release: 2025.8.3

website/docs: 2025.8.3 release notes (#16809)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.github/actions/docker-push-variables/push_vars.py

@@ -1,10 +1,11 @@
 """Helper script to get the actual branch name, docker safe"""
 
 import os
-from importlib.metadata import version as package_version
 from json import dumps
 from time import time
 
+from authentik import authentik_version
+
 # Decide if we should push the image or not
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
@@ -28,7 +29,7 @@ is_release = "dev" not in image_names[0]
 sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
 
 # 2042.1.0 or 2042.1.0-rc1
-version = package_version("authentik")
+version = authentik_version()
 # 2042.1
 version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
 prerelease = "-" in version

.github/workflows/_reusable-docker-build-single.yaml

@@ -49,7 +49,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
           image-arch: ${{ inputs.image_arch }}
@@ -58,8 +58,8 @@ jobs:
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_CORP_USERNAME }}
+          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3

.github/workflows/_reusable-docker-build.yaml

@@ -54,7 +54,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
   merge-server:
@@ -74,15 +74,15 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_CORP_USERNAME }}
+          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3

.github/workflows/ci-docs.yml

@@ -81,7 +81,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry

.github/workflows/ci-main.yml

@@ -278,7 +278,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR

.github/workflows/ci-outpost.yml

@@ -90,7 +90,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry

.github/workflows/release-bump-version.yml

@@ -1,168 +0,0 @@
----
-name: Release - Bump version
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Version
-        required: true
-        type: string
-      release_reason:
-        description: Release reason
-        required: true
-        type: choice
-        options:
-          - bugfix
-          - feature
-          - security
-          - other
-          - prerelease
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-inputs:
-    name: Check inputs validity
-    runs-on: ubuntu-latest
-    steps:
-      - id: check
-        run: |
-          echo "${{ inputs.version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}\.[0-9]+(-rc[0-9]+)?$"
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
-    outputs:
-      major_version: "${{ steps.check.outputs.major_version }}"
-  bump-authentik:
-    name: Bump authentik version
-    needs:
-      - check-inputs
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.version }}"
-      - name: Commit and push
-        run: |
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
-          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
-          git push --follow-tags
-  bump-helm:
-    name: Bump Helm version
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: helm
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/helm"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        run: |
-          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
-          ./scripts/helm-docs.sh
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
-          title: "charts/authentik: bump to ${{ inputs.version }}"
-          body: "charts/authentik: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] ${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
-  bump-version:
-    name: Bump version repository
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - check-inputs
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: version
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/version"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump feature version
-        if: "${{ inputs.release_reason == 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Bump feature version
-        if: "${{ inputs.release_reason != 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "version: bump to ${{ inputs.version }}"
-          title: "version: bump to ${{ inputs.version }}"
-          body: "version: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"

.github/workflows/release-publish.yml

@@ -10,6 +10,7 @@ jobs:
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     permissions:
+      contents: read
       # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
@@ -23,6 +24,7 @@ jobs:
   build-docs:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
@@ -66,6 +68,7 @@ jobs:
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation

.github/workflows/release-tag.yml

@@ -1,39 +1,195 @@
 ---
-name: Release - On tag
+name: Release - Tag new version
 
 on:
-  push:
-    tags:
-      - "version/*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version
+        required: true
+        type: string
+      release_reason:
+        description: Release reason
+        required: true
+        type: choice
+        options:
+          - bugfix
+          - feature
+          - security
+          - other
+          - prerelease
+
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
 jobs:
-  build:
-    name: Create Release from Tag
+  check-inputs:
+    name: Check inputs validity
+    runs-on: ubuntu-latest
+    steps:
+      - id: check
+        run: |
+          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
+          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
+      - id: changelog-url
+        run: |
+          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          else
+            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
+          fi
+          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
+    outputs:
+      major_version: "${{ steps.check.outputs.major_version }}"
+      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
+  test:
+    name: Pre-release test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - name: Pre-release test
+      - run: make test-docker
+  bump-authentik:
+    name: Bump authentik version
+    needs:
+      - check-inputs
+      - test
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: Run migrations
+        run: make migrate
+      - name: Bump version
+        run: "make bump version=${{ inputs.version }}"
+      - name: Commit and push
         run: |
-          make test-docker
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
+          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
+          git push --follow-tags
       - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1.1.4
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ steps.ev.outputs.version }}
+          token: "${{ steps.app-token.outputs.token }}"
+          tag_name: "version/${{ inputs.version }}"
+          name: Release ${{ inputs.version }}
           draft: true
-          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
+          prerelease: ${{ inputs.release_reason == 'prerelease' }}
+          generate_release_notes: true
+          body: |
+            See ${{ needs.check-inputs.outputs.changelog_url }}
+  bump-helm:
+    name: Bump Helm version
+    if: ${{ inputs.release_reason != 'prerelease' }}
+    needs:
+      - bump-authentik
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          repositories: helm
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          repository: "${{ github.repository_owner }}/helm"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Bump version
+        run: |
+          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
+          ./scripts/helm-docs.sh
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          branch: bump-${{ inputs.version }}
+          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
+          title: "charts/authentik: bump to ${{ inputs.version }}"
+          body: "charts/authentik: bump to ${{ inputs.version }}"
+          delete-branch: true
+          signoff: true
+          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+  bump-version:
+    name: Bump version repository
+    if: ${{ inputs.release_reason != 'prerelease' }}
+    needs:
+      - check-inputs
+      - bump-authentik
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          repositories: version
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          repository: "${{ github.repository_owner }}/version"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Bump version
+        if: "${{ inputs.release_reason == 'feature' }}"
+        run: |
+          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
+          jq \
+            --arg version "${{ inputs.version }}" \
+            --arg changelog "See ${changelog_url}" \
+            --arg changelog_url "${changelog_url}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+          mv version.new.json version.json
+      - name: Bump version
+        if: "${{ inputs.release_reason != 'feature' }}"
+        run: |
+          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
+          jq \
+            --arg version "${{ inputs.version }}" \
+            --arg changelog "See ${changelog_url}" \
+            --arg changelog_url "${changelog_url}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+          mv version.new.json version.json
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          branch: bump-${{ inputs.version }}
+          commit-message: "version: bump to ${{ inputs.version }}"
+          title: "version: bump to ${{ inputs.version }}"
+          body: "version: bump to ${{ inputs.version }}"
+          delete-branch: true
+          signoff: true
+          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"

CONTRIBUTING.md

@@ -1 +0,0 @@
-website/docs/developer-docs/index.md

CONTRIBUTING.md

@@ -0,0 +1,4 @@
+# Contributing to authentik
+
+Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.
+

Dockerfile

@@ -175,6 +175,7 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY ./packages/ /ak-root/packages
+RUN  ln -s /ak-root/packages /packages
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=node-builder /work/web/dist/ /web/dist/
 COPY --from=node-builder /work/web/authentik/ /web/authentik/

README.md

@@ -15,15 +15,16 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
+authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.
 
-Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
+Our [enterprise offering](https://goauthentik.io/pricing) is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.
 
 ## Installation
 
-For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
-
-For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).
+- Docker Compose: recommended for small/test setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/docker-compose/).
+- Kubernetes (Helm Chart): recommended for larger setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/kubernetes/) and the Helm chart [repository](https://github.com/goauthentik/helm).
+- AWS CloudFormation: deploy on AWS using our official templates. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/aws/).
+- DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the [app listing](https://marketplace.digitalocean.com/apps/authentik).
 
 ## Screenshots
 
@@ -32,14 +33,20 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 | ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
 | ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
 
-## Development
+## Development and contributions
 
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See the [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/) for information about setting up local build environments, testing your contributions, and our contribution process.
 
 ## Security
 
-See [SECURITY.md](SECURITY.md)
+Please see [SECURITY.md](SECURITY.md).
 
-## Adoption and Contributions
+## Adoption
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Using authentik? We'd love to hear your story and feature your logo. Email us at [hello@goauthentik.io](mailto:hello@goauthentik.io) or open a GitHub Issue/PR!
+
+## License
+
+[![MIT License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
+[![CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey?style=for-the-badge)](website/LICENSE)
+[![authentik EE License](https://img.shields.io/badge/License-EE-orange?style=for-the-badge)](authentik/enterprise/LICENSE)

SECURITY.md

@@ -20,12 +20,33 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2025.4.x  | ✅        |
 | 2025.6.x  | ✅        |
+| 2025.8.x  | ✅        |
 
 ## Reporting a Vulnerability
 
-To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the issue.
+If you discover a potential vulnerability, please report it responsibly through one of the following channels:
+
+- **Email**: [security@goauthentik.io](mailto:security@goauthentik.io)
+- **GitHub**: Submit a private security advisory via our [repository’s advisory portal](https://github.com/goauthentik/authentik/security/advisories/new)
+
+When submitting a report, please include as much detail as possible, such as:
+
+- **Affected version(s)**: The version of authentik where the issue was identified.
+- **Steps to reproduce**: A clear description or proof of concept to help us verify the issue.
+- **Impact assessment**: How the vulnerability could be exploited and its potential effect.
+- **Additional information**: Logs, configuration details (if relevant), or any suggested mitigations.
+
+We kindly ask that you do not disclose the vulnerability publicly until we have confirmed and addressed the issue.
+
+Our team will:
+
+- Acknowledge receipt of your report as quickly as possible.
+- Keep you updated on the investigation and resolution progress.
+
+## Researcher Recognition
+
+We value contributions from the security community. For each valid report, we will publish a dedicated entry on our Security Advisory page that optionally includes the reporter’s name (or preferred alias). Please note that while we do not currently offer monetary bounties, we are committed to giving researchers appropriate credit for their efforts in keeping authentik secure.
 
 ## Severity levels
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.8.0-rc1"
+VERSION = "2025.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/tasks.py

@@ -38,6 +38,7 @@ from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
+from authentik.tasks.apps import PRIORITY_HIGH
 from authentik.tasks.models import Task
 from authentik.tasks.schedules.models import Schedule
 from authentik.tenants.models import Tenant
@@ -111,6 +112,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
 @actor(
     description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
     throws=(DatabaseError, ProgrammingError, InternalError),
+    priority=PRIORITY_HIGH,
 )
 def blueprints_find_dict():
     blueprints = []

authentik/brands/tests.py

@@ -63,28 +63,6 @@ class TestBrands(APITestCase):
             },
         )
 
-    def test_brand_subdomain_same_suffix(self):
-        """Test Current brand API"""
-        Brand.objects.all().delete()
-        Brand.objects.create(domain="bar.baz", branding_title="custom")
-        Brand.objects.create(domain="foo.bar.baz", branding_title="custom")
-        self.assertJSONEqual(
-            self.client.get(
-                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
-            ).content.decode(),
-            {
-                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_title": "custom",
-                "branding_custom_css": "",
-                "matched_domain": "foo.bar.baz",
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-                "flags": self.default_flags,
-            },
-        )
-
     def test_fallback(self):
         """Test fallback brand"""
         Brand.objects.all().delete()

authentik/brands/utils.py

@@ -4,7 +4,6 @@ from typing import Any
 
 from django.db.models import F, Q
 from django.db.models import Value as V
-from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -21,9 +20,9 @@ DEFAULT_BRAND = Brand(domain="fallback")
 def get_brand_for_request(request: HttpRequest) -> Brand:
     """Get brand object for current request"""
     db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()), match_length=Length("domain"))
+        Brand.objects.annotate(host_domain=V(request.get_host()))
         .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("-match_length", "default")
+        .order_by("default")
     )
     brands = list(db_brands.all())
     if len(brands) < 1:

authentik/core/api/users.py

@@ -328,6 +328,12 @@ class SessionUserSerializer(PassiveSerializer):
     original = UserSelfSerializer(required=False)
 
 
+class UserPasswordSetSerializer(PassiveSerializer):
+    """Payload to set a users' password directly"""
+
+    password = CharField(required=True)
+
+
 class UsersFilter(FilterSet):
     """Filter for users"""
 
@@ -585,12 +591,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
-        request=inline_serializer(
-            "UserPasswordSetSerializer",
-            {
-                "password": CharField(required=True),
-            },
-        ),
+        request=UserPasswordSetSerializer,
         responses={
             204: OpenApiResponse(description="Successfully changed password"),
             400: OpenApiResponse(description="Bad request"),
@@ -599,9 +600,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     @action(detail=True, methods=["POST"], permission_classes=[])
     def set_password(self, request: Request, pk: int) -> Response:
         """Set password for user"""
+        data = UserPasswordSetSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
         user: User = self.get_object()
         try:
-            user.set_password(request.data.get("password"), request=request)
+            user.set_password(data.validated_data["password"], request=request)
             user.save()
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)

authentik/core/tests/test_users_api.py

@@ -102,6 +102,16 @@ class TestUsersAPI(APITestCase):
         self.admin.refresh_from_db()
         self.assertTrue(self.admin.check_password(new_pw))
 
+    def test_set_password_blank(self):
+        """Test Direct password set"""
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-set-password", kwargs={"pk": self.admin.pk}),
+            data={"password": ""},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(response.content, {"password": ["This field may not be blank."]})
+
     def test_recovery(self):
         """Test user recovery link"""
         flow = create_test_flow(

authentik/events/api/notification_transports.py

@@ -23,6 +23,7 @@ from authentik.events.models import (
 )
 from authentik.events.utils import get_user
 from authentik.rbac.decorators import permission_required
+from authentik.stages.email.models import get_template_choices
 
 
 class NotificationTransportSerializer(ModelSerializer):
@@ -30,6 +31,18 @@ class NotificationTransportSerializer(ModelSerializer):
 
     mode_verbose = SerializerMethodField()
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["email_template"].choices = get_template_choices()
+
+    def validate_email_template(self, value: str) -> str:
+        """Check validity of email template"""
+        choices = get_template_choices()
+        for path, _ in choices:
+            if path == value:
+                return value
+        raise ValidationError(f"Invalid template '{value}' specified.")
+
     def get_mode_verbose(self, instance: NotificationTransport) -> str:
         """Return selected mode with a UI Label"""
         return TransportMode(instance.mode).label
@@ -52,6 +65,8 @@ class NotificationTransportSerializer(ModelSerializer):
             "webhook_url",
             "webhook_mapping_body",
             "webhook_mapping_headers",
+            "email_subject_prefix",
+            "email_template",
             "send_once",
         ]
 

authentik/events/migrations/0012_notificationtransport_email_subject_prefix_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.11 on 2025-08-14 13:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0011_alter_systemtask_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="email_subject_prefix",
+            field=models.TextField(blank=True, default="authentik Notification: "),
+        ),
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="email_template",
+            field=models.TextField(default="email/event_notification.html"),
+        ),
+    ]

authentik/events/models.py

@@ -41,6 +41,7 @@ from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
+from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tasks.models import TasksModel
 from authentik.tenants.models import Tenant
@@ -295,6 +296,15 @@ class NotificationTransport(TasksModel, SerializerModel):
 
     name = models.TextField(unique=True)
     mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
+    send_once = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Only send notification once, for example when sending a webhook into a chat channel."
+        ),
+    )
+
+    email_subject_prefix = models.TextField(default="authentik Notification: ", blank=True)
+    email_template = models.TextField(default=EmailTemplates.EVENT_NOTIFICATION)
 
     webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
     webhook_mapping_body = models.ForeignKey(
@@ -319,12 +329,6 @@ class NotificationTransport(TasksModel, SerializerModel):
             "Mapping should return a dictionary of key-value pairs"
         ),
     )
-    send_once = models.BooleanField(
-        default=False,
-        help_text=_(
-            "Only send notification once, for example when sending a webhook into a chat channel."
-        ),
-    )
 
     def send(self, notification: "Notification") -> list[str]:
         """Send notification to user, called from async task"""
@@ -462,7 +466,6 @@ class NotificationTransport(TasksModel, SerializerModel):
                 notification=notification,
             )
             return None
-        subject_prefix = "authentik Notification: "
         context = {
             "key_value": {
                 "user_email": notification.user.email,
@@ -490,10 +493,10 @@ class NotificationTransport(TasksModel, SerializerModel):
                 "from": self.name,
             }
         mail = TemplateEmailMessage(
-            subject=subject_prefix + context["title"],
+            subject=self.email_subject_prefix + context["title"],
             to=[(notification.user.name, notification.user.email)],
             language=notification.user.locale(),
-            template_name="email/event_notification.html",
+            template_name=self.email_template,
             template_context=context,
         )
         send_mail.send_with_options(args=(mail.__dict__,), rel_obj=self)

