPL-2.0",
  "OpenSSL",
  "Unicode-3.0",
-  "Zlib",
 ]

 [licenses.private]
--- a/.cargo/rustfmt.toml
+++ b/.cargo/rustfmt.toml
@@ -12,5 +12,4 @@ reorder_impl_items = true
 style_edition = "2024"
 use_field_init_shorthand = true
 use_try_shorthand = true
-where_single_line = true
 wrap_comments = true
--- a/.dockerignore
+++ b/.dockerignore
@@ -9,7 +9,5 @@ build_docs/**
 **/*Dockerfile
 blueprints/local
 .git
-!gen-ts-api/node_modules
-!gen-ts-api/dist/**
-!gen-go-api/
 .venv
+target
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,9 @@
+packages/client-*/** linguist-generated
+web/packages/lex/* linguist-vendored
+web/packages/node-domexception/* linguist-vendored
+web/packages/formdata-polyfill/* linguist-vendored
+web/packages/sfe/vendored/* linguist-vendored
+website/vendored/* linguist-vendored
+website/docs/** linguist-documentation
+website/integrations/** linguist-documentation
+website/api/** linguist-documentation
--- a/.github/actions/cherry-pick/action.yml
+++ b/.github/actions/cherry-pick/action.yml
@@ -115,20 +115,13 @@ runs:
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: ${{ steps.should_run.outputs.pr_number }}
+        REASON: ${{ steps.should_run.outputs.reason }}
      run: |
        set -e -o pipefail
-        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
-
-        # Get PR details
-        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
-        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
-        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
-
-        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
-        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT

        # Determine which labels to process
-        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+        if [ "${REASON}" = "label_added_to_merged_pr" ]; then
          # Only process the specific label that was just added
          if [ "${{ github.event_name }}" = "issues" ]; then
            LABEL_NAME="${{ github.event.label.name }}"
@@ -152,13 +145,13 @@ runs:
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
+        PR_NUMBER: '${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA: '${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE: ${{ github.event.pull_request.title }}
+        PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        LABELS: '${{ steps.pr_details.outputs.labels }}'
      run: |
        set -e -o pipefail
-        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
-        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
-        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
-        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
-        LABELS='${{ steps.pr_details.outputs.labels }}'

        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
        echo "Found backport labels: $LABELS"
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -8,6 +8,11 @@ inputs:
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
+  working-directory:
+    description: |
+      Optional working directory if this repo isn't in the root of the actions workspace.
+      When set, needs to contain a trailing slash
+    default: ""

 runs:
  using: "composite"
@@ -22,57 +27,62 @@ runs:
        sudo rm -rf /usr/local/lib/android
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v5
+      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v5
      with:
        enable-cache: true
    - name: Setup python
      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
      with:
-        python-version-file: "pyproject.toml"
+        python-version-file: "${{ inputs.working-directory }}pyproject.toml"
    - name: Install Python deps
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: uv sync --all-extras --dev --frozen
    - name: Setup rust (stable)
      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
+      with:
+        rustflags: ""
    - name: Setup rust (nightly)
      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
      with:
        toolchain: nightly
        components: rustfmt
+        rustflags: ""
    - name: Setup rust dependencies
      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@64c5c20c872907b6f7cd50994ac189e7274160f2 # v2
+      uses: taiki-e/install-action@0cccd59f03b32c54f0db097c518c320bfc8c73b3 # v2
      with:
        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
    - name: Setup node (web)
      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
      with:
-        node-version-file: web/package.json
+        node-version-file: "${{ inputs.working-directory }}web/package.json"
        cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
        registry-url: "https://registry.npmjs.org"
    - name: Setup node (root)
      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
      with:
-        node-version-file: package.json
+        node-version-file: "${{ inputs.working-directory }}package.json"
        cache: "npm"
-        cache-dependency-path: package-lock.json
+        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
        registry-url: "https://registry.npmjs.org"
    - name: Install Node deps
      if: ${{ contains(inputs.dependencies, 'node') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: npm ci
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
      with:
-        go-version-file: "go.mod"
+        go-version-file: "${{ inputs.working-directory }}go.mod"
    - name: Setup docker cache
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
@@ -81,6 +91,7 @@ runs:
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
+      working-directory: ${{ inputs.working-directory }}
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/compose.yml up -d
@@ -88,6 +99,7 @@ runs:
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: uv run python {0}
+      working-directory: ${{ inputs.working-directory }}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/test-results/action.yml
+++ b/.github/actions/test-results/action.yml
@@ -10,12 +10,12 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
      with:
        files: ${{ inputs.files }}
        flags: ${{ inputs.flags }}
        use_oidc: true
-    - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
+    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
      with:
        files: ${{ inputs.files }}
        flags: ${{ inputs.flags }}
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -8,3 +8,6 @@ coverage:
        threshold: 1%
 comment:
  after_n_builds: 3
+ignore:
+  - packages/client-rust
+  - packages/client-ts
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -40,6 +40,17 @@ updates:

  #region Rust

+  - package-ecosystem: cargo
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "core:"
+    labels:
+      - dependencies
+
  - package-ecosystem: rust-toolchain
    directory: "/"
    schedule:
@@ -261,8 +272,10 @@ updates:
      - dependencies
  - package-ecosystem: docker-compose
    directories:
+      - /packages/client-go
+      - /packages/client-rust
+      - /packages/client-ts
      # - /scripts # Maybe
-      - /scripts/api
      - /tests/e2e
    schedule:
      interval: daily
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ REPLACE ME

 If an API change has been made

-   [ ] The API schema has been updated (`make gen-build`)
+-   [ ] The API schema and clients have been updated (`make gen`)

 If changes to the frontend have been made

--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -72,13 +72,9 @@ jobs:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
      - name: Build Docker Image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        id: push
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -90,7 +90,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2
+      - uses: int128/docker-manifest-create-action@44422a4b046d55dc036df622039ed3aec43c613c # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -1,66 +0,0 @@
---
-name: API - Publish Typescript client
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-
-permissions:
-  # Required for NPM OIDC trusted publisher
-  id-token: write
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
-        with:
-          node-version-file: web/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Generate API Client
-        run: make gen-client-ts
-      - name: Publish package
-        working-directory: gen-ts-api/
-        run: |
-          npm i
-          npm publish --tag generated
-      - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-web-api-client
-          commit-message: "web: bump API Client version"
-          title: "web: bump API Client version"
-          body: "web: bump API Client version"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -16,7 +16,6 @@ env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-  RUSTFLAGS: "-Dwarnings"

 permissions:
  # Needed for checkout
@@ -59,16 +58,22 @@ jobs:
          dependencies: ${{ matrix.deps }}
      - name: run job
        run: make ci-lint-${{ matrix.job }}
-  test-gen-build:
+  test-gen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
+        with:
+          dependencies: "system,python,go,node,runtime,rust-nightly"
      - name: generate schema
        run: make migrate gen-build
+      - name: generate API clients
+        run: make gen-clients
      - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json
+        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@@ -144,7 +149,6 @@ jobs:
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
-          PROMETHEUS_MULTIPROC_DIR: /tmp
        run: |
          uv run make ci-test
      - uses: ./.github/actions/test-results
@@ -174,7 +178,6 @@ jobs:
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
-          PROMETHEUS_MULTIPROC_DIR: /tmp
        run: |
          uv run make ci-test
      - uses: ./.github/actions/test-results
@@ -191,8 +194,6 @@ jobs:
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
      - name: run integration
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
        run: |
          uv run coverage run manage.py test tests/integration
          uv run coverage xml
@@ -210,29 +211,38 @@ jobs:
        job:
          - name: proxy
            glob: tests/e2e/test_provider_proxy*
+            profiles: selenium
          - name: oauth
            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
+            profiles: selenium
          - name: oauth-oidc
            glob: tests/e2e/test_provider_oidc*
+            profiles: selenium
          - name: saml
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
+            profiles: selenium
          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
          - name: ws-fed
            glob: tests/e2e/test_provider_ws_fed*
+            profiles: selenium
          - name: radius
            glob: tests/e2e/test_provider_radius*
          - name: scim
            glob: tests/e2e/test_source_scim*
          - name: flows
            glob: tests/e2e/test_flows*
+            profiles: selenium
          - name: endpoints
            glob: tests/e2e/test_endpoints_*
+            profiles: selenium
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup e2e env
+        env:
+          COMPOSE_PROFILES: ${{ matrix.job.profiles }}
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - id: cache-web
@@ -245,12 +255,9 @@ jobs:
        working-directory: web
        run: |
          npm ci
-          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
@@ -275,6 +282,8 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
+        env:
+          COMPOSE_PROFILES: selenium
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - name: Setup conformance suite
@@ -290,12 +299,9 @@ jobs:
        working-directory: web
        run: |
          npm ci
-          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run conformance
-        env:
-          PROMETHEUS_MULTIPROC_DIR: /tmp
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
@@ -335,7 +341,7 @@ jobs:
    if: always()
    needs:
      - lint
-      - test-gen-build
+      - test-gen
      - test-migrations
      - test-migrations-from-stable
      - test-unittest
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -31,8 +31,6 @@ jobs:
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
-      - name: Generate API
-        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
        with:
@@ -43,13 +41,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-go
      - name: prepare database
        run: |
          uv run make migrate
@@ -107,8 +103,6 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
-        run: make gen-client-go
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -148,7 +142,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -156,8 +150,6 @@ jobs:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
-      - name: Generate API
-        run: make gen-client-go
      - name: Build web
        working-directory: web/
        run: |
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -40,8 +40,6 @@ jobs:
      - working-directory: ${{ matrix.project }}/
        run: |
          npm ci
-      - name: Generate API
-        run: make gen-client-ts
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
@@ -56,8 +54,6 @@ jobs:
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
      - name: build
        working-directory: web/
        run: npm run build
@@ -84,8 +80,6 @@ jobs:
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
      - name: test
        working-directory: web/
        run: npm run test || exit 0
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -32,7 +32,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -19,7 +19,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -14,7 +14,7 @@ jobs:
        if: ${{ env.GH_APP_ID != '' }}
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
        env:
          GH_APP_ID: ${{ secrets.GH_APP_ID }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -19,7 +19,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Delete 'dev' containers older than a week
        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
        with:
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -32,7 +32,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Checkout main
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
@@ -60,7 +60,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - name: Checkout main
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -84,7 +84,7 @@ jobs:
          - rac
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -103,10 +103,6 @@ jobs:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
      - name: Docker Login Registry
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
@@ -152,7 +148,7 @@ jobs:
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
@@ -164,10 +160,6 @@ jobs:
        working-directory: web/
        run: |
          npm ci
-      - name: Generate API Clients
-        run: |
-          make gen-client-ts
-          make gen-client-go
      - name: Build web
        working-directory: web/
        run: |
@@ -244,7 +236,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -70,7 +70,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
@@ -118,7 +118,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
          repositories: helm
      - id: get-user-id
        name: Get GitHub app user ID
@@ -160,7 +160,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
          repositories: version
      - id: get-user-id
        name: Get GitHub app user ID
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -18,7 +18,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
        with:
          repo-token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -24,7 +24,7 @@ jobs:
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        if: ${{ github.event_name != 'pull_request' }}
        with:
@@ -33,8 +33,6 @@ jobs:
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
      - name: run extract
        run: |
          uv run make i18n-extract
--- a/.gitignore
+++ b/.gitignore
@@ -220,7 +220,6 @@ media/
 *mmdb

 .idea/
-/gen-*/
 data/

 # Local Netlify folder
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,6 +1,7 @@
 # Prettier Ignorefile

 ## Static Files
+CODEOWNERS
 **/LICENSE

 authentik/stages/**/*
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -17,6 +17,6 @@
        "ms-python.vscode-pylance",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -38,10 +38,10 @@
        "!AtIndex scalar",
        "!ParseJSON scalar"
    ],
-    "typescript.preferences.importModuleSpecifier": "non-relative",
-    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
-    "typescript.enablePromptUseWorkspaceTsdk": true,
+    "js/ts.preferences.importModuleSpecifier": "non-relative",
+    "js/ts.preferences.importModuleSpecifierEnding": "index",
+    "js/ts.tsdk.path": "./node_modules/typescript/lib",
+    "js/ts.tsdk.promptToUseWorkspaceVersion": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
    },
@@ -57,5 +57,13 @@
    "go.testEnvVars": {
        "WORKSPACE_DIR": "${workspaceFolder}"
    },
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
+    "search.exclude": {
+        "**/*.code-search": true,
+        "**/bower_components": true,
+        "**/node_modules": true,
+        "**/playwright-report/**": true,
+        "**/website/**/build": true,
+        "**/client-*": true
+    }
 }
--- a/6
+++ b/6
@@ -16,7 +16,7 @@ Cargo.toml                              @goauthentik/backend
 Cargo.lock                              @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
-.config/                                @goauthentik/backend
+.cargo/                                 @goauthentik/backend
 rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
@@ -27,14 +27,18 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
+packages/ak-*                           @goauthentik/backend
+packages/client-rust                    @goauthentik/backend
 packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
+tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend
 packages/package.json                   @goauthentik/frontend
 packages/package-lock.json              @goauthentik/frontend
+packages/client-ts                      @goauthentik/frontend
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,9 +1,15 @@
 [workspace]
-members = [".", "website/scripts/docsmg"]
+members = [
+  "packages/ak-common",
+  "packages/client-rust",
+  "website/scripts/docsmg",
+]
 resolver = "3"

