release: 2021.4.5

lib: don't send 404 errors to sentry
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2026-05-12 18:06:21 +02:00 · 2021-04-29 23:03:09 +02:00 · 2021-04-29 15:27:41 +02:00 · 2021-04-29 15:18:28 +02:00 · 2021-04-28 22:43:40 +02:00 · 2021-04-28 22:43:40 +02:00
124 changed files with 1218 additions and 856 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.4.3
+current_version = 2021.4.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/authentik:2021.4.3
+          -t beryju/authentik:2021.4.5
          -t beryju/authentik:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:2021.4.3
+        run: docker push beryju/authentik:2021.4.5
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik:latest
  build-proxy:
@@ -48,11 +48,11 @@ jobs:
          cd outpost/
          docker build \
          --no-cache \
-          -t beryju/authentik-proxy:2021.4.3 \
+          -t beryju/authentik-proxy:2021.4.5 \
          -t beryju/authentik-proxy:latest \
          -f proxy.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:2021.4.3
+        run: docker push beryju/authentik-proxy:2021.4.5
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-proxy:latest
  build-static:
@@ -72,11 +72,11 @@ jobs:
          cd web/
          docker build \
          --no-cache \
-          -t beryju/authentik-static:2021.4.3 \
+          -t beryju/authentik-static:2021.4.5 \
          -t beryju/authentik-static:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:2021.4.3
+        run: docker push beryju/authentik-static:2021.4.5
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-static:latest
  test-release:
@@ -110,5 +110,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 2021.4.3
+          tagName: 2021.4.5
          environment: beryjuorg-prod
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -116,18 +116,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:1d26f6e7ae3c940cb07119077ac42485dcf99164350da0ab50d0f5ad345800cd",
-                "sha256:3bf3305571f3c8b738a53e9e7dcff59137dffe94670046c084a17f9fa4599ff3"
+                "sha256:1e55df93aa47a84e2a12a639c7f145e16e6e9ef959542d69d5526d50d2e92692",
+                "sha256:eab42daaaf68cdad5b112d31dcb0684162098f6558ba7b64156be44f993525fa"
            ],
            "index": "pypi",
-            "version": "==1.17.53"
+            "version": "==1.17.54"
        },
        "botocore": {
            "hashes": [
-                "sha256:d5e70d17b91c9b5867be7d6de0caa7dde9ed789bed62f03ea9b60718dc9350bf",
-                "sha256:e303500c4e80f6a706602da53daa6f751cfa8f491665c99a24ee732ab6321573"
+                "sha256:20a864fc6570ba11d52532c72c3ccabab5c71a9b4a9418601a313d56f1d2ce5b",
+                "sha256:37ec76ea2df8609540ba6cb0fe360ae1c589d2e1ee91eb642fd767823f3fcedd"
            ],
-            "version": "==1.20.53"
+            "version": "==1.20.54"
        },
        "cachetools": {
            "hashes": [
@@ -1106,10 +1106,10 @@
        },
        "s3transfer": {
            "hashes": [
-                "sha256:35627b86af8ff97e7ac27975fe0a98a312814b46c6333d8a6b889627bcd80994",
-                "sha256:efa5bd92a897b6a8d5c1383828dca3d52d0790e0756d49740563a3fb6ed03246"
+                "sha256:af1af6384bd7fb8208b06480f9be73d0295d965c4c073a5c95ea5b6661dccc18",
+                "sha256:f3dfd791cad2799403e3c8051810a7ca6ee1d2e630e5d2a8f9649d892bdb3db6"
            ],
-            "version": "==0.3.7"
+            "version": "==0.4.0"
        },
        "sentry-sdk": {
            "hashes": [
--- a/README.md
+++ b/README.md
@@ -5,12 +5,12 @@
 ---

 [![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=flat-square)](https://codecov.io/gh/goauthentik/authentik)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=flat-square)

 ## What is authentik?

@@ -31,7 +31,7 @@ Light | Dark

 ## Development

-See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
+See [Development Documentation](https://goauthentik.io/developer-docs/)

 ## Security

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.4.3"
+__version__ = "2021.4.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@@ -4,7 +4,7 @@ from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@@ -23,7 +23,9 @@ URL_FINDER = URLValidator.regex.pattern[1:]
 def update_latest_version(self: MonitoredTask):
    """Update latest version info"""
    try:
-        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
+        response = get(
+            "https://api.github.com/repos/goauthentik/authentik/releases/latest"
+        )
        response.raise_for_status()
        data = response.json()
        tag_name = data.get("tag_name")
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@@ -196,7 +196,8 @@ info = openapi.Info(
    default_version="v2beta",
    contact=openapi.Contact(email="hello@beryju.org"),
    license=openapi.License(
-        name="GNU GPLv3", url="https://github.com/BeryJu/authentik/blob/master/LICENSE"
+        name="GNU GPLv3",
+        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
    ),
 )
 SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -15,6 +15,8 @@
        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
+        {% block head_before %}
+        {% endblock %}
        <script src="{% static 'dist/poly.js' %}?v={{ ak_version }}" type="module"></script>
        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
        {% block head %}
--- a/authentik/core/templates/error/generic.html
+++ b/authentik/core/templates/error/generic.html
@@ -12,7 +12,7 @@
 {% endblock %}

 {% block body %}
-<section class="pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+<section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
    <div class="pf-c-empty-state">
        <div class="pf-c-empty-state__content">
            <i class="fas fa-exclamation-circle pf-c-empty-state__icon" aria-hidden="true"></i>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@@ -10,7 +10,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-admin>
-    <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@@ -3,6 +3,10 @@
 {% load static %}
 {% load i18n %}

+{% block head_before %}
+<script>ShadyDOM = { force: !navigator.webdriver };</script>
+{% endblock %}
+
 {% block head %}
 <script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
 {% endblock %}
@@ -10,7 +14,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor>
-    <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/flows/transfer/importer.py
+++ b/authentik/flows/transfer/importer.py
@@ -160,7 +160,7 @@ class FlowImporter:
            try:
                model: SerializerModel = apps.get_model(model_app_label, model_name)
            except LookupError:
-                self.logger.error(
+                self.logger.warning(
                    "app or model does not exist", app=model_app_label, model=model_name
                )
                return False
@@ -168,7 +168,7 @@ class FlowImporter:
            try:
                serializer = self._validate_single(entry)
            except EntryInvalidError as exc:
-                self.logger.error("entry not valid", entry=entry, error=exc)
+                self.logger.warning("entry not valid", entry=entry, error=exc)
                return False

            model = serializer.save()
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@@ -14,6 +14,7 @@ from drf_yasg import openapi
 from drf_yasg.utils import no_body, swagger_auto_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
+from sentry_sdk import capture_exception
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.models import USER_ATTRIBUTE_DEBUG
@@ -152,7 +153,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.get(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
+            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))

    @swagger_auto_schema(
@@ -180,7 +182,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.post(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
+            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))

    def _initiate_plan(self) -> FlowPlan:
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -5,21 +5,39 @@ from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import WorkerLostError
 from botocore.client import ClientError
 from celery.exceptions import CeleryError
+from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
-from django.core.exceptions import DisallowedHost, ValidationError
+from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import InternalError, OperationalError, ProgrammingError
+from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
+from sentry_sdk import Hub
+from sentry_sdk.tracing import Transaction
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException

+from authentik.lib.utils.reflection import class_to_path
+
 LOGGER = get_logger()


+class SentryWSMiddleware(BaseMiddleware):
+    """Sentry Websocket middleweare to set the transaction name based on
+    consumer class path"""
+
+    async def __call__(self, scope, receive, send):
+        transaction: Optional[Transaction] = Hub.current.scope.transaction
+        class_path = class_to_path(self.inner.consumer_class)
+        if transaction:
+            transaction.name = class_path
+        return await self.inner(scope, receive, send)
+
+
 class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""

@@ -36,7 +54,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        OperationalError,
        InternalError,
        ProgrammingError,
-        DisallowedHost,
+        SuspiciousOperation,
        ValidationError,
        # Redis errors
        RedisConnectionError,
@@ -61,6 +79,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        LDAPException,
        # Docker errors
        DockerException,
+        # End-user errors
+        Http404,
    )
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
--- a/authentik/outposts/apps.py
+++ b/authentik/outposts/apps.py
@@ -1,17 +1,8 @@
 """authentik outposts app config"""
 from importlib import import_module
-from os import R_OK, access
-from os.path import expanduser
-from pathlib import Path
-from socket import gethostname
-from urllib.parse import urlparse

-import yaml
 from django.apps import AppConfig
 from django.db import ProgrammingError
-from docker.constants import DEFAULT_UNIX_SOCKET
-from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
-from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger

 LOGGER = get_logger()
@@ -27,49 +18,8 @@ class AuthentikOutpostConfig(AppConfig):
    def ready(self):
        import_module("authentik.outposts.signals")
        try:
-            AuthentikOutpostConfig.init_local_connection()
+            from authentik.outposts.tasks import outpost_local_connection
+
+            outpost_local_connection.delay()
        except ProgrammingError:
            pass
-
-    @staticmethod
-    def init_local_connection():
-        """Check if local kubernetes or docker connections should be created"""
-        from authentik.outposts.models import (
-            DockerServiceConnection,
-            KubernetesServiceConnection,
-        )
-
-        # Explicitly check against token filename, as thats
-        # only present when the integration is enabled
-        if Path(SERVICE_TOKEN_FILENAME).exists():
-            LOGGER.debug("Detected in-cluster Kubernetes Config")
-            if not KubernetesServiceConnection.objects.filter(local=True).exists():
-                LOGGER.debug("Created Service Connection for in-cluster")
-                KubernetesServiceConnection.objects.create(
-                    name="Local Kubernetes Cluster", local=True, kubeconfig={}
-                )
-        # For development, check for the existence of a kubeconfig file
-        kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
-        if Path(kubeconfig_path).exists():
-            LOGGER.debug("Detected kubeconfig")
-            kubeconfig_local_name = f"k8s-{gethostname()}"
-            if not KubernetesServiceConnection.objects.filter(
-                name=kubeconfig_local_name
-            ).exists():
-                LOGGER.debug("Creating kubeconfig Service Connection")
-                with open(kubeconfig_path, "r") as _kubeconfig:
-                    KubernetesServiceConnection.objects.create(
-                        name=kubeconfig_local_name,
-                        kubeconfig=yaml.safe_load(_kubeconfig),
-                    )
-        unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
-        socket = Path(unix_socket_path)
-        if socket.exists() and access(socket, R_OK):
-            LOGGER.debug("Detected local docker socket")
-            if len(DockerServiceConnection.objects.filter(local=True)) == 0:
-                LOGGER.debug("Created Service Connection for docker")
-                DockerServiceConnection.objects.create(
-                    name="Local Docker connection",
-                    local=True,
-                    url=unix_socket_path,
-                )
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@@ -134,7 +134,8 @@ class DockerController(BaseController):
    def down(self):
        try:
            container, _ = self._get_container()
-            container.kill()
+            if container.status == "running":
+                container.kill()
            container.remove()
        except DockerException as exc:
            raise ControllerException from exc
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -201,7 +201,7 @@ class DockerServiceConnection(OutpostServiceConnection):
                )
            client.containers.list()
        except DockerException as exc:
-            LOGGER.error(exc)
+            LOGGER.warning(exc)
            raise ServiceConnectionInvalid from exc
        return client

--- a/authentik/outposts/settings.py
+++ b/authentik/outposts/settings.py
@@ -9,7 +9,7 @@ CELERY_BEAT_SCHEDULE = {
    },
    "outposts_service_connection_check": {
        "task": "authentik.outposts.tasks.outpost_service_connection_monitor",
-        "schedule": crontab(minute=0, hour="*"),
+        "schedule": crontab(minute="*/60"),
        "options": {"queue": "authentik_scheduled"},
    },
    "outpost_token_ensurer": {
@@ -17,4 +17,9 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute="*/5"),
        "options": {"queue": "authentik_scheduled"},
    },
+    "outpost_local_connection": {
+        "task": "authentik.outposts.tasks.outpost_local_connection",
+        "schedule": crontab(minute="*/60"),
+        "options": {"queue": "authentik_scheduled"},
+    },
 }
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@@ -1,11 +1,20 @@
 """outpost tasks"""
+from os import R_OK, access
+from os.path import expanduser
+from pathlib import Path
+from socket import gethostname
 from typing import Any
+from urllib.parse import urlparse

+import yaml
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.db.models.base import Model
 from django.utils.text import slugify
+from docker.constants import DEFAULT_UNIX_SOCKET
+from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
+from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger

 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
@@ -185,3 +194,42 @@ def _outpost_single_update(outpost: Outpost, layer=None):
    for state in OutpostState.for_outpost(outpost):
        LOGGER.debug("sending update", channel=state.uid, outpost=outpost)
        async_to_sync(layer.send)(state.uid, {"type": "event.update"})
+
+
+@CELERY_APP.task()
+def outpost_local_connection():
+    """Checks the local environment and create Service connections."""
+    # Explicitly check against token filename, as thats
+    # only present when the integration is enabled
+    if Path(SERVICE_TOKEN_FILENAME).exists():
+        LOGGER.debug("Detected in-cluster Kubernetes Config")
+        if not KubernetesServiceConnection.objects.filter(local=True).exists():
+            LOGGER.debug("Created Service Connection for in-cluster")
+            KubernetesServiceConnection.objects.create(
+                name="Local Kubernetes Cluster", local=True, kubeconfig={}
+            )
+    # For development, check for the existence of a kubeconfig file
+    kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
+    if Path(kubeconfig_path).exists():
+        LOGGER.debug("Detected kubeconfig")
+        kubeconfig_local_name = f"k8s-{gethostname()}"
+        if not KubernetesServiceConnection.objects.filter(
+            name=kubeconfig_local_name
+        ).exists():
+            LOGGER.debug("Creating kubeconfig Service Connection")
+            with open(kubeconfig_path, "r") as _kubeconfig:
+                KubernetesServiceConnection.objects.create(
+                    name=kubeconfig_local_name,
+                    kubeconfig=yaml.safe_load(_kubeconfig),
+                )
+    unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
+    socket = Path(unix_socket_path)
+    if socket.exists() and access(socket, R_OK):
+        LOGGER.debug("Detected local docker socket")
+        if len(DockerServiceConnection.objects.filter(local=True)) == 0:
+            LOGGER.debug("Created Service Connection for docker")
+            DockerServiceConnection.objects.create(
+                name="Local Docker connection",
+                local=True,
+                url=unix_socket_path,
+            )
--- a/authentik/providers/oauth2/tests/test_views_authorize.py
+++ b/authentik/providers/oauth2/tests/test_views_authorize.py
@@ -166,7 +166,7 @@ class TestViewsAuthorize(TestCase):
            name="test",
            client_id="test",
            authorization_flow=flow,
-            redirect_uris="http://localhost",
+            redirect_uris="foo://localhost",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
        state = generate_client_id()
@@ -179,7 +179,7 @@ class TestViewsAuthorize(TestCase):
                "response_type": "code",
                "client_id": "test",
                "state": state,
-                "redirect_uri": "http://localhost",
+                "redirect_uri": "foo://localhost",
            },
        )
        response = self.client.get(
@@ -190,7 +190,7 @@ class TestViewsAuthorize(TestCase):
            force_str(response.content),
            {
                "type": ChallengeTypes.REDIRECT.value,
-                "to": f"http://localhost?code={code.code}&state={state}",
+                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )

--- a/authentik/providers/oauth2/tests/test_views_token.py
+++ b/authentik/providers/oauth2/tests/test_views_token.py
@@ -153,10 +153,61 @@ class TestViewsToken(TestCase):
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
+            HTTP_ORIGIN="http://local.invalid",
        )
        new_token: RefreshToken = (
            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
        )
+        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
+        self.assertEqual(
+            response["Access-Control-Allow-Origin"], "http://local.invalid"
+        )
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "access_token": new_token.access_token,
+                "refresh_token": new_token.refresh_token,
+                "token_type": "bearer",
+                "expires_in": 600,
+                "id_token": provider.encode(
+                    new_token.id_token.to_dict(),
+                ),
+            },
+        )
+
+    def test_refresh_token_view_invalid_origin(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        token: RefreshToken = RefreshToken.objects.create(
+            provider=provider,
+            user=user,
+            refresh_token=generate_client_id(),
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                "refresh_token": token.refresh_token,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+            HTTP_ORIGIN="http://another.invalid",
+        )
+        new_token: RefreshToken = (
+            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
+        )
+        self.assertNotIn("Access-Control-Allow-Credentials", response)
+        self.assertNotIn("Access-Control-Allow-Origin", response)
        self.assertJSONEqual(
            force_str(response.content),
            {
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@@ -2,10 +2,11 @@
 import re
 from base64 import b64decode
 from binascii import Error
-from typing import Optional
+from typing import Any, Optional
 from urllib.parse import urlparse

 from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger

@@ -26,8 +27,8 @@ class TokenResponse(JsonResponse):
        self["Pragma"] = "no-cache"