authentik/events/tests/test_transports.py

@@ -5,10 +5,12 @@ from unittest.mock import PropertyMock, patch
 from django.core import mail
 from django.core.mail.backends.locmem import EmailBackend
 from django.test import TestCase
+from django.urls import reverse
 from requests_mock import Mocker
 
 from authentik import authentik_full_version
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.events.api.notification_transports import NotificationTransportSerializer
 from authentik.events.models import (
     Event,
     Notification,
@@ -18,6 +20,7 @@ from authentik.events.models import (
     TransportMode,
 )
 from authentik.lib.generators import generate_id
+from authentik.stages.email.models import get_template_choices
 
 
 class TestEventTransports(TestCase):
@@ -138,3 +141,76 @@ class TestEventTransports(TestCase):
             self.assertEqual(len(mail.outbox), 1)
             self.assertEqual(mail.outbox[0].subject, "authentik Notification: custom_foo")
             self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
+
+    def test_transport_email_custom_template(self):
+        """Test email transport with custom template"""
+        transport: NotificationTransport = NotificationTransport.objects.create(
+            name=generate_id(),
+            mode=TransportMode.EMAIL,
+            email_template="email/event_notification.html",
+        )
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            transport.send(self.notification)
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
+
+    def test_transport_email_custom_subject_prefix(self):
+        """Test email transport with custom subject prefix"""
+        transport: NotificationTransport = NotificationTransport.objects.create(
+            name=generate_id(),
+            mode=TransportMode.EMAIL,
+            email_subject_prefix="[CUSTOM] ",
+        )
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            transport.send(self.notification)
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "[CUSTOM] custom_foo")
+
+    def test_transport_email_validation(self):
+        """Test email transport template validation"""
+
+        # Test valid template
+        serializer = NotificationTransportSerializer(
+            data={
+                "name": generate_id(),
+                "mode": TransportMode.EMAIL,
+                "email_template": "email/event_notification.html",
+            }
+        )
+        self.assertTrue(serializer.is_valid())
+
+        # Test invalid template - should fail due to choices validation
+        serializer = NotificationTransportSerializer(
+            data={
+                "name": generate_id(),
+                "mode": TransportMode.EMAIL,
+                "email_template": "invalid/template.html",
+            }
+        )
+        self.assertFalse(serializer.is_valid())
+        self.assertIn("email_template", serializer.errors)
+
+    def test_templates_api_endpoint(self):
+        """Test templates API endpoint returns valid templates"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse("authentik_api:emailstage-templates"))
+        self.assertEqual(response.status_code, 200)
+
+        data = response.json()
+        self.assertIsInstance(data, list)
+
+        # Check that we have at least the default templates
+        template_names = [item["name"] for item in data]
+        self.assertIn("email/event_notification.html", template_names)
+
+        # Verify all templates are valid choices
+        valid_choices = dict(get_template_choices())
+        for template in data:
+            self.assertIn(template["name"], valid_choices)
+            self.assertEqual(template["description"], valid_choices[template["name"]])

authentik/lib/default.yml

@@ -154,6 +154,7 @@ worker:
   consumer_listen_timeout: "seconds=30"
   task_max_retries: 20
   task_default_time_limit: "minutes=10"
+  lock_purge_interval: "minutes=1"
   task_purge_interval: "days=1"
   task_expiration: "days=30"
   scheduler_interval: "seconds=60"

authentik/lib/logging.py

@@ -43,7 +43,9 @@ def structlog_configure():
             structlog.stdlib.PositionalArgumentsFormatter(),
             structlog.processors.TimeStamper(fmt="iso", utc=False),
             structlog.processors.StackInfoRenderer(),
-            structlog.processors.dict_tracebacks,
+            structlog.processors.ExceptionRenderer(
+                structlog.processors.ExceptionDictTransformer(show_locals=CONFIG.get_bool("debug"))
+            ),
             structlog.stdlib.ProcessorFormatter.wrap_for_formatter,
         ],
         logger_factory=structlog.stdlib.LoggerFactory(),
@@ -65,7 +67,14 @@ def get_logger_config():
             "json": {
                 "()": structlog.stdlib.ProcessorFormatter,
                 "processor": structlog.processors.JSONRenderer(sort_keys=True),
-                "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
+                "foreign_pre_chain": LOG_PRE_CHAIN
+                + [
+                    structlog.processors.ExceptionRenderer(
+                        structlog.processors.ExceptionDictTransformer(
+                            show_locals=CONFIG.get_bool("debug")
+                        )
+                    ),
+                ],
             },
             "console": {
                 "()": structlog.stdlib.ProcessorFormatter,

authentik/lib/sentry.py

@@ -22,6 +22,7 @@ from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
+from sentry_sdk.integrations.dramatiq import DramatiqIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
@@ -109,11 +110,12 @@ def sentry_init(**sentry_init_kwargs):
         dsn=CONFIG.get("error_reporting.sentry_dsn"),
         integrations=[
             ArgvIntegration(),
-            StdlibIntegration(),
             DjangoIntegration(transaction_style="function_name", cache_spans=True),
+            DramatiqIntegration(),
             RedisIntegration(),
-            ThreadingIntegration(propagate_hub=True),
             SocketIntegration(),
+            StdlibIntegration(),
+            ThreadingIntegration(propagate_hub=True),
         ],
         before_send=before_send,
         traces_sampler=traces_sampler,

authentik/lib/sync/outgoing/api.py

@@ -1,4 +1,5 @@
 from dramatiq.actor import Actor
+from dramatiq.results.errors import ResultFailure
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, ChoiceField
@@ -110,9 +111,13 @@ class OutgoingSyncProviderStatusMixin:
                 "override_dry_run": params.validated_data["override_dry_run"],
                 "pk": params.validated_data["sync_object_id"],
             },
+            retries=0,
             rel_obj=provider,
         )
-        msg.get_result(block=True)
+        try:
+            msg.get_result(block=True)
+        except ResultFailure:
+            pass
         task: Task = msg.options["task"]
         task.refresh_from_db()
         return Response(SyncObjectResultSerializer(instance={"messages": task._messages}).data)

authentik/lib/sync/outgoing/tasks.py

@@ -20,6 +20,7 @@ from authentik.lib.sync.outgoing.exceptions import (
     TransientSyncException,
 )
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.lib.utils.errors import exception_to_dict
 from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.tasks.models import Task
 
@@ -164,16 +165,17 @@ class SyncTasks:
             except BadRequestSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, obj=obj)
                 task.warning(
-                    f"Failed to sync {obj._meta.verbose_name} {str(obj)} due to error: {str(exc)}",
+                    f"Failed to sync {str(obj)} due to error: {str(exc)}",
                     arguments=exc.args[1:],
                     obj=sanitize_item(obj),
+                    exception=exception_to_dict(exc),
                 )
             except TransientSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, user=obj)
                 task.warning(
-                    f"Failed to sync {obj._meta.verbose_name} {str(obj)} due to "
-                    "transient error: {str(exc)}",
+                    f"Failed to sync {str(obj)} due to " f"transient error: {str(exc)}",
                     obj=sanitize_item(obj),
+                    exception=exception_to_dict(exc),
                 )
             except StopSync as exc:
                 self.logger.warning("Stopping sync", exc=exc)

authentik/outposts/models.py

@@ -76,6 +76,7 @@ class OutpostConfig:
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
     kubernetes_ingress_class_name: str | None = field(default=None)
+    kubernetes_ingress_path_type: str | None = field(default=None)
     kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
     kubernetes_service_type: str = field(default="ClusterIP")
@@ -151,7 +152,7 @@ class OutpostServiceConnection(ScheduledModel, models.Model):
 
         state = cache.get(self.state_key, None)
         if not state:
-            outpost_service_connection_monitor.send_with_options(args=(self.pk), rel_obj=self)
+            outpost_service_connection_monitor.send_with_options(args=(self.pk,), rel_obj=self)
             return OutpostServiceConnectionState("", False)
         return state
 

authentik/policies/apps.py

@@ -26,7 +26,6 @@ HIST_POLICIES_EXECUTION_TIME = Histogram(
         "binding_order",
         "binding_target_type",
         "binding_target_name",
-        "object_pk",
         "object_type",
         "mode",
     ],

authentik/policies/engine.py

@@ -86,7 +86,6 @@ class PolicyEngine:
             binding_order=binding.order,
             binding_target_type=binding.target_type,
             binding_target_name=binding.target_name,
-            object_pk=str(self.request.obj.pk),
             object_type=class_to_path(self.request.obj.__class__),
             mode="cache_retrieve",
         ).time():

authentik/policies/password/models.py

@@ -103,7 +103,7 @@ class PasswordPolicy(Policy):
         if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
             LOGGER.debug("password failed", check="static", reason="amount_lowercase")
             return PolicyResult(False, self.error_message)
-        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
+        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_uppercase:
             LOGGER.debug("password failed", check="static", reason="amount_uppercase")
             return PolicyResult(False, self.error_message)
         if self.amount_symbols > 0:

authentik/policies/process.py

@@ -131,7 +131,6 @@ class PolicyProcess(PROCESS_CLASS):
                 binding_order=self.binding.order,
                 binding_target_type=self.binding.target_type,
                 binding_target_name=self.binding.target_name,
-                object_pk=str(self.request.obj.pk) if self.request.obj else "",
                 object_type=class_to_path(self.request.obj.__class__) if self.request.obj else "",
                 mode="execute_process",
             ).time(),

authentik/providers/oauth2/migrations/0028_migrate_session.py

@@ -11,7 +11,8 @@ def migrate_sessions(apps, schema_editor, model):
     AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
     db_alias = schema_editor.connection.alias
 
-    for obj in Model.objects.using(db_alias).all():
+    objs = list(Model.objects.using(db_alias).select_related("old_session").all())
+    for obj in objs:
         if not obj.old_session:
             continue
         obj.session = (

authentik/providers/oauth2/signals.py

@@ -23,7 +23,12 @@ def user_session_deleted_oauth_backchannel_logout_and_tokens_removal(
 
     backchannel_logout_notification_dispatch.send(
         revocations=[
-            (token.provider_id, token.id_token.iss, token.session.user.uid)
+            (
+                token.provider_id,
+                token.id_token.iss,
+                token.id_token.sub,
+                instance.session.session_key,
+            )
             for token in access_tokens
         ],
     )

authentik/providers/oauth2/tasks.py

@@ -14,13 +14,19 @@ LOGGER = get_logger()
 
 
 @actor(description=_("Send a back-channel logout request to the registered client"))
-def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None) -> bool:
+def send_backchannel_logout_request(
+    provider_pk: int,
+    iss: str,
+    sub: str | None = None,
+    session_key: str | None = None,
+) -> bool:
     """Send a back-channel logout request to the registered client
 
     Args:
         provider_pk: The OAuth2 provider's primary key
         iss: The issuer URL for the logout token
         sub: The subject identifier to include in the logout token
+        session_key: The authentik session key to hash and include in the logout token
 
     Returns:
         bool: True if the request was sent successfully, False otherwise
@@ -33,11 +39,10 @@ def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None)
         return
 
     # Generate the logout token
-    logout_token = create_logout_token(iss, provider, None, sub)
+    logout_token = create_logout_token(provider, iss, sub, session_key)
 
     # Get the back-channel logout URI from the provider's dedicated backchannel_logout_uri field
     # Back-channel logout requires explicit configuration - no fallback to redirect URIs
-
     backchannel_logout_uri = provider.backchannel_logout_uri
     if not backchannel_logout_uri:
         self.info("No back-channel logout URI found for provider")
@@ -60,9 +65,9 @@ def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None)
 def backchannel_logout_notification_dispatch(revocations: list, **kwargs):
     """Handle backchannel logout notifications dispatched via signal"""
     for revocation in revocations:
-        provider_pk, iss, sub = revocation
+        provider_pk, iss, sub, session_key = revocation
         provider = OAuth2Provider.objects.filter(pk=provider_pk).first()
         send_backchannel_logout_request.send_with_options(
-            args=(provider_pk, iss, sub),
+            args=(provider_pk, iss, sub, session_key),
             rel_obj=provider,
         )

authentik/providers/oauth2/utils.py

@@ -4,17 +4,18 @@ import re
 import uuid
 from base64 import b64decode
 from binascii import Error
-from time import time
 from typing import Any
 from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
+from django.utils.timezone import now
 from structlog.stdlib import get_logger
 
 from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER
 from authentik.events.models import Event, EventAction
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.errors import BearerTokenError
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
@@ -217,23 +218,25 @@ class HttpResponseRedirectScheme(HttpResponseRedirect):
 
 
 def create_logout_token(
-    iss: str,
     provider: OAuth2Provider,
-    session_key: str | None = None,
+    iss: str,
     sub: str | None = None,
+    session_key: str | None = None,
 ) -> str:
     """Create a logout token for Back-Channel Logout
 
     As per https://openid.net/specs/openid-connect-backchannel-1_0.html
     """
 
-    LOGGER.debug("Creating logout token", provider=provider, session_key=session_key, sub=sub)
+    LOGGER.debug("Creating logout token", provider=provider, sub=sub)
 
+    _now = now()
     # Create the logout token payload
     payload = {
         "iss": str(iss),
         "aud": provider.client_id,
-        "iat": int(time()),
+        "iat": int(_now.timestamp()),
+        "exp": int((_now + timedelta_from_string(provider.access_token_validity)).timestamp()),
         "jti": str(uuid.uuid4()),
         "events": {
             "http://schemas.openid.net/event/backchannel-logout": {},

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -127,6 +127,9 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                 and self.controller.outpost.config.kubernetes_ingress_secret_name
             ):
                 tls_hosts.append(external_host_name.hostname)
+            path_type = "Prefix"
+            if self.controller.outpost.config.kubernetes_ingress_path_type:
+                path_type = self.controller.outpost.config.kubernetes_ingress_path_type
             if proxy_provider.mode in [
                 ProxyMode.FORWARD_SINGLE,
                 ProxyMode.FORWARD_DOMAIN,
@@ -143,7 +146,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                     ),
                                 ),
                                 path="/outpost.goauthentik.io",
-                                path_type="Prefix",
+                                path_type=path_type,
                             )
                         ]
                     ),
@@ -161,7 +164,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                     ),
                                 ),
                                 path="/",
-                                path_type="Prefix",
+                                path_type=path_type,
                             )
                         ]
                     ),

authentik/providers/rac/migrations/0007_migrate_session.py

@@ -13,7 +13,7 @@ def migrate_sessions(apps, schema_editor):
     for token in ConnectionToken.objects.using(db_alias).all():
         token.session = (
             AuthenticatedSession.objects.using(db_alias)
-            .filter(session_key=token.old_session.session_key)
+            .filter(session__session_key=token.old_session.session_key)
             .first()
         )
         if token.session:

authentik/providers/scim/clients/exceptions.py

@@ -27,3 +27,8 @@ class SCIMRequestException(TransientSyncException):
         except ValidationError:
             pass
         return self._message
+
+    def __str__(self):
+        if self._response:
+            return self._response.text
+        return super().__str__()

authentik/root/settings.py

@@ -4,7 +4,6 @@ import importlib
 from collections import OrderedDict
 from hashlib import sha512
 from pathlib import Path
-from tempfile import gettempdir
 
 import orjson
 from sentry_sdk import set_tag
@@ -368,6 +367,9 @@ DRAMATIQ = {
     "broker_class": "authentik.tasks.broker.Broker",
     "channel_prefix": "authentik",
     "task_model": "authentik.tasks.models.Task",
+    "lock_purge_interval": timedelta_from_string(
+        CONFIG.get("worker.lock_purge_interval")
+    ).total_seconds(),
     "task_purge_interval": timedelta_from_string(
         CONFIG.get("worker.task_purge_interval")
     ).total_seconds(),
@@ -424,7 +426,6 @@ DRAMATIQ = {
         (
             "authentik.tasks.middleware.MetricsMiddleware",
             {
-                "multiproc_dir": str(Path(gettempdir()) / "authentik_prometheus_tmp"),
                 "prefix": "authentik",
             },
         ),

authentik/sources/ldap/sync/membership.py

@@ -5,6 +5,7 @@ from typing import Any
 
 from django.db.models import Q
 from ldap3 import SUBTREE
+from ldap3.utils.conv import escape_filter_chars
 