 [workspace.package]
+version = "2026.5.0-rc1"
 authors = ["authentik Team <hello@goauthentik.io>"]
+description = "Making authentication simple."
 edition = "2024"
 readme = "README.md"
 homepage = "https://goauthentik.io"
@@ -12,101 +18,40 @@ license-file = "LICENSE"
 publish = false

 [workspace.dependencies]
-arc-swap = "1.8.2"
-argh = "0.1.17"
-async-trait = "0.1.89"
-aws-lc-rs = { version = "1.16.1", features = ["fips"] }
-axum = { version = "0.8.8", features = ["http2", "macros", "ws"] }
-axum-server = { version = "0.8.0", features = ["tls-rustls-no-provider"] }
-bytes = "1.11.1"
-chrono = "0.4.44"
-clap = { version = "4.5.59", features = ["derive", "env"] }
-client-ip = { version = "0.2.1", features = ["forwarded-header"] }
-color-eyre = "0.6.5"
-colored = "3.1.1"
-config = { version = "0.15.19", default-features = false, features = [
-  "yaml",
-  "async",
-] }
-console-subscriber = "0.5.0"
-dotenvy = "0.15.7"
-durstr = "0.4.0"
-eyre = "0.6.12"
-forwarded-header-value = "0.1.1"
-futures = "0.3.32"
-glob = "0.3.3"
-http-body-util = "0.1.3"
-hyper = "1.8.1"
-hyper-unix-socket = "0.3.0"
-hyper-util = "0.1.20"
-ipnet = { version = "2.12.0", features = ["serde"] }
-# See https://github.com/mladedav/json-subscriber/pull/23
-json-subscriber = { git = "https://github.com/rissson/json-subscriber.git", rev = "950ad7cb887a0a14fd5cb8afb8e76db1f456c032" }
-jsonwebtoken = { version = "10.3.0", default-features = false, features = [
-  "aws_lc_rs",
-] }
-metrics = "0.24.3"
-metrics-exporter-prometheus = { version = "0.18.1", default-features = false }
-nix = { version = "0.31.2", features = ["hostname", "signal"] }
-notify = "8.2.0"
-pem = "3.0.6"
-pin-project-lite = "0.2.17"
-pyo3 = "0.28.2"
-percent-encoding = "2.3.2"
-rcgen = { version = "0.14.7", default-features = false, features = [
-  "aws_lc_rs",
-  "fips",
-] }
-regex = "1.12.3"
-rustls = { version = "0.23.37", features = ["fips"] }
-sentry = { version = "0.47.0", default-features = false, features = [
-  "backtrace",
-  "contexts",
-  "debug-images",
-  "panic",
+aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
+clap = { version = "= 4.6.0", features = ["derive", "env"] }
+colored = "= 3.1.1"
+dotenvy = "= 0.15.7"
+eyre = "= 0.6.12"
+regex = "= 1.12.3"
+reqwest = { version = "= 0.13.2", features = [
+  "form",
+  "json",
+  "multipart",
+  "query",
  "rustls",
-  "reqwest",
-  "tower",
-  "tracing",
+  "stream",
 ] }
-serde = { version = "1.0.228", features = ["derive"] }
-serde_json = "1.0.149"
-sqlx = { version = "0.8.6", default-features = false, features = [
-  "runtime-tokio",
-  "tls-rustls-aws-lc-rs",
-  "postgres",
-  "derive",
-  "macros",
-  "uuid",
-  "chrono",
-  "ipnet",
+reqwest-middleware = { version = "= 0.5.1", features = [
+  "form",
  "json",
+  "multipart",
+  "query",
+  "rustls",
 ] }
-time = "0.3.47"
-thiserror = "2.0.18"
-tokio = { version = "1.50.0", features = ["full"] }
-tokio-rustls = "0.26.4"
-tokio-tungstenite = "0.28.0"
-tokio-util = "0.7.18"
-tower = "0.5.3"
-tower-http = { version = "0.6.8", features = [
-  "compression-br",
-  "compression-deflate",
-  "compression-gzip",
-  "compression-zstd",
-  "fs",
-  "timeout",
+rustls = { version = "= 0.23.37", features = ["fips"] }
+serde = { version = "= 1.0.228", features = ["derive"] }
+serde_json = "= 1.0.149"
+serde_repr = "= 0.1.20"
+serde_with = { version = "= 3.18.0", default-features = false, features = [
+  "base64",
 ] }
-tower-service = "0.3.3"
-tracing = "0.1.44"
-tracing-error = "0.2.1"
-tracing-subscriber = { version = "0.3.22", features = [
-  "env-filter",
-  "json",
-  "tracing-log",
-] }
-url = "2.5.8"
-uuid = { version = "1.22.0", features = ["v4"] }
+tokio = { version = "= 1.50.0", features = ["full", "tracing"] }
+tokio-util = { version = "= 0.7.18", features = ["full"] }
+url = "= 2.5.8"
+uuid = { version = "= 1.23.0", features = ["serde", "v4"] }
+
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common" }

 [profile.dev.package.backtrace]
 opt-level = 3
@@ -153,13 +98,17 @@ suspicious = { priority = -1, level = "warn" }
 ### cargo group
 multiple_crate_versions = "allow"
 ### pedantic group
+missing_errors_doc = "allow"
+missing_panics_doc = "allow"
+must_use_candidate = "allow"
 redundant_closure_for_method_calls = "allow"
 struct_field_names = "allow"
 too_many_lines = "allow"
 ### nursery
 missing_const_for_fn = "allow"
-redundant_pub_crate = "allow"
 option_if_let_else = "allow"
+redundant_pub_crate = "allow"
+significant_drop_tightening = "allow"
 ### restriction group
 allow_attributes = "warn"
 allow_attributes_without_reason = "warn"
@@ -224,73 +173,3 @@ unused_trait_names = "warn"
 unwrap_in_result = "warn"
 unwrap_used = "warn"
 verbose_file_reads = "warn"
-
-[package]
-name = "authentik"
-version = "2026.5.0-rc1"
-authors.workspace = true
-edition.workspace = true
-readme.workspace = true
-homepage.workspace = true
-repository.workspace = true
-license-file.workspace = true
-publish.workspace = true
-
-[features]
-default = ["core", "proxy"]
-proxy = []
-core = ["proxy", "dep:sqlx", "dep:pyo3"]
-
-[dependencies]
-arc-swap.workspace = true
-argh.workspace = true
-async-trait.workspace = true
-aws-lc-rs.workspace = true
-axum-server.workspace = true
-axum.workspace = true
-client-ip.workspace = true
-color-eyre.workspace = true
-config.workspace = true
-console-subscriber.workspace = true
-durstr.workspace = true
-eyre.workspace = true
-forwarded-header-value.workspace = true
-futures.workspace = true
-glob.workspace = true
-http-body-util.workspace = true
-hyper-unix-socket.workspace = true
-hyper-util.workspace = true
-hyper.workspace = true
-ipnet.workspace = true
-json-subscriber.workspace = true
-jsonwebtoken.workspace = true
-metrics.workspace = true
-metrics-exporter-prometheus.workspace = true
-nix.workspace = true
-notify.workspace = true
-pem.workspace = true
-percent-encoding.workspace = true
-pin-project-lite.workspace = true
-pyo3 = { workspace = true, optional = true }
-rcgen.workspace = true
-rustls.workspace = true
-sentry.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-sqlx = { workspace = true, optional = true }
-thiserror.workspace = true
-time.workspace = true
-tokio-rustls.workspace = true
-tokio-tungstenite.workspace = true
-tokio-util.workspace = true
-tokio.workspace = true
-tower-http.workspace = true
-tower.workspace = true
-tracing-error.workspace = true
-tracing-subscriber.workspace = true
-tracing.workspace = true
-url.workspace = true
-uuid.workspace = true
-
-[lints]
-workspace = true
--- a/92
+++ b/92
@@ -15,10 +15,6 @@ else
 	SED_INPLACE = sed -i
 endif

-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
-
 BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=
@@ -81,10 +77,12 @@ test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage html
 	$(UV) run coverage report

-lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix-rust:
+	$(CARGO) +nightly fmt --all -- --config-path "${PWD}/.cargo/rustfmt.toml"
+
+lint-fix: lint-fix-rust  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)
-	$(CARGO) +nightly fmt --all -- --config-path .cargo/rustfmt.toml

 lint-spellcheck:  ## Reports spelling errors.
 	npm run lint:spellcheck
@@ -110,32 +108,19 @@ i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that requir
 aws-cfn:
 	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn

-run:  ## Run the authentik server and worker, without auto reloading
-	$(UV) run ak allinone
-
-run-watch:  ## Run the authentik server and worker, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak allinone
-
-run-server:  ## Run the authentik server, without auto reloading
+run-server:  ## Run the main authentik server process
 	$(UV) run ak server

-run-server-watch:  ## Run the authentik server, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak server
-
-run-worker:  ## Run the authentik worker, without auto reloading
+run-worker:  ## Run the main authentik worker process
 	$(UV) run ak worker

-run-worker-watch:  ## Run the authentik worker, with auto reloading
-	$(UV) run watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- ak worker
-
 core-i18n-extract:
 	$(UV) run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
 		--ignore internal \
-		--ignore ${GEN_API_TS} \
-		--ignore ${GEN_API_GO} \
+		--ignore packages/client-ts \
 		--ignore website \
 		-l en

@@ -166,8 +151,9 @@ ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
-	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml ${PWD}/Cargo.toml
+	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
+	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -201,7 +187,7 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
 	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
 	git show ${last_version}:schema.yml > schema-old.yml
-	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
+	docker compose -f scripts/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
@@ -211,51 +197,26 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	$(SED_INPLACE) 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

-gen-clean-ts:  ## Remove generated API client for TypeScript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+gen-client-go:  ## Build and install the authentik API for Golang
+	make -C "${PWD}/packages/client-go" build

-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}
+gen-client-rust:  ## Build and install the authentik API for Rust
+	make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
+	make lint-fix-rust

-gen-clean-go:  ## Remove generated API client for Go
-	rm -rf ${PWD}/${GEN_API_GO}
+gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
+	make -C "${PWD}/packages/client-ts" build
+	npm --prefix web install

-gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
+_gen-clients: gen-client-go gen-client-rust gen-client-ts
+gen-clients:  ## Build and install API clients used by authentik
+	$(MAKE) _gen-clients -j

-gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
-		generate \
-		-i /local/schema.yml \
-		-g typescript-fetch \
-		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api/ts-config.yaml \
-		--additional-properties=npmVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm i
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
-
-gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	mkdir -p ${PWD}/${GEN_API_PY}
-	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
-	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
-
-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
-	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+gen: gen-build gen-clients  ## Build and install API schema and clients used by authentik

 gen-dev-config:  ## Generate a local development config file
 	$(UV) run scripts/generate_config.py

-gen: gen-build gen-client-ts
-
 #########################
 ## Node.js
 #########################
@@ -324,7 +285,7 @@ docs-api-build:
 	npm run --prefix website -w api build

 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api build:api
+	npm run --prefix website -w api generate
 	npm run --prefix website -w api start

 docs-api-clean: ## Clean generated API documentation
@@ -335,7 +296,6 @@ docs-api-clean: ## Clean generated API documentation
 #########################

 docker:  ## Build a docker image of the current source tree
-	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}

 test-docker:
@@ -371,16 +331,16 @@ ci-lint-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check

 ci-lint-cargo-deny: ci--meta-debug
-	$(CARGO) deny --locked --workspace check --config .cargo/deny.toml
+	$(CARGO) deny --locked --workspace check --config "${PWD}/.cargo/deny.toml"

 ci-lint-cargo-machete: ci--meta-debug
 	$(CARGO) machete

 ci-lint-rustfmt: ci--meta-debug
-	$(CARGO) +nightly fmt --all --check -- --config-path .cargo/rustfmt.toml
+	$(CARGO) +nightly fmt --all --check -- --config-path "${PWD}/.cargo/rustfmt.toml"

 ci-lint-clippy: ci--meta-debug
-	$(CARGO) clippy -- -D warnings
+	$(CARGO) clippy --workspace -- -D warnings

 ci-test: ci--meta-debug
 	$(UV) run coverage run manage.py test --keepdb authentik
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -60,6 +60,36 @@ authentik reserves the right to reclassify CVSS as necessary. To determine sever
 | 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |

+## Intended functionality
+
+The following capabilities are part of intentional system design and should not be reported as security vulnerabilities:
+
+- Expressions (property mappings/policies/prompts) can execute arbitrary Python code without safeguards.
+
+This is expected behavior. Any user with permission to create or modify objects containing expression fields can write code that is executed within authentik. If a vulnerability allows a user without the required permissions to write or modify code and have it executed, that would be a valid security report.
+
+However, the fact that expressions are executed as part of normal operations is not considered a privilege escalation or security vulnerability.
+
+- Blueprints can access all files on the filesystem.
+
+This access is intentional to allow legitimate configuration and deployment tasks. It does not represent a security problem by itself.
+
+- Importing blueprints allows arbitrary modification of application objects.
+
+This is intended functionality. This behavior reflects the privileged design of blueprint imports. It is "exploitable" when importing blueprints from untrusted sources without reviewing the blueprint beforehand. However, any method to create, modify or execute blueprints without the required permissions would be a valid security report.
+
+- Flow imports may contain objects other than flows (such as policies, users, groups, etc.)
+
+This is expected behavior as flow imports are blueprint files.
+
+- Prompt HTML is not escaped.
+
+Prompts intentionally allow raw HTML, including script tags, so they can be used to create interactive or customized user interface elements. Because of this, scripts within prompts may affect or interact with the surrounding page as designed.
+
+- Open redirects that do not include tokens or other sensitive information are not considered a security vulnerability.
+
+Redirects that only change navigation flow and do not expose session tokens, API keys, or other confidential data are considered acceptable and do not require reporting.
+
 ## Disclosure process

 1. Report from Github or Issue is reported via Email as listed above.
--- a/authentik/admin/api/meta.py
+++ b/authentik/admin/api/meta.py
@@ -8,8 +8,8 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.api import Models
 from authentik.lib.utils.reflection import get_apps
-from authentik.policies.event_matcher.models import model_choices


 class AppSerializer(PassiveSerializer):
@@ -42,6 +42,6 @@ class ModelViewSet(ViewSet):
    def list(self, request: Request) -> Response:
        """Read-only view list all installed models"""
        data = []
-        for name, label in model_choices():
+        for name, label in Models.choices:
            data.append({"name": name, "label": label})
        return Response(AppSerializer(data, many=True).data)
--- a/authentik/admin/files/backends/file.py
+++ b/authentik/admin/files/backends/file.py
@@ -92,7 +92,6 @@ class FileBackend(ManageableBackend):
                    "nbf": now() - timedelta(seconds=15),
                },
                key=sha256(f"{settings.SECRET_KEY}:{self.usage}".encode()).hexdigest(),
-                # Must match crates/authentik-server/src/static.rs
                algorithm="HS256",
            )
            url = f"{prefix}/files/{path}?token={token}"
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -106,14 +106,14 @@ class TokenAuthentication(BaseAuthentication):
        if not auth_credentials:
            return None
        # first, check traditional tokens
-        key_token = Token.filter_not_expired(
+        key_token = Token.objects.filter(
            key=auth_credentials, intent=TokenIntents.INTENT_API
        ).first()
        if key_token:
            CTX_AUTH_VIA.set("api_token")
            return key_token.user, key_token
        # then try to auth via JWT
-        jwt_token = AccessToken.filter_not_expired(
+        jwt_token = AccessToken.objects.filter(
            token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
        ).first()
        if jwt_token:
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@@ -4,7 +4,7 @@ from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response

-from authentik.api.v3.schema.response import PAGINATION
+from authentik.api.v3.schema.pagination import PAGINATION


 class Pagination(pagination.PageNumberPagination):
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@@ -1,103 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-from collections.abc import Callable
-from typing import Any
-
-from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import ResolvedComponent
-from drf_spectacular.renderers import OpenApiJsonRenderer
-from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.v3.schema.query import QUERY_PARAMS
-from authentik.api.v3.schema.response import (
-    GENERIC_ERROR,
-    GENERIC_ERROR_RESPONSE,
-    PAGINATION,
-    VALIDATION_ERROR,
-    VALIDATION_ERROR_RESPONSE,
-)
-
-LOGGER = get_logger()
-
-
-def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
-
-
-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
-
-
-def postprocess_schema_responses(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
-    for path in result["paths"].values():
-        for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
-
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # This is a workaround for authentik/stages/prompt/stage.py
-    # since the serializer PromptChallengeResponse
-    # accepts dynamic keys
-    for component in result["components"]["schemas"]:
-        if component == "PromptChallengeResponseRequest":
-            comp = result["components"]["schemas"][component]
-            comp["additionalProperties"] = {}
-    return result
-
-
-def postprocess_schema_query_params(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
-    declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
-    for path in result["paths"].values():
-        for method in path.values():
-            for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
-    return result
-
-
-def postprocess_schema_remove_unused(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Remove unused components"""
-    # To check if the schema is used, render it to JSON and then substring check that
-    # less efficient than walking through the tree but a lot simpler and no
-    # possibility that we miss something
-    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
-    for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
-            continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-    return result
--- a/authentik/api/v3/schema/cleanup.py
+++ b/authentik/api/v3/schema/cleanup.py
@@ -0,0 +1,75 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+from collections.abc import Callable
+from typing import Any
+
+from drf_spectacular.contrib.django_filters import (
+    DjangoFilterExtension as BaseDjangoFilterExtension,
+)
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    follow_field_source,
+)
+from drf_spectacular.renderers import OpenApiJsonRenderer
+from drf_spectacular.settings import spectacular_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.apps import AuthentikAPIConfig
+
+LOGGER = get_logger()
+
+
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result
+
+
+class DjangoFilterExtension(BaseDjangoFilterExtension):
+    """
+    From https://github.com/netbox-community/netbox/pull/21521:
+
+    Overrides drf-spectacular's DjangoFilterExtension to fix a regression in v0.29.0 where
+    _get_model_field() incorrectly double-appends to_field_name when field_name already ends
+    with that value (e.g. field_name='tags__slug', to_field_name='slug' produces the invalid
+    path ['tags', 'slug', 'slug']). This caused hundreds of spurious warnings during schema
+    generation for filters such as TagFilter, TenancyFilterSet.tenant, and OwnerFilterMixin.owner.
+
+    See: https://github.com/netbox-community/netbox/issues/20787
+         https://github.com/tfranzel/drf-spectacular/issues/1475
+    """
+
+    priority = 1
+
+    def _get_model_field(self, filter_field, model):
+        if not filter_field.field_name:
+            return None
+        path = filter_field.field_name.split("__")
+        to_field_name = filter_field.extra.get("to_field_name")
+        if to_field_name is not None and path[-1] != to_field_name:
+            path.append(to_field_name)
+        return follow_field_source(model, path, emit_warnings=False)
--- a/authentik/api/v3/schema/enum.py
+++ b/authentik/api/v3/schema/enum.py
@@ -0,0 +1,287 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+import functools
+import inspect
+import re
+from collections import defaultdict
+from enum import Enum
+
+from django.db.models import Choices
+from django.utils.translation import get_language
+from drf_spectacular.drainage import error, warn
+from drf_spectacular.hooks import postprocess_schema_enum_id_removal
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    deep_import_string,
+    list_hash,
+    safe_ref,
+)
+from drf_spectacular.settings import spectacular_settings
+from inflection import camelize
+from structlog.stdlib import get_logger
+
+LOGGER = get_logger()
+
+
+# See https://github.com/tfranzel/drf-spectacular/blob/master/drf_spectacular/hooks.py
+# and https://github.com/tfranzel/drf-spectacular/issues/520
+def postprocess_schema_enums(result, generator, **kwargs):  # noqa: PLR0912, PLR0915
+    """
+    simple replacement of Enum/Choices that globally share the same name and have
+    the same choices. Aids client generation to not generate a separate enum for
+    every occurrence. only takes effect when replacement is guaranteed to be correct.
+    """
+
+    def is_enum_prop(prop_schema):
+        return (
+            "enum" in prop_schema
+            or prop_schema.get("type") == "array"
+            and "enum" in prop_schema.get("items", {})
+        )
+
+    def iter_field_schemas():
+        def iter_prop_containers(schema, component_name=None):
+            if not component_name:
+                for _component_name, _schema in schema.items():
+                    if spectacular_settings.COMPONENT_SPLIT_PATCH:
+                        _component_name = re.sub("^Patched(.+)", r"\1", _component_name)
+                    if spectacular_settings.COMPONENT_SPLIT_REQUEST:
+                        _component_name = re.sub("(.+)Request$", r"\1", _component_name)
+                    yield from iter_prop_containers(_schema, _component_name)
+            elif isinstance(schema, list):
+                for item in schema:
+                    yield from iter_prop_containers(item, component_name)
+            elif isinstance(schema, dict):
+                if schema.get("properties"):
+                    yield component_name, schema["properties"]
+                yield from iter_prop_containers(schema.get("oneOf", []), component_name)
+                yield from iter_prop_containers(schema.get("allOf", []), component_name)
+                yield from iter_prop_containers(schema.get("anyOf", []), component_name)
+
+        def iter_path_parameters():
+            for path in result.get("paths", {}).values():
+                for operation in path.values():
+                    for parameter in operation.get("parameters", []):
+                        parameter_schema = parameter.get("schema", {})
+                        if is_enum_prop(parameter_schema):
+                            # Move description into enum schema
+                            if "description" in parameter:
+                                parameter_schema["description"] = parameter.pop("description")
+                        if "name" not in parameter:
+                            continue
+                        yield "", {parameter["name"]: parameter_schema}
+
+        component_schemas = result.get("components", {}).get("schemas", {})
+
+        yield from iter_prop_containers(component_schemas)
+        yield from iter_path_parameters()
+
+    def create_enum_component(name, schema):
+        component = ResolvedComponent(
+            name=name,
+            type=ResolvedComponent.SCHEMA,
+            schema=schema,
+            object=name,
+        )
+        generator.registry.register_on_missing(component)
+        return component
+
+    def extract_hash(schema):
+        if "x-spec-enum-id" in schema:
+            # try to use the injected enum hash first as it generated from (name, value) tuples,
+            # which prevents collisions on choice sets only differing in labels not values.
+            return schema["x-spec-enum-id"]
+        else:
+            # fall back to actual list hashing when we encounter enums not generated by us.
+            # remove blank/null entry for hashing. will be reconstructed in the last step
+            return list_hash([(i, i) for i in schema["enum"] if i not in ("", None)])
+
+    overrides = load_enum_name_overrides()
+
+    prop_hash_mapping = defaultdict(set)
+    hash_name_mapping = defaultdict(set)
+    # collect all enums, their names and choice sets
+    for component_name, props in iter_field_schemas():
+        for prop_name, prop_schema in props.items():
+            _prop_schema = prop_schema
+            if prop_schema.get("type") == "array":
+                _prop_schema = prop_schema.get("items", {})
+            if "enum" not in _prop_schema:
+                continue
+
+            prop_enum_cleaned_hash = extract_hash(_prop_schema)
+            prop_hash_mapping[prop_name].add(prop_enum_cleaned_hash)
+            hash_name_mapping[prop_enum_cleaned_hash].add((component_name, prop_name))
+
+    # get the suffix to be used for enums from settings
+    enum_suffix = spectacular_settings.ENUM_SUFFIX
+
+    # traverse all enum properties and generate a name for the choice set. naming collisions
+    # are resolved and a warning is emitted. giving a choice set multiple names is technically
+    # correct but potentially unwanted. also emit a warning there to make the user aware.
+    enum_name_mapping = {}
+    for prop_name, prop_hash_set in prop_hash_mapping.items():
+        for prop_hash in prop_hash_set:
+            if prop_hash in overrides:
+                enum_name = overrides[prop_hash]
+            elif len(prop_hash_set) == 1:
+                # prop_name has been used exclusively for one choice set (best case)
+                enum_name = f"{camelize(prop_name)}{enum_suffix}"
+            elif len(hash_name_mapping[prop_hash]) == 1:
+                # prop_name has multiple choice sets, but each one limited to one component only
+                component_name, _ = next(iter(hash_name_mapping[prop_hash]))
+                enum_name = f"{camelize(component_name)}{camelize(prop_name)}{enum_suffix}"
+            else:
+                enum_name = f"{camelize(prop_name)}{prop_hash[:3].capitalize()}{enum_suffix}"
+                warn(
+                    f"enum naming encountered a non-optimally resolvable collision for fields "
+                    f'named "{prop_name}". The same name has been used for multiple choice sets '
+                    f'in multiple components. The collision was resolved with "{enum_name}". '
+                    f"add an entry to ENUM_NAME_OVERRIDES to fix the naming."
+                )
+            if enum_name_mapping.get(prop_hash, enum_name) != enum_name:
+                warn(
+                    f"encountered multiple names for the same choice set ({enum_name}). This "
+                    f"may be unwanted even though the generated schema is technically correct. "
+                    f"Add an entry to ENUM_NAME_OVERRIDES to fix the naming."
+                )
+                del enum_name_mapping[prop_hash]
+            else:
+                enum_name_mapping[prop_hash] = enum_name
+            enum_name_mapping[(prop_hash, prop_name)] = enum_name
+
+    # replace all enum occurrences with a enum schema component. cut out the
+    # enum, replace it with a reference and add a corresponding component.
+    for _, props in iter_field_schemas():
+        for prop_name, _prop_schema in props.items():
+            prop_schema = _prop_schema
+            is_array = prop_schema.get("type") == "array"
+            if is_array:
+                prop_schema = prop_schema.get("items", {})
+
+            if "enum" not in prop_schema:
+                continue
+
+            prop_enum_original_list = prop_schema["enum"]
+            prop_schema["enum"] = [i for i in prop_schema["enum"] if i not in ["", None]]
+            prop_hash = extract_hash(prop_schema)
+            # when choice sets are reused under multiple names, the generated name cannot be
+            # resolved from the hash alone. fall back to prop_name and hash for resolution.
+            enum_name = enum_name_mapping.get(prop_hash) or enum_name_mapping[prop_hash, prop_name]
+
+            # split property into remaining property and enum component parts
+            enum_schema = {k: v for k, v in prop_schema.items() if k in ["type", "enum"]}
+            prop_schema = {
+                k: v for k, v in prop_schema.items() if k not in ["type", "enum", "x-spec-enum-id"]
+            }
+
+            # separate actual description from name-value tuples
+            if spectacular_settings.ENUM_GENERATE_CHOICE_DESCRIPTION:
+                if prop_schema.get("description", "").startswith("*"):
+                    enum_schema["description"] = prop_schema.pop("description")
+                elif "\n\n*" in prop_schema.get("description", ""):
+                    _, _, post = prop_schema["description"].partition("\n\n*")
+                    enum_schema["description"] = "*" + post
+
+            components = [create_enum_component(enum_name, schema=enum_schema)]
+            if spectacular_settings.ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE:
+                if "" in prop_enum_original_list:
+                    components.append(
+                        create_enum_component(f"Blank{enum_suffix}", schema={"enum": [""]})
+                    )
+                if None in prop_enum_original_list:
+                    if spectacular_settings.OAS_VERSION.startswith("3.1"):
+                        components.append(
+                            create_enum_component(f"Null{enum_suffix}", schema={"type": "null"})
+                        )
+                    else:
+                        components.append(
+                            create_enum_component(f"Null{enum_suffix}", schema={"enum": [None]})
+                        )
+
+            # undo OAS 3.1 type list NULL construction as we cover
+            # this in a separate component already
+            if spectacular_settings.OAS_VERSION.startswith("3.1") and isinstance(
+                enum_schema["type"], list
+            ):
+                enum_schema["type"] = [t for t in enum_schema["type"] if t != "null"][0]
+
+            if len(components) == 1:
+                prop_schema.update(components[0].ref)
+            else:
+                prop_schema.update({"oneOf": [c.ref for c in components]})
+
+            patch_target = props[prop_name]  # noqa: PLR1733
+            if is_array:
+                patch_target = patch_target["items"]
+
+            # Replace existing schema information with reference
+            patch_target.clear()
+            patch_target.update(safe_ref(prop_schema))
+
+    # sort again with additional components
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # remove remaining ids that were not part of this hook (operation parameters mainly)
+    postprocess_schema_enum_id_removal(result, generator)
+
+    return result
+
+
+# Fixed version of `load_enum_name_overrides()` with a LRU cache based on language
+# *and* enum overrides.
+# Without this, API generation breaks if there is more than 1 API present (such as in split APIs)
+# Original source: drf-spectacular/drf_spectacular/plumbing.py
+def load_enum_name_overrides():
+    cache_key = get_language() or ""
+
+    for k, v in sorted(spectacular_settings.ENUM_NAME_OVERRIDES.items()):
+        cache_key += f";{k}:{v}"
+
+    return _load_enum_name_overrides(cache_key)
+
+
+# Original source: drf-spectacular/drf_spectacular/plumbing.py
+# Only change: cache_key argument instead of language.
+@functools.lru_cache
+def _load_enum_name_overrides(cache_key):
+    overrides = {}
+    for name, _choices in spectacular_settings.ENUM_NAME_OVERRIDES.items():
+        choices = _choices
+        if isinstance(choices, str):
+            choices = deep_import_string(choices)
+        if not choices:
+            warn(
+                f"unable to load choice override for {name} from ENUM_NAME_OVERRIDES. "
+                f"please check module path string."
+            )
+            continue
+        if inspect.isclass(choices) and issubclass(choices, Choices):
+            choices = choices.choices
+        if inspect.isclass(choices) and issubclass(choices, Enum):
+            choices = [(c.value, c.name) for c in choices]
+        normalized_choices = []
+        for choice in choices:
+            # Allow None values in the simple values list case
+            if isinstance(choice, str) or choice is None:
+                # TODO warning
+                normalized_choices.append((choice, choice))  # simple choice list
+            elif isinstance(choice[1], (list, tuple)):
+                normalized_choices.extend(choice[1])  # categorized nested choices
+            else:
+                normalized_choices.append(choice)  # normal 2-tuple form
+
+        # Get all of choice values that should be used in the hash, blank and
+        # None values get excluded in the post-processing hook for enum overrides,
+        # so we do the same here to ensure the hashes match
+        hashable_values = [
+            (value, label) for value, label in normalized_choices if value not in ["", None]
+        ]
+        overrides[list_hash(hashable_values)] = name
+
+    if len(spectacular_settings.ENUM_NAME_OVERRIDES) != len(overrides):
+        error(
+            "ENUM_NAME_OVERRIDES has duplication issues. Encountered multiple names "
+            "for the same choice set. Enum naming might be unexpected."
+        )
+    return overrides
--- a/authentik/api/v3/schema/pagination.py
+++ b/authentik/api/v3/schema/pagination.py
@@ -0,0 +1,32 @@
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.types import OpenApiTypes
+
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)
--- a/authentik/api/v3/schema/query.py
+++ b/authentik/api/v3/schema/query.py
@@ -1,10 +1,17 @@
+from typing import Any
+
 from django.utils.translation import gettext_lazy as _
+from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
    ResolvedComponent,
    build_basic_type,
    build_parameter_type,
 )
 from drf_spectacular.types import OpenApiTypes
+from structlog.stdlib import get_logger
+
+LOGGER = get_logger()
+