-def cors_allow_any(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
-    """Add headers to permit CORS requests from any origin, with or without credentials,
+def cors_allow(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
+    """Add headers to permit CORS requests from allowed_origins, with or without credentials,
    with any headers."""
    origin = request.META.get("HTTP_ORIGIN")
    if not origin:
@@ -161,3 +162,18 @@ def protected_resource_view(scopes: list[str]):
        return view_wrapper

    return wrapper
+
+
+class HttpResponseRedirectScheme(HttpResponseRedirect):
+    """HTTP Response to redirect, can be to a non-http scheme"""
+
+    def __init__(
+        self,
+        redirect_to: str,
+        *args: Any,
+        allowed_schemes: Optional[list[str]] = None,
+        **kwargs: Any,
+    ) -> None:
+        self.allowed_schemes = allowed_schemes or ["http", "https", "ftp"]
+        # pyright: reportGeneralTypeIssues=false
+        super().__init__(redirect_to, *args, **kwargs)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -2,12 +2,12 @@
 from dataclasses import dataclass, field
 from datetime import timedelta
 from typing import Optional
-from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
+from urllib.parse import parse_qs, urlencode, urlparse, urlsplit, urlunsplit
 from uuid import uuid4

 from django.http import HttpRequest, HttpResponse
 from django.http.response import Http404, HttpResponseBadRequest, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
+from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
@@ -46,6 +46,7 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    ResponseTypes,
 )
+from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 from authentik.providers.oauth2.views.userinfo import UserInfoView
 from authentik.stages.consent.models import ConsentMode, ConsentStage
 from authentik.stages.consent.stage import (
@@ -233,6 +234,11 @@ class OAuthFulfillmentStage(StageView):
    params: OAuthAuthorizationParams
    provider: OAuth2Provider

+    def redirect(self, uri: str) -> HttpResponse:
+        """Redirect using HttpResponseRedirectScheme, compatible with non-http schemes"""
+        parsed = urlparse(uri)
+        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])
+
    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """final Stage of an OAuth2 Flow"""
@@ -261,7 +267,7 @@ class OAuthFulfillmentStage(StageView):
                flow=self.executor.plan.flow_pk,
                scopes=", ".join(self.params.scope),
            ).from_http(self.request)
-            return redirect(self.create_response_uri())
+            return self.redirect(self.create_response_uri())
        except (ClientIdError, RedirectUriError) as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
@@ -270,7 +276,7 @@ class OAuthFulfillmentStage(StageView):
        except AuthorizeError as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
-            return redirect(error.create_uri())
+            return self.redirect(error.create_uri())

    def create_response_uri(self) -> str:
        """Create a final Response URI the user is redirected to."""
@@ -304,7 +310,7 @@ class OAuthFulfillmentStage(StageView):
                return urlunsplit(uri)
            raise OAuth2Error()
        except OAuth2Error as error:
-            LOGGER.exception("Error when trying to create response uri", error=error)
+            LOGGER.warning("Error when trying to create response uri", error=error)
            raise AuthorizeError(
                self.params.redirect_uri,
                "server_error",
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@@ -19,7 +19,7 @@ from authentik.providers.oauth2.models import (
    ResponseTypes,
    ScopeMapping,
 )
-from authentik.providers.oauth2.utils import cors_allow_any
+from authentik.providers.oauth2.utils import cors_allow

 LOGGER = get_logger()

@@ -112,5 +112,5 @@ class ProviderInfoView(View):
            OAuth2Provider, pk=application.provider_id
        )
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow_any(request, response, *self.provider.redirect_uris.split("\n"))
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -19,7 +19,11 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RefreshToken,
 )
-from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
+from authentik.providers.oauth2.utils import (
+    TokenResponse,
+    cors_allow,
+    extract_client_auth,
+)

 LOGGER = get_logger()

@@ -154,7 +158,18 @@ class TokenParams:
 class TokenView(View):
    """Generate tokens for clients"""

-    params: TokenParams
+    params: Optional[TokenParams] = None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        allowed_origins = []
+        if self.params:
+            allowed_origins = self.params.provider.redirect_uris.split("\n")
+        cors_allow(self.request, response, *allowed_origins)
+        return response
+
+    def options(self, request: HttpRequest) -> HttpResponse:
+        return TokenResponse({})

    def post(self, request: HttpRequest) -> HttpResponse:
        """Generate tokens for clients"""
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@@ -14,7 +14,7 @@ from authentik.providers.oauth2.constants import (
    SCOPE_GITHUB_USER_READ,
 )
 from authentik.providers.oauth2.models import RefreshToken, ScopeMapping
-from authentik.providers.oauth2.utils import TokenResponse, cors_allow_any
+from authentik.providers.oauth2.utils import TokenResponse, cors_allow

 LOGGER = get_logger()

@@ -88,7 +88,7 @@ class UserInfoView(View):
        allowed_origins = []
        if self.token:
            allowed_origins = self.token.provider.redirect_uris.split("\n")
-        cors_allow_any(self.request, response, *allowed_origins)
+        cors_allow(self.request, response, *allowed_origins)
        return response

    def options(self, request: HttpRequest) -> HttpResponse:
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -337,7 +337,7 @@ if CONFIG.y("postgresql.s3_backup"):

 # Sentry integration
 _ERROR_REPORTING = CONFIG.y_bool("error_reporting.enabled", False)
-if not DEBUG and _ERROR_REPORTING:
+if _ERROR_REPORTING:
    # pylint: disable=abstract-class-instantiated
    sentry_init(
        dsn="https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
--- a/authentik/root/websocket.py
+++ b/authentik/root/websocket.py
@@ -2,10 +2,13 @@
 from channels.auth import AuthMiddlewareStack
 from django.urls import path

+from authentik.lib.sentry import SentryWSMiddleware
 from authentik.outposts.channels import OutpostConsumer
 from authentik.root.messages.consumer import MessageConsumer

 websocket_urlpatterns = [
-    path("ws/outpost/<uuid:pk>/", OutpostConsumer.as_asgi()),
-    path("ws/client/", AuthMiddlewareStack(MessageConsumer.as_asgi())),
+    path("ws/outpost/<uuid:pk>/", SentryWSMiddleware(OutpostConsumer.as_asgi())),
+    path(
+        "ws/client/", AuthMiddlewareStack(SentryWSMiddleware(MessageConsumer.as_asgi()))
+    ),
 ]
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@@ -8,7 +8,7 @@ AUTHENTICATION_BACKENDS = [
 CELERY_BEAT_SCHEDULE = {
    "sources_ldap_sync": {
        "task": "authentik.sources.ldap.tasks.ldap_sync_all",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@@ -40,8 +40,11 @@ class BaseOAuthClient:

    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        "Fetch user profile information."
+        profile_url = self.source.type.profile_url or ""
+        if self.source.type.urls_customizable and self.source.profile_url:
+            profile_url = self.source.profile_url
        try:
-            response = self.do_request("get", self.source.profile_url, token=token)
+            response = self.do_request("get", profile_url, token=token)
            response.raise_for_status()
        except RequestException as exc:
            LOGGER.warning("Unable to fetch user profile", exc=exc)
@@ -60,16 +63,16 @@ class BaseOAuthClient:
        args.update(additional)
        params = urlencode(args)
        LOGGER.info("redirect args", **args)
-        base_url = self.source.type.authorization_url
-        if self.source.authorization_url:
-            base_url = self.source.authorization_url
-        if base_url == "":
+        authorization_url = self.source.type.authorization_url or ""
+        if self.source.type.urls_customizable and self.source.authorization_url:
+            authorization_url = self.source.authorization_url
+        if authorization_url == "":
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                source=self.source,
                message="Source has an empty authorization URL.",
            ).save()
-        return f"{base_url}?{params}"
+        return f"{authorization_url}?{params}"

    def parse_raw_token(self, raw_token: str) -> dict[str, Any]:
        "Parse token and secret from raw token response."
--- a/authentik/sources/oauth/clients/oauth1.py
+++ b/authentik/sources/oauth/clients/oauth1.py
@@ -28,8 +28,8 @@ class OAuthClient(BaseOAuthClient):
        if raw_token is not None and verifier is not None:
            token = self.parse_raw_token(raw_token)
            try:
-                access_token_url: str = self.source.type.access_token_url or ""
-                if self.source.access_token_url:
+                access_token_url = self.source.type.access_token_url or ""
+                if self.source.type.urls_customizable and self.source.access_token_url:
                    access_token_url = self.source.access_token_url
                response = self.do_request(
                    "post",
@@ -51,8 +51,8 @@ class OAuthClient(BaseOAuthClient):
        "Fetch the OAuth request token. Only required for OAuth 1.0."
        callback = self.request.build_absolute_uri(self.callback)
        try:
-            request_token_url: str = self.source.type.request_token_url or ""
-            if self.source.request_token_url:
+            request_token_url = self.source.type.request_token_url or ""
+            if self.source.type.urls_customizable and self.source.request_token_url:
                request_token_url = self.source.request_token_url
            response = self.do_request(
                "post",
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@@ -57,7 +57,7 @@ class OAuth2Client(BaseOAuthClient):
            return None
        try:
            access_token_url = self.source.type.access_token_url or ""
-            if self.source.access_token_url:
+            if self.source.type.urls_customizable and self.source.access_token_url:
                access_token_url = self.source.access_token_url
            response = self.session.request(
                "post",
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@@ -1,5 +1,5 @@
 """AzureAD OAuth2 Views"""
-from typing import Any
+from typing import Any, Optional
 from uuid import UUID

 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
@@ -10,8 +10,11 @@ from authentik.sources.oauth.views.callback import OAuthCallback
 class AzureADOAuthCallback(OAuthCallback):
    """AzureAD OAuth2 Callback"""

-    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> str:
-        return str(UUID(info.get("objectId")).int)
+    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> Optional[str]:
+        try:
+            return str(UUID(info.get("objectId")).int)
+        except TypeError:
+            return None

    def get_user_enroll_context(
        self,
--- a/authentik/sources/oauth/views/base.py
+++ b/authentik/sources/oauth/views/base.py
@@ -2,12 +2,15 @@
 from typing import Optional, Type

 from django.http.request import HttpRequest
+from structlog.stdlib import get_logger

 from authentik.sources.oauth.clients.base import BaseOAuthClient
 from authentik.sources.oauth.clients.oauth1 import OAuthClient
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.models import OAuthSource

+LOGGER = get_logger()
+

 # pylint: disable=too-few-public-methods
 class OAuthClientMixin:
@@ -22,6 +25,9 @@ class OAuthClientMixin:
        if self.client_class is not None:
            # pylint: disable=not-callable
            return self.client_class(source, self.request, **kwargs)
-        if source.request_token_url:
-            return OAuthClient(source, self.request, **kwargs)
-        return OAuth2Client(source, self.request, **kwargs)
+        if source.type.request_token_url or source.request_token_url:
+            client = OAuthClient(source, self.request, **kwargs)
+        else:
+            client = OAuth2Client(source, self.request, **kwargs)
+        LOGGER.debug("Using client for oauth request", client=client)
+        return client
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@@ -39,13 +39,13 @@ from authentik.sources.saml.processors.constants import (
 from authentik.sources.saml.processors.request import SESSION_REQUEST_ID
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from authentik.stages.user_login.stage import DEFAULT_BACKEND

 LOGGER = get_logger()
 if TYPE_CHECKING:
    from xml.etree.ElementTree import Element  # nosec

 CACHE_SEEN_REQUEST_ID = "authentik_saml_seen_ids_%s"
-DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"


 class ResponseProcessor:
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@@ -68,7 +68,7 @@ def send_mail(
                messages=["Successfully sent Mail."],
            )
        )
-    except (SMTPException, ConnectionError) as exc:
+    except (SMTPException, ConnectionError, ValueError) as exc:
        LOGGER.debug("Error sending email, retrying...", exc=exc)
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
        raise exc
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@@ -1,5 +1,6 @@
 """Identification stage logic"""
 from dataclasses import asdict
+from time import sleep
 from typing import Optional

 from django.db.models import Q
@@ -46,6 +47,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
        """Validate that user exists"""
        pre_user = self.stage.get_user(value)
        if not pre_user:
+            sleep(0.150)
            LOGGER.debug("invalid_login", identifier=value)
            raise ValidationError("Failed to authenticate.")
        self.pre_user = pre_user
@@ -68,7 +70,7 @@ class IdentificationStageView(ChallengeStageView):
            else:
                model_field += "__exact"
            query |= Q(**{model_field: uid_value})
-        users = User.objects.filter(query)
+        users = User.objects.filter(query, is_active=True)
        if users.exists():
            LOGGER.debug("Found user", user=users.first(), query=query)
            return users.first()
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@@ -1,8 +1,11 @@
 """invitation stage logic"""
+from typing import Optional
+
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404

 from authentik.flows.stage import StageView
+from authentik.flows.views import SESSION_KEY_GET
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@@ -14,16 +17,26 @@ INVITATION_IN_EFFECT = "invitation_in_effect"
 class InvitationStageView(StageView):
    """Finalise Authentication flow by logging the user in"""

+    def get_token(self) -> Optional[str]:
+        """Get token from saved get-arguments or prompt_data"""
+        if INVITATION_TOKEN_KEY in self.request.session.get(SESSION_KEY_GET, {}):
+            return self.request.session[SESSION_KEY_GET][INVITATION_TOKEN_KEY]
+        if INVITATION_TOKEN_KEY in self.executor.plan.context.get(
+            PLAN_CONTEXT_PROMPT, {}
+        ):
+            return self.executor.plan.context[PLAN_CONTEXT_PROMPT][INVITATION_TOKEN_KEY]
+        return None
+
    def get(self, request: HttpRequest) -> HttpResponse:
        """Apply data to the current flow based on a URL"""
        stage: InvitationStage = self.executor.current_stage
-        if INVITATION_TOKEN_KEY not in request.GET:
+        token = self.get_token()
+        if not token:
            # No Invitation was given, raise error or continue
            if stage.continue_flow_without_invitation:
                return self.executor.stage_ok()
            return self.executor.stage_invalid()

-        token = request.GET[INVITATION_TOKEN_KEY]
        invite: Invitation = get_object_or_404(Invitation, pk=token)
        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = invite.fixed_data
        self.executor.plan.context[INVITATION_IN_EFFECT] = True
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
+from django.utils.http import urlencode
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase

@@ -94,15 +95,11 @@ class TestUserLoginStage(TestCase):
        self.stage.continue_flow_without_invitation = False
        self.stage.save()

-    def test_with_invitation(self):
+    def test_with_invitation_get(self):
        """Test with invitation, check data in session"""
        plan = FlowPlan(
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[
-            PLAN_CONTEXT_AUTHENTICATION_BACKEND
-        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@@ -116,9 +113,39 @@ class TestUserLoginStage(TestCase):
            base_url = reverse(
                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
-            response = self.client.get(
-                base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
+            args = urlencode({INVITATION_TOKEN_KEY: invite.pk.hex})
+            response = self.client.get(base_url + f"?query={args}")
+
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], data)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+        )
+
+    def test_with_invitation_prompt_data(self):
+        """Test with invitation, check data in session"""
+        data = {"foo": "bar"}
+        invite = Invitation.objects.create(
+            created_by=get_anonymous_user(), fixed_data=data
+        )
+
+        plan = FlowPlan(
+            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
+        )
+        plan.context[PLAN_CONTEXT_PROMPT] = {INVITATION_TOKEN_KEY: invite.pk.hex}
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        with patch("authentik.flows.views.FlowExecutorView.cancel", MagicMock()):
+            base_url = reverse(
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
+            response = self.client.get(base_url)

        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -11,6 +11,7 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND

 LOGGER = get_logger()
+DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"


 class UserLoginStageView(StageView):
@@ -23,12 +24,9 @@ class UserLoginStageView(StageView):
            messages.error(request, message)
            LOGGER.debug(message)
            return self.executor.stage_invalid()
-        if PLAN_CONTEXT_AUTHENTICATION_BACKEND not in self.executor.plan.context:
-            message = _("Pending user has no backend.")
-            messages.error(request, message)
-            LOGGER.debug(message)
-            return self.executor.stage_invalid()
-        backend = self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND]
+        backend = self.executor.plan.context.get(
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND, DEFAULT_BACKEND
+        )
        login(
            self.request,
            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@@ -1,4 +1,5 @@
 """login tests"""
+from time import sleep
 from unittest.mock import patch

 from django.test import Client, TestCase
@@ -12,7 +13,6 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests.test_views import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views import SESSION_KEY_PLAN
-from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.user_login.models import UserLoginStage