 from authentik.core.models import Group, User
 from authentik.sources.ldap.models import LDAP_DISTINGUISHED_NAME, LDAP_UNIQUENESS, LDAPSource
@@ -52,7 +53,8 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
         for group in page_data:
             if self._source.lookup_groups_from_user:
                 group_dn = group.get("dn", {})
-                group_filter = f"({self._source.group_membership_field}={group_dn})"
+                escaped_dn = escape_filter_chars(group_dn)
+                group_filter = f"({self._source.group_membership_field}={escaped_dn})"
                 group_members = self._source.connection().extend.standard.paged_search(
                     search_base=self.base_dn_users,
                     search_filter=group_filter,

authentik/sources/ldap/tests/test_sync.py

@@ -4,6 +4,8 @@ from unittest.mock import MagicMock, patch
 
 from django.db.models import Q
 from django.test import TestCase
+from ldap3.core.exceptions import LDAPInvalidFilterError
+from ldap3.utils.conv import escape_filter_chars
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Group, User
@@ -519,3 +521,89 @@ class LDAPSyncTests(TestCase):
 
         self.assertFalse(User.objects.filter(username__startswith="not-in-the-source").exists())
         self.assertFalse(Group.objects.filter(name__startswith="not-in-the-source").exists())
+
+    def test_membership_sync_special_chars_in_group_dn(self):
+        """Test membership synchronization with special characters in group DN"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.group_membership_field = "memberOf"
+
+        # Mock connection with group DN containing special characters
+        mock_conn = MagicMock()
+
+        # Simulate group with special characters in DN: parentheses, backslashes, asterisks
+        special_group_dn = "cn=test(group),ou=groups,dc=example,dc=com"
+        backslash_group_dn = "cn=test\\group,ou=groups,dc=example,dc=com"
+        asterisk_group_dn = "cn=test*group,ou=groups,dc=example,dc=com"
+
+        # Mock the paged_search method that would be called with the filter
+        mock_standard = MagicMock()
+        mock_conn.extend.standard = mock_standard
+
+        # Test case 1: Group DN with parentheses
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+
+            # Simulate group data with special characters in DN
+            page_data = [{"dn": special_group_dn}]
+
+            # This should not raise LDAPInvalidFilterError anymore
+            try:
+                membership_sync.sync(page_data)
+                # Verify that the filter was properly escaped
+                # The call should have been made with escaped characters
+                mock_standard.paged_search.assert_called()
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The parentheses should be escaped as \28 and \29
+                self.assertIn("\\28", search_filter)  # Escaped (
+                self.assertIn("\\29", search_filter)  # Escaped )
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+        # Test case 2: Group DN with backslashes
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+            page_data = [{"dn": backslash_group_dn}]
+
+            try:
+                membership_sync.sync(page_data)
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The backslash should be escaped as \5c
+                self.assertIn("\\5c", search_filter)  # Escaped \
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+        # Test case 3: Group DN with asterisks
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+            page_data = [{"dn": asterisk_group_dn}]
+
+            try:
+                membership_sync.sync(page_data)
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The asterisk should be escaped as \2a
+                self.assertIn("\\2a", search_filter)  # Escaped *
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+    def test_escape_filter_chars_function(self):
+        """Test the escape_filter_chars function directly"""
+
+        # Test various special characters that need escaping
+        test_cases = [
+            ("test(group)", "test\\28group\\29"),  # parentheses
+            ("test\\group", "test\\5cgroup"),  # backslash
+            ("test*group", "test\\2agroup"),  # asterisk
+            ("test(*)group", "test\\28\\2a\\29group"),  # multiple special chars
+            ("normalgroup", "normalgroup"),  # no special chars
+            ("", ""),  # empty string
+        ]
+
+        for input_str, expected in test_cases:
+            with self.subTest(input_str=input_str):
+                result = escape_filter_chars(input_str)
+                self.assertEqual(result, expected)

authentik/sources/oauth/types/entra_id.py

@@ -96,7 +96,11 @@ class EntraIDType(SourceType):
         }
 
     def get_base_group_properties(self, source, group_id, **kwargs):
-        raw_group = kwargs["info"]["raw_groups"][group_id]
+        raw_groups = kwargs["info"]["raw_groups"]
+        if group_id in raw_groups:
+            name = raw_groups[group_id]["displayName"]
+        else:
+            name = group_id
         return {
-            "name": raw_group["displayName"],
+            "name": name,
         }

authentik/stages/authenticator_email/models.py

@@ -15,18 +15,10 @@ from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.stages.authenticator.models import SideChannelDevice
+from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 
 
-class EmailTemplates(models.TextChoices):
-    """Templates used for rendering the Email"""
-
-    EMAIL_OTP = (
-        "email/email_otp.html",
-        _("Email OTP"),
-    )  # nosec
-
-
 class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
     """Use Email-based authentication instead of authenticator-based."""
 

authentik/stages/authenticator_email/stage.py

@@ -142,6 +142,11 @@ class AuthenticatorEmailStageView(ChallengeStageView):
         user = self.get_pending_user()
 
         stage: AuthenticatorEmailStage = self.executor.current_stage
+        # For the moment we only allow one email device per user
+        if EmailDevice.objects.filter(Q(user=user), stage=stage.pk).exists():
+            return self.executor.stage_invalid(
+                _("The user already has an email address registered for MFA.")
+            )
         if SESSION_KEY_EMAIL_DEVICE not in self.request.session:
             device = EmailDevice(user=user, confirmed=False, stage=stage, name="Email Device")
             valid_secs: int = timedelta_from_string(stage.token_expiry).total_seconds()

authentik/stages/authenticator_email/tests.py

@@ -108,6 +108,17 @@ class TestAuthenticatorEmailStage(FlowTestCase):
     )
     def test_stage_submit(self):
         """Test stage email submission"""
+        # test fail because of existing device
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+        )
+        self.assertStageResponse(
+            response,
+            self.flow,
+            self.user,
+            component="ak-stage-access-denied",
+        )
+        self.device.delete()
         # Initialize the flow
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
@@ -232,6 +243,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
     def test_challenge_generation(self):
         """Test challenge generation"""
         # Test with masked email
+        self.device.delete()
         response = self.client.get(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
         )

authentik/stages/email/management/commands/test_email.py

@@ -35,7 +35,12 @@ class Command(TenantCommand):
             template_context={},
         )
         try:
-            send_mail(message.__dict__, stage.pk)
+            if not stage.use_global_settings:
+                message.from_email = stage.from_address
+
+            send_mail.send(message.__dict__, stage.pk).get_result(block=True)
+
+            self.stdout.write(self.style.SUCCESS(f"Test email sent to {options['to']}"))
         finally:
             if delete_stage:
                 stage.delete()

authentik/stages/email/models.py

@@ -32,6 +32,14 @@ class EmailTemplates(models.TextChoices):
         "email/account_confirmation.html",
         _("Account Confirmation"),
     )
+    EMAIL_OTP = (
+        "email/email_otp.html",
+        _("Email OTP"),
+    )  # nosec
+    EVENT_NOTIFICATION = (
+        "email/event_notification.html",
+        _("Event Notification"),
+    )
 
 
 def get_template_choices():

authentik/stages/email/tests/test_management_commands.py

@@ -0,0 +1,66 @@
+"""Test email management commands"""
+
+from unittest.mock import patch
+
+from django.core import mail
+from django.core.mail.backends.locmem import EmailBackend
+from django.core.management import call_command
+from django.test import TestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.stages.email.models import EmailStage
+
+
+class TestEmailManagementCommands(TestCase):
+    """Test email management commands"""
+
+    def setUp(self):
+        self.user = create_test_admin_user()
+
+    def test_test_email_command_with_stage(self):
+        """Test test_email command with specified stage"""
+        EmailStage.objects.create(
+            name="test-stage",
+            from_address="test@authentik.local",
+            host="localhost",
+            port=25,
+        )
+
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com", stage="test-stage")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik Test-Email")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])
+
+    def test_test_email_command_with_global_settings(self):
+        """Test test_email command with global settings"""
+        # Mock the backend to use Django's locmem backend
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik Test-Email")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])
+
+    def test_test_email_command_invalid_stage(self):
+        """Test test_email command with invalid stage"""
+        call_command("test_email", "test@example.com", stage="nonexistent")
+
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_test_email_command_with_custom_from(self):
+        """Test test_email command respects custom from address"""
+        EmailStage.objects.create(
+            name="test-stage",
+            from_address="custom@authentik.local",
+            host="localhost",
+            port=25,
+        )
+
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com", stage="test-stage")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].from_email, "custom@authentik.local")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])

authentik/stages/email/tests/test_templates.py

@@ -54,7 +54,7 @@ class TestEmailStageTemplates(FlowTestCase):
             chmod(file2, 0o000)  # Remove all permissions so we can't read the file
             choices = get_template_choices()
             self.assertEqual(choices[-1][0], Path(file).name)
-            self.assertEqual(len(choices), 3)
+            self.assertEqual(len(choices), 5)
             unlink(file)
             unlink(file2)
 

authentik/tasks/apps.py

@@ -2,6 +2,8 @@ from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 
+PRIORITY_HIGH = 1000
+
 
 class AuthentikTasksConfig(ManagedAppConfig):
     name = "authentik.tasks"

authentik/tasks/middleware.py

@@ -14,6 +14,7 @@ from django_redis import get_redis_connection
 from dramatiq.broker import Broker
 from dramatiq.message import Message
 from dramatiq.middleware import Middleware
+from psycopg.errors import Error
 from redis.exceptions import RedisError
 from structlog.stdlib import get_logger
 
@@ -26,6 +27,7 @@ from authentik.tenants.utils import get_current_tenant
 
 LOGGER = get_logger()
 HEALTHCHECK_LOGGER = get_logger("authentik.worker").bind()
+DB_ERRORS = (OperationalError, Error, RedisError)
 
 
 class TenantMiddleware(Middleware):
@@ -100,10 +102,15 @@ class MessagesMiddleware(Middleware):
             TaskStatus.ERROR,
             exception,
         )
+        event_kwargs = {
+            "actor": task.actor_name,
+        }
+        if task.rel_obj:
+            event_kwargs["rel_obj"] = task.rel_obj
         Event.new(
             EventAction.SYSTEM_TASK_EXCEPTION,
             message=f"Task {task.actor_name} encountered an error",
-            actor=task.actor_name,
+            **event_kwargs,
         ).with_exception(exception).save()
 
     def after_skip_message(self, broker: Broker, message: Message):
@@ -151,7 +158,6 @@ class DescriptionMiddleware(Middleware):
 
 
 class _healthcheck_handler(BaseHTTPRequestHandler):
-
     def log_request(self, code="-", size="-"):
         HEALTHCHECK_LOGGER.info(
             self.path,
@@ -171,7 +177,7 @@ class _healthcheck_handler(BaseHTTPRequestHandler):
             redis_conn = get_redis_connection()
             redis_conn.ping()
             self.send_response(200)
-        except (OperationalError, RedisError):  # pragma: no cover
+        except DB_ERRORS:  # pragma: no cover
             self.send_response(503)
         self.send_header("Content-Type", "text/plain; charset=utf-8")
         self.send_header("Content-Length", "0")
@@ -212,6 +218,14 @@ class WorkerStatusMiddleware(Middleware):
             hostname=socket.gethostname(),
             version=authentik_full_version(),
         )
+        while True:
+            try:
+                WorkerStatusMiddleware.keep(status)
+            except DB_ERRORS:  # pragma: no cover
+                sleep(10)
+                pass
+
+    def keep(status: WorkerStatus):
         lock_id = f"goauthentik.io/worker/status/{status.pk}"
         with pglock.advisory(lock_id, side_effect=pglock.Raise):
             while True:

authentik/tasks/schedules/api.py

@@ -107,7 +107,6 @@ class ScheduleViewSet(
         "rel_obj_content_type__app_label",
         "rel_obj_content_type__model",
         "rel_obj_id",
-        "description",
     )
     filterset_class = ScheduleFilter
     ordering = (

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.8.0-rc1 Blueprint schema",
+    "title": "authentik 2025.8.3 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -6753,6 +6753,15 @@
                     "title": "Webhook mapping headers",
                     "description": "Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs"
                 },
+                "email_subject_prefix": {
+                    "type": "string",
+                    "title": "Email subject prefix"
+                },
+                "email_template": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Email template"
+                },
                 "send_once": {
                     "type": "boolean",
                     "title": "Send once",

blueprints/system/bootstrap.yaml

@@ -5,7 +5,7 @@ metadata:
     blueprints.goauthentik.io/system-bootstrap: "true"
     blueprints.goauthentik.io/system: "true"
     blueprints.goauthentik.io/description: |
-      This blueprint configures the default admin user and group, and configures them for the [Automated install](https://goauthentik.io/docs/installation/automated-install).
+      This blueprint configures the default admin user and group, and configures them for the [Automated install](https://docs.goauthentik.io/docs/install-config/automated-install?utm_source=bootstrap_blueprint).
 context:
   username: akadmin
   group_name: authentik Admins

docker-compose.yml

@@ -48,7 +48,7 @@ services:
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
     ports:
     - ${COMPOSE_PORT_HTTP:-9000}:9000
     - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -72,7 +72,7 @@ services:
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
     restart: unless-stopped
     user: root
     volumes:

internal/constants/VERSION

@@ -1 +1 @@
-2025.8.0-rc1
+2025.8.3

lifecycle/ak

@@ -2,6 +2,10 @@
 set -e -o pipefail
 MODE_FILE="${TMPDIR}/authentik-mode"
 
+if [[ -z "${PROMETHEUS_MULTIPROC_DIR}" ]]; then
+    export PROMETHEUS_MULTIPROC_DIR="${TMPDIR:-/tmp}/authentik_prometheus_tmp"
+fi
+
 function log {
     printf '{"event": "%s", "level": "info", "logger": "bootstrap"}\n' "$@" >/dev/stderr
 }
@@ -31,7 +35,7 @@ function check_if_root {
         GROUP="authentik:${GROUP_NAME}"
     fi
     # Fix permissions of certs and media
-    chown -R authentik:authentik /media /certs
+    chown -R authentik:authentik /media /certs "${PROMETHEUS_MULTIPROC_DIR}"
     chmod ug+rwx /media
     chmod ug+rx /certs
     exec chpst -u authentik:$GROUP env HOME=/authentik $1
@@ -68,6 +72,8 @@ function prepare_debug {
     chown authentik:authentik /unittest.xml
 }
 
+mkdir -p "${PROMETHEUS_MULTIPROC_DIR}"
+
 if [[ "$(python -m authentik.lib.config debugger 2>/dev/null)" == "True" ]]; then
     prepare_debug
 fi

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.8.0-rc1
+    Default: 2025.8.3
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

lifecycle/gunicorn.conf.py

@@ -33,15 +33,12 @@ wait_for_db()
 _tmp = Path(gettempdir())
 worker_class = "lifecycle.worker.DjangoUvicornWorker"
 worker_tmp_dir = str(_tmp.joinpath("authentik_gunicorn_tmp"))
-prometheus_tmp_dir = str(_tmp.joinpath("authentik_prometheus_tmp"))
 
 os.makedirs(worker_tmp_dir, exist_ok=True)
-os.makedirs(prometheus_tmp_dir, exist_ok=True)
 
 bind = f"unix://{str(_tmp.joinpath('authentik-core.sock'))}"
 
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")
-os.environ.setdefault("PROMETHEUS_MULTIPROC_DIR", prometheus_tmp_dir)
 
 preload_app = True
 

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.8.0-rc1",
+    "version": "2025.8.3",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.8.0-rc1",
+            "version": "2025.8.3",
             "dependencies": {
                 "@eslint/js": "^9.31.0",
                 "@typescript-eslint/eslint-plugin": "^8.38.0",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.8.0-rc1",
+    "version": "2025.8.3",
     "private": true,
     "type": "module",
     "dependencies": {

packages/django-dramatiq-postgres/django_dramatiq_postgres/broker.py

@@ -237,6 +237,9 @@ class _PostgresConsumer(Consumer):
         # Override because dramatiq doesn't allow us setting this manually
         self.timeout = Conf().worker["consumer_listen_timeout"]
 
+        self.lock_purge_interval = timezone.timedelta(seconds=Conf().lock_purge_interval)
+        self.lock_purge_last_run = timezone.now()
+
         self.task_purge_interval = timezone.timedelta(seconds=Conf().task_purge_interval)
         self.task_purge_last_run = timezone.now() - self.task_purge_interval
 