 QUERY_PARAMS = {
    "ordering": ResolvedComponent(
@@ -63,3 +70,18 @@ QUERY_PARAMS = {
        ),
    ),
 }
+
+
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+    return result
--- a/authentik/api/v3/schema/response.py
+++ b/authentik/api/v3/schema/response.py
@@ -1,12 +1,22 @@
+from typing import Any
+
 from django.utils.translation import gettext_lazy as _
+from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
    ResolvedComponent,
    build_array_type,
    build_basic_type,
    build_object_type,
 )
+from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.v3.schema.pagination import PAGINATION
+from authentik.api.v3.schema.query import QUERY_PARAMS
+
+LOGGER = get_logger()

 GENERIC_ERROR = ResolvedComponent(
    name="GenericError",
@@ -57,28 +67,40 @@ VALIDATION_ERROR_RESPONSE = ResolvedComponent(
        "description": "",
    },
 )
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)
+
+
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
+
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # This is a workaround for authentik/stages/prompt/stage.py
+    # since the serializer PromptChallengeResponse
+    # accepts dynamic keys
+    for component in result["components"]["schemas"]:
+        if component == "PromptChallengeResponseRequest":
+            comp = result["components"]["schemas"][component]
+            comp["additionalProperties"] = {}
+    return result
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -1,24 +1,60 @@
 """Serializer mixin for managed models"""

+from typing import cast
+
+from django.conf import settings
+from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, DateTimeField
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    FileField,
+)
+from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.validation import validate
 from authentik.blueprints.models import BlueprintInstance
+from authentik.blueprints.v1.common import Blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.models import User
+from authentik.events.logs import LogEventSerializer
 from authentik.rbac.decorators import permission_required


+def get_blueprints():
+    if settings.DEBUG:
+        return blueprints_find_dict()
+    return blueprints_find_dict.send().get_result(block=True)
+
+
+class BlueprintUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    file = FileField(required=False)
+    path = CharField(required=False)
+
+    def validate_path(self, path: str) -> str:
+        """Ensure the path (if set) specified is retrievable"""
+        if path == "":
+            return path
+        files: list[dict] = get_blueprints()
+        if path not in [file["path"] for file in files]:
+            raise ValidationError(_("Blueprint file does not exist"))
+        return path
+
+
 class ManagedSerializer:
    """Managed Serializer"""

@@ -39,7 +75,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -88,6 +124,33 @@ class BlueprintInstanceSerializer(ModelSerializer):
        }


+def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
+    """Check for individual permissions for each model in a blueprint"""
+    for entry in blueprint.entries:
+        full_model = entry.get_model(blueprint)
+        app, __, model = full_model.partition(".")
+        perms = [
+            f"{app}.add_{model}",
+            f"{app}.change_{model}",
+            f"{app}.delete_{model}",
+        ]
+        if explicit_action:
+            perms = [f"{app}.{explicit_action}_{model}"]
+        for perm in perms:
+            if not user.has_perm(perm):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
+
+
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    """Blueprint instances"""

@@ -97,6 +160,12 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    filterset_fields = ["name", "path"]
    ordering = ["name"]

+    class BlueprintImportResultSerializer(PassiveSerializer):
+        """Logs of an attempted blueprint import"""
+
+        logs = LogEventSerializer(many=True, read_only=True)
+        success = BooleanField(read_only=True)
+
    @extend_schema(
        responses={
            200: ListSerializer(
@@ -115,7 +184,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = get_blueprints()
        return Response(files)

    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -131,3 +200,53 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
        blueprint = self.get_object()
        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
        return self.retrieve(request, *args, **kwargs)
+
+    @extend_schema(
+        request={"multipart/form-data": BlueprintUploadSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
+    )
+    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
+    @validate(
+        BlueprintUploadSerializer,
+    )
+    def import_(self, request: Request, body: BlueprintUploadSerializer) -> Response:
+        """Import blueprint from .yaml file and apply it once, without creating an instance"""
+        string_contents = ""
+        if body.validated_data.get("file"):
+            file = cast(InMemoryUploadedFile, body.validated_data["file"])
+            string_contents = file.read().decode()
+        elif body.validated_data.get("path"):
+            string_contents = BlueprintInstance(
+                path=body.validated_data.get("path")
+            ).retrieve_file()
+        else:
+            raise ValidationError("Either path or file must be set")
+        importer = Importer.from_string(string_contents)
+
+        check_blueprint_perms(importer.blueprint, request.user)
+
+        valid, logs = importer.validate()
+
+        import_response = self.BlueprintImportResultSerializer(
+            data={
+                "logs": [],
+                "success": False,
+            }
+        )
+        import_response.is_valid(raise_exception=True)
+
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
+        return Response(data=import_response.initial_data, status=200)
--- a/authentik/blueprints/management/commands/apply_blueprint.py
+++ b/authentik/blueprints/management/commands/apply_blueprint.py
@@ -1,5 +1,7 @@
 """Apply blueprint from commandline"""

+from sys import exit as sys_exit
+
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger

@@ -26,7 +28,7 @@ class Command(BaseCommand):
                        self.stderr.write("Blueprint invalid")
                        for log in logs:
                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
-                        raise RuntimeError("Blueprint invalid")
+                        sys_exit(1)
                    importer.apply()

    def add_arguments(self, parser):
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -25,6 +25,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -47,7 +48,12 @@ class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""

    launch_url = SerializerMethodField()
-    provider_obj = ProviderSerializer(source="get_provider", required=False, read_only=True)
+    provider_obj = ProviderSerializer(
+        source="get_provider",
+        required=False,
+        read_only=True,
+        allow_null=True,
+    )
    backchannel_providers_obj = ProviderSerializer(
        source="backchannel_providers", required=False, read_only=True, many=True
    )
@@ -163,6 +169,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
            request.user = user
        for application in paginated_apps:
            engine = PolicyEngine(application, request.user, request)
+            engine.empty_result = AppAccessWithoutBindings.get()
            engine.build()
            if engine.passing:
                applications.append(application)
@@ -220,6 +227,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
            if not for_user:
                raise ValidationError({"for_user": "User not found"})
        engine = PolicyEngine(application, for_user, request)
+        engine.empty_result = AppAccessWithoutBindings.get()
        engine.use_cache = False
        with capture_logs() as logs:
            engine.build()
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -124,7 +124,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
    """Token Viewset"""

    lookup_field = "identifier"
-    queryset = Token.objects.all()
+    queryset = Token.objects.including_expired().all()
    serializer_class = TokenSerializer
    search_fields = [
        "identifier",
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@@ -2,9 +2,8 @@

 from django.apps import apps
 from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -13,6 +12,7 @@ from rest_framework.views import APIView
 from yaml import ScalarNode

 from authentik.api.validation import validate
+from authentik.blueprints.api import check_blueprint_perms
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
@@ -165,21 +165,7 @@ class TransactionalApplicationView(APIView):
    def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
        """Convert data into a blueprint, validate it and apply it"""
        blueprint: Blueprint = body.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
+        check_blueprint_perms(blueprint, request.user, explicit_action="add")
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@@ -1,7 +1,20 @@
 """authentik core app config"""