@@ -38,9 +38,6 @@ class TestUserLoginStage(TestCase):
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[
-            PLAN_CONTEXT_AUTHENTICATION_BACKEND
-        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@@ -55,6 +52,31 @@ class TestUserLoginStage(TestCase):
            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
        )

+    def test_expiry(self):
+        """Test with expiry"""
+        self.stage.session_duration = "seconds=2"
+        self.stage.save()
+        plan = FlowPlan(
+            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
+        )
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+        )
+        self.assertNotEqual(list(self.client.session.keys()), [])
+        sleep(3)
+        self.client.session.clear_expired()
+        self.assertEqual(list(self.client.session.keys()), [])
+
    @patch(
        "authentik.flows.views.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
@@ -82,32 +104,3 @@ class TestUserLoginStage(TestCase):
                "type": ChallengeTypes.NATIVE.value,
            },
        )
-
-    @patch(
-        "authentik.flows.views.to_stage_response",
-        TO_STAGE_RESPONSE_MOCK,
-    )
-    def test_without_backend(self):
-        """Test a plan with pending user, without backend, resulting in a denied"""
-        plan = FlowPlan(
-            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
-        )
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
-            force_str(response.content),
-            {
-                "component": "ak-stage-access-denied",
-                "error_message": None,
-                "title": "",
-                "type": ChallengeTypes.NATIVE.value,
-            },
-        )
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -369,8 +369,6 @@ stages:
                coverage-unittest/unittest.xml
              mergeTestResults: true
          - task: CmdLine@2
-            env:
-              CODECOV_TOKEN: $(CODECOV_TOKEN)
            inputs:
              script: bash <(curl -s https://codecov.io/bash)
  - stage: Build
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ services:
    networks:
      - internal
  server:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.3}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.5}
    restart: unless-stopped
    command: server
    environment:
@@ -48,7 +48,7 @@ services:
    env_file:
      - .env
  worker:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.3}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.5}
    restart: unless-stopped
    command: worker
    networks:
@@ -68,7 +68,7 @@ services:
    env_file:
      - .env
  static:
-    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.3}
+    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.5}
    restart: unless-stopped
    networks:
      - internal
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -3,9 +3,9 @@ description: authentik is an open-source Identity Provider focused on flexibilit
 name: authentik
 home: https://goauthentik.io
 sources:
-  - https://github.com/BeryJu/authentik
-version: "2021.4.3"
-icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
+  - https://github.com/goauthentik/authentik
+version: "2021.4.5"
+icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg
 dependencies:
  - name: postgresql
    version: 9.4.1
--- a/helm/README.md
+++ b/helm/README.md
@@ -4,7 +4,7 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
-| image.tag                         | 2021.4.3                | Image tag |
+| image.tag                         | 2021.4.5                | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -5,7 +5,7 @@ image:
  name: beryju/authentik
  name_static: beryju/authentik-static
  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-  tag: 2021.4.3
+  tag: 2021.4.5
  pullPolicy: IfNotPresent

 serverReplicas: 1
--- a/outpost/README.md
+++ b/outpost/README.md
@@ -1,6 +1,6 @@
 # authentik outpost

-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=3)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=8)
 ![Docker pulls (proxy)](https://img.shields.io/docker/pulls/beryju/authentik-proxy.svg?style=flat-square)

 Reverse Proxy based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), completely managed and monitored by authentik.
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@@ -31,8 +31,7 @@ type APIController struct {

 	Server Outpost

-	lastBundleHash string
-	logger         *log.Entry
+	logger *log.Entry

 	reloadOffset time.Duration

@@ -71,18 +70,12 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		logger: log,

 		reloadOffset: time.Duration(rand.Intn(10)) * time.Second,
-
-		lastBundleHash: "",
 	}
 	ac.logger.Debugf("HA Reload offset: %s", ac.reloadOffset)
 	ac.initWS(akURL, outpost.Pk)
 	return ac
 }

-func (a *APIController) GetLastBundleHash() string {
-	return a.lastBundleHash
-}
-
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()
--- a/outpost/pkg/ak/api_update.go
+++ b/outpost/pkg/ak/api_update.go
@@ -1,10 +1,6 @@
 package ak

 import (
-	"crypto/sha512"
-	"encoding/hex"
-	"encoding/json"
-
 	"goauthentik.io/outpost/pkg/client/outposts"
 	"goauthentik.io/outpost/pkg/models"
 )
@@ -15,16 +11,5 @@ func (a *APIController) Update() ([]*models.ProxyOutpostConfig, error) {
 		a.logger.WithError(err).Error("Failed to fetch providers")
 		return nil, err
 	}
-	// Check provider hash to see if anything is changed
-	hasher := sha512.New()
-	out, err := json.Marshal(providers.Payload.Results)
-	if err != nil {
-		return nil, nil
-	}
-	hash := hex.EncodeToString(hasher.Sum(out))
-	if hash == a.lastBundleHash {
-		return nil, nil
-	}
-	a.lastBundleHash = hash
 	return providers.Payload.Results, nil
 }
--- a/outpost/pkg/ak/api_ws.go
+++ b/outpost/pkg/ak/api_ws.go
@@ -15,9 +15,9 @@ import (
 	"goauthentik.io/outpost/pkg"
 )

-func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
+func (ac *APIController) initWS(akURL url.URL, outpostUUID strfmt.UUID) {
 	pathTemplate := "%s://%s/ws/outpost/%s/"
-	scheme := strings.ReplaceAll(pbURL.Scheme, "http", "ws")
+	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")

 	authHeader := fmt.Sprintf("Bearer %s", ac.token)

@@ -37,7 +37,7 @@ func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
 			InsecureSkipVerify: strings.ToLower(value) == "true",
 		},
 	}
-	ws.Dial(fmt.Sprintf(pathTemplate, scheme, pbURL.Host, outpostUUID.String()), header)
+	ws.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, outpostUUID.String()), header)

 	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID.String()).Debug("connecting to authentik")

--- a/outpost/pkg/proxy/middleware.go
+++ b/outpost/pkg/proxy/middleware.go
@@ -107,7 +107,7 @@ func (h loggingHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	duration := float64(time.Since(t)) / float64(time.Millisecond)
 	h.logger.WithFields(log.Fields{
 		"host":              req.RemoteAddr,
-		"vhost":             req.Host,
+		"vhost":             getHost(req),
 		"request_protocol":  req.Proto,
 		"runtime":           fmt.Sprintf("%0.3f", duration),
 		"method":            req.Method,
--- a/outpost/pkg/proxy/oauth.go
+++ b/outpost/pkg/proxy/oauth.go
@@ -161,7 +161,7 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	redirectURI := p.GetRedirectURI(req.Host)
+	redirectURI := p.GetRedirectURI(getHost(req))
 	http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), http.StatusFound)
 }

@@ -184,7 +184,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 		return
 	}

-	session, err := p.redeemCode(req.Context(), req.Host, req.Form.Get("code"))
+	session, err := p.redeemCode(req.Context(), getHost(req), req.Form.Get("code"))
 	if err != nil {
 		p.logger.Errorf("Error redeeming code during OAuth2 callback: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", "Internal Error")
--- a/outpost/pkg/proxy/server.go
+++ b/outpost/pkg/proxy/server.go
@@ -42,7 +42,8 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(204)
 		return
 	}
-	handler, ok := s.Handlers[r.Host]
+	host := getHost(r)
+	handler, ok := s.Handlers[host]
 	if !ok {
 		// If we only have one handler, host name switching doesn't matter
 		if len(s.Handlers) == 1 {
@@ -56,7 +57,7 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		for k := range s.Handlers {
 			hostKeys = append(hostKeys, k)
 		}
-		s.logger.WithField("host", r.Host).WithField("known-hosts", strings.Join(hostKeys, ", ")).Debug("Host header does not match any we know of")
+		s.logger.WithField("host", host).WithField("known-hosts", strings.Join(hostKeys, ", ")).Debug("Host header does not match any we know of")
 		w.WriteHeader(404)
 		return
 	}
--- a/outpost/pkg/proxy/utils.go
+++ b/outpost/pkg/proxy/utils.go
@@ -0,0 +1,12 @@
+package proxy
+
+import "net/http"
+
+var xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host")
+
+func getHost(req *http.Request) string {
+	if req.Header.Get(xForwardedHost) != "" {
+		return req.Header.Get(xForwardedHost)
+	}
+	return req.Host
+}
--- a/outpost/pkg/version.go
+++ b/outpost/pkg/version.go
@@ -1,3 +1,3 @@
 package pkg

-const VERSION = "2021.4.3"
+const VERSION = "2021.4.5"
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -5,7 +5,7 @@ info:
    email: hello@beryju.org
  license:
    name: GNU GPLv3
-    url: https://github.com/BeryJu/authentik/blob/master/LICENSE
+    url: https://github.com/goauthentik/authentik/blob/master/LICENSE
  version: v2beta
 basePath: /api/v2beta
 consumes:
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@@ -13,13 +13,13 @@ from selenium.webdriver.common.by import By
 from authentik import __version__
 from authentik.core.models import Application
 from authentik.flows.models import Flow
-from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import (
    DockerServiceConnection,
    Outpost,
    OutpostConfig,
    OutpostType,
 )
+from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry

@@ -117,7 +117,7 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
    @object_manager
    def test_proxy_connectivity(self):
        """Test proxy connectivity over websocket"""
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        proxy: ProxyProvider = ProxyProvider.objects.create(
            name="proxy_provider",
            authorization_flow=Flow.objects.get(
--- a/tests/e2e/test_source_oauth.py
+++ b/tests/e2e/test_source_oauth.py
@@ -4,6 +4,7 @@ from sys import platform
 from time import sleep
 from typing import Any, Optional
 from unittest.case import skipUnless
+from unittest.mock import Mock, patch

 from django.test import override_settings
 from docker.models.containers import Container
@@ -22,12 +23,31 @@ from authentik.providers.oauth2.generators import (
    generate_client_secret,
 )
 from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.manager import SourceType
+from authentik.sources.oauth.types.twitter import TwitterOAuthCallback
 from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry

 CONFIG_PATH = "/tmp/dex.yml"  # nosec
 LOGGER = get_logger()


+class OAUth1Type(SourceType):
+    """Twitter Type definition"""
+
+    callback_view = TwitterOAuthCallback
+    name = "Twitter"
+    slug = "twitter"
+
+    request_token_url = "http://localhost:5000/oauth/request_token"  # nosec
+    access_token_url = "http://localhost:5000/oauth/access_token"  # nosec
+    authorization_url = "http://localhost:5000/oauth/authorize"
+    profile_url = "http://localhost:5000/api/me"
+    urls_customizable = False
+
+
+SOURCE_TYPE_MOCK = Mock(return_value=OAUth1Type())
+
+
@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestSourceOAuth2(SeleniumTestCase):
    """test OAuth Source flow"""
@@ -291,10 +311,6 @@ class TestSourceOAuth1(SeleniumTestCase):
            authentication_flow=authentication_flow,
            enrollment_flow=enrollment_flow,
            provider_type="twitter",
-            request_token_url="http://localhost:5000/oauth/request_token",
-            access_token_url="http://localhost:5000/oauth/access_token",
-            authorization_url="http://localhost:5000/oauth/authorize",
-            profile_url="http://localhost:5000/api/me",
            consumer_key=self.client_id,
            consumer_secret=self.client_secret,
        )
@@ -304,6 +320,10 @@ class TestSourceOAuth1(SeleniumTestCase):
    @apply_migration("authentik_flows", "0008_default_flows")
    @apply_migration("authentik_flows", "0009_source_flows")
    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
+    @patch(
+        "authentik.sources.oauth.types.manager.SourceTypeManager.find_type",
+        SOURCE_TYPE_MOCK,
+    )
    @object_manager
    def test_oauth_enroll(self):
        """test OAuth Source With With OIDC"""
--- a/tests/integration/test_outpost_docker.py
+++ b/tests/integration/test_outpost_docker.py
@@ -12,9 +12,9 @@ from docker.types.healthcheck import Healthcheck
 from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.controllers.docker import DockerController
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostType
+from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider


@@ -53,7 +53,7 @@ class OutpostDockerTests(TestCase):
        self.ssl_folder = mkdtemp()
        self.container = self._start_container(self.ssl_folder)
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_outpost_kubernetes.py
+++ b/tests/integration/test_outpost_kubernetes.py
@@ -3,11 +3,11 @@ from django.test import TestCase

 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
-from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.controllers.k8s.base import NeedsUpdate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
+from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider


@@ -17,7 +17,7 @@ class OutpostKubernetesTests(TestCase):
    def setUp(self):
        super().setUp()
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_proxy_docker.py
+++ b/tests/integration/test_proxy_docker.py
@@ -12,8 +12,8 @@ from docker.types.healthcheck import Healthcheck
 from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostType
+from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.controllers.docker import DockerController
 from authentik.providers.proxy.models import ProxyProvider

@@ -53,7 +53,7 @@ class TestProxyDocker(TestCase):
        self.ssl_folder = mkdtemp()
        self.container = self._start_container(self.ssl_folder)
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_proxy_kubernetes.py
+++ b/tests/integration/test_proxy_kubernetes.py
@@ -3,8 +3,8 @@ import yaml
 from django.test import TestCase

 from authentik.flows.models import Flow
-from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
+from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
 from authentik.providers.proxy.models import ProxyProvider

@@ -14,7 +14,7 @@ class TestProxyKubernetes(TestCase):

    def setUp(self):
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()

    def test_kubernetes_controller_static(self):
        """Test Kubernetes Controller"""
--- a/web/nginx.conf
+++ b/web/nginx.conf
@@ -81,7 +81,7 @@ http {
        location /static/ {
            expires 31d;
            add_header Cache-Control "public, no-transform";
-            add_header X-authentik-version "2021.4.3";
+            add_header X-authentik-version "2021.4.5";
            add_header Vary X-authentik-version;
        }