@@ -378,6 +381,8 @@ class _PostgresConsumer(Consumer):
             # Force creation of listen connection
             _ = self.listen_connection
 
+        self._purge_locks()
+
         processing = len(self.in_processing)
         if processing >= self.prefetch:
             # Wait and don't consume the message, other worker will be faster
@@ -415,24 +420,26 @@ class _PostgresConsumer(Consumer):
                 )
 
         # No message to process
-        self._purge_locks()
         self._auto_purge()
         self._scheduler()
 
         return None
 
     def _purge_locks(self):
+        if timezone.now() - self.lock_purge_last_run < self.lock_purge_interval:
+            return
         while True:
             try:
                 message_id = self.unlock_queue.get(block=False)
             except Empty:
-                return
+                break
             self.logger.debug("Unlocking message", message_id=message_id)
             with self.connection.cursor() as cursor:
                 cursor.execute(
                     "SELECT pg_advisory_unlock(%s)", (self._get_message_lock_id(message_id),)
                 )
             self.unlock_queue.task_done()
+        self.lock_purge_last_run = timezone.now()
 
     def _auto_purge(self):
         if timezone.now() - self.task_purge_last_run < self.task_purge_interval:
@@ -444,6 +451,7 @@ class _PostgresConsumer(Consumer):
             result_expiry__lte=timezone.now(),
         ).delete()
         self.logger.info("Purged messages in all queues", count=count)
+        self.task_purge_last_run = timezone.now()
 
     def _scheduler(self):
         if not self.scheduler:
@@ -451,6 +459,7 @@ class _PostgresConsumer(Consumer):
         if timezone.now() - self.scheduler_last_run < self.scheduler_interval:
             return
         self.scheduler.run()
+        self.schedule_last_run = timezone.now()
 
     @raise_connection_error
     def close(self):
@@ -465,4 +474,7 @@ class _PostgresConsumer(Consumer):
                 if self._listen_connection is not None:
                     conn = self._listen_connection
                     self._listen_connection = None
-                    conn.close()
+                    try:
+                        conn.close()
+                    except DatabaseError:
+                        pass

packages/django-dramatiq-postgres/django_dramatiq_postgres/conf.py

@@ -56,6 +56,10 @@ class Conf:
     def task_model(self) -> str:
         return self.conf["task_model"]
 
+    @property
+    def lock_purge_interval(self) -> int:
+        return self.conf.get("lock_purge_interval", 60)
+
     @property
     def task_purge_interval(self) -> int:
         # 24 hours

packages/django-dramatiq-postgres/django_dramatiq_postgres/middleware.py

@@ -26,7 +26,7 @@ class HTTPServer(BaseHTTPServer):
         self.socket.close()
 
         host, port = self.server_address[:2]
-        if host == "0.0.0.0":  # nosec
+        if host == "0.0.0.0" and socket.has_dualstack_ipv6():  # nosec
             host = "::"  # nosec
 
         # Strip IPv6 brackets
@@ -36,7 +36,9 @@ class HTTPServer(BaseHTTPServer):
         self.server_address = (host, port)
 
         self.address_family = (
-            socket.AF_INET6 if isinstance(ip_address(host), IPv6Address) else socket.AF_INET
+            socket.AF_INET6
+            if socket.has_dualstack_ipv6() and isinstance(ip_address(host), IPv6Address)
+            else socket.AF_INET
         )
 
         self.socket = socket.create_server(
@@ -141,7 +143,6 @@ class MetricsMiddleware(Middleware):
     def __init__(
         self,
         prefix: str,
-        multiproc_dir: str,
         labels: list[str] | None = None,
     ):
         super().__init__()
@@ -151,9 +152,6 @@ class MetricsMiddleware(Middleware):
         self.delayed_messages = set()
         self.message_start_times = {}
 
-        os.makedirs(multiproc_dir, exist_ok=True)
-        os.environ.setdefault("PROMETHEUS_MULTIPROC_DIR", multiproc_dir)
-
     @property
     def forks(self):
         from django_dramatiq_postgres.forks import worker_metrics

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.8.0-rc1"
+version = "2025.8.3"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@@ -12,7 +12,7 @@ dependencies = [
   "dacite==1.9.2",
   "deepmerge==2.0",
   "defusedxml==0.7.1",
-  "django==5.1.11",
+  "django==5.1.12",
   "django-countries==7.6.1",
   "django-cte==2.0.0",
   "django-dramatiq-postgres",

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.8.0-rc1
+  version: 2025.8.3
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -6057,7 +6057,8 @@ paths:
   /core/users/{id}/recovery_email/:
     post:
       operationId: core_users_recovery_email_create
-      description: Send an email with a temporary link that a user can use to recover their account
+      description: Send an email with a temporary link that a user can use to recover
+        their account
       parameters:
       - in: query
         name: email_stage
@@ -49344,6 +49345,10 @@ components:
           nullable: true
           description: Configure additional headers to be sent. Mapping should return
             a dictionary of key-value pairs
+        email_subject_prefix:
+          type: string
+        email_template:
+          type: string
         send_once:
           type: boolean
           description: Only send notification once, for example when sending a webhook
@@ -49383,6 +49388,11 @@ components:
           nullable: true
           description: Configure additional headers to be sent. Mapping should return
             a dictionary of key-value pairs
+        email_subject_prefix:
+          type: string
+        email_template:
+          type: string
+          minLength: 1
         send_once:
           type: boolean
           description: Only send notification once, for example when sending a webhook
@@ -54480,6 +54490,11 @@ components:
           nullable: true
           description: Configure additional headers to be sent. Mapping should return
             a dictionary of key-value pairs
+        email_subject_prefix:
+          type: string
+        email_template:
+          type: string
+          minLength: 1
         send_once:
           type: boolean
           description: Only send notification once, for example when sending a webhook
@@ -61864,6 +61879,7 @@ components:
       - object_pk
     UserPasswordSetRequest:
       type: object
+      description: Payload to set a users' password directly
       properties:
         password:
           type: string

uv.lock

@@ -1,5 +1,5 @@
 version = 1
-revision = 2
+revision = 3
 requires-python = "==3.13.*"
 
 [manifest]
@@ -159,7 +159,7 @@ wheels = [
 
 [[package]]
 name = "authentik"
-version = "2025.8.0rc1"
+version = "2025.8.3"
 source = { editable = "." }
 dependencies = [
     { name = "argon2-cffi" },
@@ -266,7 +266,7 @@ requires-dist = [
     { name = "dacite", specifier = "==1.9.2" },
     { name = "deepmerge", specifier = "==2.0" },
     { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.1.11" },
+    { name = "django", specifier = "==5.1.12" },
     { name = "django-countries", specifier = "==7.6.1" },
     { name = "django-cte", specifier = "==2.0.0" },
     { name = "django-dramatiq-postgres", editable = "packages/django-dramatiq-postgres" },
@@ -899,16 +899,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "5.1.11"
+version = "5.1.12"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/83/80/bf0f9b0aa434fca2b46fc6a31c39b08ea714b87a0a72a16566f053fb05a8/django-5.1.11.tar.gz", hash = "sha256:3bcdbd40e4d4623b5e04f59c28834323f3086df583058e65ebce99f9982385ce", size = 10734926, upload-time = "2025-06-10T10:12:48.229Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/f0/99/a951d93a27a5bc59fb96edbcdbc03fb9bfac51177f1bc0110888de85af3f/django-5.1.12.tar.gz", hash = "sha256:8a8991b1ec052ef6a44fefd1ef336ab8daa221287bcb91a4a17d5e1abec5bbcc", size = 10737777, upload-time = "2025-09-03T13:09:45.855Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/59/91/2972ce330c6c0bd5b3200d4c2ad5cbf47eecff5243220c5a56444d3267a0/django-5.1.11-py3-none-any.whl", hash = "sha256:e48091f364007068728aca938e7450fbfe3f2217079bfd2b8af45122585acf64", size = 8277453, upload-time = "2025-06-10T10:12:42.236Z" },
+    { url = "https://files.pythonhosted.org/packages/1e/1c/a9520c8263e980b0b9933c9b5ce8f22c9ddf007b062e4eb428b557ff0932/django-5.1.12-py3-none-any.whl", hash = "sha256:9eb695636cea3601b65690f1596993c042206729afb320ca0960b55f8ed4477b", size = 8277454, upload-time = "2025-09-03T13:09:30.997Z" },
 ]
 
 [[package]]
@@ -1499,15 +1499,15 @@ wheels = [
 
 [[package]]
 name = "h2"
-version = "4.2.0"
+version = "4.3.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "hpack" },
     { name = "hyperframe" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/1b/38/d7f80fd13e6582fb8e0df8c9a653dcc02b03ca34f4d72f34869298c5baf8/h2-4.2.0.tar.gz", hash = "sha256:c8a52129695e88b1a0578d8d2cc6842bbd79128ac685463b887ee278126ad01f", size = 2150682, upload-time = "2025-02-02T07:43:51.815Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1d/17/afa56379f94ad0fe8defd37d6eb3f89a25404ffc71d4d848893d270325fc/h2-4.3.0.tar.gz", hash = "sha256:6c59efe4323fa18b47a632221a1888bd7fde6249819beda254aeca909f221bf1", size = 2152026, upload-time = "2025-08-23T18:12:19.778Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d0/9e/984486f2d0a0bd2b024bf4bc1c62688fcafa9e61991f041fb0e2def4a982/h2-4.2.0-py3-none-any.whl", hash = "sha256:479a53ad425bb29af087f3458a61d30780bc818e4ebcf01f0b536ba916462ed0", size = 60957, upload-time = "2025-02-01T11:02:26.481Z" },
+    { url = "https://files.pythonhosted.org/packages/69/b2/119f6e6dcbd96f9069ce9a2665e0146588dc9f88f29549711853645e736a/h2-4.3.0-py3-none-any.whl", hash = "sha256:c438f029a25f7945c69e0ccf0fb951dc3f73a5f6412981daee861431b70e2bdd", size = 61779, upload-time = "2025-08-23T18:12:17.779Z" },
 ]
 
 [[package]]

web/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/web",
-    "version": "2025.8.0-rc1",
+    "version": "2025.8.3",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/web",
-            "version": "2025.8.0-rc1",
+            "version": "2025.8.3",
             "license": "MIT",
             "workspaces": [
                 "./packages/*"
@@ -23,7 +23,7 @@
                 "@floating-ui/dom": "^1.7.3",
                 "@formatjs/intl-listformat": "^7.7.11",
                 "@fortawesome/fontawesome-free": "^7.0.0",
-                "@goauthentik/api": "^2025.8.0-rc1-1755026430",
+                "@goauthentik/api": "^2025.10.0-rc1-1755254677",
                 "@goauthentik/core": "^1.0.0",
                 "@goauthentik/esbuild-plugin-live-reload": "^1.1.0",
                 "@goauthentik/eslint-config": "^1.0.5",
@@ -1509,9 +1509,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2025.8.0-rc1-1755026430",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.8.0-rc1-1755026430.tgz",
-            "integrity": "sha512-nkXlhnI8ILnpnSqseklRHRWsq9kBCT0CPU/7MotO3kQwl54Ze4j8HAMGNJNLr1VjuKuG5m/qt6SQseXLnazb+w=="
+            "version": "2025.10.0-rc1-1755254677",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.10.0-rc1-1755254677.tgz",
+            "integrity": "sha512-hq+xGPtwaeptEDn92Y40Yb4e7yL2KVvuqy2kWAZLPtr/r9ML82vzNYCfW6bFNPnopDRizjOBIzlD3gNP/2rs8Q=="
         },
         "node_modules/@goauthentik/core": {
             "resolved": "packages/core",

web/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/web",
-    "version": "2025.8.0-rc1",
+    "version": "2025.8.3",
     "license": "MIT",
     "private": true,
     "scripts": {
@@ -94,7 +94,7 @@
         "@floating-ui/dom": "^1.7.3",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^7.0.0",
-        "@goauthentik/api": "^2025.8.0-rc1-1755026430",
+        "@goauthentik/api": "^2025.10.0-rc1-1755254677",
         "@goauthentik/core": "^1.0.0",
         "@goauthentik/esbuild-plugin-live-reload": "^1.1.0",
         "@goauthentik/eslint-config": "^1.0.5",

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -66,7 +66,7 @@ export class AdminOverviewPage extends AdminOverviewBase {
     quickActions: QuickAction[] = [
         [msg("Create a new application"), paramURL("/core/applications", { createWizard: true })],
         [msg("Check the logs"), paramURL("/events/log")],
-        [msg("Explore integrations"), "https://goauthentik.io/integrations/", true],
+        [msg("Explore integrations"), "https://integrations.goauthentik.io/", true],
         [msg("Manage users"), paramURL("/identity/users")],
         [
             msg("Check the release notes"),

web/src/admin/admin-settings/AdminSettingsForm.ts

@@ -8,15 +8,19 @@ import "#elements/forms/Radio";
 import "#elements/forms/SearchSelect/index";
 import "#elements/utils/TimeDeltaHelp";
 import "./AdminSettingsFooterLinks.js";
+import "#elements/CodeMirror";
 
 import { akFooterLinkInput, IFooterLinkInput } from "./AdminSettingsFooterLinks.js";
 
 import { DEFAULT_CONFIG } from "#common/api/config";
 
+import { CodeMirrorMode } from "#elements/CodeMirror";
 import { Form } from "#elements/forms/Form";
 
 import { AdminApi, FooterLink, Settings, SettingsRequest } from "@goauthentik/api";
 
+import YAML from "yaml";
+
 import { msg } from "@lit/localize";
 import { css, CSSResult, html, TemplateResult } from "lit";
 import { customElement, property } from "lit/decorators.js";
@@ -29,23 +33,7 @@ const DEFAULT_REPUTATION_UPPER_LIMIT = 5;
 
 @customElement("ak-admin-settings-form")
 export class AdminSettingsForm extends Form<SettingsRequest> {
-    //
-    // Custom property accessors in Lit 2 require a manual call to requestUpdate(). See:
-    // https://lit.dev/docs/v2/components/properties/#accessors-custom
-    //
-    set settings(value: Settings | undefined) {
-        this._settings = value;
-        this.requestUpdate();
-    }
-
-    @property({ type: Object })
-    get settings() {
-        return this._settings;
-    }
-
-    private _settings?: Settings;
-
-    static styles: CSSResult[] = [
+    public static styles: CSSResult[] = [
         ...super.styles,
         PFList,
         css`
@@ -55,25 +43,35 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
         `,
     ];
 
+    @property({ attribute: false })
+    public settings!: Settings;
+
     getSuccessMessage(): string {
         return msg("Successfully updated settings.");
     }
 