+from django.utils.translation import gettext_lazy as _
+
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.tasks.schedules.common import ScheduleSpec
+from authentik.tenants.flags import Flag
+
+
+class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
+
+    default = True
+    visibility = "none"
+    description = _(
+        "Configure if applications without any policy/group/user bindings "
+        "should be accessible to any user."
+    )


 class AuthentikCoreConfig(ManagedAppConfig):
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@@ -81,7 +81,7 @@ class TokenBackend(InbuiltBackend):
            User().set_password(password, request=request)
            return None

-        tokens = Token.filter_not_expired(
+        tokens = Token.objects.filter(
            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
        )
        if not tokens.exists():
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -2,7 +2,7 @@

 import re
 import traceback
-from datetime import datetime, timedelta
+from datetime import datetime
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Self
@@ -16,7 +16,7 @@ from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
-from django.db.models import Q, QuerySet, options
+from django.db.models import Manager, Q, QuerySet, options
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -45,6 +45,7 @@ from authentik.lib.models import (
    SerializerModel,
 )
 from authentik.lib.utils.inheritance import get_deepest_child
+from authentik.lib.utils.reflection import class_to_path
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -517,7 +518,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
    @property
    def ak_groups(self):
        """This is a proxy for a renamed, deprecated field."""
-        from authentik.events.models import Event, EventAction
+        from authentik.events.models import Event

        deprecation = "authentik.core.models.User.ak_groups"
        replacement = "authentik.core.models.User.groups"
@@ -544,21 +545,9 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
            cause=cause,
            stacktrace=stacktrace,
        )
-        if not Event.filter_not_expired(
-            action=EventAction.CONFIGURATION_WARNING,
-            context__deprecation=deprecation,
-            context__cause=cause,
-        ).exists():
-            event = Event.new(
-                EventAction.CONFIGURATION_WARNING,
-                deprecation=deprecation,
-                replacement=replacement,
-                message=message_event,
-                cause=cause,
-            )
-            event.expires = datetime.now() + timedelta(days=30)
-            event.save()
-
+        Event.log_deprecation(
+            deprecation, message=message_event, cause=cause, replacement=replacement
+        )
        return self.groups

    def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -1096,12 +1085,24 @@ class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
        unique_together = (("group", "source"),)


+class ExpiringManager(Manager):
+    """Manager for expiring objects which filters out expired objects by default"""
+
+    def get_queryset(self):
+        return QuerySet(self.model, using=self._db).exclude(expires__lt=now(), expiring=True)
+
+    def including_expired(self):
+        return QuerySet(self.model, using=self._db)
+
+
 class ExpiringModel(models.Model):
    """Base Model which can expire, and is automatically cleaned up."""

    expires = models.DateTimeField(default=None, null=True)
    expiring = models.BooleanField(default=True)

+    objects = ExpiringManager()
+
    class Meta:
        abstract = True
        indexes = [
@@ -1125,7 +1126,23 @@ class ExpiringModel(models.Model):
    def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
-        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
+        from authentik.events.models import Event
+
+        deprecation_id = f"{class_to_path(cls)}.filter_not_expired"
+
+        Event.log_deprecation(
+            deprecation_id,
+            message=(
+                ".filter_not_expired() is deprecated as the default lookup now excludes "
+                "expired objects."
+            ),
+        )
+
+        for obj in (
+            cls.objects.including_expired()
+            .filter(**kwargs)
+            .filter(Q(expires__lt=now(), expiring=True))
+        ):
            obj.delete()
        return cls.objects.filter(**kwargs)

--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@@ -24,7 +24,8 @@ from authentik.root.ws.consumer import build_device_group

 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
+# Arguments: credentials: dict[str, any], request: HttpRequest,
+#            stage: Stage, context: dict[str, any]
 login_failed = Signal()

 LOGGER = get_logger()
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@@ -27,7 +27,10 @@ def clean_expired_models():
    for cls in ExpiringModel.__subclasses__():
        cls: ExpiringModel
        objects = (
-            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
+            cls.objects.including_expired()
+            .all()
+            .exclude(expiring=False)
+            .exclude(expiring=True, expires__gt=now())
        )
        amount = objects.count()
        for obj in chunked_queryset(objects):
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@@ -9,6 +9,8 @@ from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Provider, Source, Token
+from authentik.events.models import Event, EventAction
+from authentik.lib.generators import generate_id
 from authentik.lib.utils.reflection import all_subclasses


@@ -29,6 +31,22 @@ class TestModels(TestCase):
            freeze.tick(timedelta(seconds=1))
            self.assertFalse(token.is_expired)

+    def test_filter_not_expired_warning(self):
+        """Test filter_not_expired's deprecation message"""
+        id = generate_id()
+        Token.objects.create(
+            expires=now() - timedelta(hours=1),
+            expiring=True,
+            user=get_anonymous_user(),
+            identifier=id,
+        )
+        self.assertFalse(Token.filter_not_expired(identifier=id).exists())
+        event = Event.objects.filter(action=EventAction.CONFIGURATION_WARNING).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(
+            event.context["deprecation"], "authentik.core.models.Token.filter_not_expired"
+        )
+

 def source_tester_factory(test_model: type[Source]) -> Callable:
    """Test source"""
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@@ -173,7 +173,7 @@ class TestTokenAPI(APITestCase):

    def test_list(self):
        """Test Token List (Test normal authentication)"""
-        Token.objects.all().delete()
+        Token.objects.including_expired().all().delete()
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
@@ -185,7 +185,7 @@ class TestTokenAPI(APITestCase):

    def test_list_with_permission(self):
        """Test Token List (Test with `view_token` permission)"""
-        Token.objects.all().delete()
+        Token.objects.including_expired().all().delete()
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
--- a/authentik/core/tests/test_token_auth.py
+++ b/authentik/core/tests/test_token_auth.py
@@ -1,6 +1,9 @@
 """Test token auth"""

+from datetime import timedelta
+
 from django.test import TestCase
+from django.utils.timezone import now

 from authentik.core.auth import TokenBackend
 from authentik.core.models import Token, TokenIntents, User
@@ -28,6 +31,15 @@ class TestTokenAuth(TestCase):
            TokenBackend().authenticate(self.request, "test-user", self.token.key), self.user
        )

+    def test_token_auth_expired(self):
+        """Test auth with token"""
+        self.token.expiring = True
+        self.token.expires = now() - timedelta(hours=1)
+        self.token.save()
+        self.assertEqual(
+            TokenBackend().authenticate(self.request, "test-user", self.token.key), None
+        )
+
    def test_token_auth_none(self):
        """Test auth with token (non-existent user)"""
        self.assertIsNone(
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@@ -114,15 +114,16 @@ def certificate_discovery():
    discovered = 0
    for file in glob(CONFIG.get("cert_discovery_dir") + "/**", recursive=True):
        path = Path(file)
-        if not path.exists():
-            continue
-        if path.is_dir():
+        if not path.exists() or path.is_dir():
            continue
        # For certbot setups, we want to ignore archive.
        if "archive" in file:
            continue
-        # Support certbot's directory structure
-        if path.name in ["fullchain.pem", "privkey.pem"]:
+        # Handle additionalOutputFormats from cert-manager gracefully
+        if path.name in ["ca.crt", "tls-combined.pem", "key.der"]:
+            continue
+        # Support certbot & kubernetes.io/tls directory structure
+        if path.name in ["fullchain.pem", "privkey.pem", "tls.crt", "tls.key"]:
            cert_name = path.parent.name
        else:
            cert_name = path.name.replace(path.suffix, "")
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -355,6 +355,16 @@ class TestCrypto(APITestCase):
            subject_alt_names=[],
            validity_days=3,
        )
+
+        name3 = generate_id()
+        builder3 = CertificateBuilder(name3)
+        with self.assertRaises(ValueError):
+            builder3.save()
+        builder3.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+
        with TemporaryDirectory() as temp_dir:
            with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                _cert.write(builder.certificate)
@@ -365,6 +375,8 @@ class TestCrypto(APITestCase):
                _cert.write(builder2.certificate)
            with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
                _key.write(builder2.private_key)
+            with open(f"{temp_dir}/tls-combined.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder3.certificate)
            with CONFIG.patch("cert_discovery_dir", temp_dir):
                certificate_discovery.send()
        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -376,6 +388,9 @@ class TestCrypto(APITestCase):
        self.assertTrue(
            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
        )
+        self.assertFalse(
+            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "tls-combined").exists()
+        )

    def test_discovery_updating_same_private_key(self):
        """Test certificate discovery updating certs with matching private keys"""
--- a/authentik/endpoints/api/devices.py
+++ b/authentik/endpoints/api/devices.py
@@ -97,7 +97,7 @@ class DeviceViewSet(
    def summary(self, request: Request) -> Response:
        delta = now() - timedelta(hours=24)
        unreachable = (
-            Device.filter_not_expired()
+            Device.objects.all()
            .annotate(
                latest_snapshot=Subquery(
                    DeviceFactSnapshot.objects.filter(connection__device=OuterRef("pk"))
@@ -110,7 +110,7 @@ class DeviceViewSet(
            .count()
        )
        data = {
-            "total_count": Device.filter_not_expired().count(),
+            "total_count": Device.objects.all().count(),
            "unreachable_count": unreachable,
            # Currently not supported
            "outdated_agent_count": 0,
--- a/authentik/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/endpoints/connectors/agent/api/connectors.py
@@ -65,7 +65,9 @@ class AgentConnectorSerializer(ConnectorSerializer):
 class MDMConfigSerializer(PassiveSerializer):

    platform = ChoiceField(choices=OSFamily.choices)
-    enrollment_token = PrimaryKeyRelatedField(queryset=EnrollmentToken.objects.all())
+    enrollment_token = PrimaryKeyRelatedField(
+        queryset=EnrollmentToken.objects.including_expired().all()
+    )

    def validate_platform(self, platform: OSFamily) -> OSFamily:
        if platform not in [OSFamily.iOS, OSFamily.macOS, OSFamily.windows]:
@@ -136,7 +138,7 @@ class AgentConnectorViewSet(
            device=device,
            connector=token.connector,
        )
-        DeviceToken.objects.filter(device=connection).delete()
+        DeviceToken.objects.including_expired().filter(device=connection).delete()
        token = DeviceToken.objects.create(device=connection, expiring=False)
        return Response(
            {
--- a/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
+++ b/authentik/endpoints/connectors/agent/api/enrollment_tokens.py
@@ -18,7 +18,10 @@ from authentik.rbac.decorators import permission_required
 class EnrollmentTokenSerializer(ModelSerializer):

    device_group_obj = DeviceAccessGroupSerializer(
-        source="device_group", read_only=True, required=False
+        source="device_group",
+        read_only=True,
+        required=False,
+        allow_null=True,
    )

    def __init__(self, *args, **kwargs) -> None:
--- a/authentik/endpoints/connectors/agent/auth.py
+++ b/authentik/endpoints/connectors/agent/auth.py
@@ -34,9 +34,11 @@ class AgentEnrollmentAuth(BaseAuthentication):
    def authenticate(self, request: Request) -> tuple[User, Any] | None:
        auth = get_authorization_header(request)
        key = validate_auth(auth)
-        token = EnrollmentToken.filter_not_expired(key=key).first()
+        token = EnrollmentToken.objects.filter(key=key).first()
        if not token:
            raise PermissionDenied()
+        if not token.connector.enabled:
+            raise PermissionDenied()
        CTX_AUTH_VIA.set("endpoint_token_enrollment")
        return (DeviceUser(), token)