--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -26,19 +26,19 @@
            "integrity": "sha512-3eJJ841uKxeV8dcN/2yGEUy+RfgQspPEgQat85umsE1rotuquQ2AbIub4S6j7c50a2d+4myc+zSlnXeIHrOnhQ=="
        },
        "@babel/core": {
-            "version": "7.13.15",
-            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.13.15.tgz",
-            "integrity": "sha512-6GXmNYeNjS2Uz+uls5jalOemgIhnTMeaXo+yBUA72kC2uX/8VW6XyhVIo2L8/q0goKQA3EVKx0KOQpVKSeWadQ==",
+            "version": "7.13.16",
+            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.13.16.tgz",
+            "integrity": "sha512-sXHpixBiWWFti0AV2Zq7avpTasr6sIAu7Y396c608541qAU2ui4a193m0KSQmfPSKFZLnQ3cvlKDOm3XkuXm3Q==",
            "requires": {
                "@babel/code-frame": "^7.12.13",
-                "@babel/generator": "^7.13.9",
-                "@babel/helper-compilation-targets": "^7.13.13",
+                "@babel/generator": "^7.13.16",
+                "@babel/helper-compilation-targets": "^7.13.16",
                "@babel/helper-module-transforms": "^7.13.14",
-                "@babel/helpers": "^7.13.10",
-                "@babel/parser": "^7.13.15",
+                "@babel/helpers": "^7.13.16",
+                "@babel/parser": "^7.13.16",
                "@babel/template": "^7.12.13",
                "@babel/traverse": "^7.13.15",
-                "@babel/types": "^7.13.14",
+                "@babel/types": "^7.13.16",
                "convert-source-map": "^1.7.0",
                "debug": "^4.1.0",
                "gensync": "^1.0.0-beta.2",
@@ -55,6 +55,32 @@
                        "@babel/highlight": "^7.12.13"
                    }
                },
+                "@babel/compat-data": {
+                    "version": "7.13.15",
+                    "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.13.15.tgz",
+                    "integrity": "sha512-ltnibHKR1VnrU4ymHyQ/CXtNXI6yZC0oJThyW78Hft8XndANwi+9H+UIklBDraIjFEJzw8wmcM427oDd9KS5wA=="
+                },
+                "@babel/generator": {
+                    "version": "7.13.16",
+                    "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.13.16.tgz",
+                    "integrity": "sha512-grBBR75UnKOcUWMp8WoDxNsWCFl//XCK6HWTrBQKTr5SV9f5g0pNOjdyzi/DTBv12S9GnYPInIXQBTky7OXEMg==",
+                    "requires": {
+                        "@babel/types": "^7.13.16",
+                        "jsesc": "^2.5.1",
+                        "source-map": "^0.5.0"
+                    }
+                },
+                "@babel/helper-compilation-targets": {
+                    "version": "7.13.16",
+                    "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.13.16.tgz",
+                    "integrity": "sha512-3gmkYIrpqsLlieFwjkGgLaSHmhnvlAYzZLlYVjlW+QwI+1zE17kGxuJGmIqDQdYp56XdmGeD+Bswx0UTyG18xA==",
+                    "requires": {
+                        "@babel/compat-data": "^7.13.15",
+                        "@babel/helper-validator-option": "^7.12.17",
+                        "browserslist": "^4.14.5",
+                        "semver": "^6.3.0"
+                    }
+                },
                "@babel/helper-validator-identifier": {
                    "version": "7.12.11",
                    "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.12.11.tgz",
@@ -71,25 +97,34 @@
                    }
                },
                "@babel/parser": {
-                    "version": "7.13.15",
-                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.15.tgz",
-                    "integrity": "sha512-b9COtcAlVEQljy/9fbcMHpG+UIW9ReF+gpaxDHTlZd0c6/UU9ng8zdySAW9sRTzpvcdCHn6bUcbuYUgGzLAWVQ=="
+                    "version": "7.13.16",
+                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.16.tgz",
+                    "integrity": "sha512-6bAg36mCwuqLO0hbR+z7PHuqWiCeP7Dzg73OpQwsAB1Eb8HnGEz5xYBzCfbu+YjoaJsJs+qheDxVAuqbt3ILEw=="
                },
                "@babel/traverse": {
-                    "version": "7.13.15",
-                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.15.tgz",
-                    "integrity": "sha512-/mpZMNvj6bce59Qzl09fHEs8Bt8NnpEDQYleHUPZQ3wXUMvXi+HJPLars68oAbmp839fGoOkv2pSL2z9ajCIaQ==",
+                    "version": "7.13.17",
+                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.17.tgz",
+                    "integrity": "sha512-BMnZn0R+X6ayqm3C3To7o1j7Q020gWdqdyP50KEoVqaCO2c/Im7sYZSmVgvefp8TTMQ+9CtwuBp0Z1CZ8V3Pvg==",
                    "requires": {
                        "@babel/code-frame": "^7.12.13",
-                        "@babel/generator": "^7.13.9",
+                        "@babel/generator": "^7.13.16",
                        "@babel/helper-function-name": "^7.12.13",
                        "@babel/helper-split-export-declaration": "^7.12.13",
-                        "@babel/parser": "^7.13.15",
-                        "@babel/types": "^7.13.14",
+                        "@babel/parser": "^7.13.16",
+                        "@babel/types": "^7.13.17",
                        "debug": "^4.1.0",
                        "globals": "^11.1.0"
                    }
                },
+                "@babel/types": {
+                    "version": "7.13.17",
+                    "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.13.17.tgz",
+                    "integrity": "sha512-RawydLgxbOPDlTLJNtoIypwdmAy//uQIzlKt2+iBiJaRlVuI6QLUxVAyWGNfOzp8Yu4L4lLIacoCyTNtpb4wiA==",
+                    "requires": {
+                        "@babel/helper-validator-identifier": "^7.12.11",
+                        "to-fast-properties": "^2.0.0"
+                    }
+                },
                "globals": {
                    "version": "11.12.0",
                    "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
@@ -355,13 +390,87 @@
            }
        },
        "@babel/helpers": {
-            "version": "7.13.10",
-            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.13.10.tgz",
-            "integrity": "sha512-4VO883+MWPDUVRF3PhiLBUFHoX/bsLTGFpFK/HqvvfBZz2D57u9XzPVNFVBTc0PW/CWR9BXTOKt8NF4DInUHcQ==",
+            "version": "7.13.17",
+            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.13.17.tgz",
+            "integrity": "sha512-Eal4Gce4kGijo1/TGJdqp3WuhllaMLSrW6XcL0ulyUAQOuxHcCafZE8KHg9857gcTehsm/v7RcOx2+jp0Ryjsg==",
            "requires": {
                "@babel/template": "^7.12.13",
-                "@babel/traverse": "^7.13.0",
-                "@babel/types": "^7.13.0"
+                "@babel/traverse": "^7.13.17",
+                "@babel/types": "^7.13.17"
+            },
+            "dependencies": {
+                "@babel/code-frame": {
+                    "version": "7.12.13",
+                    "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.12.13.tgz",
+                    "integrity": "sha512-HV1Cm0Q3ZrpCR93tkWOYiuYIgLxZXZFVG2VgK+MBWjUqZTundupbfx2aXarXuw5Ko5aMcjtJgbSs4vUGBS5v6g==",
+                    "requires": {
+                        "@babel/highlight": "^7.12.13"
+                    }
+                },
+                "@babel/generator": {
+                    "version": "7.13.16",
+                    "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.13.16.tgz",
+                    "integrity": "sha512-grBBR75UnKOcUWMp8WoDxNsWCFl//XCK6HWTrBQKTr5SV9f5g0pNOjdyzi/DTBv12S9GnYPInIXQBTky7OXEMg==",
+                    "requires": {
+                        "@babel/types": "^7.13.16",
+                        "jsesc": "^2.5.1",
+                        "source-map": "^0.5.0"
+                    }
+                },
+                "@babel/helper-validator-identifier": {
+                    "version": "7.12.11",
+                    "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.12.11.tgz",
+                    "integrity": "sha512-np/lG3uARFybkoHokJUmf1QfEvRVCPbmQeUQpKow5cQ3xWrV9i3rUHodKDJPQfTVX61qKi+UdYk8kik84n7XOw=="
+                },
+                "@babel/highlight": {
+                    "version": "7.13.10",
+                    "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.13.10.tgz",
+                    "integrity": "sha512-5aPpe5XQPzflQrFwL1/QoeHkP2MsA4JCntcXHRhEsdsfPVkvPi2w7Qix4iV7t5S/oC9OodGrggd8aco1g3SZFg==",
+                    "requires": {
+                        "@babel/helper-validator-identifier": "^7.12.11",
+                        "chalk": "^2.0.0",
+                        "js-tokens": "^4.0.0"
+                    }
+                },
+                "@babel/parser": {
+                    "version": "7.13.16",
+                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.16.tgz",
+                    "integrity": "sha512-6bAg36mCwuqLO0hbR+z7PHuqWiCeP7Dzg73OpQwsAB1Eb8HnGEz5xYBzCfbu+YjoaJsJs+qheDxVAuqbt3ILEw=="
+                },
+                "@babel/traverse": {
+                    "version": "7.13.17",
+                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.17.tgz",
+                    "integrity": "sha512-BMnZn0R+X6ayqm3C3To7o1j7Q020gWdqdyP50KEoVqaCO2c/Im7sYZSmVgvefp8TTMQ+9CtwuBp0Z1CZ8V3Pvg==",
+                    "requires": {
+                        "@babel/code-frame": "^7.12.13",
+                        "@babel/generator": "^7.13.16",
+                        "@babel/helper-function-name": "^7.12.13",
+                        "@babel/helper-split-export-declaration": "^7.12.13",
+                        "@babel/parser": "^7.13.16",
+                        "@babel/types": "^7.13.17",
+                        "debug": "^4.1.0",
+                        "globals": "^11.1.0"
+                    }
+                },
+                "@babel/types": {
+                    "version": "7.13.17",
+                    "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.13.17.tgz",
+                    "integrity": "sha512-RawydLgxbOPDlTLJNtoIypwdmAy//uQIzlKt2+iBiJaRlVuI6QLUxVAyWGNfOzp8Yu4L4lLIacoCyTNtpb4wiA==",
+                    "requires": {
+                        "@babel/helper-validator-identifier": "^7.12.11",
+                        "to-fast-properties": "^2.0.0"
+                    }
+                },
+                "globals": {
+                    "version": "11.12.0",
+                    "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
+                    "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA=="
+                },
+                "source-map": {
+                    "version": "0.5.7",
+                    "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+                    "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
+                }
            }
        },
        "@babel/highlight": {
@@ -1336,86 +1445,28 @@
            }
        },
        "@lingui/babel-plugin-extract-messages": {
-            "version": "3.8.9",
-            "resolved": "https://registry.npmjs.org/@lingui/babel-plugin-extract-messages/-/babel-plugin-extract-messages-3.8.9.tgz",
-            "integrity": "sha512-zPpSl89nvUrLyGHfVosZHCP9fylfCfkEMc29wGdjE6f0U+frJ59NRLilWMy7xaE8uz97cD5vkhYaaF1wnavhxA==",
+            "version": "3.8.10",
+            "resolved": "https://registry.npmjs.org/@lingui/babel-plugin-extract-messages/-/babel-plugin-extract-messages-3.8.10.tgz",
+            "integrity": "sha512-16EnNRb1HXNjdDLMY3xS7jh0wKA00x21LC1CIKRAki80u92jvkSMOJYk+lD6yhdrcl0dH5OMAbdluAm1+rpEPw==",
            "requires": {
                "@babel/generator": "^7.11.6",
                "@babel/runtime": "^7.11.2",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/conf": "^3.8.10",
                "mkdirp": "^1.0.4"
-            },
-            "dependencies": {
-                "@lingui/conf": {
-                    "version": "3.8.9",
-                    "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
-                    "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
-                    "requires": {
-                        "@babel/runtime": "^7.11.2",
-                        "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
-                        "chalk": "^4.1.0",
-                        "cosmiconfig": "^7.0.0",
-                        "jest-validate": "^26.5.2",
-                        "lodash.get": "^4.4.2"
-                    }
-                },
-                "ansi-styles": {
-                    "version": "4.3.0",
-                    "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-                    "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-                    "requires": {
-                        "color-convert": "^2.0.1"
-                    }
-                },
-                "chalk": {
-                    "version": "4.1.0",
-                    "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.0.tgz",
-                    "integrity": "sha512-qwx12AxXe2Q5xQ43Ac//I6v5aXTipYrSESdOgzrN+9XjgEpyjpKuvSGaN4qE93f7TQTlerQQ8S+EQ0EyDoVL1A==",
-                    "requires": {
-                        "ansi-styles": "^4.1.0",
-                        "supports-color": "^7.1.0"
-                    }
-                },
-                "color-convert": {
-                    "version": "2.0.1",
-                    "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-                    "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-                    "requires": {
-                        "color-name": "~1.1.4"
-                    }
-                },
-                "color-name": {
-                    "version": "1.1.4",
-                    "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-                    "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
-                },
-                "has-flag": {
-                    "version": "4.0.0",
-                    "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
-                    "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ=="
-                },
-                "supports-color": {
-                    "version": "7.2.0",
-                    "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
-                    "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
-                    "requires": {
-                        "has-flag": "^4.0.0"
-                    }
-                }
            }
        },
        "@lingui/cli": {
-            "version": "3.8.9",
-            "resolved": "https://registry.npmjs.org/@lingui/cli/-/cli-3.8.9.tgz",
-            "integrity": "sha512-UccLtfwrTjXrZcTxpqA4ggYhuUMbXZtzbUVks8nDVt3emVqU56C3VMvVD8WKXLL8Qmq9cEDXPwIZy7IKRL4mEQ==",
+            "version": "3.8.10",
+            "resolved": "https://registry.npmjs.org/@lingui/cli/-/cli-3.8.10.tgz",
+            "integrity": "sha512-YLkT5e6JRwVcXEwLD0++/m1p/wvRQbLj/+m8geXfrcFfrsQyT3uhHNZRFK0GdsjyDslSqJYbalYibJUbgC2sOA==",
            "requires": {
                "@babel/generator": "^7.11.6",
                "@babel/parser": "^7.11.5",
                "@babel/plugin-syntax-jsx": "^7.10.4",
                "@babel/runtime": "^7.11.2",
                "@babel/types": "^7.11.5",
-                "@lingui/babel-plugin-extract-messages": "^3.8.9",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/babel-plugin-extract-messages": "^3.8.10",
+                "@lingui/conf": "^3.8.10",
                "babel-plugin-macros": "^3.0.1",
                "bcp-47": "^1.0.7",
                "chalk": "^4.1.0",
@@ -1442,19 +1493,6 @@
                "ramda": "^0.27.1"
            },
            "dependencies": {
-                "@lingui/conf": {
-                    "version": "3.8.9",
-                    "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
-                    "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
-                    "requires": {
-                        "@babel/runtime": "^7.11.2",
-                        "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
-                        "chalk": "^4.1.0",
-                        "cosmiconfig": "^7.0.0",
-                        "jest-validate": "^26.5.2",
-                        "lodash.get": "^4.4.2"
-                    }
-                },
                "ansi-styles": {
                    "version": "4.3.0",
                    "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
@@ -1531,9 +1569,9 @@
            }
        },
        "@lingui/conf": {
-            "version": "3.8.9",
-            "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
-            "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
+            "version": "3.8.10",
+            "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.10.tgz",
+            "integrity": "sha512-4KdH+23WXZ5g+LRlvvise3z3mdd41zLgqSJ/PUCMGk60RfElvTrTdxpnm2tOF/2hr+OyGCQEy6kLq606y639qw==",
            "requires": {
                "@babel/runtime": "^7.11.2",
                "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
@@ -1589,9 +1627,9 @@
            }
        },
        "@lingui/core": {
-            "version": "3.8.9",
-            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.8.9.tgz",
-            "integrity": "sha512-QmEfgukR7w/4/4USZT0LGNt7Yq/RgirFl4088wEta0vgroidxaCRgUXr8RXcdFVjTdtG5dc86JTEj4inZECKvg==",
+            "version": "3.8.10",
+            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.8.10.tgz",
+            "integrity": "sha512-1OzZW8iP5yAXxz49pY/WZ1acLvkekd6HgDh8zH3jMA2Hbig2jk6VGVERMO7lwEwJiyEuxaQpe8fRrhCTB7wA3A==",
            "requires": {
                "@babel/runtime": "^7.11.2",
                "make-plural": "^6.2.2",
@@ -1599,12 +1637,12 @@
            }
        },
        "@lingui/macro": {
-            "version": "3.8.9",
-            "resolved": "https://registry.npmjs.org/@lingui/macro/-/macro-3.8.9.tgz",
-            "integrity": "sha512-9LhlbkJ9wOtOLhlaVRLHCRL55S5wOFyyqEhUM+ujUmCskTmMmXzjnRsw5f11nJTK1JJETMT/VlUB5/p7D7Edkw==",
+            "version": "3.8.10",
+            "resolved": "https://registry.npmjs.org/@lingui/macro/-/macro-3.8.10.tgz",
+            "integrity": "sha512-oZZ/F7HsNQkDsnHFroxzGFuEIXM624H72RIj8j2ClpR64nt+xYDxXYC6TYFicQLtBGcKKBTBoM+zbDaoIv74qQ==",
            "requires": {
                "@babel/runtime": "^7.11.2",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/conf": "^3.8.10",
                "ramda": "^0.27.1"
            }
        },
@@ -1828,13 +1866,13 @@
            }
        },
        "@sentry/browser": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.2.5.tgz",
-            "integrity": "sha512-nlvaE+D7oaj4MxoY9ikw+krQDOjftnDYJQnOwOraXPk7KYM6YwmkakLuE+x/AkaH3FQVTQF330VAa9d6SWETlA==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.3.0.tgz",
+            "integrity": "sha512-Rse9j5XwN9n7GnfW1mNscTS4YQ0oiBNJcaSk3Mw/vQT872Wh60yKyx5wxAw5GujFZI0NgdyPlZwZ/tGQwirRxA==",
            "requires": {
-                "@sentry/core": "6.2.5",
-                "@sentry/types": "6.2.5",
-                "@sentry/utils": "6.2.5",
+                "@sentry/core": "6.3.0",
+                "@sentry/types": "6.3.0",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@@ -1846,14 +1884,14 @@
            }
        },
        "@sentry/core": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.2.5.tgz",
-            "integrity": "sha512-I+AkgIFO6sDUoHQticP6I27TT3L+i6TUS03in3IEtpBcSeP2jyhlxI8l/wdA7gsBqUPdQ4GHOOaNgtFIcr8qag==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.3.0.tgz",
+            "integrity": "sha512-voot/lJ9gRXB6bx6tVqbEbD6jOd4Sx6Rfmm6pzfpom9C0q+fjIZTatTLq8GdXj8DzxaH1MBDSwtaq/eC3NqYpA==",
            "requires": {
-                "@sentry/hub": "6.2.5",
-                "@sentry/minimal": "6.2.5",
-                "@sentry/types": "6.2.5",
-                "@sentry/utils": "6.2.5",
+                "@sentry/hub": "6.3.0",
+                "@sentry/minimal": "6.3.0",
+                "@sentry/types": "6.3.0",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@@ -1865,12 +1903,12 @@
            }
        },
        "@sentry/hub": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.2.5.tgz",
-            "integrity": "sha512-YlEFdEhcfqpl2HC+/dWXBsBJEljyMzFS7LRRjCk8QANcOdp9PhwQjwebUB4/ulOBjHPP2WZk7fBBd/IKDasTUg==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.0.tgz",
+            "integrity": "sha512-lAnW3Om66t9IR+t1wya1NpOF9lGbvYG6Ca8wxJJGJ1t2PxKwyxpZKzRx0q8M1QFhlZ5cETCzxmM7lBEZ4QVCBg==",
            "requires": {
-                "@sentry/types": "6.2.5",
-                "@sentry/utils": "6.2.5",
+                "@sentry/types": "6.3.0",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@@ -1882,12 +1920,12 @@
            }
        },
        "@sentry/minimal": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.2.5.tgz",
-            "integrity": "sha512-RKP4Qx3p7Cv0oX1cPKAkNVFYM7p2k1t32cNk1+rrVQS4hwlJ7Eg6m6fsqsO+85jd6Ne/FnyYsfo9cDD3ImTlWQ==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.0.tgz",
+            "integrity": "sha512-ZdPUwdPQkaKroy67NkwQRqmnfKyd/C1OyouM9IqYKyBjAInjOijwwc/Rd91PMHalvCOGfp1scNZYbZ+YFs/qQQ==",
            "requires": {
-                "@sentry/hub": "6.2.5",
-                "@sentry/types": "6.2.5",
+                "@sentry/hub": "6.3.0",
+                "@sentry/types": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@@ -1899,17 +1937,51 @@
            }
        },
        "@sentry/tracing": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.2.5.tgz",
-            "integrity": "sha512-j/hM0BoHxfrNLxPeEJ5Vq4R34hO/TOHMEpLR3FdnunBXbsmjoKMMygIkPxnpML5XWtvukAehbwpDXldwMYz83w==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.3.0.tgz",
+            "integrity": "sha512-3UNGgQOrDKBoDqLc4vt+0n27Zv3lbNEoCbBydq4IvGfuYq7ozWMsaTcelsotMsd4ckDuOEh8V/nJTqrDjvL76g==",
            "requires": {
-                "@sentry/hub": "6.2.5",
-                "@sentry/minimal": "6.2.5",
-                "@sentry/types": "6.2.5",
-                "@sentry/utils": "6.2.5",
+                "@sentry/hub": "6.3.0",
+                "@sentry/minimal": "6.3.0",
+                "@sentry/types": "6.3.0",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
+                "@sentry/hub": {
+                    "version": "6.3.0",
+                    "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.0.tgz",
+                    "integrity": "sha512-lAnW3Om66t9IR+t1wya1NpOF9lGbvYG6Ca8wxJJGJ1t2PxKwyxpZKzRx0q8M1QFhlZ5cETCzxmM7lBEZ4QVCBg==",
+                    "requires": {
+                        "@sentry/types": "6.3.0",
+                        "@sentry/utils": "6.3.0",
+                        "tslib": "^1.9.3"
+                    }
+                },
+                "@sentry/minimal": {
+                    "version": "6.3.0",
+                    "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.0.tgz",
+                    "integrity": "sha512-ZdPUwdPQkaKroy67NkwQRqmnfKyd/C1OyouM9IqYKyBjAInjOijwwc/Rd91PMHalvCOGfp1scNZYbZ+YFs/qQQ==",
+                    "requires": {
+                        "@sentry/hub": "6.3.0",
+                        "@sentry/types": "6.3.0",
+                        "tslib": "^1.9.3"
+                    }
+                },
+                "@sentry/types": {
+                    "version": "6.3.0",
+                    "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.0.tgz",
+                    "integrity": "sha512-xWyCYDmFPjS5ex60kxOOHbHEs4vs00qHbm0iShQfjl4OSg9S2azkcWofDmX8Xbn0FSOUXgdPCjNJW1B0bPVhCA=="
+                },
+                "@sentry/utils": {
+                    "version": "6.3.0",
+                    "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.0.tgz",
+                    "integrity": "sha512-NZzw4oLelgvCsVBG2e+ZtFtaBvgA7rZYtcGFbZTphhAlYoJ6JMCQUzYk0iwJK79yR1quh510x4UE0jynvvToWg==",
+                    "requires": {
+                        "@sentry/types": "6.3.0",
+                        "tslib": "^1.9.3"
+                    }
+                },
                "tslib": {
                    "version": "1.14.1",
                    "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
@@ -1918,16 +1990,16 @@
            }
        },
        "@sentry/types": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.2.5.tgz",
-            "integrity": "sha512-1Sux6CLYrV9bETMsGP/HuLFLouwKoX93CWzG8BjMueW+Di0OGxZphYjXrGuDs8xO8bAKEVGCHgVQdcB2jevS0w=="
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.0.tgz",
+            "integrity": "sha512-xWyCYDmFPjS5ex60kxOOHbHEs4vs00qHbm0iShQfjl4OSg9S2azkcWofDmX8Xbn0FSOUXgdPCjNJW1B0bPVhCA=="
        },
        "@sentry/utils": {
-            "version": "6.2.5",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.2.5.tgz",
-            "integrity": "sha512-fJoLUZHrd5MPylV1dT4qL74yNFDl1Ur/dab+pKNSyvnHPnbZ/LRM7aJ8VaRY/A7ZdpRowU+E14e/Yeem2c6gtQ==",
+            "version": "6.3.0",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.0.tgz",
+            "integrity": "sha512-NZzw4oLelgvCsVBG2e+ZtFtaBvgA7rZYtcGFbZTphhAlYoJ6JMCQUzYk0iwJK79yR1quh510x4UE0jynvvToWg==",
            "requires": {
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@@ -2231,6 +2303,11 @@
            "resolved": "https://registry.npmjs.org/@webcomponents/shadycss/-/shadycss-1.10.2.tgz",
            "integrity": "sha512-9Iseu8bRtecb0klvv+WXZOVZatsRkbaH7M97Z+f+Pt909R4lDfgUODAnra23DOZTpeMTAkVpf4m/FZztN7Ox1A=="
        },
+        "@webcomponents/webcomponentsjs": {
+            "version": "2.5.0",
+            "resolved": "https://registry.npmjs.org/@webcomponents/webcomponentsjs/-/webcomponentsjs-2.5.0.tgz",
+            "integrity": "sha512-C0l51MWQZ9kLzcxOZtniOMohpIFdCLZum7/TEHv3XWFc1Fvt5HCpbSX84x8ltka/JuNKcuiDnxXFkiB2gaePcg=="
+        },
        "acorn": {
            "version": "7.4.1",
            "resolved": "https://registry.npmjs.org/acorn/-/acorn-7.4.1.tgz",
@@ -2775,9 +2852,9 @@
            "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
        },
        "codemirror": {
-            "version": "5.60.0",
-            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.60.0.tgz",
-            "integrity": "sha512-AEL7LhFOlxPlCL8IdTcJDblJm8yrAGib7I+DErJPdZd4l6imx8IMgKK3RblVgBQqz3TZJR4oknQ03bz+uNjBYA=="
+            "version": "5.61.0",
+            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.61.0.tgz",
+            "integrity": "sha512-D3wYH90tYY1BsKlUe0oNj2JAhQ9TepkD51auk3N7q+4uz7A/cgJ5JsWHreT0PqieW1QhOuqxQ2reCXV1YXzecg=="
        },
        "collection-visit": {
            "version": "1.0.0",
@@ -2921,9 +2998,9 @@
            }
        },
        "date-fns": {
-            "version": "2.20.1",
-            "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.20.1.tgz",
-            "integrity": "sha512-8P5M8Kxbnovd0zfvOs7ipkiVJ3/zZQ0F/nrBW4x5E+I0uAZVZ80h6CKd24fSXQ5TLK5hXMtI4yb2O5rEZdUt2A=="
+            "version": "2.21.1",
+            "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.21.1.tgz",
+            "integrity": "sha512-m1WR0xGiC6j6jNFAyW4Nvh4WxAi4JF4w9jRJwSI8nBmNcyZXPcP9VUQG+6gHQXAmqaGEKDKhOqAtENDC941UkA=="
        },
        "debug": {
            "version": "4.3.1",
--- a/web/package.json
+++ b/web/package.json
@@ -35,34 +35,35 @@
        ]
    },
    "dependencies": {
-        "@babel/core": "^7.13.15",
+        "@babel/core": "^7.13.16",
        "@babel/plugin-proposal-decorators": "^7.13.15",
        "@babel/plugin-transform-runtime": "^7.13.15",
        "@babel/preset-env": "^7.13.15",
        "@babel/preset-typescript": "^7.13.0",
        "@fortawesome/fontawesome-free": "^5.15.3",
-        "@lingui/cli": "^3.8.9",
-        "@lingui/core": "^3.8.9",
-        "@lingui/macro": "^3.8.9",
+        "@lingui/cli": "^3.8.10",
+        "@lingui/core": "^3.8.10",
+        "@lingui/macro": "^3.8.10",
        "@patternfly/patternfly": "^4.96.2",
        "@polymer/iron-form": "^3.0.1",
        "@polymer/paper-input": "^3.2.1",
        "@rollup/plugin-babel": "^5.3.0",
        "@rollup/plugin-replace": "^2.4.2",
        "@rollup/plugin-typescript": "^8.2.1",
-        "@sentry/browser": "^6.2.5",
-        "@sentry/tracing": "^6.2.5",
+        "@sentry/browser": "^6.3.0",
+        "@sentry/tracing": "^6.3.0",
        "@types/chart.js": "^2.9.32",
        "@types/codemirror": "0.0.109",
        "@types/grecaptcha": "^3.0.1",
        "@typescript-eslint/eslint-plugin": "^4.22.0",
        "@typescript-eslint/parser": "^4.22.0",
+        "@webcomponents/webcomponentsjs": "^2.5.0",
        "authentik-api": "file:api",
        "babel-plugin-macros": "^3.0.1",
        "base64-js": "^1.5.1",
        "chart.js": "^3.1.1",
        "chartjs-adapter-moment": "^1.0.0",
-        "codemirror": "^5.60.0",
+        "codemirror": "^5.61.0",
        "construct-style-sheets-polyfill": "^2.4.16",
        "eslint": "^7.24.0",
        "eslint-config-google": "^0.14.0",
--- a/web/poly.ts
+++ b/web/poly.ts
@@ -0,0 +1,2 @@
+import "construct-style-sheets-polyfill";
+import "@webcomponents/webcomponentsjs";
--- a/web/rollup.config.js
+++ b/web/rollup.config.js
@@ -76,9 +76,7 @@ export default [
    },
    // Polyfills (imported first)
    {
-        input: [
-            "construct-style-sheets-polyfill"
-        ],
+        input: "./poly.ts",
        output: [
            {
                format: "iife",
--- a/web/security.txt
+++ b/web/security.txt
@@ -1,4 +1,4 @@
 Contact: mailto:security@beryju.org
 Expires: Sat, 1 Jan 2022 00:00 +0200
 Preferred-Languages: en, de
-Policy: https://github.com/BeryJu/authentik/blob/master/SECURITY.md
+Policy: https://github.com/goauthentik/authentik/blob/master/SECURITY.md
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@@ -1,4 +1,4 @@
-import { Configuration, Middleware, ResponseContext } from "authentik-api";
+import { Config, Configuration, Middleware, ResponseContext, RootApi } from "authentik-api";
 import { getCookie } from "../utils";
 import { API_DRAWER_MIDDLEWARE } from "../elements/notifications/APIDrawer";
 import { MessageMiddleware } from "../elements/messages/Middleware";
@@ -12,6 +12,14 @@ export class LoggingMiddleware implements Middleware {