-    async send(data: SettingsRequest): Promise<Settings> {
+    async send(settingsRequest: SettingsRequest): Promise<Settings> {
+        settingsRequest.flags ??= this.settings.flags;
+
         const result = await new AdminApi(DEFAULT_CONFIG).adminSettingsUpdate({
-            settingsRequest: data,
+            settingsRequest,
         });
+
         this.dispatchEvent(new CustomEvent("ak-admin-setting-changed"));
+
         return result;
     }
 
     renderForm(): TemplateResult {
+        const { settings } = this;
+
         return html`
             <ak-text-input
                 name="avatars"
                 label=${msg("Avatars")}
-                value="${ifDefined(this._settings?.avatars)}"
+                value="${ifDefined(settings.avatars)}"
                 input-hint="code"
+                required
                 .bighelp=${html`
                     <p class="pf-c-form__helper-text">
                         ${msg(
@@ -133,27 +131,26 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                         )}
                     </p>
                 `}
-                required
             >
             </ak-text-input>
             <ak-switch-input
                 name="defaultUserChangeName"
                 label=${msg("Allow users to change name")}
-                ?checked="${this._settings?.defaultUserChangeName}"
+                ?checked=${settings.defaultUserChangeName}
                 help=${msg("Enable the ability for users to change their name.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="defaultUserChangeEmail"
                 label=${msg("Allow users to change email")}
-                ?checked="${this._settings?.defaultUserChangeEmail}"
+                ?checked=${settings.defaultUserChangeEmail}
                 help=${msg("Enable the ability for users to change their email.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="defaultUserChangeUsername"
                 label=${msg("Allow users to change username")}
-                ?checked="${this._settings?.defaultUserChangeUsername}"
+                ?checked=${settings.defaultUserChangeUsername}
                 help=${msg("Enable the ability for users to change their username.")}
             >
             </ak-switch-input>
@@ -162,7 +159,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Event retention")}
                 input-hint="code"
                 required
-                value="${ifDefined(this._settings?.eventRetention)}"
+                value="${ifDefined(settings.eventRetention)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">
                         ${msg("Duration after which events will be deleted from the database.")}
                     </p>
@@ -184,19 +181,19 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Reputation: lower limit")}
                 required
                 name="reputationLowerLimit"
-                value="${this._settings?.reputationLowerLimit ?? DEFAULT_REPUTATION_LOWER_LIMIT}"
+                value="${settings.reputationLowerLimit ?? DEFAULT_REPUTATION_LOWER_LIMIT}"
                 help=${msg("Reputation cannot decrease lower than this value. Zero or negative.")}
             ></ak-number-input>
             <ak-number-input
                 label=${msg("Reputation: upper limit")}
                 required
                 name="reputationUpperLimit"
-                value="${this._settings?.reputationUpperLimit ?? DEFAULT_REPUTATION_UPPER_LIMIT}"
+                value="${settings.reputationUpperLimit ?? DEFAULT_REPUTATION_UPPER_LIMIT}"
                 help=${msg("Reputation cannot increase higher than this value. Zero or positive.")}
             ></ak-number-input>
             <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks">
                 <ak-array-input
-                    .items=${this._settings?.footerLinks ?? []}
+                    .items=${settings.footerLinks ?? []}
                     .newItem=${() => ({ name: "", href: "" })}
                     .row=${(f?: FooterLink) =>
                         akFooterLinkInput({
@@ -215,7 +212,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-switch-input
                 name="gdprCompliance"
                 label=${msg("GDPR compliance")}
-                ?checked="${this._settings?.gdprCompliance}"
+                ?checked=${settings.gdprCompliance}
                 help=${msg(
                     "When enabled, all the events caused by a user will be deleted upon the user's deletion.",
                 )}
@@ -224,14 +221,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
             <ak-switch-input
                 name="impersonation"
                 label=${msg("Impersonation")}
-                ?checked="${this._settings?.impersonation}"
+                ?checked=${settings.impersonation}
                 help=${msg("Globally enable/disable impersonation.")}
             >
             </ak-switch-input>
             <ak-switch-input
                 name="impersonationRequireReason"
                 label=${msg("Require reason for impersonation")}
-                ?checked="${this._settings?.impersonationRequireReason}"
+                ?checked=${settings.impersonationRequireReason}
                 help=${msg("Require administrators to provide a reason for impersonating a user.")}
             >
             </ak-switch-input>
@@ -240,7 +237,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Default token duration")}
                 input-hint="code"
                 required
-                value="${ifDefined(this._settings?.defaultTokenDuration)}"
+                value="${ifDefined(settings.defaultTokenDuration)}"
                 .bighelp=${html`<p class="pf-c-form__helper-text">
                         ${msg("Default duration for generated tokens")}
                     </p>
@@ -251,9 +248,19 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                 label=${msg("Default token length")}
                 required
                 name="defaultTokenLength"
-                value="${this._settings?.defaultTokenLength ?? 60}"
+                value="${settings.defaultTokenLength ?? 60}"
                 help=${msg("Default length of generated tokens")}
             ></ak-number-input>
+            <ak-form-element-horizontal label=${msg("Flags")} name="flags" required>
+                <ak-codemirror
+                    mode=${CodeMirrorMode.YAML}
+                    value="${YAML.stringify(settings.flags ?? {})}"
+                >
+                </ak-codemirror>
+                <p class="pf-c-form__helper-text">
+                    ${msg("Modify flags to opt into new authentik behaviours early.")}
+                </p>
+            </ak-form-element-horizontal>
         `;
     }
 }

web/src/admin/crypto/CertificateKeyPairForm.ts

@@ -53,15 +53,15 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                 name="certificateData"
                 input-hint="code"
                 placeholder="-----BEGIN CERTIFICATE-----"
-                required
-                ?revealed=${this.instance === undefined}
+                ?required=${!this.instance}
+                ?revealed=${!this.instance}
                 help=${msg("PEM-encoded Certificate data.")}
             ></ak-secret-textarea-input>
             <ak-secret-textarea-input
                 label=${msg("Private Key")}
                 name="keyData"
                 input-hint="code"
-                ?revealed=${this.instance === undefined}
+                ?revealed=${!this.instance}
                 help=${msg(
                     "Optional Private Key. If this is set, you can use this keypair for encryption.",
                 )}

web/src/admin/enterprise/EnterpriseLicenseForm.ts

@@ -66,7 +66,7 @@ export class EnterpriseLicenseForm extends ModelForm<License, string> {
             </ak-form-element-horizontal>
             <ak-secret-textarea-input
                 name="key"
-                ?revealed=${this.instance === undefined}
+                ?revealed=${!this.instance}
                 label=${msg("License key")}
                 input-hint="code"
             >

web/src/admin/events/TransportForm.ts

@@ -14,6 +14,8 @@ import {
     NotificationWebhookMapping,
     PropertymappingsApi,
     PropertymappingsNotificationListRequest,
+    StagesApi,
+    TypeCreate,
 } from "@goauthentik/api";
 
 import { msg } from "@lit/localize";
@@ -33,10 +35,18 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                 return transport;
             });
     }
+    async load(): Promise<void> {
+        this.templates = await new StagesApi(DEFAULT_CONFIG).stagesEmailTemplatesList();
+    }
+
+    templates?: TypeCreate[];
 
     @property({ type: Boolean })
     showWebhook = false;
 
+    @property({ type: Boolean })
+    showEmail = false;
+
     getSuccessMessage(): string {
         return this.instance
             ? msg("Successfully updated transport.")
@@ -56,18 +66,28 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
     }
 
     onModeChange(mode: string | undefined): void {
-        if (
-            mode === NotificationTransportModeEnum.Webhook ||
-            mode === NotificationTransportModeEnum.WebhookSlack
-        ) {
-            this.showWebhook = true;
-        } else {
-            this.showWebhook = false;
+        // Reset all flags
+        this.showWebhook = false;
+        this.showEmail = false;
+
+        switch (mode) {
+            case NotificationTransportModeEnum.Webhook:
+            case NotificationTransportModeEnum.WebhookSlack:
+                this.showWebhook = true;
+                break;
+            case NotificationTransportModeEnum.Email:
+                this.showEmail = true;
+                break;
+            case NotificationTransportModeEnum.Local:
+            default:
+                // Both flags remain false
+                break;
         }
     }
 
     renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} required name="name">
+        return html`
+            <ak-form-element-horizontal label=${msg("Name")} required name="name">
                 <input
                     type="text"
                     value="${ifDefined(this.instance?.name)}"
@@ -75,6 +95,26 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                     required
                 />
             </ak-form-element-horizontal>
+            <ak-form-element-horizontal name="sendOnce">
+                <label class="pf-c-switch">
+                    <input
+                        class="pf-c-switch__input"
+                        type="checkbox"
+                        ?checked=${this.instance?.sendOnce ?? false}
+                    />
+                    <span class="pf-c-switch__toggle">
+                        <span class="pf-c-switch__toggle-icon">
+                            <i class="fas fa-check" aria-hidden="true"></i>
+                        </span>
+                    </span>
+                    <span class="pf-c-switch__label">${msg("Send once")}</span>
+                </label>
+                <p class="pf-c-form__helper-text">
+                    ${msg(
+                        "Only send notification once, for example when sending a webhook into a chat channel.",
+                    )}
+                </p>
+            </ak-form-element-horizontal>
             <ak-form-element-horizontal label=${msg("Mode")} required name="mode">
                 <ak-radio
                     @change=${(ev: CustomEvent<{ value: NotificationTransportModeEnum }>) => {
@@ -109,7 +149,7 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                 value="${this.instance?.webhookUrl || ""}"
                 input-hint="code"
                 ?hidden=${!this.showWebhook}
-                required
+                ?required=${this.showWebhook}
             >
             </ak-hidden-text-input>
             <ak-form-element-horizontal
@@ -178,26 +218,39 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                 >
                 </ak-search-select>
             </ak-form-element-horizontal>
-            <ak-form-element-horizontal name="sendOnce">
-                <label class="pf-c-switch">
-                    <input
-                        class="pf-c-switch__input"
-                        type="checkbox"
-                        ?checked=${this.instance?.sendOnce ?? false}
-                    />
-                    <span class="pf-c-switch__toggle">
-                        <span class="pf-c-switch__toggle-icon">
-                            <i class="fas fa-check" aria-hidden="true"></i>
-                        </span>
-                    </span>
-                    <span class="pf-c-switch__label">${msg("Send once")}</span>
-                </label>
-                <p class="pf-c-form__helper-text">
-                    ${msg(
-                        "Only send notification once, for example when sending a webhook into a chat channel.",
-                    )}
-                </p>
-            </ak-form-element-horizontal>`;
+            <ak-form-element-horizontal
+                ?hidden=${!this.showEmail}
+                ?required=${this.showEmail}
+                label=${msg("Email Subject Prefix")}
+                name="emailSubjectPrefix"
+            >
+                <input
+                    type="text"
+                    value="${this.instance?.emailSubjectPrefix || "authentik Notification: "}"
+                    class="pf-c-form-control"
+                    ?hidden=${!this.showEmail}
+                    ?required=${this.showEmail}
+                />
+            </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                ?hidden=${!this.showEmail}
+                ?required=${this.showEmail}
+                label=${msg("Email Template")}
+                name="emailTemplate"
+            >
+                <select name="users" class="pf-c-form-control">
+                    ${this.templates?.map((template) => {
+                        const selected =
+                            this.instance?.emailTemplate === template.name ||
+                            (!this.instance?.emailTemplate &&
+                                template.name === "email/event_notification.html");
+                        return html`<option value=${ifDefined(template.name)} ?selected=${selected}>
+                            ${template.description}
+                        </option>`;
+                    })}
+                </select>
+            </ak-form-element-horizontal>
+        `;
     }
 }
 

web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts

@@ -75,7 +75,6 @@ export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACP
                             type="text"
                             value="${ifDefined(this.instance?.staticSettings.username)}"
                             class="pf-c-form-control"
-                            required
                         />
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal
@@ -86,7 +85,6 @@ export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACP
                             type="password"
                             value="${ifDefined(this.instance?.staticSettings.password)}"
                             class="pf-c-form-control"
-                            required
                         />
                     </ak-form-element-horizontal>
                 </div>
@@ -137,11 +135,7 @@ export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACP
             </ak-form-group>
             <ak-form-group label="${msg("Advanced settings")}">
                 <div class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Expression")}
-                        required
-                        name="expression"
-                    >
+                    <ak-form-element-horizontal label=${msg("Expression")} name="expression">
                         <ak-codemirror
                             mode=${CodeMirrorMode.Python}
                             value="${ifDefined(this.instance?.expression)}"

web/src/admin/sources/kerberos/KerberosSourceForm.ts

@@ -259,7 +259,7 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                     <ak-secret-textarea-input
                         name="syncKeytab"
                         label=${msg("Sync keytab")}
-                        ?revealed=${this.instance === undefined}
+                        ?revealed=${!this.instance}
                         help=${msg(
                             "Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                         )}
@@ -287,7 +287,7 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                     <ak-secret-textarea-input
                         name="spnegoKeytab"
                         label=${msg("SPNEGO keytab")}
-                        ?revealed=${this.instance === undefined}
+                        ?revealed=${!this.instance}
                         help=${msg(
                             "Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                         )}

web/src/admin/sources/oauth/OAuthSourceForm.ts

@@ -442,8 +442,8 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                         name="consumerSecret"
                         input-hint="code"
                         help=${msg("Also known as Client Secret.")}
-                        required
-                        ?revealed=${this.instance === undefined}
+                        ?required=${!this.instance}
+                        ?revealed=${!this.instance}
                     ></ak-secret-textarea-input>
                     <ak-form-element-horizontal label=${msg("Scopes")} name="additionalScopes">
                         <input
@@ -530,9 +530,8 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced settings")} </span>
-                <div slot="body" class="pf-c-form">
+            <ak-form-group label=${msg("Advanced settings")}>
+                <div class="pf-c-form">
                     <ak-form-element-horizontal
                         label=${msg("Policy engine mode")}
                         required

web/src/admin/sources/plex/PlexSourceForm.ts

@@ -414,9 +414,8 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced settings")} </span>
-                <div slot="body" class="pf-c-form">
+            <ak-form-group label=${msg("Advanced settings")}>
+                <div class="pf-c-form">
                     <ak-form-element-horizontal
                         label=${msg("Policy engine mode")}
                         required

web/src/admin/sources/saml/SAMLSourceForm.ts

@@ -574,9 +574,8 @@ export class SAMLSourceForm extends WithCapabilitiesConfig(BaseSourceForm<SAMLSo
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced settings")} </span>
-                <div slot="body" class="pf-c-form">
+            <ak-form-group label=${msg("Advanced settings")}>
+                <div class="pf-c-form">
                     <ak-form-element-horizontal
                         label=${msg("Policy engine mode")}
                         required

web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts

@@ -16,6 +16,7 @@ import {
     FlowsInstancesListDesignationEnum,
     FlowsInstancesListRequest,
     StagesApi,
+    TypeCreate,
 } from "@goauthentik/api";
 
 import { msg } from "@lit/localize";
@@ -33,6 +34,12 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
         return stage;
     }
 
+    async load(): Promise<void> {
+        this.templates = await new StagesApi(DEFAULT_CONFIG).stagesEmailTemplatesList();
+    }
+
+    templates?: TypeCreate[];
+
     @property({ type: Boolean })
     showConnectionSettings = false;
 
@@ -262,6 +269,28 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal label=${msg("Template")} name="template">
+                        <select
+                            class="pf-c-form-control"
+                            ?disabled=${!this.templates || this.templates.length === 0}
+                        >
+                            ${this.templates && this.templates.length > 0
+                                ? this.templates.map((template: TypeCreate) => {
+                                      return html`<option
+                                          value="${template.name}"
+                                          ?selected=${this.instance?.template === template.name ||
+                                          (!this.instance?.template &&
+                                              template.name === "email/email_otp.html")}
+                                      >
+                                          ${template.description}
+                                      </option>`;
+                                  })
+                                : html`<option value="">${msg("Loading templates...")}</option>`}
+                        </select>
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Template used for the verification email.")}
+                        </p>
+                    </ak-form-element-horizontal>
                 </div>
             </ak-form-group>`;
     }

web/src/common/purify.ts

@@ -20,6 +20,22 @@ export const EscapeTrustPolicy = trustedTypes.createPolicy("authentik-escape", {
     },
 });
 
+/**
+ * Trusted types policy that removes all HTML content.
+ *
+ *
+ * @returns {TrustedHTML} All remaining text content.
+ */
+export const StripHTMLTrustPolicy = trustedTypes.createPolicy("authentik-strip-html", {
+    createHTML: (untrustedHTML: string) => {
+        return DOMPurify.sanitize(untrustedHTML, {
+            RETURN_TRUSTED_TYPE: false,
+            ALLOWED_TAGS: [],
+            ALLOWED_ATTR: [],
+        });
+    },
+});
+
 /**
  * Trusted types policy, stripping all HTML content.
  *
@@ -105,7 +121,9 @@ export function renderStaticHTMLUnsafe(untrustedHTML: unknown): string {
 
     render(untrustedHTML, container);
 
-    const result = container.innerHTML;
-
+    const result = container.innerHTML
+        // Remove all comments as they can interfere with the styles.
+        .replaceAll("<!---->", "")
+        .replaceAll(/<!--\?lit\$\d+\$-->/g, "");
     return result;
 }

web/src/components/ak-search-ql/index.ts

@@ -1,14 +1,18 @@
 import "#elements/buttons/Dropdown";
 
-import { AKElement } from "#elements/Base";
+import { StripHTMLTrustPolicy } from "#common/purify";
+import { rootInterface } from "#common/theme";
+
+import { FormAssociated, FormAssociatedElement } from "#elements/forms/form-associated-element";
 import { PaginatedResponse } from "#elements/table/Table";
 
 import DjangoQL, { Introspections } from "@mrmarble/djangoql-completion";
 
 import { msg } from "@lit/localize";
-import { css, CSSResult, html, nothing, TemplateResult } from "lit";
-import { customElement, property, query, state } from "lit/decorators.js";
+import { css, CSSResult, html, LitElement, nothing, PropertyValues, TemplateResult } from "lit";
+import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
+import { createRef, ref, Ref } from "lit/directives/ref.js";
 