@@ -48,9 +50,11 @@ class AgentAuth(BaseAuthentication):
        key = validate_auth(auth, format="bearer+agent")
        if not key:
            return None
-        device_token = DeviceToken.filter_not_expired(key=key).first()
+        device_token = DeviceToken.objects.filter(key=key).first()
        if not device_token:
            raise PermissionDenied()
+        if not device_token.device.connector.enabled:
+            raise PermissionDenied()
        if device_token.device.device.is_expired:
            raise PermissionDenied()
        CTX_AUTH_VIA.set("endpoint_token")
@@ -87,7 +91,7 @@ class DeviceAuthFedAuthentication(BaseAuthentication):
        if not raw_token:
            LOGGER.warning("Missing token")
            return None
-        device = Device.filter_not_expired(name=request.query_params.get("device")).first()
+        device = Device.objects.filter(name=request.query_params.get("device")).first()
        if not device:
            LOGGER.warning("Couldn't find device")
            return None
--- a/authentik/endpoints/connectors/agent/stage.py
+++ b/authentik/endpoints/connectors/agent/stage.py
@@ -53,11 +53,11 @@ class EndpointAgentChallengeResponse(ChallengeResponse):
        except PyJWTError as exc:
            self.stage.logger.warning("Could not parse response", exc=exc)
            raise ValidationError("Invalid challenge response") from None
-        device = Device.filter_not_expired(identifier=raw["iss"]).first()
+        device = Device.objects.filter(identifier=raw["iss"]).first()
        if not device:
            self.stage.logger.warning("Could not find device for challenge")
            raise ValidationError("Invalid challenge response")
-        for token in DeviceToken.filter_not_expired(
+        for token in DeviceToken.objects.filter(
            device__device=device,
            device__connector=self.stage.executor.current_stage.connector,
        ).values_list("key", flat=True):
--- a/authentik/endpoints/connectors/agent/tests/test_agent_api.py
+++ b/authentik/endpoints/connectors/agent/tests/test_agent_api.py
@@ -58,6 +58,16 @@ class TestAgentAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

+    def test_enroll_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-enroll"),
+            data={"device_serial": generate_id(), "device_name": "bar"},
+            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
    def test_enroll_token_delete(self):
        response = self.client.post(
            reverse("authentik_api:agentconnector-enroll"),
@@ -79,7 +89,7 @@ class TestAgentAPI(APITestCase):
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 200)
-        device = Device.filter_not_expired(identifier=ident).first()
+        device = Device.objects.filter(identifier=ident).first()
        self.assertIsNotNone(device)
        self.assertEqual(device.access_group, device_group)

@@ -94,7 +104,7 @@ class TestAgentAPI(APITestCase):
            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
        )
        self.assertEqual(response.status_code, 403)
-        self.assertFalse(Device.filter_not_expired(identifier=dev_id).exists())
+        self.assertFalse(Device.objects.filter(identifier=dev_id).exists())

    @reconcile_app("authentik_crypto")
    def test_config(self):
@@ -104,6 +114,16 @@ class TestAgentAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

+    @reconcile_app("authentik_crypto")
+    def test_config_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.get(
+            reverse("authentik_api:agentconnector-agent-config"),
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
    def test_check_in(self):
        response = self.client.post(
            reverse("authentik_api:agentconnector-check-in"),
@@ -112,6 +132,16 @@ class TestAgentAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 204)

+    def test_check_in_disabled(self):
+        self.connector.enabled = False
+        self.connector.save()
+        response = self.client.post(
+            reverse("authentik_api:agentconnector-check-in"),
+            data=CHECK_IN_DATA_VALID,
+            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
+        )
+        self.assertEqual(response.status_code, 403)
+
    def test_check_in_token_expired(self):
        self.device_token.expiring = True
        self.device_token.expires = now() - timedelta(hours=1)
--- a/authentik/endpoints/models.py
+++ b/authentik/endpoints/models.py
@@ -54,7 +54,7 @@ class Device(InternallyManagedMixin, ExpiringModel, AttributesMixin, PolicyBindi
    def facts(self) -> DeviceFactSnapshot:
        data = {}
        last_updated = datetime.fromtimestamp(0, UTC)
-        for snapshot_data, snapshort_created in DeviceFactSnapshot.filter_not_expired(
+        for snapshot_data, snapshort_created in DeviceFactSnapshot.objects.filter(
            snapshot_id__in=Subquery(
                DeviceFactSnapshot.objects.filter(
                    connection__connector=OuterRef("connection__connector"), connection__device=self
--- a/authentik/endpoints/stage.py
+++ b/authentik/endpoints/stage.py
@@ -1,4 +1,4 @@
-from authentik.endpoints.models import EndpointStage, StageMode
+from authentik.endpoints.models import Connector, EndpointStage, StageMode
 from authentik.flows.stage import StageView

 PLAN_CONTEXT_ENDPOINT_CONNECTOR = "endpoint_connector"
@@ -8,7 +8,10 @@ class EndpointStageView(StageView):

    def _get_inner(self) -> StageView | None:
        stage: EndpointStage = self.executor.current_stage
-        inner_stage: type[StageView] | None = stage.connector.stage
+        connector: Connector = stage.connector
+        if not connector.enabled:
+            return None
+        inner_stage: type[StageView] | None = connector.stage
        if not inner_stage:
            return None
        return inner_stage(self.executor, request=self.request)
--- a/authentik/endpoints/tasks.py
+++ b/authentik/endpoints/tasks.py
@@ -17,7 +17,7 @@ def endpoints_sync(connector_pk: Any):
    connector: Connector | None = (
        Connector.objects.filter(pk=connector_pk).select_subclasses().first()
    )
-    if not connector:
+    if not connector or not connector.enabled:
        return
    controller = connector.controller
    ctrl = controller(connector)
--- a/authentik/enterprise/audit/apps.py
+++ b/authentik/enterprise/audit/apps.py
@@ -1,6 +1,7 @@
 """Enterprise app config"""

 from django.conf import settings
+from django.utils.translation import gettext_lazy as _

 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.tenants.flags import Flag
@@ -9,6 +10,9 @@ from authentik.tenants.flags import Flag
 class AuditIncludeExpandedDiff(Flag[bool], key="enterprise_audit_include_expanded_diff"):
    default = False
    visibility = "none"
+    description = _(
+        "Include additional information in audit logs, may incur a performance penalty."
+    )


 class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
--- a/authentik/enterprise/endpoints/connectors/agent/views/apple_nonce.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/apple_nonce.py
@@ -17,7 +17,7 @@ class NonceView(View):

    def post(self, request: HttpRequest, *args, **kwargs):
        raw_token = unquote(self.request.POST.get("x-ak-device-token"))
-        device_token = DeviceToken.filter_not_expired(key=raw_token).first()
+        device_token = DeviceToken.objects.filter(key=raw_token).first()
        if not device_token:
            return HttpResponseBadRequest()
        nonce = AppleNonce.objects.create(
--- a/authentik/enterprise/endpoints/connectors/agent/views/apple_register.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/apple_register.py
@@ -106,7 +106,7 @@ class RegisterUserView(APIView):
    def post(self, request: Request, body: AgentPSSOUserRegistration) -> Response:
        device_token: DeviceToken = request.auth
        conn: AgentDeviceConnection = device_token.device
-        user_token = DeviceAuthenticationToken.filter_not_expired(
+        user_token = DeviceAuthenticationToken.objects.filter(
            device=conn.device,
            token=body.validated_data["user_auth"],
            device_token=device_token,
--- a/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/apple_token.py
@@ -96,7 +96,7 @@ class TokenView(View):
        self.remote_nonce = decoded.get("nonce")

        # Check that the nonce hasn't been used before
-        nonce = AppleNonce.filter_not_expired(nonce=decoded["request_nonce"]).first()
+        nonce = AppleNonce.objects.filter(nonce=decoded["request_nonce"]).first()
        if not nonce:
            raise ValidationError("Invalid nonce")
        self.nonce = nonce
--- a/authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py
+++ b/authentik/enterprise/endpoints/connectors/agent/views/auth_interactive.py
@@ -3,6 +3,7 @@ from hmac import compare_digest

 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseBadRequest, QueryDict

+from authentik.common.oauth.constants import QS_LOGIN_HINT
 from authentik.endpoints.connectors.agent.auth import (
    agent_auth_issue_token,
    check_device_policies,
@@ -14,7 +15,7 @@ from authentik.enterprise.policy import EnterprisePolicyAccessView
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_DEVICE, FlowPlanner
-from authentik.flows.stage import StageView
+from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme

 QS_AGENT_IA_TOKEN = "ak-auth-ia-token"  # nosec
@@ -29,7 +30,7 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):

    def resolve_provider_application(self):
        auth_token = (
-            DeviceAuthenticationToken.filter_not_expired(identifier=self.kwargs["token_uuid"])
+            DeviceAuthenticationToken.objects.filter(identifier=self.kwargs["token_uuid"])
            .prefetch_related()
            .first()
        )
@@ -64,14 +65,14 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):

        planner = FlowPlanner(self.connector.authorization_flow)
        planner.allow_empty_flows = True
+        context = {
+            PLAN_CONTEXT_DEVICE: self.device,
+            PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
+        }
+        if QS_LOGIN_HINT in request.GET:
+            context[PLAN_CONTEXT_PENDING_USER_IDENTIFIER] = request.GET[QS_LOGIN_HINT]
        try:
-            plan = planner.plan(
-                self.request,
-                {
-                    PLAN_CONTEXT_DEVICE: self.device,
-                    PLAN_CONTEXT_DEVICE_AUTH_TOKEN: self.auth_token,
-                },
-            )
+            plan = planner.plan(self.request, context)
        except FlowNonApplicableException:
            return self.handle_no_permission_authenticated()
        plan.append_stage(in_memory_stage(AgentAuthFulfillmentStage))
@@ -84,7 +85,6 @@ class AgentInteractiveAuth(EnterprisePolicyAccessView):


 class AgentAuthFulfillmentStage(StageView):
-
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        device: Device = self.executor.plan.context.pop(PLAN_CONTEXT_DEVICE)
        auth_token: DeviceAuthenticationToken = self.executor.plan.context.pop(
--- a/authentik/enterprise/providers/ssf/tasks.py
+++ b/authentik/enterprise/providers/ssf/tasks.py
@@ -8,6 +8,7 @@ from dramatiq.actor import actor
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger

+from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import User
 from authentik.enterprise.providers.ssf.models import (
    DeliveryMethods,
@@ -68,6 +69,7 @@ def _check_app_access(stream: Stream, event_data: dict) -> bool:
    if not user:
        return True
    engine = PolicyEngine(stream.provider.backchannel_application, user)
+    engine.empty_result = AppAccessWithoutBindings.get()
    engine.use_cache = False
    engine.build()
    return engine.passing
--- a/authentik/enterprise/providers/ssf/views/auth.py
+++ b/authentik/enterprise/providers/ssf/views/auth.py
@@ -25,7 +25,7 @@ class SSFTokenAuth(BaseAuthentication):

    def check_token(self, key: str) -> Token | None:
        """Check that a token exists, is not expired, and is assigned to the correct provider"""
-        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
+        token = Token.objects.filter(key=key, intent=TokenIntents.INTENT_API).first()
        if not token:
            return None
        provider: SSFProvider = token.ssfprovider_set.first()
@@ -39,7 +39,7 @@ class SSFTokenAuth(BaseAuthentication):
        """Check JWT-based authentication, this supports tokens issued either by providers
        configured directly in the provider, and by providers assigned to the application
        that the SSF provider is a backchannel provider of."""
-        token = AccessToken.filter_not_expired(token=jwt, revoked=False).first()
+        token = AccessToken.objects.filter(token=jwt, revoked=False).first()
        if not token:
            return None
        ssf_provider = SSFProvider.objects.filter(
--- a/authentik/enterprise/search/settings.py
+++ b/authentik/enterprise/search/settings.py
@@ -1,11 +1,11 @@
 SPECTACULAR_SETTINGS = {
    "POSTPROCESSING_HOOKS": [
-        "authentik.api.schema.postprocess_schema_register",
-        "authentik.api.schema.postprocess_schema_responses",
-        "authentik.api.schema.postprocess_schema_query_params",
-        "authentik.api.schema.postprocess_schema_remove_unused",
+        "authentik.api.v3.schema.response.postprocess_schema_register",
+        "authentik.api.v3.schema.response.postprocess_schema_responses",
+        "authentik.api.v3.schema.query.postprocess_schema_query_params",
+        "authentik.api.v3.schema.cleanup.postprocess_schema_remove_unused",
        "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
-        "drf_spectacular.hooks.postprocess_schema_enums",
+        "authentik.api.v3.schema.enum.postprocess_schema_enums",
    ],
 }

--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@@ -9,30 +9,49 @@ from django.db.models import DateTimeField as DjangoDateTimeField
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
 from django.db.models.functions import TruncHour
 from django.db.models.query_utils import Q
+from django.utils.text import slugify
 from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
+from rest_framework.fields import (
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    DictField,
+    IntegerField,
+    ListField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.validation import validate
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.reflection import ConditionalInheritance
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
+
+AGGR_MAX_AGE = timedelta(days=90)


 class EventVolumeSerializer(PassiveSerializer):
-    """Count of events of action created on day"""
+    """Count of events of action created on day for a single event action"""

    action = ChoiceField(choices=EventAction.choices)
    time = DateTimeField()
    count = IntegerField()


+class EventStatsSerializer(PassiveSerializer):
+    """Count of unique users in events and aggregated counts per specified deltas"""
+
+    unique_users = IntegerField()
+    count_step = DictField()
+
+
 class EventSerializer(ModelSerializer):
    """Event Serializer"""