 }

+let globalConfigPromise: Promise<Config>;
+export function config(): Promise<Config> {
+    if (!globalConfigPromise) {
+        globalConfigPromise = new RootApi(DEFAULT_CONFIG).rootConfigList();
+    }
+    return globalConfigPromise;
+}
+
 export const DEFAULT_CONFIG = new Configuration({
    basePath: "/api/v2beta",
    headers: {
--- a/web/src/api/Sentry.ts
+++ b/web/src/api/Sentry.ts
@@ -2,12 +2,12 @@ import * as Sentry from "@sentry/browser";
 import { Integrations } from "@sentry/tracing";
 import { VERSION } from "../constants";
 import { SentryIgnoredError } from "../common/errors";
-import { Config, RootApi } from "authentik-api";
 import { me } from "./Users";
-import { DEFAULT_CONFIG } from "./Config";
+import { config } from "./Config";
+import { Config } from "authentik-api";

-export function configureSentry(): Promise<Config> {
-    return new RootApi(DEFAULT_CONFIG).rootConfigList().then((config) => {
+export function configureSentry(canDoPpi: boolean = false): Promise<Config> {
+    return config().then((config) => {
        if (config.errorReportingEnabled) {
            Sentry.init({
                dsn: "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
@@ -19,10 +19,24 @@ export function configureSentry(): Promise<Config> {
                ],
                tracesSampleRate: 0.6,
                environment: config.errorReportingEnvironment,
-                beforeSend(event: Sentry.Event, hint: Sentry.EventHint) {
+                beforeSend: async (event: Sentry.Event, hint: Sentry.EventHint): Promise<Sentry.Event | null> => {
                    if (hint.originalException instanceof SentryIgnoredError) {
                        return null;
                    }
+                    if (hint.originalException instanceof Error) {
+                        if (hint.originalException.name == 'NetworkError') {
+                            return null;
+                        }
+                    }
+                    if (hint.originalException instanceof Response) {
+                        const response = hint.originalException as Response;
+                        // We only care about server errors
+                        if (response.status < 500) {
+                            return null;
+                        }
+                        const body = await response.json();
+                        event.message = `${response.status} ${response.url}: ${JSON.stringify(body)}`
+                    }
                    if (event.exception) {
                        me().then(user => {
                            Sentry.showReportDialog({
@@ -38,7 +52,7 @@ export function configureSentry(): Promise<Config> {
                },
            });
            console.debug("authentik/config: Sentry enabled.");
-            if (config.errorReportingSendPii) {
+            if (config.errorReportingSendPii && canDoPpi) {
                me().then(user => {
                    Sentry.setUser({ email: user.user.email });
                    console.debug("authentik/config: Sentry with PII enabled.");
--- a/web/src/api/Users.ts
+++ b/web/src/api/Users.ts
@@ -1,15 +1,21 @@
 import { CoreApi, SessionUser } from "authentik-api";
 import { DEFAULT_CONFIG } from "./Config";

-let _globalMePromise: Promise<SessionUser>;
+let globalMePromise: Promise<SessionUser>;
 export function me(): Promise<SessionUser> {
-    if (!_globalMePromise) {
-        _globalMePromise = new CoreApi(DEFAULT_CONFIG).coreUsersMe().catch((ex) => {
+    if (!globalMePromise) {
+        globalMePromise = new CoreApi(DEFAULT_CONFIG).coreUsersMe().catch((ex) => {
+            const defaultUser: SessionUser = {
+                user: {
+                    username: "",
+                    name: ""
+                }
+            };
            if (ex.status === 401 || ex.status === 403) {
                window.location.assign("/");
            }
-            return ex;
+            return defaultUser;
        });
    }
-    return _globalMePromise;
+    return globalMePromise;
 }
--- a/web/src/authentik.css
+++ b/web/src/authentik.css
@@ -97,9 +97,12 @@ html > form > input {
 body {
    background-color: var(--ak-dark-background) !important;
 }
-.ak-initial-load h1 {
+.ak-static-page h1 {
    color: var(--ak-dark-foreground);
 }
+.form-help-text {
+    color: var(--pf-global--Color--100);
+}

@media (prefers-color-scheme: dark) {
    :root {
@@ -239,6 +242,9 @@ body {
    .pf-c-check__label {
        color: var(--ak-dark-foreground);
    }
+    .form-help-text {
+        color: var(--ak-dark-foreground);
+    }
    /* inputs help text */
    .pf-c-form__helper-text:not(.pf-m-error) {
        color: var(--ak-dark-foreground);
--- a/web/src/constants.ts
+++ b/web/src/constants.ts
@@ -3,11 +3,11 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.4.3";
+export const VERSION = "2021.4.5";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";
 export const EVENT_SIDEBAR_TOGGLE = "ak-sidebar-toggle";
 export const EVENT_API_DRAWER_REFRESH = "ak-api-drawer-refresh";
-export const TITLE_SUFFIX = "authentik";
+export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
--- a/web/src/elements/PageHeader.ts
+++ b/web/src/elements/PageHeader.ts
@@ -4,7 +4,8 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import AKGlobal from "../authentik.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
-import { EVENT_SIDEBAR_TOGGLE, TITLE_SUFFIX } from "../constants";
+import { EVENT_SIDEBAR_TOGGLE, TITLE_DEFAULT } from "../constants";
+import { config } from "../api/Config";