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
 import PFSearchInput from "@patternfly/patternfly/components/SearchInput/search-input.css";
@@ -25,40 +29,26 @@ export class QL extends DjangoQL {
     textareaResize() {}
 }
 
-@customElement("ak-search-ql")
-export class QLSearch extends AKElement {
-    @property()
-    value?: string;
+/**
+ * Given an array or length, return logical index of the element at the given delta.
+ * This is effectively a modulo loop, allowing for positive and negative deltas.
+ */
+function torusIndex(lengthLike: number | ArrayLike<number>, delta: number): number {
+    const length = typeof lengthLike === "number" ? lengthLike : lengthLike.length;
 
-    @query("[name=search]")
-    searchElement?: HTMLTextAreaElement;
-
-    @state()
-    menuOpen = false;
-
-    @property()
-    onSearch?: (value: string) => void;
-
-    @state()
-    selected?: number;
-
-    @state()
-    cursorX: number = 0;
-
-    @state()
-    cursorY: number = 0;
-
-    ql?: QL;
-    canvas?: CanvasRenderingContext2D;
-
-    set apiResponse(value: PaginatedResponse<unknown> | undefined) {
-        if (!value || !value.autocomplete || !this.ql) {
-            return;
-        }
-        this.ql.loadIntrospections(value.autocomplete as unknown as Introspections);
+    if (delta < 0) {
+        return (length + delta) % length;
     }
 
-    static styles: CSSResult[] = [
+    return ((delta % length) + length) % length;
+}
+
+@customElement("ak-search-ql")
+export class QLSearch extends FormAssociatedElement<string> implements FormAssociated {
+    declare anchorRef: Ref<HTMLTextAreaElement>;
+    declare anchor: HTMLTextAreaElement | null;
+
+    public static styles: CSSResult[] = [
         PFBase,
         PFFormControl,
         PFSearchInput,
@@ -66,207 +56,409 @@ export class QLSearch extends AKElement {
             ::-webkit-search-cancel-button {
                 display: none;
             }
+
             .ql.pf-c-form-control {
-                font-family: monospace;
+                --input-height: 2.25em;
+
+                height: var(--input-height);
+                min-height: var(--input-height);
+                max-height: calc(var(--input-height) * 6);
                 resize: vertical;
-                height: 2.25em;
             }
+
             .selected {
                 background-color: var(--pf-c-search-input__menu-item--hover--BackgroundColor);
             }
-            :host([theme="dark"]) .pf-c-search-input__menu {
-                --pf-c-search-input__menu--BackgroundColor: var(--ak-dark-background-light-ish);
-                color: var(--ak-dark-foreground);
-            }
-            :host([theme="dark"]) .pf-c-search-input__menu-item {
-                --pf-c-search-input__menu-item--Color: var(--ak-dark-foreground);
-            }
-            :host([theme="dark"]) .pf-c-search-input__menu-item:hover {
-                --pf-c-search-input__menu-item--BackgroundColor: var(--ak-dark-background-lighter);
-            }
-            :host([theme="dark"]) .pf-c-search-input__menu-list-item.selected {
-                --pf-c-search-input__menu-item--hover--BackgroundColor: var(
-                    --ak-dark-background-light
-                );
-            }
-            :host([theme="dark"]) .pf-c-search-input__text::before {
-                border: 0;
+
+            :host([theme="dark"]) {
+                .pf-c-search-input__menu {
+                    --pf-c-search-input__menu--BackgroundColor: var(--ak-dark-background-light-ish);
+                    color: var(--ak-dark-foreground);
+                }
+
+                .pf-c-search-input__menu-item {
+                    --pf-c-search-input__menu-item--Color: var(--ak-dark-foreground);
+                }
+
+                .pf-c-search-input__menu-item:hover {
+                    --pf-c-search-input__menu-item--BackgroundColor: var(
+                        --ak-dark-background-lighter
+                    );
+                }
+
+                .pf-c-search-input__menu-list-item.selected {
+                    --pf-c-search-input__menu-item--hover--BackgroundColor: var(
+                        --ak-dark-background-light
+                    );
+                }
+
+                .pf-c-search-input__text::before {
+                    border: 0;
+                }
             }
+
             .pf-c-search-input__menu {
                 position: fixed;
                 min-width: 0;
+                overflow-y: auto;
+                max-height: 50vh;
             }
         `,
     ];
 
-    firstUpdated() {
-        if (!this.searchElement) {
+    //#region Properties
+
+    @property({ type: Boolean })
+    public open = false;
+
+    @property({ type: Number, attribute: false })
+    public selectionIndex = -1;
+
+    #value = "";
+
+    @property({ type: String })
+    public get value(): string {
+        return this.#value;
+    }
+
+    public set value(value: unknown) {
+        const parsed = typeof value === "string" ? value : "";
+
+        this.setFormValue(parsed.trim(), parsed);
+        this.#value = parsed;
+
+        if (this.anchor) {
+            this.anchor.value = this.#value;
+        }
+    }
+
+    //#endregion
+
+    //#region State
+
+    #menuRef = createRef<HTMLDivElement>();
+
+    #ql: QL | null = null;
+    #ctx: OffscreenCanvasRenderingContext2D | null = null;
+    #letterWidth = -1;
+    #scrollContainer: HTMLElement | null = null;
+
+    public set apiResponse(value: PaginatedResponse<unknown> | undefined) {
+        if (!value?.autocomplete || !this.#ql) {
             return;
         }
-        this.ql = new QL({
+
+        this.#ql.loadIntrospections(value.autocomplete as unknown as Introspections);
+    }
+
+    //#endregion
+
+    //#region Lifecycle
+
+    public override connectedCallback() {
+        super.connectedCallback();
+
+        this.internals.ariaAutoComplete = "list";
+        this.internals.role = "combobox";
+        this.internals.ariaHasPopup = "listbox";
+
+        this.#scrollContainer =
+            rootInterface<LitElement>().renderRoot.querySelector("#main-content");
+
+        this.#scrollContainer?.addEventListener("scroll", this.#updateDropdownPosition, {
+            passive: true,
+        });
+
+        this.tabIndex = 0;
+    }
+
+    public override disconnectedCallback() {
+        super.disconnectedCallback();
+
+        this.#scrollContainer?.removeEventListener("scroll", this.#updateDropdownPosition);
+    }
+
+    public formStateRestoreCallback(state: string) {
+        this.value = state;
+    }
+
+    public formResetCallback() {
+        this.value = "";
+    }
+
+    public toJSON() {
+        return this.value;
+    }
+
+    public override updated(changedProperties: PropertyValues<this>) {
+        if (changedProperties.has("open")) {
+            this.internals.ariaExpanded = this.open ? "true" : "false";
+        }
+
+        if (changedProperties.has("selectionIndex")) {
+            const id = `suggestion-${this.selectionIndex}`;
+
+            this.setAttribute("aria-activedescendant", this.selectionIndex === -1 ? "" : id);
+
+            this.renderRoot.querySelector(`#${id}`)?.scrollIntoView({
+                behavior: "auto",
+                block: "nearest",
+            });
+        }
+    }
+
+    public override firstUpdated() {
+        const textarea = this.anchorRef.value;
+
+        if (!textarea) return;
+
+        this.#ql = new QL({
             completionEnabled: true,
             introspections: {
                 current_model: "",
                 models: {},
             },
-            selector: this.searchElement,
+            selector: textarea,
             autoResize: false,
         });
-        const canvas = document.createElement("canvas");
-        const context = canvas.getContext("2d");
-        if (!context) {
+
+        const canvas = new OffscreenCanvas(300, 150);
+        this.#ctx = canvas.getContext("2d");
+
+        if (!this.#ctx) {
             console.error("authentik/ql: failed to get canvas context");
             return;
         }
-        context.font = window.getComputedStyle(this.searchElement).font;
-        this.canvas = context;
-    }
 
-    refreshCompletions() {
-        this.value = this.searchElement?.value;
-        if (!this.ql) {
-            return;
-        }
-        this.ql.generateSuggestions();
-        if (this.ql.suggestions.length < 1 || this.ql.loading) {
-            this.menuOpen = false;
-            return;
-        }
-        this.menuOpen = true;
-        this.updateDropdownPosition();
-        this.requestUpdate();
-    }
+        this.#ctx.font = window.getComputedStyle(textarea).font;
 
-    updateDropdownPosition() {
-        if (!this.searchElement) {
-            return;
-        }
-        const bcr = this.getBoundingClientRect();
         // We need the width of a letter to measure x; we use a monospaced font but still
         // check the length for `m` as its the widest ASCII char
-        const metrics = this.canvas?.measureText("m");
-        const letterWidth = Math.ceil(metrics?.width || 0) + 1;
+        const metrics = this.#ctx?.measureText("m");
+        this.#letterWidth = Math.ceil(metrics?.width || 0) + 1;
+    }
+
+    //#endregion
+
+    //#region Completions
+
+    #refreshCompletions = () => {
+        if (this.anchor) {
+            this.value = this.anchor.value;
+        }
+
+        if (!this.#ql) {
+            return;
+        }
+
+        this.#ql.generateSuggestions();
+
+        if (this.#ql.suggestions.length < 1 || this.#ql.loading) {
+            this.open = false;
+            return;
+        }
+
+        this.open = true;
+
+        this.requestUpdate();
+
+        requestAnimationFrame(this.#updateDropdownPosition);
+    };
+
+    #updateDropdownPosition = () => {
+        const anchor = this.anchorRef.value;
+        const menu = this.#menuRef.value;
+
+        if (!anchor || !menu) return;
+
+        const bcr = this.getBoundingClientRect();
+        const style = window.getComputedStyle(anchor);
 
         // Mostly static variables for padding, font line-height and how many
-        const lineHeight = parseInt(window.getComputedStyle(this.searchElement).lineHeight, 10);
-        const paddingTop = parseInt(window.getComputedStyle(this.searchElement).paddingTop, 10);
-        const paddingLeft = parseInt(window.getComputedStyle(this.searchElement).paddingLeft, 10);
-        const paddingRight = parseInt(window.getComputedStyle(this.searchElement).paddingRight, 10);
+        const lineHeight = parseInt(style.lineHeight, 10);
+        const paddingTop = parseInt(style.paddingTop, 10);
+        const paddingLeft = parseInt(style.paddingLeft, 10);
+        const paddingRight = parseInt(style.paddingRight, 10);
+
         const actualInnerWidth = bcr.width - paddingLeft - paddingRight;
 
         let relX = 0;
         let relY = 1;
         let letterIndex = 0;
 
-        this.searchElement.value.split(" ").some((word, idx) => {
+        for (const word of anchor.value.split(" ")) {
             letterIndex += word.length;
-            const newRelX = relX + word.length * letterWidth;
+            const newRelX = relX + word.length * this.#letterWidth;
+
             if (newRelX > actualInnerWidth) {
                 relY += 1;
-                if (letterIndex > this.searchElement!.selectionStart) {
+
+                if (letterIndex > anchor.selectionStart) {
                     relX =
-                        letterWidth * word.length -
-                        (letterIndex - this.searchElement!.selectionStart) * letterWidth;
-                    return true;
+                        this.#letterWidth * word.length -
+                        (letterIndex - anchor.selectionStart) * this.#letterWidth;
+
+                    break;
                 }
-                relX = word.length * letterWidth;
+
+                relX = word.length * this.#letterWidth;
             } else {
                 relX = newRelX + 1;
             }
-        });
+        }
 
-        this.cursorX = bcr.x + paddingLeft + relX;
-        this.cursorY = bcr.y + paddingTop + relY * lineHeight;
-    }
+        const x = bcr.x + paddingLeft + relX;
+        const y = bcr.y + paddingTop + relY * lineHeight;
+
+        Object.assign(menu.style, {
+            left: `${x}px`,
+            top: `${y}px`,
+        } satisfies Partial<CSSStyleDeclaration>);
+    };
+
+    //#endregion
+
+    //#region Event Listeners
+
+    #keydownListener = (event: KeyboardEvent) => {
+        this.#updateDropdownPosition();
+
+        const suggestionsLength = this.#ql?.suggestions.length;
+
+        if (event.key === "Enter" && !this.open && this.form) {
+            const submitEvent = new SubmitEvent("submit", {
+                submitter: this,
+                bubbles: true,
+                composed: true,
+                cancelable: true,
+            });
+
+            this.form.dispatchEvent(submitEvent);
 
-    onKeyDown(ev: KeyboardEvent) {
-        this.updateDropdownPosition();
-        if (ev.key === "Enter" && ev.metaKey && this.onSearch && this.searchElement) {
-            this.onSearch(this.searchElement?.value);
             return;
         }
-        if (!this.menuOpen) return;
-        switch (ev.key) {
+
+        if (event.key === "ArrowDown") {
+            event.preventDefault();
+
+            if (this.open && suggestionsLength) {
+                if (this.selectionIndex === -1) {
+                    this.selectionIndex = 0;
+                } else {
+                    this.selectionIndex = torusIndex(suggestionsLength, this.selectionIndex + 1);
+                }
+
+                this.#refreshCompletions();
+
+                return;
+            }
+
+            this.selectionIndex = 0;
+            this.#refreshCompletions();
+
+            return;
+        }
+
+        if (!this.open) return;
+
+        switch (event.key) {
             case "ArrowUp":
-                if (this.ql?.suggestions.length) {
-                    if (this.selected === undefined) {
-                        this.selected = this.ql?.suggestions.length - 1;
-                    } else if (this.selected === 0) {
-                        this.selected = undefined;
+                if (suggestionsLength) {
+                    if (this.selectionIndex === -1) {
+                        this.selectionIndex = suggestionsLength - 1;
                     } else {
-                        this.selected -= 1;
+                        this.selectionIndex = torusIndex(
+                            suggestionsLength,
+                            this.selectionIndex - 1,
+                        );
                     }
-                    this.refreshCompletions();
-                    ev.preventDefault();
+
+                    this.#refreshCompletions();
+                    event.preventDefault();
                 }
-                break;
-            case "ArrowDown":
-                if (this.ql?.suggestions.length) {
-                    if (this.selected === undefined) {
-                        this.selected = 0;
-                    } else if (this.selected < this.ql?.suggestions.length - 1) {
-                        this.selected += 1;
-                    } else {
-                        this.selected = undefined;
-                    }
-                    this.refreshCompletions();
-                    ev.preventDefault();
-                }
-                break;
+
+                return;
+
             case "Tab":
-                if (this.selected) {
-                    this.ql?.selectCompletion(this.selected);
-                    ev.preventDefault();
+                if (this.selectionIndex) {
+                    this.#ql?.selectCompletion(this.selectionIndex);
+                    event.preventDefault();
                 }
-                break;
+
+                return;
             case "Enter":
                 // Technically this is a textarea, due to automatic multi-line feature,
                 // but other than that it should look and behave like a normal input.
                 // So expected behavior when pressing Enter is to submit the form,
                 // not to add a new line.
-                if (this.selected !== undefined) {
-                    this.ql?.selectCompletion(this.selected);
+                if (this.selectionIndex !== -1) {
+                    this.#ql?.selectCompletion(this.selectionIndex);
+                    this.selectionIndex = 0;
                 }
-                ev.preventDefault();
-                break;
-            case "Escape":
-                this.menuOpen = false;
-                break;
-            case "Shift": // Shift
-            case "Control": // Ctrl
-            case "Alt": // Alt
-            case "Meta": // Windows Key or Cmd on Mac
-                // Control keys shouldn't trigger completion popup
-                break;
-        }
-    }
 