@@ -84,6 +103,11 @@ class EventsFilter(django_filters.FilterSet):
        lookup_expr="authorized_application__pk",
        label="Context Authorized application",
    )
+    context_device = django_filters.CharFilter(
+        field_name="context",
+        lookup_expr="device__pk",
+        label="Context Device Primary Key",
+    )
    action = django_filters.CharFilter(
        field_name="action",
        lookup_expr="icontains",
@@ -123,6 +147,16 @@ class EventViewSet(
 ):
    """Event Read-Only Viewset"""

+    class EventVolumeParameters(PassiveSerializer):
+        history_days = IntegerField(default=7, required=False)
+
+    class EventStatsParameters(PassiveSerializer):
+        count_steps = ListField(
+            child=CharField(validators=[timedelta_string_validator]),
+            required=True,
+            help_text="Timedelta, format of 'weeks=3;days=2;hours=3,seconds=2'",
+        )
+
    queryset = Event.objects.all()
    serializer_class = EventSerializer
    ordering = ["-created"]
@@ -225,24 +259,16 @@ class EventViewSet(

    @extend_schema(
        responses={200: EventVolumeSerializer(many=True)},
-        parameters=[
-            OpenApiParameter(
-                "history_days",
-                type=OpenApiTypes.NUMBER,
-                location=OpenApiParameter.QUERY,
-                required=False,
-                default=7,
-            ),
-        ],
+        parameters=[EventVolumeParameters],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
-    def volume(self, request: Request) -> Response:
+    @validate(EventVolumeParameters, "query")
+    def volume(self, request: Request, query: EventVolumeParameters) -> Response:
        """Get event volume for specified filters and timeframe"""
        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
-        delta = timedelta(days=7)
-        time_delta = request.query_params.get("history_days", 7)
-        if time_delta:
-            delta = timedelta(days=min(int(time_delta), 60))
+        delta = timedelta(days=query.validated_data.get("history_days", 7))
+        if delta.total_seconds() > AGGR_MAX_AGE.total_seconds():
+            delta = AGGR_MAX_AGE
        return Response(
            queryset.filter(created__gte=now() - delta)
            .annotate(hour=TruncHour("created"))
@@ -257,6 +283,40 @@ class EventViewSet(
            .order_by("time", "action")
        )

+    @extend_schema(
+        responses={200: EventStatsSerializer()},
+        parameters=[EventStatsParameters],
+        filters=True,
+    )
+    @action(detail=False, methods=["GET"], pagination_class=None)
+    @validate(EventStatsParameters, "query")
+    def stats(self, request: Request, query: EventStatsParameters) -> Response:
+        """Get event stats for specified filters and count steps"""
+        _now = now()
+        aggrs = {
+            "unique_users": Count("user__pk", distinct=True),
+        }
+        largest_delta = 0
+        for step in query.validated_data.get("count_steps"):
+            delta = timedelta_from_string(step)
+            if delta.total_seconds() > AGGR_MAX_AGE.total_seconds():
+                delta = AGGR_MAX_AGE
+            largest_delta = max(largest_delta, delta.total_seconds())
+            aggrs[slugify(step).replace("-", "_")] = Count(
+                "event_uuid", filter=Q(created__gte=_now - delta)
+            )
+        data = (
+            self.filter_queryset(self.get_queryset())
+            .filter(created__gte=now() - timedelta(days=60))
+            .aggregate(**aggrs)
+        )
+        return Response(
+            {
+                "unique_users": data.pop("unique_users"),
+                "count_step": data,
+            }
+        )
+
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def actions(self, request: Request) -> Response:
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -12,6 +12,7 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.apps import apps
 from django.db import models
+from django.db.models import Q
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@@ -250,6 +251,28 @@ class Event(SerializerModel, ExpiringModel):
        self.save()
        return self

+    @staticmethod
+    def log_deprecation(
+        identifier: str, message: str, cause: str | None = None, expiry_days=30, **kwargs
+    ):
+        query = Q(
+            action=EventAction.CONFIGURATION_WARNING,
+            context__deprecation=identifier,
+        )
+        if cause:
+            query &= Q(context__cause=cause)
+        if Event.objects.filter(query).exists():
+            return
+        event = Event.new(
+            EventAction.CONFIGURATION_WARNING,
+            deprecation=identifier,
+            message=message,
+            cause=cause,
+            **kwargs,
+        )
+        event.expires = now() + timedelta(days=expiry_days)
+        event.save()
+
    def save(self, *args, **kwargs):
        if self._state.adding:
            LOGGER.info(
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@@ -93,11 +93,13 @@ def on_login_failed(
    credentials: dict[str, str],
    request: HttpRequest,
    stage: Stage | None = None,
+    context: dict[str, Any] | None = None,
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
    user = User.objects.filter(username=credentials.get("username")).first()
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
+    context = context or {}
+    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **context).from_http(
        request, user
    )

--- a/authentik/events/tests/test_api.py
+++ b/authentik/events/tests/test_api.py
@@ -1,8 +1,12 @@
 """Event API tests"""

+from datetime import timedelta
 from json import loads

 from django.urls import reverse
+from django.utils.datastructures import MultiValueDict
+from django.utils.http import urlencode
+from django.utils.timezone import now
 from rest_framework.test import APITestCase

 from authentik.core.tests.utils import create_test_admin_user
@@ -91,3 +95,52 @@ class TestEventsAPI(APITestCase):
            },
        )
        self.assertEqual(response.status_code, 400)
+
+    def test_volume(self):
+        Event.objects.all().delete()
+        Event.new(EventAction.LOGIN).set_user(self.user).save()
+        evt = Event.new(EventAction.LOGIN).set_user(self.user)
+        evt.created = now() - timedelta(days=6)
+        evt.save()
+        res = self.client.get(
+            reverse("authentik_api:event-volume")
+            + "?"
+            + urlencode(
+                {
+                    "action": EventAction.LOGIN,
+                }
+            )
+        )
+        self.assertEqual(res.status_code, 200)
+        data = loads(res.content)
+        self.assertEqual(len(data), 1)
+
+    def test_stats(self):
+        Event.objects.all().delete()
+        Event.new(EventAction.LOGIN).set_user(self.user).save()
+        evt = Event.new(EventAction.LOGIN).set_user(self.user)
+        evt.created = now() - timedelta(days=6)
+        evt.save()
+        res = self.client.get(
+            reverse("authentik_api:event-stats")
+            + "?"
+            + urlencode(
+                MultiValueDict({"count_steps": ["hours=24", "days=7", "days=240"]}), doseq=True
+            )
+        )
+        self.assertEqual(res.status_code, 200, res.content)
+        self.assertJSONEqual(
+            res.content, {"unique_users": 1, "count_step": {"hours24": 2, "days7": 2, "days240": 2}}
+        )
+
+    def test_stats_invalid(self):
+        res = self.client.get(
+            reverse("authentik_api:event-stats")
+            + "?"
+            + urlencode({"count_steps": "24d"}, doseq=True)
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content,
+            {"count_steps": {"0": ["24d is not in the correct format of 'hours=3;minutes=1'."]}},
+        )
--- a/authentik/events/tests/test_event.py
+++ b/authentik/events/tests/test_event.py
@@ -207,3 +207,9 @@ class TestEvents(TestCase):
                "username": user.username,
            },
        )
+
+    def test_invalid_string(self):
+        """Test creating an event with invalid unicode string data"""
+        event = Event.new("unittest", foo="foo bar \u0000 baz")
+        event.save()
+        self.assertEqual(event.context["foo"], "foo bar  baz")
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@@ -36,6 +36,10 @@ ALLOWED_SPECIAL_KEYS = re.compile(
 )


+def cleanse_str(raw: Any) -> str:
+    return str(raw).replace("\u0000", "")
+
+
 def cleanse_item(key: str, value: Any) -> Any:
    """Cleanse a single item"""
    if isinstance(value, dict):
@@ -66,7 +70,7 @@ def cleanse_dict(source: dict[Any, Any]) -> dict[Any, Any]:

 def model_to_dict(model: Model) -> dict[str, Any]:
    """Convert model to dict"""
-    name = str(model)
+    name = cleanse_str(model)
    if hasattr(model, "name"):
        name = model.name
    return {
@@ -133,11 +137,11 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
    if isinstance(value, ASN):
        return ASN_CONTEXT_PROCESSOR.asn_to_dict(value)
    if isinstance(value, Path):
-        return str(value)
+        return cleanse_str(value)
    if isinstance(value, Exception):
-        return str(value)
+        return cleanse_str(value)
    if isinstance(value, YAMLTag):
-        return str(value)
+        return cleanse_str(value)
    if isinstance(value, Enum):
        return value.value
    if isinstance(value, type):
@@ -161,7 +165,7 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
            raise ValueError("JSON can't represent timezone-aware times.")
        return value.isoformat()
    if isinstance(value, timedelta):
-        return str(value.total_seconds())
+        return cleanse_str(value.total_seconds())
    if callable(value):
        return {
            "type": "callable",
@@ -174,8 +178,8 @@ def sanitize_item(value: Any) -> Any:  # noqa: PLR0911, PLR0912
    try:
        return DjangoJSONEncoder().default(value)
    except TypeError:
-        return str(value)
-    return str(value)
+        return cleanse_str(value)
+    return cleanse_str(value)


 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@@ -7,15 +7,18 @@ from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, FileField, ReadOnlyField, SerializerMethodField
-from rest_framework.parsers import MultiPartParser
+from rest_framework.fields import (
+    BooleanField,
+    FileField,
+    ReadOnlyField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.exporter import FlowExporter
-from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    CacheSerializer,
@@ -24,7 +27,6 @@ from authentik.core.api.utils import (
    PassiveSerializer,
    ThemedUrlsSerializer,
 )
-from authentik.events.logs import LogEventSerializer
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
@@ -106,13 +108,6 @@ class FlowSetSerializer(FlowSerializer):
        ]


-class FlowImportResultSerializer(PassiveSerializer):
-    """Logs of an attempted flow import"""
-
-    logs = LogEventSerializer(many=True, read_only=True)
-    success = BooleanField(read_only=True)
-
-
 class FlowViewSet(UsedByMixin, ModelViewSet):
    """Flow Viewset"""

@@ -146,59 +141,6 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        LOGGER.debug("Cleared flow cache", keys=len(keys))
        return Response(status=204)

-    @permission_required(
-        None,
-        [
-            "authentik_flows.add_flow",
-            "authentik_flows.change_flow",
-            "authentik_flows.add_flowstagebinding",
-            "authentik_flows.change_flowstagebinding",
-            "authentik_flows.add_stage",
-            "authentik_flows.change_stage",
-            "authentik_policies.add_policy",
-            "authentik_policies.change_policy",
-            "authentik_policies.add_policybinding",
-            "authentik_policies.change_policybinding",
-            "authentik_stages_prompt.add_prompt",
-            "authentik_stages_prompt.change_prompt",
-        ],
-    )
-    @extend_schema(
-        request={"multipart/form-data": FlowUploadSerializer},
-        responses={
-            204: FlowImportResultSerializer,
-            400: FlowImportResultSerializer,
-        },
-    )
-    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
-    def import_flow(self, request: Request) -> Response:
-        """Import flow from .yaml file"""
-        import_response = FlowImportResultSerializer(
-            data={
-                "logs": [],
-                "success": False,
-            }
-        )
-        import_response.is_valid()
-        file = request.FILES.get("file", None)
-        if not file:
-            return Response(data=import_response.initial_data, status=400)
-
-        importer = Importer.from_string(file.read().decode())
-        valid, logs = importer.validate()
-        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
-        import_response.initial_data["success"] = valid
-        import_response.is_valid()
-        if not valid:
-            return Response(data=import_response.initial_data, status=200)
-
-        successful = importer.apply()
-        import_response.initial_data["success"] = successful
-        import_response.is_valid()
-        if not successful:
-            return Response(data=import_response.initial_data, status=200)
-        return Response(data=import_response.initial_data, status=200)
-
    @permission_required(
        "authentik_flows.export_flow",
        [
--- a/authentik/flows/apps.py
+++ b/authentik/flows/apps.py
@@ -1,5 +1,6 @@
 """authentik flows app config"""

+from django.utils.translation import gettext_lazy as _
 from prometheus_client import Gauge, Histogram

 from authentik.blueprints.apps import ManagedAppConfig
@@ -27,12 +28,14 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others

    default = False
    visibility = "public"
+    description = _("Refresh other tabs after successful authentication.")


 class ContinuousLogin(Flag[bool], key="flows_continuous_login"):

    default = False
    visibility = "public"
+    description = _("Upon successful authentication, re-start authentication in other open tabs.")