@customElement("ak-page-header")
 export class PageHeader extends LitElement {
@@ -17,11 +18,13 @@ export class PageHeader extends LitElement {

    @property()
    set header(value: string) {
-        if (value !== "") {
-            document.title = `${value} - ${TITLE_SUFFIX}`;
-        } else {
-            document.title = TITLE_SUFFIX;
-        }
+        config().then(config => {
+            if (value !== "") {
+                document.title = `${value} - ${config.brandingTitle}`;
+            } else {
+                document.title = config.brandingTitle || TITLE_DEFAULT;
+            }
+        });
        this._header = value;
    }

@@ -41,7 +44,7 @@ export class PageHeader extends LitElement {
                flex-direction: row;
                min-height: 114px;
            }
-            button.sidebar-trigger {
+            button.pf-c-button.pf-m-plain.sidebar-trigger {
                background-color: var(--pf-c-page__main-section--m-light--BackgroundColor);
                border-radius: 0px;
            }
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@@ -41,7 +41,7 @@ export class SidebarBrand extends LitElement {
    }

    firstUpdated(): void {
-        configureSentry().then((c) => {this.config = c;});
+        configureSentry(true).then((c) => {this.config = c;});
    }

    render(): TemplateResult {
--- a/web/src/flows/FlowExecutor.ts
+++ b/web/src/flows/FlowExecutor.ts
@@ -36,13 +36,14 @@ import { AuthenticatorValidateStageChallenge } from "./stages/authenticator_vali
 import { WebAuthnAuthenticatorRegisterChallenge } from "./stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage";
 import { CaptchaChallenge } from "./stages/captcha/CaptchaStage";
 import { StageHost } from "./stages/base";
-import { Challenge, ChallengeTypeEnum, Config, FlowsApi, RootApi } from "authentik-api";
-import { DEFAULT_CONFIG } from "../api/Config";
+import { Challenge, ChallengeTypeEnum, Config, FlowsApi } from "authentik-api";
+import { config, DEFAULT_CONFIG } from "../api/Config";
 import { ifDefined } from "lit-html/directives/if-defined";
 import { until } from "lit-html/directives/until";
 import { AccessDeniedChallenge } from "./access_denied/FlowAccessDenied";
 import { PFSize } from "../elements/Spinner";
-import { TITLE_SUFFIX } from "../constants";
+import { TITLE_DEFAULT } from "../constants";
+import { configureSentry } from "../api/Sentry";

@customElement("ak-flow-executor")
 export class FlowExecutor extends LitElement implements StageHost {
@@ -98,11 +99,13 @@ export class FlowExecutor extends LitElement implements StageHost {
    }

    private postUpdate(): void {
-        if (this.challenge?.title) {
-            document.title = `${this.challenge.title} - ${TITLE_SUFFIX}`;
-        } else {
-            document.title = TITLE_SUFFIX;
-        }
+        config().then(config => {
+            if (this.challenge?.title) {
+                document.title = `${this.challenge.title} - ${config.brandingTitle}`;
+            } else {
+                document.title = config.brandingTitle || TITLE_DEFAULT;
+            }
+        });
    }

    submit<T>(formData?: T): Promise<void> {
@@ -124,7 +127,7 @@ export class FlowExecutor extends LitElement implements StageHost {
    }

    firstUpdated(): void {
-        new RootApi(DEFAULT_CONFIG).rootConfigList().then((config) => {
+        configureSentry().then((config) => {
            this.config = config;
        });
        this.loading = true;
--- a/web/src/flows/stages/identification/IdentificationStage.ts
+++ b/web/src/flows/stages/identification/IdentificationStage.ts
@@ -149,7 +149,6 @@ export class IdentificationStage extends BaseStage {
                </p>` : html``}
                ${this.challenge.recovery_url ? html`
                <p class="pf-c-login__main-footer-band-item">
-                    ${t`Need an account?`}
                    <a id="recovery" href="${this.challenge.recovery_url}">${t`Forgot username or password?`}</a>
                </p>` : html``}
            </div>`;
--- a/web/src/interfaces/admin/index.html
+++ b/web/src/interfaces/admin/index.html
@@ -18,7 +18,7 @@
    <body>
        <ak-message-container></ak-message-container>
        <ak-interface-admin>
-            <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+            <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
                <div class="pf-c-empty-state" style="height: 100vh;">
                    <div class="pf-c-empty-state__content">
                        <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="Loading...">
--- a/web/src/interfaces/flow/index.html
+++ b/web/src/interfaces/flow/index.html
@@ -10,6 +10,7 @@
        <link rel="stylesheet" type="text/css" href="/static/dist/empty-state.css">
        <link rel="stylesheet" type="text/css" href="/static/dist/spinner.css">
        <link rel="stylesheet" type="text/css" href="/static/dist/authentik.css">
+        <script>ShadyDOM = { force: !navigator.webdriver };</script>
        <script src="/static/dist/poly.js" type="module"></script>
        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
        <script src="/static/dist/FlowInterface.js" type="module"></script>
@@ -18,7 +19,7 @@
    <body>
        <ak-message-container></ak-message-container>
        <ak-flow-executor>
-            <section class="ak-initial-load pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+            <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
                <div class="pf-c-empty-state" style="height: 100vh;">
                    <div class="pf-c-empty-state__content">
                        <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="Loading...">
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -13,7 +13,7 @@ msgstr ""
 "Language-Team: \n"
 "Plural-Forms: \n"

-#: src/pages/policies/BoundPoliciesList.ts:55
+#: src/pages/policies/BoundPoliciesList.ts:59
 msgid "-"
 msgstr "-"

@@ -64,7 +64,7 @@ msgstr "API Requests"
 msgid "API request failed"
 msgstr "API request failed"

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:87
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:88
 msgid "Access Key"
 msgstr "Access Key"

@@ -105,8 +105,8 @@ msgstr "Additional group DN, prepended to the Base DN."
 msgid "Additional user DN, prepended to the Base DN."
 msgstr "Additional user DN, prepended to the Base DN."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:131
-#: src/pages/providers/proxy/ProxyProviderForm.ts:128
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
+#: src/pages/providers/proxy/ProxyProviderForm.ts:130
 #: src/pages/providers/saml/SAMLProviderForm.ts:117
 #: src/pages/sources/saml/SAMLSourceForm.ts:134
 msgid "Advanced protocol settings"
@@ -125,7 +125,7 @@ msgstr "Affected model:"
 msgid "Alert"
 msgstr "Alert"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153
 msgid "Algorithm used to sign the JWT Tokens."
 msgstr "Algorithm used to sign the JWT Tokens."

@@ -259,7 +259,7 @@ msgstr "Attempted to log in as {0}"
 msgid "Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or a any other string. If this property mapping is used for NameID Property, this field is discarded."
 msgstr "Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or a any other string. If this property mapping is used for NameID Property, this field is discarded."

-#: src/pages/groups/GroupForm.ts:135
+#: src/pages/groups/GroupForm.ts:134
 #: src/pages/stages/invitation/InvitationForm.ts:52
 #: src/pages/users/UserForm.ts:77
 msgid "Attributes"
@@ -293,7 +293,7 @@ msgid "Authorization Code"
 msgstr "Authorization Code"

 #: src/pages/sources/oauth/OAuthSourceForm.ts:66
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:95
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:96
 msgid "Authorization URL"
 msgstr "Authorization URL"

@@ -342,19 +342,19 @@ msgstr "Backup status"
 msgid "Base DN"
 msgstr "Base DN"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
 msgid "Based on the Hashed User ID"
 msgstr "Based on the Hashed User ID"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:210
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209
 msgid "Based on the User's Email. This is recommended over the UPN method."
 msgstr "Based on the User's Email. This is recommended over the UPN method."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212
 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
 msgstr "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:207
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206
 msgid "Based on the username"
 msgstr "Based on the username"

@@ -405,7 +405,7 @@ msgstr "Cached Flows"
 msgid "Cached Policies"
 msgstr "Cached Policies"

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:79
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:80
 msgid "Callback URL"
 msgstr "Callback URL"

@@ -426,7 +426,7 @@ msgid "Case insensitive matching"
 msgstr "Case insensitive matching"

 #: src/pages/crypto/CertificateKeyPairForm.ts:51
-#: src/pages/providers/proxy/ProxyProviderForm.ts:132
+#: src/pages/providers/proxy/ProxyProviderForm.ts:134
 msgid "Certificate"
 msgstr "Certificate"

@@ -472,7 +472,7 @@ msgstr "Change your password"
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:135
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:129
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:113
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:132
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:133
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:119
 #: src/pages/users/UserViewPage.ts:185
 msgid "Changelog"
@@ -596,7 +596,7 @@ msgstr "Configure WebAuthn"
 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
 msgstr "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:242
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241
 msgid "Configure how the issuer field of the ID Token should be filled."
 msgstr "Configure how the issuer field of the ID Token should be filled."

@@ -604,7 +604,7 @@ msgstr "Configure how the issuer field of the ID Token should be filled."
 msgid "Configure settings relevant to your user profile."
 msgstr "Configure settings relevant to your user profile."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:217
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
 msgstr "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."

@@ -660,8 +660,8 @@ msgstr "Consumer secret"
 #: src/pages/events/EventInfo.ts:79
 #: src/pages/events/EventInfo.ts:148
 #: src/pages/events/EventInfo.ts:167
-#: src/pages/policies/PolicyTestForm.ts:74
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:63
+#: src/pages/policies/PolicyTestForm.ts:75
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:65
 msgid "Context"
 msgstr "Context"

@@ -708,15 +708,15 @@ msgstr "Copy Key"
 #: src/pages/flows/BoundStagesList.ts:167
 #: src/pages/flows/FlowListPage.ts:109
 #: src/pages/flows/FlowListPage.ts:117
-#: src/pages/groups/GroupListPage.ts:91
-#: src/pages/groups/GroupListPage.ts:99
+#: src/pages/groups/GroupListPage.ts:90
+#: src/pages/groups/GroupListPage.ts:98
 #: src/pages/outposts/OutpostListPage.ts:101
 #: src/pages/outposts/OutpostListPage.ts:109
 #: src/pages/outposts/ServiceConnectionListPage.ts:110
 #: src/pages/outposts/ServiceConnectionListPage.ts:119
-#: src/pages/policies/BoundPoliciesList.ts:158
-#: src/pages/policies/BoundPoliciesList.ts:185
-#: src/pages/policies/BoundPoliciesList.ts:206
+#: src/pages/policies/BoundPoliciesList.ts:162
+#: src/pages/policies/BoundPoliciesList.ts:189
+#: src/pages/policies/BoundPoliciesList.ts:210
 #: src/pages/policies/PolicyListPage.ts:124
 #: src/pages/policies/PolicyListPage.ts:133
 #: src/pages/property-mappings/PropertyMappingListPage.ts:113
@@ -747,10 +747,10 @@ msgstr "Create"
 msgid "Create Application"
 msgstr "Create Application"

-#: src/pages/policies/BoundPoliciesList.ts:161
-#: src/pages/policies/BoundPoliciesList.ts:166
-#: src/pages/policies/BoundPoliciesList.ts:209
-#: src/pages/policies/BoundPoliciesList.ts:214
+#: src/pages/policies/BoundPoliciesList.ts:165
+#: src/pages/policies/BoundPoliciesList.ts:170
+#: src/pages/policies/BoundPoliciesList.ts:213
+#: src/pages/policies/BoundPoliciesList.ts:218
 msgid "Create Binding"
 msgstr "Create Binding"

@@ -762,7 +762,7 @@ msgstr "Create Certificate-Key Pair"
 msgid "Create Flow"
 msgstr "Create Flow"

-#: src/pages/groups/GroupListPage.ts:94
+#: src/pages/groups/GroupListPage.ts:93
 msgid "Create Group"
 msgstr "Create Group"

@@ -786,7 +786,7 @@ msgstr "Create Notification Transport"
 msgid "Create Outpost"
 msgstr "Create Outpost"

-#: src/pages/policies/BoundPoliciesList.ts:176
+#: src/pages/policies/BoundPoliciesList.ts:180
 msgid "Create Policy"
 msgstr "Create Policy"

@@ -819,7 +819,7 @@ msgstr "Create provider"
 #: src/pages/applications/ApplicationForm.ts:123
 #: src/pages/flows/BoundStagesList.ts:149
 #: src/pages/outposts/ServiceConnectionListPage.ts:122
-#: src/pages/policies/BoundPoliciesList.ts:188
+#: src/pages/policies/BoundPoliciesList.ts:192
 #: src/pages/policies/PolicyListPage.ts:136
 #: src/pages/property-mappings/PropertyMappingListPage.ts:125
 #: src/pages/providers/ProviderListPage.ts:119
@@ -873,7 +873,7 @@ msgstr "Define how notifications are sent to users, like Email or Webhook."
 #: src/pages/events/RuleListPage.ts:82
 #: src/pages/events/TransportListPage.ts:86
 #: src/pages/flows/FlowListPage.ts:86
-#: src/pages/groups/GroupListPage.ts:82
+#: src/pages/groups/GroupListPage.ts:81
 #: src/pages/outposts/OutpostListPage.ts:87
 #: src/pages/outposts/ServiceConnectionListPage.ts:101
 #: src/pages/policies/PolicyListPage.ts:115
@@ -895,7 +895,7 @@ msgid "Delete Authorization Code"
 msgstr "Delete Authorization Code"

 #: src/pages/flows/BoundStagesList.ts:91
-#: src/pages/policies/BoundPoliciesList.ts:145
+#: src/pages/policies/BoundPoliciesList.ts:149
 msgid "Delete Binding"
 msgstr "Delete Binding"

@@ -1010,7 +1010,7 @@ msgstr "Download"
 msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
 msgstr "Dummy stage used for testing. Shows a simple continue button and always passes."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:235
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234
 msgid "Each provider has a different issuer, based on the application slug."
 msgstr "Each provider has a different issuer, based on the application slug."

@@ -1021,7 +1021,7 @@ msgstr "Each provider has a different issuer, based on the application slug."
 #: src/pages/events/RuleListPage.ts:70
 #: src/pages/events/TransportListPage.ts:74
 #: src/pages/flows/FlowListPage.ts:74
-#: src/pages/groups/GroupListPage.ts:70
+#: src/pages/groups/GroupListPage.ts:69
 #: src/pages/outposts/OutpostListPage.ts:75
 #: src/pages/outposts/ServiceConnectionListPage.ts:89
 #: src/pages/policies/PolicyListPage.ts:90
@@ -1032,7 +1032,7 @@ msgstr "Each provider has a different issuer, based on the application slug."
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:121
 #: src/pages/sources/SourcesListPage.ts:82
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:105
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:124
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:125
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:111
 #: src/pages/stages/StageListPage.ts:98
 #: src/pages/stages/prompt/PromptListPage.ts:75
@@ -1043,15 +1043,15 @@ msgid "Edit"
 msgstr "Edit"

 #: src/pages/flows/BoundStagesList.ts:79
-#: src/pages/policies/BoundPoliciesList.ts:133
+#: src/pages/policies/BoundPoliciesList.ts:137
 msgid "Edit Binding"
 msgstr "Edit Binding"

-#: src/pages/policies/BoundPoliciesList.ts:92
+#: src/pages/policies/BoundPoliciesList.ts:96
 msgid "Edit Group"
 msgstr "Edit Group"

-#: src/pages/policies/BoundPoliciesList.ts:77
+#: src/pages/policies/BoundPoliciesList.ts:81
 msgid "Edit Policy"
 msgstr "Edit Policy"

@@ -1059,7 +1059,7 @@ msgstr "Edit Policy"
 msgid "Edit Stage"
 msgstr "Edit Stage"

-#: src/pages/policies/BoundPoliciesList.ts:107
+#: src/pages/policies/BoundPoliciesList.ts:111
 msgid "Edit User"
 msgstr "Edit User"

@@ -1079,7 +1079,7 @@ msgstr "Email"
 msgid "Email address"
 msgstr "Email address"

-#: src/flows/stages/identification/IdentificationStage.ts:151
+#: src/flows/stages/identification/IdentificationStage.ts:150
 msgid "Email or Username"
 msgstr "Email or Username"

@@ -1104,8 +1104,8 @@ msgstr "Enable Static Tokens"
 msgid "Enable TOTP"
 msgstr "Enable TOTP"

-#: src/pages/policies/BoundPoliciesList.ts:37
-#: src/pages/policies/PolicyBindingForm.ts:198
+#: src/pages/policies/BoundPoliciesList.ts:41
+#: src/pages/policies/PolicyBindingForm.ts:199
 #: src/pages/sources/ldap/LDAPSourceForm.ts:69
 #: src/pages/sources/oauth/OAuthSourceForm.ts:115
 #: src/pages/sources/saml/SAMLSourceForm.ts:69
@@ -1247,10 +1247,10 @@ msgstr "Export"
 msgid "Expression"
 msgstr "Expression"

-#: src/pages/policies/expression/ExpressionPolicyForm.ts:84
-#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:70
-#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:80
-#: src/pages/property-mappings/PropertyMappingScopeForm.ts:77
+#: src/pages/policies/expression/ExpressionPolicyForm.ts:85
+#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:71
+#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:81
+#: src/pages/property-mappings/PropertyMappingScopeForm.ts:78
 msgid "Expression using Python."
 msgstr "Expression using Python."