-    renderMenu() {
-        if (!this.menuOpen || !this.ql) {
+                event.preventDefault();
+
+                return;
+            case "Escape":
+                this.open = false;
+                return;
+        }
+    };
+
+    #blurListener = ({ relatedTarget }: FocusEvent) => {
+        if (relatedTarget instanceof Node && this.renderRoot.contains(relatedTarget)) {
+            return;
+        }
+
+        this.open = false;
+    };
+
+    #focusListener = () => {
+        this.selectionIndex = this.selectionIndex === -1 ? 0 : this.selectionIndex;
+
+        this.#refreshCompletions();
+    };
+
+    //#endregion
+
+    //#region Render
+
+    protected renderMenu() {
+        if (!this.open || !this.#ql) {
             return nothing;
         }
+
         return html`
-            <div
-                class="pf-c-search-input__menu"
-                style="left: ${this.cursorX}px; top: ${this.cursorY}px;"
-            >
-                <ul class="pf-c-search-input__menu-list">
-                    ${this.ql.suggestions.map((suggestion, idx) => {
+            <div ${ref(this.#menuRef)} class="pf-c-search-input__menu">
+                <ul
+                    class="pf-c-search-input__menu-list"
+                    role="listbox"
+                    id="ql-suggestions"
+                    aria-label=${msg("Query suggestions")}
+                >
+                    ${this.#ql.suggestions.map((suggestion, idx) => {
+                        // Cast to string to sooth Lit Analyzer's primitive type rule.
+                        const label = `${StripHTMLTrustPolicy.createHTML(suggestion.suggestionText)}`;
+
                         return html`<li
-                            class="pf-c-search-input__menu-list-item ${this.selected === idx
+                            role="option"
+                            id="suggestion-${idx}"
+                            aria-selected=${this.selectionIndex === idx ? "true" : "false"}
+                            class="pf-c-search-input__menu-list-item ${this.selectionIndex === idx
                                 ? "selected"
                                 : ""}"
                         >
                             <button
                                 class="pf-c-search-input__menu-item"
                                 type="button"
+                                aria-label=${label}
                                 @click=${() => {
-                                    this.ql?.selectCompletion(idx);
-                                    this.refreshCompletions();
+                                    this.#ql?.selectCompletion(idx);
+                                    this.#refreshCompletions();
                                 }}
                             >
-                                <span class="pf-c-search-input__menu-item-text"
-                                    >${suggestion.text}</span
+                                <span class="pf-c-search-input__menu-item-text pf-m-monospace">
+                                    ${suggestion.text}</span
                                 >
                             </button>
                         </li>`;
@@ -276,25 +468,33 @@ export class QLSearch extends AKElement {
         `;
     }
 
-    render(): TemplateResult {
+    public override render(): TemplateResult {
         return html`<div class="pf-c-search-input">
             <div class="pf-c-search-input__bar">
                 <span class="pf-c-search-input__text">
                     <textarea
-                        class="pf-c-form-control ql"
+                        ${ref(this.anchorRef)}
+                        class="pf-c-form-control pf-m-monospace ql"
                         name="search"
+                        autocomplete="off"
+                        aria-controls="ql-suggestions"
+                        ?required=${this.required}
                         placeholder=${msg("Search...")}
                         spellcheck="false"
-                        @input=${(ev: InputEvent) => this.refreshCompletions()}
-                        @keydown=${this.onKeyDown}
+                        @input=${this.#refreshCompletions}
+                        @focus=${this.#focusListener}
+                        @blur=${this.#blurListener}
+                        @keydown=${this.#keydownListener}
                     >
-${ifDefined(this.value)}</textarea
+${ifDefined(this.#value)}</textarea
                     >
                 </span>
             </div>
             ${this.renderMenu()}
         </div>`;
     }
+
+    //#endregion
 }
 
 declare global {

web/src/elements/ak-list-select/ak-list-select.ts

@@ -154,11 +154,17 @@ export class ListSelect extends AKElement implements IListSelect {
         return elementCount === 0 ? -1 : checkIndex();
     }
 
+    /**
+     * Highlight the currently focused item.
+     *
+     * @todo
+     * This doesn't quite work as intended, but this component will likely
+     * be refined after the PatternFly upgrade.
+     */
     private highlightFocusedItem() {
         this.displayedElements.forEach((item) => {
             item.classList.remove("ak-highlight-item");
             item.removeAttribute("aria-selected");
-            item.tabIndex = -1;
         });
         const currentElement = this.currentElement;
         if (!currentElement) {
@@ -168,7 +174,6 @@ export class ListSelect extends AKElement implements IListSelect {
         // This is currently a radio emulation; "selected" is true here.
         // If this were a checkbox emulation (i.e. multi), "checked" would be appropriate.
         currentElement.setAttribute("aria-selected", "true");
-        currentElement.scrollIntoView({ block: "center", behavior: "smooth" });
     }
 
     @bound

web/src/elements/cards/stories/QuickActionsCard.stories.ts

@@ -9,7 +9,7 @@ import { html } from "lit";
 const ACTIONS: QuickAction[] = [
     ["Create a new application", "/core/applications"],
     ["Check the logs", "/events/log"],
-    ["Explore integrations", "https://goauthentik.io/integrations/", true],
+    ["Explore integrations", "https://integrations.goauthentik.io/", true],
     ["Manage users", "/identity/users"],
     ["Check the release notes", "https://goauthentik.io/docs/releases/", true],
 ];

web/src/elements/cards/tests/QuickActionCard.test.ts

@@ -11,7 +11,7 @@ import { html } from "lit";
 const ACTIONS: QuickAction[] = [
     ["Create a new application", "/core/applications"],
     ["Check the logs", "/events/log"],
-    ["Explore integrations", "https://goauthentik.io/integrations/", true],
+    ["Explore integrations", "https://integrations.goauthentik.io/", true],
     ["Manage users", "/identity/users"],
     ["Check the release notes", "https://goauthentik.io/docs/releases/", true],
 ];

web/src/elements/forms/Form.ts

@@ -18,7 +18,7 @@ import { instanceOfValidationError } from "@goauthentik/api";
 
 import { snakeCase } from "change-case";
 
-import { msg } from "@lit/localize";
+import { msg, str } from "@lit/localize";
 import { css, CSSResult, html, nothing, TemplateResult } from "lit";
 import { property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
@@ -246,6 +246,8 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
         return createFileMap<T>(this.shadowRoot?.querySelectorAll("ak-form-element-horizontal"));
     }
 
+    //#region Validation
+
     public checkValidity(): boolean {
         return !!this.form?.checkValidity?.();
     }
@@ -261,6 +263,10 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
         return reportValidityDeep(form);
     }
 
+    //#endregion
+
+    //#region Submission
+
     /**
      * Convert the elements of the form to JSON.[4]
      */
@@ -273,6 +279,7 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
 
         return serializeForm<T>(elements);
     }
+
     /**
      * Serialize and send the form to the destination. The `send()` method must be overridden for
      * this to work. If processing the data results in an error, we catch the error, distribute
@@ -310,6 +317,8 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
                 let errorMessage = pluckErrorDetail(error);
                 let focused = false;
 
+                //#region Validation errors
+
                 if (instanceOfValidationError(parsedError)) {
                     // assign all input-related errors to their elements
                     const elements =
@@ -346,6 +355,23 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
 
                     if (parsedError.nonFieldErrors) {
                         this.nonFieldErrors = parsedError.nonFieldErrors;
+                    } else if (!focused) {
+                        // It's possible that the API has returned a field error that we're
+                        // not aware of. We can still show the error message, to at least
+                        // give the user some feedback.
+                        for (const [fieldName, fieldErrors] of Object.entries(parsedError)) {
+                            if (Array.isArray(fieldErrors)) {
+                                this.nonFieldErrors = [
+                                    msg(str`${fieldName}: ${fieldErrors.join(", ")}`),
+                                ];
+                                break;
+                            }
+                        }
+
+                        console.error(
+                            "authentik/forms: API rejected the form submission due to an invalid field that doesn't appear to be in the form. This is likely a bug in authentik.",
+                            parsedError,
+                        );
                     }
 
                     errorMessage = msg("Invalid update request.");
@@ -357,6 +383,8 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
                     }
                 }
 
+                //#endregion
+
                 showMessage({
                     message: errorMessage,
                     level: MessageLevel.error,
@@ -369,6 +397,8 @@ export abstract class Form<T = Record<string, unknown>> extends AKElement {
 
     //#endregion
 
+    //#endregion
+
     //#region Render
 
     public renderFormWrapper(): TemplateResult {

web/src/elements/forms/form-associated-element.ts

@@ -0,0 +1,216 @@
+import { AKElement } from "#elements/Base";
+
+import { Jsonifiable } from "type-fest";
+
+import { msg } from "@lit/localize";
+import { LitElement } from "lit";
+import { property } from "lit/decorators.js";
+import { createRef, Ref } from "lit/directives/ref.js";
+
+/**
+ * A subset of form associated {@linkcode ElementInternals} properties.
+ *
+ * @see {@linkcode FormAssociatedElement} for usage.
+ */
+export interface FormAssociated
+    extends Pick<
+        ElementInternals,
+        | "form"
+        | "validity"
+        | "validationMessage"
+        | "willValidate"
+        | "labels"
+        | "checkValidity"
+        | "reportValidity"
+    > {
+    /**
+     * The name of the input, provided to the form.
+     */
+    readonly name: string | null;
+
+    /**
+     * The type of the input, provided to the form.
+     */
+    readonly type: string;
+
+    /**
+     * Whether or not the input is required.
+     */
+    required?: boolean;
+
+    /**
+     * Whether or not the input is read-only.
+     */
+    readonly?: boolean;
+
+    /**
+     * A JSON representation of the value.
+     */
+    toJSON(): Jsonifiable;
+}
+
+export type FormValue = File | string | FormData | null;
+
+/**
+ * A base element which provides reactive properties and methods for interacting with a parent form.
+ *
+ * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/ElementInternals | MDN}
+ */
+export abstract class FormAssociatedElement<
+        V extends FormValue = string,
+        T extends Jsonifiable = V extends string ? V : Jsonifiable,
+        S extends FormValue = V,
+    >
+    extends AKElement
+    implements FormAssociated
+{
+    static shadowRootOptions = { ...LitElement.shadowRootOptions, delegatesFocus: true };
+
+    public static readonly formAssociated = true;
+
+    /**
+     * The internals of the element.
+     *
+     * @protected
+     * @see {@linkcode FormAssociated}
+     */
+    protected internals = this.attachInternals();
+
+    //#region Reactive Properties
+
+    @property({ type: Boolean })
+    public get required() {
+        return this.internals.ariaRequired === "true";
+    }
+
+    public set required(value: boolean) {
+        this.internals.ariaRequired = value ? "true" : "false";
+    }
+
+    @property({ type: Boolean, attribute: "readonly" })
+    public get readOnly() {
+        return this.internals.ariaReadOnly === "true";
+    }
+
+    public set readOnly(value: boolean) {
+        this.internals.ariaReadOnly = value ? "true" : "false";
+    }
+
+    @property({ type: Boolean })
+    public get disabled() {
+        return this.internals.ariaDisabled === "true";
+    }
+
+    public set disabled(value: boolean) {
+        this.internals.ariaDisabled = value ? "true" : "false";
+    }
+
+    //#endregion
+
+    //#region Aliased Properties
+
+    public get form(): HTMLFormElement | null {
+        return this.internals.form;
+    }
+
+    public get name() {
+        return this.getAttribute("name");
+    }
+
+    public get type() {
+        return this.localName;
+    }
+
+    public get validity() {
+        return this.internals.validity;
+    }
+
+    public get validationMessage() {
+        return this.internals.validationMessage;
+    }
+
+    public get willValidate() {
+        return this.internals.willValidate;
+    }
+
+    public get labels() {
+        return this.internals.labels;
+    }
+
+    //#endregion
+
+    //#region Values
+
+    /**
+     * A reference to an element that is focusable when validation fails.
+     */
+    protected anchorRef: Ref<HTMLElement>;
+
+    /**
+     * The element that is focusable when validation fails.
+     */
+    declare protected anchor: HTMLElement | null;
+
+    /**
+     * Set the value of the form.
+     *
+     * @param value The value visible to the form during submission.
+     * @param state The value as provided by the user.
+     */
+    protected setFormValue(value: V, state?: S) {
+        this.internals.setFormValue(value, state);
+
+        if (this.required) {
+            if (value) {
+                this.internals.setValidity({});
+            } else {
+                this.internals.setValidity(
+                    {
+                        valueMissing: true,
+                    },
+                    msg("This field is required."),
+                    this.anchorRef.value,
+                );
+            }
+        }
+    }
+
+    public abstract toJSON(): T;
+
+    //#endregion
+
+    //#region Validation
+
+    public checkValidity = this.internals.checkValidity.bind(this.internals);
+    public reportValidity = this.internals.reportValidity.bind(this.internals);
+
+    //#endregion
+
+    /**
+     * Set the validity state of the form.
+     *
+     * @param flags The validity state flags.
+     * @param message The validation message.
+     * @param element The element to set the validity state on.
+     */
+    protected setValidity(flags: ValidityStateFlags = {}, message?: string, element?: HTMLElement) {
+        this.internals.setValidity(flags, message, element ?? this.anchorRef.value);
+    }
+
+    //#endregion
+
+    public constructor() {
+        super();
+        this.anchorRef = createRef<HTMLElement>();
+
+        // We define the getter here to allow the base type to be extended,
+        // letting the subclasses define a more accurate HTMLElement type.
+        Object.defineProperty(this, "anchor", {
+            get() {
+                return this.anchorRef.value || null;
+            },
+            enumerable: true,
+            configurable: true,
+        });
+    }
+}

web/src/elements/forms/types.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @file Type definitions for form-associated elements.
+ *
+ * While these types are part of the HTML standard, they're not yet defined
+ * in the TypeScript standard library, so we define them here.
+ *
+ * @expires 2026-01-01
+ */
+
+/**
+ * Callbacks for form-associated elements.
+ */
+interface HTMLElement {
+    /**
+     * A callback invoked when the browser autofilling sets a value.
+     */
+    formStateRestoreCallback?(state: FormValue, mode: "autocomplete"): void;
+    /**
+     * A callback invoked when the browser restores a value from a previous session.
+     */
+    formStateRestoreCallback?(state: FormValue, mode: "restore"): void;
+    /**
+     * A callback invoked when the browser restores a value from a previous session.
+     */
+    formStateRestoreCallback?(state: FormValue, mode: "restore" | "autocomplete"): void;
+
+    /**
+     * A callback that is invoked when the form is reset.
+     */
+    formResetCallback?(): void;
+
+    /**
+     * A callback that is invoked when the element's disabled state changes.
+     */
+    formDisabledCallback?(disabled: boolean): void;
+
+    /**
+     * A callback that is invoked when the element is associated with a form.
+     */
+    formAssociatedCallback?(form: HTMLFormElement): void;
+}

web/src/elements/table/Table.ts

@@ -124,8 +124,8 @@ export abstract class Table<T extends object>
     @property({ type: String })
     public order?: string;
 
-    @property({ type: String })
-    public search: string = "";
+    @property({ type: String, attribute: false })
+    public search?: string;
 
     @property({ type: Boolean })
     public checkbox = false;
@@ -547,11 +547,11 @@ export abstract class Table<T extends object>
         return html`<div class="pf-c-toolbar__group pf-m-search-filter ${isQL ? "ql" : ""}">
             <ak-table-search
                 class="pf-c-toolbar__item pf-m-search-filter ${isQL ? "ql" : ""}"
-                value=${ifDefined(this.search)}
+                .defaultValue=${this.search}
                 label=${ifDefined(this.searchLabel)}
                 placeholder=${ifDefined(this.searchPlaceholder)}
                 .onSearch=${this.#searchListener}
-                ?supportsQL=${this.supportsQL}
+                .supportsQL=${this.supportsQL}
                 .apiResponse=${this.data}
             >
             </ak-table-search>

web/src/elements/table/TableSearch.ts

@@ -8,6 +8,7 @@ import { msg } from "@lit/localize";
 import { css, CSSResult, html, TemplateResult } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
+import { createRef, ref } from "lit/directives/ref.js";
 
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
@@ -16,17 +17,23 @@ import PFToolbar from "@patternfly/patternfly/components/Toolbar/toolbar.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 @customElement("ak-table-search")
-export class TableSearch extends WithLicenseSummary(AKElement) {
-    @property()
-    public value?: string;
+export class TableSearchForm extends WithLicenseSummary(AKElement) {
+    @property({ type: String, reflect: false })
+    public defaultValue?: string;
 
-    @property({ type: Boolean })
+    @property({ type: String })
+    public label = msg("Table Search");
+
+    @property({ type: String })
+    public placeholder = msg("Search...");
+
+    @property({ attribute: false })
     public supportsQL: boolean = false;
 
     @property({ attribute: false })
     public apiResponse?: PaginatedResponse<unknown>;
 