 class AuthentikFlowsConfig(ManagedAppConfig):
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@@ -25,6 +25,8 @@

    window.authentik.flow = {
        "layout": "{{ flow.layout }}",
+        "background": "{{ flow.background }}",
+        "title": "{{ flow.title }}",
    };
 </script>
 {% endblock %}
@@ -45,33 +47,23 @@
 {% block body %}
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-
-<div class="pf-c-page__drawer">
-    <div class="pf-c-drawer pf-m-collapsed" id="flow-drawer">
-        <div class="pf-c-drawer__main">
-            <div class="pf-c-drawer__content">
-                <div class="pf-c-drawer__body">
-                        <ak-flow-executor
-                            slug="{{ flow.slug }}"
-                            class="pf-c-login"
-                            data-layout="{{ flow.layout|default:'stacked' }}"
-                            loading
-                        >
-                            {% include "base/placeholder.html" %}
-
-                            <ak-brand-links name="flow-links" slot="footer"></ak-brand-links>
-                        </ak-flow-executor>
-                    </div>
-                </div>
-
-                <ak-flow-inspector
-                    id="flow-inspector"
-                    data-registration="lazy"
-                    class="pf-c-drawer__panel pf-m-width-33"
-                    slug="{{ flow.slug }}"
-                ></ak-flow-inspector>
-            </div>
-        </div>
-    </div>
-</div>
+<ak-drawer id="flow-drawer">
+    <ak-flow-executor
+        slug="{{ flow.slug }}"
+        class="pf-c-login"
+        data-layout="{{ flow.layout|default:'stacked' }}"
+        loading
+    >
+        {% include "base/placeholder.html" %}
+        
+        <ak-brand-links name="flow-links" slot="footer"></ak-brand-links>
+    </ak-flow-executor>
+    
+    <ak-flow-inspector
+        slot="panel"
+        id="flow-inspector"
+        data-registration="lazy"
+        slug="{{ flow.slug }}"
+    ></ak-flow-inspector>
+</ak-drawer>
 {% endblock %}
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@@ -134,7 +134,7 @@ class FlowExecutorView(APIView):

    def _check_flow_token(self, key: str) -> FlowPlan | None:
        """Check if the user is using a flow token to restore a plan"""
-        token: FlowToken | None = FlowToken.filter_not_expired(key=key).first()
+        token: FlowToken | None = FlowToken.objects.filter(key=key).first()
        if not token:
            return None
        plan = None
--- a/authentik/lib/api.py
+++ b/authentik/lib/api.py
@@ -0,0 +1,32 @@
+from django.apps.registry import apps
+from django.db.models import TextChoices
+from django.utils.encoding import force_str
+
+from authentik.blueprints.v1.importer import is_model_allowed
+from authentik.blueprints.v1.meta.registry import BaseMetaModel
+
+
+def app_choices() -> TextChoices:
+    """Get a list of all installed applications that create events.
+    Returns a list of tuples containing (dotted.app.path, name)"""
+    choices = {}
+    for app in apps.get_app_configs():
+        if app.label.startswith("authentik"):
+            choices[app.name] = (app.name, force_str(app.verbose_name))
+    return TextChoices("Apps", choices)
+
+
+def model_choices() -> TextChoices:
+    """Get a list of all installed models
+    Returns a list of tuples containing (dotted.model.path, name)"""
+    choices = {}
+    for model in apps.get_models():
+        if not is_model_allowed(model) or issubclass(model, BaseMetaModel):
+            continue
+        name = f"{model._meta.app_label}.{model._meta.model_name}"
+        choices[name] = (name, force_str(model._meta.verbose_name))
+    return TextChoices("Models", choices)
+
+
+Apps = app_choices()
+Models = model_choices()
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@@ -342,10 +342,10 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        "default": {
            "ENGINE": "psqlextra.backend",
            "HOST": config.get("postgresql.host"),
-            "PORT": config.get("postgresql.port"),
+            "NAME": config.get("postgresql.name"),
            "USER": config.get("postgresql.user"),
            "PASSWORD": config.get("postgresql.password"),
-            "NAME": config.get("postgresql.name"),
+            "PORT": config.get("postgresql.port"),
            "OPTIONS": {
                "sslmode": config.get("postgresql.sslmode"),
                "sslrootcert": config.get("postgresql.sslrootcert"),
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -17,12 +17,11 @@

 postgresql:
  host: localhost
-  port: 5432
-  user: authentik
-  password: "env://POSTGRES_PASSWORD"
  name: authentik
+  user: authentik
+  port: 5432
+  password: "env://POSTGRES_PASSWORD"
  sslmode: disable
-  conn_max_age: 60
  conn_health_checks: false
  use_pool: False
  test:
@@ -74,19 +73,6 @@ log_level: info
 log:
  http_headers:
    - User-Agent
-  rust_log:
-    "console_subscriber": info
-    "h2": info
-    "hyper_util": warn
-    "mio": info
-    "notify": info
-    "reqwest": info
-    "runtime": info
-    "rustls": info
-    "sqlx": info
-    "sqlx_postgres": info
-    "tokio": info
-    "tungstenite": info

 sessions:
  unauthenticated_age: days=1
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@@ -41,7 +41,7 @@ def structlog_configure():
            add_process_id,
            add_tenant_information,
            structlog.stdlib.PositionalArgumentsFormatter(),
-            structlog.processors.TimeStamper(fmt="iso", utc=True),
+            structlog.processors.TimeStamper(fmt="iso", utc=False),
            structlog.processors.StackInfoRenderer(),
            structlog.processors.ExceptionRenderer(
                structlog.tracebacks.ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@@ -58,6 +58,9 @@ class BaseController:
        self.connection = connection
        self.logger = get_logger()
        self.deployment_ports = []
+        self.metrics_ports = [
+            DeploymentPort(9300, "http-metrics", "tcp"),
+        ]

    def up(self):
        """Called by scheduled task to reconcile deployment/service/etc"""
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@@ -185,8 +185,10 @@ class KubernetesObjectReconciler[T]:

        patch = self.get_patch()
        if patch is not None:
-            current_json = ApiClient().sanitize_for_serialization(current)
-
+            try:
+                current_json = ApiClient().sanitize_for_serialization(current)
+            except AttributeError:
+                current_json = asdict(current)
            try:
                if apply_patch(current_json, patch) != current_json:
                    raise NeedsUpdate()
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@@ -2,7 +2,7 @@

 from typing import TYPE_CHECKING

-from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
+from kubernetes.client import CoreV1Api, V1ObjectMeta, V1Service, V1ServicePort, V1ServiceSpec

 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
@@ -84,3 +84,47 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
            reference,
            field_manager=FIELD_MANAGER,
        )
+
+
+class MetricsServiceReconciler(ServiceReconciler):
+    @property
+    def noop(self) -> bool:
+        return self.is_embedded
+
+    @staticmethod
+    def reconciler_name() -> str:
+        return "service-metrics"
+
+    @property
+    def name(self):
+        name_suffix = "-metrics"
+        name = super().name
+        return name[: 63 - len(name_suffix)] + name_suffix
+
+    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
+        meta: V1ObjectMeta = super().get_object_meta(**kwargs)
+        meta.labels["goauthentik.io/service-type"] = "metrics"
+        return meta
+
+    def get_reference_object(self) -> V1Service:
+        """Get deployment object for outpost"""
+        meta = self.get_object_meta(name=self.name)
+        ports = []
+        for port in self.controller.metrics_ports:
+            ports.append(
+                V1ServicePort(
+                    name=port.name,
+                    port=port.port,
+                    protocol=port.protocol.upper(),
+                    target_port=port.inner_port or port.port,
+                )
+            )
+        selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
+        return V1Service(
+            metadata=meta,
+            spec=V1ServiceSpec(
+                ports=ports,
+                selector=selector_labels,
+                type="ClusterIP",
+            ),
+        )
--- a/authentik/outposts/controllers/k8s/service_monitor.py
+++ b/authentik/outposts/controllers/k8s/service_monitor.py
@@ -8,6 +8,8 @@ from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi

 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
+from authentik.outposts.controllers.k8s.service import MetricsServiceReconciler
+from authentik.outposts.controllers.k8s.triggers import NeedsUpdate

 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
@@ -55,6 +57,10 @@ class PrometheusServiceMonitor:
    metadata: PrometheusServiceMonitorMetadata
    spec: PrometheusServiceMonitorSpec

+    def to_dict(self):
+        """`to_dict` to conform to how the kubernetes client converts objects to dicts"""
+        return asdict(self)
+

 CRD_NAME = "servicemonitors.monitoring.coreos.com"
 CRD_GROUP = "monitoring.coreos.com"
@@ -74,6 +80,11 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
    def reconciler_name() -> str:
        return "prometheus servicemonitor"

+    def reconcile(self, current: PrometheusServiceMonitor, reference: PrometheusServiceMonitor):
+        if current.spec.selector.matchLabels != reference.spec.selector.matchLabels:
+            raise NeedsUpdate()
+        super().reconcile(current, reference)
+
    @property
    def noop(self) -> bool:
        if not self._crd_exists():
@@ -108,7 +119,9 @@ class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusSe
                    )
                ],
                selector=PrometheusServiceMonitorSpecSelector(
-                    matchLabels=self.get_object_meta(name=self.name).labels,
+                    matchLabels=MetricsServiceReconciler(self.controller)
+                    .get_object_meta(name=self.name)
+                    .labels,
                ),
            ),
        )
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@@ -18,7 +18,7 @@ from authentik.outposts.controllers.base import BaseClient, BaseController, Cont
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
-from authentik.outposts.controllers.k8s.service import ServiceReconciler
+from authentik.outposts.controllers.k8s.service import MetricsServiceReconciler, ServiceReconciler
 from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.models import (
    KubernetesServiceConnection,
@@ -74,6 +74,7 @@ class KubernetesController(BaseController):
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
            ServiceReconciler.reconciler_name(): ServiceReconciler,
+            MetricsServiceReconciler.reconciler_name(): MetricsServiceReconciler,
            PrometheusServiceMonitorReconciler.reconciler_name(): (
                PrometheusServiceMonitorReconciler
            ),
@@ -82,6 +83,7 @@ class KubernetesController(BaseController):
            SecretReconciler.reconciler_name(),
            DeploymentReconciler.reconciler_name(),
            ServiceReconciler.reconciler_name(),
+            MetricsServiceReconciler.reconciler_name(),
            PrometheusServiceMonitorReconciler.reconciler_name(),
        ]

--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -403,7 +403,7 @@ class Outpost(ScheduledModel, SerializerModel, ManagedModel):
    def token(self) -> Token:
        """Get/create token for auto-generated user"""
        managed = f"goauthentik.io/outpost/{self.token_identifier}"
-        tokens = Token.filter_not_expired(
+        tokens = Token.objects.filter(
            identifier=self.token_identifier,
            intent=TokenIntents.INTENT_API,
            managed=managed,
--- a/authentik/outposts/tests/test_controller_k8s.py
+++ b/authentik/outposts/tests/test_controller_k8s.py
@@ -1,11 +1,16 @@
 """Kubernetes controller tests"""

+from unittest.mock import MagicMock, patch
+
 from django.test import TestCase
+from kubernetes.client import ApiClient
+from yaml import SafeLoader, load_all

 from authentik.blueprints.tests import reconcile_app
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
+from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType

@@ -28,7 +33,7 @@ class KubernetesControllerTests(TestCase):
            self.integration,
            # Pass something not-none as client so we don't
            # attempt to connect to K8s as that's not needed
-            client=self,
+            client=ApiClient(),
        )
        rec = DeploymentReconciler(controller)
        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
@@ -42,3 +47,18 @@ class KubernetesControllerTests(TestCase):
        controller.outpost.config = _cfg
        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
        self.assertLess(len(rec.name), 64)
+
+    def test_static(self):
+        self.controller = KubernetesController(
+            self.outpost,
+            self.integration,
+            # Pass something not-none as client so we don't
+            # attempt to connect to K8s as that's not needed
+            client=ApiClient(),
+        )
+        with patch.object(
+            PrometheusServiceMonitorReconciler, "_crd_exists", MagicMock(return_value=True)
+        ):
+            manifest = self.controller.get_static_deployment()
+        manifests = list(load_all(manifest, Loader=SafeLoader))
+        self.assertEqual(len(manifests), 5)
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@@ -1,4 +1,4 @@
-"""Authentik policies app config
+"""authentik policies app config

 Every system policy should be its own Django app under the `policies` app.
 For example: The 'dummy' policy is available at `authentik.policies.dummy`.
@@ -38,4 +38,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
-    mountpoint = "policy/"
--- a/authentik/policies/event_matcher/api.py
+++ b/authentik/policies/event_matcher/api.py
@@ -6,8 +6,9 @@ from rest_framework.fields import ChoiceField
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
+from authentik.lib.api import app_choices, model_choices
 from authentik.policies.api.policies import PolicySerializer
-from authentik.policies.event_matcher.models import EventMatcherPolicy, app_choices, model_choices
+from authentik.policies.event_matcher.models import EventMatcherPolicy


 class EventMatcherPolicySerializer(PolicySerializer):
--- a/Show More
+++ b/Show More