@@ -1262,7 +1262,7 @@ msgstr "External Applications which use authentik as Identity-Provider, utilizin
 msgid "External Host"
 msgstr "External Host"

-#: src/pages/providers/proxy/ProxyProviderForm.ts:118
+#: src/pages/providers/proxy/ProxyProviderForm.ts:119
 msgid "External host"
 msgstr "External host"

@@ -1382,7 +1382,7 @@ msgstr "Force the user to configure an authenticator"
 msgid "Forgot password?"
 msgstr "Forgot password?"

-#: src/flows/stages/identification/IdentificationStage.ts:125
+#: src/flows/stages/identification/IdentificationStage.ts:124
 msgid "Forgot username or password?"
 msgstr "Forgot username or password?"

@@ -1420,9 +1420,9 @@ msgid "Go to previous page"
 msgstr "Go to previous page"

 #: src/pages/events/RuleForm.ts:65
-#: src/pages/groups/GroupListPage.ts:75
-#: src/pages/policies/PolicyBindingForm.ts:132
-#: src/pages/policies/PolicyBindingForm.ts:160
+#: src/pages/groups/GroupListPage.ts:74
+#: src/pages/policies/PolicyBindingForm.ts:125
+#: src/pages/policies/PolicyBindingForm.ts:161
 msgid "Group"
 msgstr "Group"

@@ -1442,7 +1442,7 @@ msgstr "Group object filter"
 msgid "Group users together and give them permissions based on the membership."
 msgstr "Group users together and give them permissions based on the membership."

-#: src/pages/policies/BoundPoliciesList.ts:49
+#: src/pages/policies/BoundPoliciesList.ts:53
 msgid "Group {0}"
 msgstr "Group {0}"

@@ -1451,7 +1451,7 @@ msgstr "Group {0}"
 msgid "Groups"
 msgstr "Groups"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150
 msgid "HS256 (Symmetric Encryption)"
 msgstr "HS256 (Symmetric Encryption)"

@@ -1476,7 +1476,7 @@ msgid "Hide managed mappings"
 msgstr "Hide managed mappings"

 #: src/pages/events/RuleForm.ts:93
-#: src/pages/groups/GroupForm.ts:132
+#: src/pages/groups/GroupForm.ts:131
 #: src/pages/outposts/OutpostForm.ts:98
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
 #: src/pages/providers/saml/SAMLProviderForm.ts:177
@@ -1552,11 +1552,11 @@ msgstr "Import certificates of external providers or create certificates to sign
 msgid "In case you can't access any other method."
 msgstr "In case you can't access any other method."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:227
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
 msgstr "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:224
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223
 msgid "Include claims in id_token"
 msgstr "Include claims in id_token"

@@ -1572,7 +1572,7 @@ msgstr "Internal application name, used in URLs."
 msgid "Internal host"
 msgstr "Internal host"

-#: src/pages/providers/proxy/ProxyProviderForm.ts:112
+#: src/pages/providers/proxy/ProxyProviderForm.ts:113
 msgid "Internal host SSL Validation"
 msgstr "Internal host SSL Validation"

@@ -1600,15 +1600,15 @@ msgstr "Is superuser"
 msgid "Issuer"
 msgstr "Issuer"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:230
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
 msgid "Issuer mode"
 msgstr "Issuer mode"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142
 msgid "JWT Algorithm"
 msgstr "JWT Algorithm"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:196
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
 msgstr "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."

@@ -1665,8 +1665,8 @@ msgid "Library"
 msgstr "Library"

 #: src/elements/table/Table.ts:120
-#: src/flows/FlowExecutor.ts:164
-#: src/flows/FlowExecutor.ts:210
+#: src/flows/FlowExecutor.ts:167
+#: src/flows/FlowExecutor.ts:213
 #: src/flows/access_denied/FlowAccessDenied.ts:27
 #: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts:43
 #: src/flows/stages/authenticator_totp/AuthenticatorTOTPStage.ts:33
@@ -1677,7 +1677,7 @@ msgstr "Library"
 #: src/flows/stages/consent/ConsentStage.ts:28
 #: src/flows/stages/dummy/DummyStage.ts:27
 #: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:134
+#: src/flows/stages/identification/IdentificationStage.ts:133
 #: src/flows/stages/password/PasswordStage.ts:31
 #: src/flows/stages/prompt/PromptStage.ts:126
 #: src/pages/applications/ApplicationViewPage.ts:43
@@ -1694,23 +1694,23 @@ msgstr "Loading"
 #: src/pages/flows/StageBindingForm.ts:89
 #: src/pages/flows/StageBindingForm.ts:106
 #: src/pages/groups/GroupForm.ts:77
-#: src/pages/groups/GroupForm.ts:128
+#: src/pages/groups/GroupForm.ts:127
 #: src/pages/outposts/OutpostForm.ts:74
 #: src/pages/outposts/OutpostForm.ts:96
 #: src/pages/outposts/ServiceConnectionDockerForm.ts:87
 #: src/pages/outposts/ServiceConnectionDockerForm.ts:104
-#: src/pages/policies/PolicyBindingForm.ts:156
-#: src/pages/policies/PolicyBindingForm.ts:172
-#: src/pages/policies/PolicyBindingForm.ts:188
-#: src/pages/policies/PolicyTestForm.ts:70
+#: src/pages/policies/PolicyBindingForm.ts:157
+#: src/pages/policies/PolicyBindingForm.ts:173
+#: src/pages/policies/PolicyBindingForm.ts:189
+#: src/pages/policies/PolicyTestForm.ts:71
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:88
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:59
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:61
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:194
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193
 #: src/pages/providers/proxy/ProxyProviderForm.ts:92
-#: src/pages/providers/proxy/ProxyProviderForm.ts:143
+#: src/pages/providers/proxy/ProxyProviderForm.ts:145
 #: src/pages/providers/saml/SAMLProviderForm.ts:71
 #: src/pages/providers/saml/SAMLProviderForm.ts:133
 #: src/pages/providers/saml/SAMLProviderForm.ts:149
@@ -1752,7 +1752,7 @@ msgstr "Log the currently pending user in."
 msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
 msgstr "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."

-#: src/flows/stages/identification/IdentificationStage.ts:146
+#: src/flows/stages/identification/IdentificationStage.ts:145
 msgid "Login to continue to {0}."
 msgstr "Login to continue to {0}."

@@ -1803,7 +1803,7 @@ msgid "Members"
 msgstr "Members"

 #: src/pages/events/EventInfo.ts:174
-#: src/pages/policies/PolicyTestForm.ts:43
+#: src/pages/policies/PolicyTestForm.ts:44
 #: src/pages/system-tasks/SystemTaskListPage.ts:80
 msgid "Messages"
 msgstr "Messages"
@@ -1889,7 +1889,7 @@ msgstr "Monitor"
 #: src/pages/sources/ldap/LDAPSourceForm.ts:54
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:64
 #: src/pages/sources/oauth/OAuthSourceForm.ts:100
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:63
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:64
 #: src/pages/sources/saml/SAMLSourceForm.ts:54
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:66
 #: src/pages/stages/StageListPage.ts:65
@@ -1930,7 +1930,6 @@ msgid "NameID Property Mapping"
 msgstr "NameID Property Mapping"

 #: src/flows/stages/identification/IdentificationStage.ts:119
-#: src/flows/stages/identification/IdentificationStage.ts:124
 msgid "Need an account?"
 msgstr "Need an account?"

@@ -1939,11 +1938,11 @@ msgid "New version available!"
 msgstr "New version available!"

 #: src/pages/crypto/CertificateKeyPairListPage.ts:61
-#: src/pages/groups/GroupListPage.ts:58
+#: src/pages/groups/GroupListPage.ts:57
 #: src/pages/groups/MemberSelectModal.ts:57
 #: src/pages/outposts/ServiceConnectionListPage.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:118
-#: src/pages/policies/PolicyTestForm.ts:38
+#: src/pages/policies/BoundPoliciesList.ts:122
+#: src/pages/policies/PolicyTestForm.ts:39
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:108
 #: src/pages/tokens/TokenListPage.ts:56
 #: src/pages/user-settings/tokens/UserTokenList.ts:83
@@ -1960,7 +1959,7 @@ msgstr "No Applications available."
 msgid "No Events found."
 msgstr "No Events found."

-#: src/pages/policies/BoundPoliciesList.ts:151
+#: src/pages/policies/BoundPoliciesList.ts:155
 msgid "No Policies bound."
 msgstr "No Policies bound."

@@ -1989,7 +1988,7 @@ msgstr "No form found"
 msgid "No matching events could be found."
 msgstr "No matching events could be found."

-#: src/pages/policies/BoundPoliciesList.ts:153
+#: src/pages/policies/BoundPoliciesList.ts:157
 msgid "No policies are currently bound to this object."
 msgstr "No policies are currently bound to this object."

@@ -2161,8 +2160,8 @@ msgstr "Optionally set the 'FriendlyName' value of the Assertion attribute."

 #: src/pages/flows/BoundStagesList.ts:38
 #: src/pages/flows/StageBindingForm.ts:110
-#: src/pages/policies/BoundPoliciesList.ts:38
-#: src/pages/policies/PolicyBindingForm.ts:203
+#: src/pages/policies/BoundPoliciesList.ts:42
+#: src/pages/policies/PolicyBindingForm.ts:204
 #: src/pages/stages/prompt/PromptForm.ts:119
 #: src/pages/stages/prompt/PromptListPage.ts:49
 msgid "Order"
@@ -2199,7 +2198,7 @@ msgstr "Outposts are deployments of authentik components to support different en
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:56
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:58
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:56
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:55
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:56
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:58
 #: src/pages/users/UserViewPage.ts:74
 msgid "Overview"
@@ -2219,7 +2218,7 @@ msgid "Pass policy?"
 msgstr "Pass policy?"

 #: src/pages/events/EventInfo.ts:173
-#: src/pages/policies/PolicyTestForm.ts:35
+#: src/pages/policies/PolicyTestForm.ts:36
 msgid "Passing"
 msgstr "Passing"

@@ -2254,7 +2253,6 @@ msgid "Please enter your password"
 msgstr "Please enter your password"

 #: src/interfaces/AdminInterface.ts:26
-#: src/pages/admin-overview/AdminOverviewPage.ts:48
 #: src/pages/flows/FlowListPage.ts:50
 #: src/pages/policies/PolicyListPage.ts:38
 msgid "Policies"
@@ -2264,24 +2262,28 @@ msgstr "Policies"
 msgid "Policies without binding exist."
 msgstr "Policies without binding exist."

-#: src/pages/policies/PolicyBindingForm.ts:124
-#: src/pages/policies/PolicyBindingForm.ts:147
+#: src/pages/policies/PolicyBindingForm.ts:108
+#: src/pages/policies/PolicyBindingForm.ts:117
+#: src/pages/policies/PolicyBindingForm.ts:148
 #: src/pages/policies/PolicyListPage.ts:108
 msgid "Policy"
 msgstr "Policy"

-#: src/pages/policies/BoundPoliciesList.ts:36
+#: src/pages/applications/ApplicationViewPage.ts:134
+#: src/pages/flows/FlowViewPage.ts:101
+msgid "Policy / Group / User Bindings"
+msgstr "Policy / Group / User Bindings"
+
+#: src/pages/policies/BoundPoliciesList.ts:40
 msgid "Policy / User / Group"
 msgstr "Policy / User / Group"

-#: src/pages/applications/ApplicationViewPage.ts:134
-#: src/pages/flows/FlowViewPage.ts:101
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:143
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:144
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:150
 msgid "Policy Bindings"
 msgstr "Policy Bindings"

-#: src/pages/policies/BoundPoliciesList.ts:138
+#: src/pages/policies/BoundPoliciesList.ts:142
 msgid "Policy binding"
 msgstr "Policy binding"

@@ -2292,7 +2294,7 @@ msgstr "Policy binding"
 msgid "Policy engine mode"
 msgstr "Policy engine mode"

-#: src/pages/policies/BoundPoliciesList.ts:46
+#: src/pages/policies/BoundPoliciesList.ts:50
 msgid "Policy {0}"
 msgstr "Policy {0}"

@@ -2318,7 +2320,7 @@ msgstr "Post binding"
 msgid "Post binding (auto-submit)"
 msgstr "Post binding (auto-submit)"

-#: src/flows/FlowExecutor.ts:252
+#: src/flows/FlowExecutor.ts:255
 msgid "Powered by authentik"
 msgstr "Powered by authentik"

@@ -2399,7 +2401,7 @@ msgid "Provider"
 msgstr "Provider"

 #: src/pages/applications/ApplicationListPage.ts:61
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:71
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:72
 msgid "Provider Type"
 msgstr "Provider Type"

@@ -2408,13 +2410,16 @@ msgid "Provider type"
 msgstr "Provider type"

 #: src/interfaces/AdminInterface.ts:20
-#: src/pages/admin-overview/AdminOverviewPage.ts:46
 #: src/pages/outposts/OutpostForm.ts:82
 #: src/pages/outposts/OutpostListPage.ts:51
 #: src/pages/providers/ProviderListPage.ts:34
 msgid "Providers"
 msgstr "Providers"

+#: src/pages/admin-overview/AdminOverviewPage.ts:46
+msgid "Providers without application"
+msgstr "Providers without application"
+
 #: src/pages/outposts/OutpostForm.ts:57
 msgid "Proxy"
 msgstr "Proxy"
@@ -2435,7 +2440,7 @@ msgstr "Public key, acquired from https://www.google.com/recaptcha/intro/v3.html
 msgid "Publisher"
 msgstr "Publisher"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147
 msgid "RS256 (Asymmetric Encryption)"
 msgstr "RS256 (Asymmetric Encryption)"

@@ -2507,7 +2512,7 @@ msgstr "Refresh Code"
 msgid "Register device"
 msgstr "Register device"

-#: src/pages/providers/proxy/ProxyProviderForm.ts:151
+#: src/pages/providers/proxy/ProxyProviderForm.ts:153
 msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
 msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."

@@ -2556,7 +2561,7 @@ msgid "Resources"
 msgstr "Resources"

 #: src/pages/events/EventInfo.ts:171
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:34
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:36
 msgid "Result"
 msgstr "Result"

@@ -2569,7 +2574,7 @@ msgstr "Retry Task"
 msgid "Retry authentication"
 msgstr "Retry authentication"

-#: src/flows/FlowExecutor.ts:142
+#: src/flows/FlowExecutor.ts:145
 msgid "Return"
 msgstr "Return"

@@ -2632,7 +2637,7 @@ msgstr "SMTP Username"
 msgid "SSO URL"
 msgstr "SSO URL"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:238
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237
 msgid "Same identifier is used for all providers"
 msgstr "Same identifier is used for all providers"

@@ -2646,7 +2651,7 @@ msgstr "Scope which the client can specify to access these properties."

 #: src/elements/oauth/UserCodeList.ts:31
 #: src/elements/oauth/UserRefreshList.ts:31
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:155
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156
 msgid "Scopes"
 msgstr "Scopes"

@@ -2658,10 +2663,10 @@ msgstr "Search..."
 msgid "Secret:"
 msgstr "Secret:"

-#: src/pages/policies/expression/ExpressionPolicyForm.ts:86
-#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:72
-#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:82
-#: src/pages/property-mappings/PropertyMappingScopeForm.ts:79
+#: src/pages/policies/expression/ExpressionPolicyForm.ts:87
+#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:73
+#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:83
+#: src/pages/property-mappings/PropertyMappingScopeForm.ts:80
 msgid "See documentation for a list of all variables."
 msgstr "See documentation for a list of all variables."

@@ -2750,19 +2755,19 @@ msgstr "Session not valid on or after current time + this value (Format: hours=1
 msgid "Session valid not on or after"
 msgstr "Session valid not on or after"

-#: src/pages/providers/proxy/ProxyProviderForm.ts:161
+#: src/pages/providers/proxy/ProxyProviderForm.ts:163
 msgid "Set HTTP-Basic Authentication"
 msgstr "Set HTTP-Basic Authentication"

-#: src/pages/providers/proxy/ProxyProviderForm.ts:164
+#: src/pages/providers/proxy/ProxyProviderForm.ts:166
 msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr "Set a custom HTTP-Basic Authentication header based on values from authentik."