-    @property()
+    @property({ attribute: false })
     public onSearch?: (value: string) => void;
 
     static styles: CSSResult[] = [
@@ -45,25 +52,26 @@ export class TableSearch extends WithLicenseSummary(AKElement) {
         `,
     ];
 
-    public reset = () => {
-        if (!this.onSearch) return;
-        this.value = "";
-        this.onSearch("");
+    #formRef = createRef<HTMLFormElement>();
+
+    public reset = (): void => {
+        this.#formRef.value?.reset();
+
+        this.onSearch?.("");
     };
 
     #submitListener = (event: SubmitEvent) => {
         event.preventDefault();
 
-        if (!this.onSearch) return;
+        const form = this.#formRef.value;
+
+        if (!form || !this.onSearch) return;
+
+        form.reportValidity();
 
-        const form = event.target as HTMLFormElement;
         const data = new FormData(form);
 
-        const value = data.get("search")?.toString().trim();
-
-        if (!value) {
-            return;
-        }
+        const value = data.get("search")?.toString() ?? "";
 
         this.onSearch(value);
     };
@@ -71,27 +79,31 @@ export class TableSearch extends WithLicenseSummary(AKElement) {
     renderInput(): TemplateResult {
         if (this.supportsQL && this.hasEnterpriseLicense) {
             return html`<ak-search-ql
-                .apiResponse=${this.apiResponse}
-                .value=${this.value}
-                .onSearch=${(value: string) => {
-                    if (!this.onSearch) return;
-                    this.onSearch(value);
-                }}
+                aria-label=${ifDefined(this.label)}
                 name="search"
+                required
+                placeholder=${ifDefined(this.placeholder)}
+                value=${ifDefined(this.defaultValue)}
+                .apiResponse=${this.apiResponse}
             ></ak-search-ql>`;
         }
 
         return html`<input
-            class="pf-c-form-control"
+            aria-label=${ifDefined(this.label)}
             name="search"
-            type="search"
-            placeholder=${msg("Search...")}
-            value="${ifDefined(this.value)}"
+            required
+            placeholder=${ifDefined(this.placeholder)}
+            value=${ifDefined(this.defaultValue)}
+            class="pf-c-form-control"
         />`;
     }
 
     render(): TemplateResult {
-        return html`<form class="pf-c-input-group" method="get" @submit=${this.#submitListener}>
+        return html`<form
+            ${ref(this.#formRef)}
+            class="pf-c-input-group"
+            @submit=${this.#submitListener}
+        >
             ${this.renderInput()}
             <button
                 aria-label=${msg("Clear search")}
@@ -110,6 +122,6 @@ export class TableSearch extends WithLicenseSummary(AKElement) {
 
 declare global {
     interface HTMLElementTagNameMap {
-        "ak-table-search": TableSearch;
+        "ak-table-search": TableSearchForm;
     }
 }

web/src/flow/FormStatic.ts

@@ -3,7 +3,6 @@ import { AKElement } from "#elements/Base";
 import { msg } from "@lit/localize";
 import { css, CSSResult, html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
 import PFAvatar from "@patternfly/patternfly/components/Avatar/avatar.css";
 
@@ -18,24 +17,44 @@ export class FormStatic extends AKElement {
     static styles: CSSResult[] = [
         PFAvatar,
         css`
-            /* Form with user */
             .form-control-static {
-                margin-top: var(--pf-global--spacer--sm);
+                margin-block-start: var(--pf-global--spacer--sm);
                 display: flex;
                 align-items: center;
                 justify-content: space-between;
-            }
-            .form-control-static .avatar {
-                display: flex;
-                align-items: center;
-            }
-            .form-control-static img {
-                margin-right: var(--pf-global--spacer--xs);
-            }
-            .form-control-static a {
-                padding-top: var(--pf-global--spacer--xs);
-                padding-bottom: var(--pf-global--spacer--xs);
-                line-height: var(--pf-global--spacer--xl);
+                gap: var(--pf-global--spacer--sm);
+
+                .pf-c-avatar {
+                    flex: 0 0 auto;
+                }
+
+                .primary-content {
+                    display: flex;
+                    align-items: center;
+                    flex: 1 1 auto;
+                    gap: 1rem;
+                }
+
+                .username {
+                    flex: 1 1 auto;
+                    text-align: left;
+                    max-width: 20rem;
+                    text-overflow: ellipsis;
+                    overflow-wrap: break-word;
+
+                    display: box;
+                    display: -webkit-box;
+                    line-clamp: 3;
+                    -webkit-line-clamp: 3;
+                    box-orient: vertical;
+                    -webkit-box-orient: vertical;
+                    overflow: hidden;
+                }
+
+                .links {
+                    flex: 0 0 auto;
+                    text-align: right;
+                }
             }
         `,
     ];
@@ -44,17 +63,22 @@ export class FormStatic extends AKElement {
         if (!this.user) {
             return nothing;
         }
+
         return html`
             <div class="form-control-static">
-                <div class="avatar">
-                    <img
-                        class="pf-c-avatar"
-                        src="${ifDefined(this.userAvatar)}"
-                        alt="${msg("User's avatar")}"
-                    />
-                    ${this.user}
+                <div class="primary-content">
+                    ${this.userAvatar
+                        ? html`<img
+                              class="pf-c-avatar"
+                              src=${this.userAvatar}
+                              alt=${msg("User's avatar")}
+                          />`
+                        : nothing}
+                    <div class="username" aria-label=${msg("Username")}>${this.user}</div>
+                </div>
+                <div class="links">
+                    <slot name="link"></slot>
                 </div>
-                <slot name="link"></slot>
             </div>
         `;
     }

web/src/flow/components/ak-flow-card.ts

@@ -33,13 +33,10 @@ export class FlowCard extends AKElement {
         PFLogin,
         PFTitle,
         css`
-            slot[name="footer"],
-            slot[name="footer-band"] {
-                display: flex;
-                flex-wrap: wrap;
-                justify-content: center;
-                flex-basis: 100%;
+            .pf-c-login__main-footer {
+                display: block;
             }
+
             slot[name="footer-band"] {
                 text-align: center;
                 background-color: var(--pf-c-login__main-footer-band--BackgroundColor);

web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts

@@ -24,6 +24,7 @@ export class AuthenticatorValidateStageWebCode extends BaseDeviceStage<
         css`
             .icon-description {
                 display: flex;
+                align-items: center;
             }
             .icon-description i {
                 font-size: 2em;

web/src/flow/stages/authenticator_validate/base.ts

@@ -34,7 +34,7 @@ export class BaseDeviceStage<
         css`
             .pf-c-form__group.pf-m-action {
                 display: flex;
-                gap: 16px;
+                gap: 1rem;
                 margin-top: 0;
                 margin-bottom: calc(var(--pf-c-form__group--m-action--MarginTop) / 2);
                 flex-direction: column;

web/src/flow/stages/captcha/CaptchaStage.ts

@@ -9,7 +9,7 @@ import { ListenerController } from "#elements/utils/listenerController";
 import { randomId } from "#elements/utils/randomId";
 
 import { BaseStage } from "#flow/stages/base";
-import { CaptchaHandler, iframeTemplate } from "#flow/stages/captcha/shared";
+import { CaptchaHandler, CaptchaProvider, iframeTemplate } from "#flow/stages/captcha/shared";
 
 import { CaptchaChallenge, CaptchaChallengeResponseRequest } from "@goauthentik/api";
 
@@ -109,7 +109,7 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
     //#region State
 
     @state()
-    protected activeHandler: CaptchaHandler | null = null;
+    protected activeHandler: CaptchaProvider | null = null;
 
     @state()
     protected error: string | null = null;
@@ -265,7 +265,12 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
 
     //#endregion
 
-    #handlers = new Map<string, CaptchaHandler>([
+    /**
+     * Mapping of captcha provider names to their respective JS API global.
+     *
+     * Note that this is a `Map` to ensure the preferred order of discovering provider globals.
+     */
+    #handlers = new Map<CaptchaProvider, CaptchaHandler>([
         [
             "grecaptcha",
             {
@@ -415,7 +420,7 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
 
     //#endregion
 
-    //#region Listeners
+    //#region Resizing
 
     #loadListener = () => {
         const iframe = this.#iframeRef.value;
@@ -423,17 +428,73 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
 
         if (!iframe || !contentDocument) return;
 
-        const resizeListener: ResizeObserverCallback = () => {
-            if (!this.#iframeRef) return;
+        let synchronizeHeight: () => void;
 
-            const target = contentDocument.getElementById("ak-container");
+        if (this.activeHandler === CaptchaProvider.reCAPTCHA) {
+            // reCAPTCHA's use of nested iframes prevents their internal resize observer from
+            // reporting the correct height back to our iframe, so we have to do it ourselves.
 
-            if (!target) return;
+            synchronizeHeight = () => {
+                if (!this.#iframeRef) return;
 
-            this.iframeHeight = Math.round(target.clientHeight);
-        };
+                const target = contentDocument.getElementById("ak-container");
 
-        const resizeObserver = new ResizeObserver(resizeListener);
+                if (!target) return;
+
+                const innerIFrame = contentDocument.querySelector<HTMLIFrameElement>(
+                    'iframe[style~="height:"]',
+                );
+
+                const innerBottom = innerIFrame?.getBoundingClientRect().bottom ?? 0;
+
+                const actualHeight = Math.max(innerBottom, target.clientHeight);
+
+                this.iframeHeight = Math.round(actualHeight * 1.1);
+
+                if (innerIFrame?.parentElement) {
+                    innerIFrame.parentElement.style.height = `${actualHeight}px`;
+                }
+            };
+
+            // We watch for any newly inserted iframes, as they may alter the height
+            // of the parent iframe...
+            const mutationObserver = new MutationObserver((mutations) => {
+                for (const mutation of mutations) {
+                    if (mutation.type !== "childList") continue;
+
+                    for (const node of mutation.addedNodes as NodeListOf<HTMLElement>) {
+                        if (node.tagName !== "IFRAME") continue;
+
+                        // And then resize the iframe to match the new size.
+                        //
+                        // This doesn't fix the issue entirely since the challenge frame
+                        // doesn't yet know the correct height, but at least the user can
+                        // try to load the challenge again with the correct height.
+
+                        resizeObserver.observe(node as HTMLIFrameElement);
+
+                        requestAnimationFrame(synchronizeHeight);
+                    }
+                }
+            });
+
+            mutationObserver.observe(contentDocument.body, {
+                childList: true,
+                subtree: true,
+            });
+        } else {
+            synchronizeHeight = () => {
+                if (!this.#iframeRef) return;
+
+                const target = contentDocument.getElementById("ak-container");
+
+                if (!target) return;
+
+                this.iframeHeight = Math.round(target.clientHeight);
+            };
+        }
+
+        const resizeObserver = new ResizeObserver(synchronizeHeight);
 
         requestAnimationFrame(() => {
             resizeObserver.observe(contentDocument.body);
@@ -442,22 +503,26 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         });
     };
 
+    //#endregion
+
+    //#region Loading
+
     #scriptLoadListener = async (): Promise<void> => {
         console.debug("authentik/stages/captcha: script loaded");
 
         this.error = null;
         this.#iframeLoaded = false;
 
-        for (const [name, handler] of this.#handlers) {
+        for (const name of this.#handlers.keys()) {
             if (!Object.hasOwn(window, name)) {
                 continue;
             }
 
             try {
-                await this.#run(handler);
+                await this.#run(name);
                 console.debug(`authentik/stages/captcha[${name}]: handler succeeded`);
 
-                this.activeHandler = handler;
+                this.activeHandler = name;
 
                 return;
             } catch (error) {
@@ -469,7 +534,9 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         }
     };
 
-    async #run(handler: CaptchaHandler) {
+    async #run(captchaProvider: CaptchaProvider) {
+        const handler = this.#handlers.get(captchaProvider)!;
+
         if (this.challenge.interactive) {
             const iframe = this.#iframeRef.value;
 
@@ -478,18 +545,44 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
                 return;
             }
 
+            const { contentDocument } = iframe;
+
+            if (!contentDocument) {
+                console.debug(
+                    `authentik/stages/captcha: No iframe content window found, skipping.`,
+                );
+
+                return;
+            }
+
             console.debug(`authentik/stages/captcha: Rendering interactive.`);
 
             const captchaElement = handler.interactive();
-            const template = iframeTemplate(captchaElement, this.challenge.jsUrl);
+            const template = iframeTemplate(captchaElement, {
+                challengeURL: this.challenge.jsUrl,
+                theme: this.activeTheme,
+            });
 
-            URL.revokeObjectURL(this.#iframeSource);
+            if (captchaProvider === CaptchaProvider.reCAPTCHA) {
+                // reCAPTCHA's domain verification can't seem to penetrate the true origin
+                // of the page when loaded from a blob URL, likely due to their double-nested
+                // iframe structure.
+                // We fallback to the deprecated `document.write` to get around this.
+                this.#iframeSource = "about:blank";
+                contentDocument.open();
+                contentDocument.write(template);
+                contentDocument.close();
 
-            const url = URL.createObjectURL(new Blob([template], { type: "text/html" }));
+                // this.#loadListener();
+            } else {
+                URL.revokeObjectURL(this.#iframeSource);
 
-            this.#iframeSource = url;
+                const url = URL.createObjectURL(new Blob([template], { type: "text/html" }));
 
-            iframe.src = url;
+                this.#iframeSource = url;
+
+                iframe.src = url;
+            }
 
             return;
         }

web/src/flow/stages/captcha/shared.ts

@@ -1,7 +1,20 @@
+import type { ResolvedUITheme } from "#common/theme";
+
 import { createDocumentTemplate } from "#elements/utils/iframe";
 
 import { html, TemplateResult } from "lit";
 
+/**
+ * Mapping of captcha provider names to their respective JS API global.
+ */
+export const CaptchaProvider = {
+    reCAPTCHA: "grecaptcha",
+    hCaptcha: "hcaptcha",
+    Turnstile: "turnstile",
+} as const satisfies Record<string, string>;
+
+export type CaptchaProvider = (typeof CaptchaProvider)[keyof typeof CaptchaProvider];
+
 export interface CaptchaHandler {
     interactive(): TemplateResult;
     execute(): Promise<void>;
@@ -9,6 +22,29 @@ export interface CaptchaHandler {
     refresh(): Promise<void>;
 }
 
+const ThemeColor = {
+    dark: "#18191a",
+    light: "#ffffff",
+} as const satisfies Record<ResolvedUITheme, string>;
+
+export function themeMeta(theme: ResolvedUITheme) {
+    switch (theme) {
+        case "dark":
+            return html`
+                <meta name="color-scheme" content="dark" />
+                <meta name="theme-color" content=${ThemeColor.dark} />
+            `;
+        case "light":
+            return html` <meta name="color-scheme" content="light" />
+                <meta name="theme-color" content=${ThemeColor.light} />`;
+    }
+}
+
+export interface IFrameTemplateInit {
+    challengeURL: string;
+    theme: ResolvedUITheme;
+}
+
 /**
  * A container iframe for a hosted Captcha, with an event emitter to monitor
  * when the Captcha forces a resize.
@@ -17,10 +53,17 @@ export interface CaptchaHandler {
  * margin, adding 2rem of height to our container adds padding and prevents scrollbars
  * or hidden rendering.
  */
-export function iframeTemplate(children: TemplateResult, challengeURL: string): string {
+export function iframeTemplate(
+    children: TemplateResult,
+    { challengeURL, theme }: IFrameTemplateInit,
+) {
     return createDocumentTemplate({
-        head: html`<meta charset="UTF-8" />
+        head: html`
+            <meta charset="UTF-8" />
 
+            ${themeMeta(theme)}
+        `,
+        body: html`
             <script>
                 "use strict";
 
@@ -43,6 +86,11 @@ export function iframeTemplate(children: TemplateResult, challengeURL: string):
             </script>
 
             <style>
+                html,
+                body {
+                    background: ${ThemeColor[theme]};
+                }
+
                 body {
                     margin: 0;
                     padding: 0;
@@ -58,8 +106,9 @@ export function iframeTemplate(children: TemplateResult, challengeURL: string):
                     align-items: center;
                     justify-content: center;
                 }
-            </style>`,
-        body: html`${children}
-            <script onload="loadListener()" src="${challengeURL}"></script> `,
+            </style>
+            ${children}
+            <script onload="loadListener()" src="${challengeURL}"></script>
+        `,
     });
 }