 #: src/pages/groups/GroupForm.ts:139
 #: src/pages/outposts/OutpostForm.ts:109
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts:73
-#: src/pages/policies/PolicyTestForm.ts:78
-#: src/pages/users/UserForm.ts:81
+#: src/pages/policies/PolicyTestForm.ts:79
+#: src/pages/users/UserForm.ts:82
 msgid "Set custom attributes using YAML or JSON."
 msgstr "Set custom attributes using YAML or JSON."

@@ -2804,7 +2809,7 @@ msgstr "Signing keypair"
 msgid "Single Prompts that can be used for Prompt Stages."
 msgstr "Single Prompts that can be used for Prompt Stages."

-#: src/pages/providers/proxy/ProxyProviderForm.ts:148
+#: src/pages/providers/proxy/ProxyProviderForm.ts:150
 msgid "Skip path regex"
 msgstr "Skip path regex"

@@ -2817,7 +2822,7 @@ msgstr "Skip path regex"
 msgid "Slug"
 msgstr "Slug"

-#: src/flows/FlowExecutor.ts:135
+#: src/flows/FlowExecutor.ts:138
 msgid "Something went wrong! Please try again later."
 msgstr "Something went wrong! Please try again later."

@@ -2942,7 +2947,7 @@ msgstr "Stop impersonation"
 msgid "Subject"
 msgstr "Subject"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:199
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
 msgid "Subject mode"
 msgstr "Subject mode"

@@ -2971,7 +2976,7 @@ msgid "Successfully created application."
 msgstr "Successfully created application."

 #: src/pages/flows/StageBindingForm.ts:39
-#: src/pages/policies/PolicyBindingForm.ts:72
+#: src/pages/policies/PolicyBindingForm.ts:64
 msgid "Successfully created binding."
 msgstr "Successfully created binding."

@@ -3089,8 +3094,8 @@ msgstr "Successfully imported flow."
 msgid "Successfully imported provider."
 msgstr "Successfully imported provider."

-#: src/pages/policies/PolicyTestForm.ts:29
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:29
+#: src/pages/policies/PolicyTestForm.ts:30
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:31
 msgid "Successfully sent test-request."
 msgstr "Successfully sent test-request."

@@ -3099,7 +3104,7 @@ msgid "Successfully updated application."
 msgstr "Successfully updated application."

 #: src/pages/flows/StageBindingForm.ts:36
-#: src/pages/policies/PolicyBindingForm.ts:69
+#: src/pages/policies/PolicyBindingForm.ts:61
 msgid "Successfully updated binding."
 msgstr "Successfully updated binding."

@@ -3301,35 +3306,43 @@ msgstr "Text: Simple Text input"
 msgid "The URL \"{0}\" was not found."
 msgstr "The URL \"{0}\" was not found."

+#: src/pages/providers/proxy/ProxyProviderForm.ts:123
+msgid "The external URL you'll access the outpost at."
+msgstr "The external URL you'll access the outpost at."
+
 #: src/pages/policies/dummy/DummyPolicyForm.ts:90
 msgid "The policy takes a random time to execute. This controls the minimum time it will take."
 msgstr "The policy takes a random time to execute. This controls the minimum time it will take."

+#: src/pages/flows/BoundStagesList.ts:102
+msgid "These bindings control if this stage will be applied to the flow."
+msgstr "These bindings control if this stage will be applied to the flow."
+
 #: src/pages/events/RuleListPage.ts:109
 msgid ""
-"These policies control upon which events this rule triggers. Bindings to\n"
+"These bindings control upon which events this rule triggers. Bindings to\n"
 "groups/users are checked against the user of the event."
 msgstr ""
-"These policies control upon which events this rule triggers. Bindings to\n"
+"These bindings control upon which events this rule triggers. Bindings to\n"
 "groups/users are checked against the user of the event."

-#: src/pages/flows/BoundStagesList.ts:102
-msgid "These policies control when this stage will be applied to the flow."
-msgstr "These policies control when this stage will be applied to the flow."
+#: src/pages/flows/FlowViewPage.ts:103
+msgid "These bindings control which users can access this flow."
+msgstr "These bindings control which users can access this flow."
+
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:146
+#: src/pages/sources/saml/SAMLSourceViewPage.ts:152
+msgid ""
+"These bindings control which users can access this source.\n"
+"You can only use policies here as access is checked before the user is authenticated."
+msgstr ""
+"These bindings control which users can access this source.\n"
+"You can only use policies here as access is checked before the user is authenticated."

 #: src/pages/applications/ApplicationViewPage.ts:136
 msgid "These policies control which users can access this application."
 msgstr "These policies control which users can access this application."

-#: src/pages/flows/FlowViewPage.ts:103
-msgid "These policies control which users can access this flow."
-msgstr "These policies control which users can access this flow."
-
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:145
-#: src/pages/sources/saml/SAMLSourceViewPage.ts:152
-msgid "These policies control which users can access this source."
-msgstr "These policies control which users can access this source."
-
 #: src/pages/stages/invitation/InvitationStageForm.ts:53
 msgid "This stage can be included in enrollment flows to accept invitations."
 msgstr "This stage can be included in enrollment flows to accept invitations."
@@ -3354,8 +3367,8 @@ msgstr "Time offset when temporary users should be deleted. This only applies if
 msgid "Time-based One-Time Passwords"
 msgstr "Time-based One-Time Passwords"

-#: src/pages/policies/BoundPoliciesList.ts:39
-#: src/pages/policies/PolicyBindingForm.ts:209
+#: src/pages/policies/BoundPoliciesList.ts:43
+#: src/pages/policies/PolicyBindingForm.ts:210
 #: src/pages/stages/email/EmailStageForm.ts:101
 msgid "Timeout"
 msgstr "Timeout"
@@ -3370,7 +3383,7 @@ msgid "Token"
 msgstr "Token"

 #: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:174
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:103
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:104
 msgid "Token URL"
 msgstr "Token URL"

@@ -3382,7 +3395,7 @@ msgstr "Token count"
 msgid "Token expiry"
 msgstr "Token expiry"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:135
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
 msgid "Token validity"
 msgstr "Token validity"

@@ -3453,6 +3466,10 @@ msgstr "URL used by authentik to retrieve tokens."
 msgid "URL used to request the initial token. This URL is only required for OAuth 1."
 msgstr "URL used to request the initial token. This URL is only required for OAuth 1."

+#: src/pages/admin-overview/AdminOverviewPage.ts:48
+msgid "Unbound policies"
+msgstr "Unbound policies"
+
 #: src/pages/flows/FlowForm.ts:73
 msgid "Unenrollment"
 msgstr "Unenrollment"
@@ -3477,13 +3494,13 @@ msgstr "Up-to-date!"
 #: src/pages/flows/BoundStagesList.ts:53
 #: src/pages/flows/BoundStagesList.ts:71
 #: src/pages/flows/FlowListPage.ts:66
-#: src/pages/groups/GroupListPage.ts:62
+#: src/pages/groups/GroupListPage.ts:61
 #: src/pages/outposts/OutpostListPage.ts:67
 #: src/pages/outposts/ServiceConnectionListPage.ts:76
-#: src/pages/policies/BoundPoliciesList.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:84
-#: src/pages/policies/BoundPoliciesList.ts:99
-#: src/pages/policies/BoundPoliciesList.ts:125
+#: src/pages/policies/BoundPoliciesList.ts:68
+#: src/pages/policies/BoundPoliciesList.ts:88
+#: src/pages/policies/BoundPoliciesList.ts:103
+#: src/pages/policies/BoundPoliciesList.ts:129
 #: src/pages/policies/PolicyListPage.ts:77
 #: src/pages/property-mappings/PropertyMappingListPage.ts:66
 #: src/pages/providers/ProviderListPage.ts:73
@@ -3492,7 +3509,7 @@ msgstr "Up-to-date!"
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:111
 #: src/pages/sources/SourcesListPage.ts:69
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:95
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:114
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:115
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:101
 #: src/pages/stages/StageListPage.ts:85
 #: src/pages/stages/prompt/PromptListPage.ts:67
@@ -3512,7 +3529,7 @@ msgstr "Update"
 msgid "Update Application"
 msgstr "Update Application"

-#: src/pages/policies/BoundPoliciesList.ts:128
+#: src/pages/policies/BoundPoliciesList.ts:132
 msgid "Update Binding"
 msgstr "Update Binding"

@@ -3524,8 +3541,8 @@ msgstr "Update Certificate-Key Pair"
 msgid "Update Flow"
 msgstr "Update Flow"

-#: src/pages/groups/GroupListPage.ts:65
-#: src/pages/policies/BoundPoliciesList.ts:87
+#: src/pages/groups/GroupListPage.ts:64
+#: src/pages/policies/BoundPoliciesList.ts:91
 msgid "Update Group"
 msgstr "Update Group"

@@ -3541,7 +3558,7 @@ msgstr "Update Notification Rule"
 msgid "Update Notification Transport"
 msgstr "Update Notification Transport"

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:117
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:118
 msgid "Update OAuth Source"
 msgstr "Update OAuth Source"

@@ -3577,7 +3594,7 @@ msgstr "Update Stage binding"
 msgid "Update Token"
 msgstr "Update Token"

-#: src/pages/policies/BoundPoliciesList.ts:102
+#: src/pages/policies/BoundPoliciesList.ts:106
 #: src/pages/users/UserListPage.ts:71
 #: src/pages/users/UserViewPage.ts:142
 msgid "Update User"
@@ -3589,7 +3606,7 @@ msgstr "Update details"

 #: src/pages/flows/BoundStagesList.ts:56
 #: src/pages/outposts/ServiceConnectionListPage.ts:79
-#: src/pages/policies/BoundPoliciesList.ts:67
+#: src/pages/policies/BoundPoliciesList.ts:71
 #: src/pages/policies/PolicyListPage.ts:80
 #: src/pages/property-mappings/PropertyMappingListPage.ts:69
 #: src/pages/providers/ProviderListPage.ts:76
@@ -3599,6 +3616,10 @@ msgstr "Update details"
 msgid "Update {0}"
 msgstr "Update {0}"

+#: src/pages/providers/proxy/ProxyProviderForm.ts:107
+msgid "Upstream host that the requests are forwarded to."
+msgstr "Upstream host that the requests are forwarded to."
+
 #: src/pages/stages/email/EmailStageForm.ts:96
 msgid "Use SSL"
 msgstr "Use SSL"
@@ -3623,10 +3644,10 @@ msgstr "Use global settings"
 #: src/elements/events/UserEvents.ts:36
 #: src/pages/events/EventInfo.ts:83
 #: src/pages/events/EventListPage.ts:44
-#: src/pages/policies/PolicyBindingForm.ts:140
-#: src/pages/policies/PolicyBindingForm.ts:176
-#: src/pages/policies/PolicyTestForm.ts:60
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:49
+#: src/pages/policies/PolicyBindingForm.ts:133
+#: src/pages/policies/PolicyBindingForm.ts:177
+#: src/pages/policies/PolicyTestForm.ts:61
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:51
 #: src/pages/tokens/TokenListPage.ts:45
 #: src/pages/user-settings/tokens/UserTokenList.ts:72
 #: src/pages/users/UserListPage.ts:88
@@ -3667,7 +3688,7 @@ msgstr "User object filter"
 msgid "User password writeback"
 msgstr "User password writeback"

-#: src/pages/policies/BoundPoliciesList.ts:52
+#: src/pages/policies/BoundPoliciesList.ts:56
 #: src/pages/users/UserViewPage.ts:63
 msgid "User {0}"
 msgstr "User {0}"
@@ -3722,11 +3743,11 @@ msgstr "Using flow"
 msgid "Using source"
 msgstr "Using source"

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:123
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:124
 msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
 msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."

-#: src/pages/providers/proxy/ProxyProviderForm.ts:115
+#: src/pages/providers/proxy/ProxyProviderForm.ts:116
 msgid "Validate SSL Certificates of upstream servers."
 msgstr "Validate SSL Certificates of upstream servers."

@@ -3841,7 +3862,7 @@ msgstr "When selected, incoming assertion's Signatures will be validated against
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
 msgstr "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."

-#: src/flows/FlowExecutor.ts:131
+#: src/flows/FlowExecutor.ts:134
 msgid "Whoops!"
 msgstr "Whoops!"

@@ -3866,11 +3887,11 @@ msgid "X509 Subject"
 msgstr "X509 Subject"

 #: src/pages/crypto/CertificateKeyPairListPage.ts:61
-#: src/pages/groups/GroupListPage.ts:58
+#: src/pages/groups/GroupListPage.ts:57
 #: src/pages/groups/MemberSelectModal.ts:57
 #: src/pages/outposts/ServiceConnectionListPage.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:118
-#: src/pages/policies/PolicyTestForm.ts:38
+#: src/pages/policies/BoundPoliciesList.ts:122
+#: src/pages/policies/PolicyTestForm.ts:39
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:105
 #: src/pages/tokens/TokenListPage.ts:56
 #: src/pages/user-settings/tokens/UserTokenList.ts:83
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -13,7 +13,7 @@ msgstr ""
 "Language-Team: \n"
 "Plural-Forms: \n"

-#: src/pages/policies/BoundPoliciesList.ts:55
+#: src/pages/policies/BoundPoliciesList.ts:59
 msgid "-"
 msgstr ""

@@ -64,7 +64,7 @@ msgstr ""
 msgid "API request failed"
 msgstr ""

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:87
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:88
 msgid "Access Key"
 msgstr ""

@@ -105,8 +105,8 @@ msgstr ""
 msgid "Additional user DN, prepended to the Base DN."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:131
-#: src/pages/providers/proxy/ProxyProviderForm.ts:128
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
+#: src/pages/providers/proxy/ProxyProviderForm.ts:130
 #: src/pages/providers/saml/SAMLProviderForm.ts:117
 #: src/pages/sources/saml/SAMLSourceForm.ts:134
 msgid "Advanced protocol settings"
@@ -125,7 +125,7 @@ msgstr ""
 msgid "Alert"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:153
 msgid "Algorithm used to sign the JWT Tokens."
 msgstr ""

@@ -255,7 +255,7 @@ msgstr ""
 msgid "Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or a any other string. If this property mapping is used for NameID Property, this field is discarded."
 msgstr ""

-#: src/pages/groups/GroupForm.ts:135
+#: src/pages/groups/GroupForm.ts:134
 #: src/pages/stages/invitation/InvitationForm.ts:52
 #: src/pages/users/UserForm.ts:77
 msgid "Attributes"
@@ -289,7 +289,7 @@ msgid "Authorization Code"
 msgstr ""

 #: src/pages/sources/oauth/OAuthSourceForm.ts:66
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:95
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:96
 msgid "Authorization URL"
 msgstr ""

@@ -338,19 +338,19 @@ msgstr ""
 msgid "Base DN"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:203
 msgid "Based on the Hashed User ID"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:210
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:209
 msgid "Based on the User's Email. This is recommended over the UPN method."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:212
 msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:207
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:206
 msgid "Based on the username"
 msgstr ""

@@ -401,7 +401,7 @@ msgstr ""
 msgid "Cached Policies"
 msgstr ""

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:79
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:80
 msgid "Callback URL"
 msgstr ""

@@ -422,7 +422,7 @@ msgid "Case insensitive matching"
 msgstr ""

 #: src/pages/crypto/CertificateKeyPairForm.ts:51
-#: src/pages/providers/proxy/ProxyProviderForm.ts:132
+#: src/pages/providers/proxy/ProxyProviderForm.ts:134
 msgid "Certificate"
 msgstr ""

@@ -468,7 +468,7 @@ msgstr ""
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:135
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:129
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:113
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:132
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:133
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:119
 #: src/pages/users/UserViewPage.ts:185
 msgid "Changelog"
@@ -590,7 +590,7 @@ msgstr ""
 msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:242
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:241
 msgid "Configure how the issuer field of the ID Token should be filled."
 msgstr ""

@@ -598,7 +598,7 @@ msgstr ""
 msgid "Configure settings relevant to your user profile."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:217
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:216
 msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
 msgstr ""

@@ -654,8 +654,8 @@ msgstr ""
 #: src/pages/events/EventInfo.ts:79
 #: src/pages/events/EventInfo.ts:148
 #: src/pages/events/EventInfo.ts:167
-#: src/pages/policies/PolicyTestForm.ts:74
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:63
+#: src/pages/policies/PolicyTestForm.ts:75
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:65
 msgid "Context"
 msgstr ""

@@ -702,15 +702,15 @@ msgstr ""
 #: src/pages/flows/BoundStagesList.ts:167
 #: src/pages/flows/FlowListPage.ts:109
 #: src/pages/flows/FlowListPage.ts:117
-#: src/pages/groups/GroupListPage.ts:91
-#: src/pages/groups/GroupListPage.ts:99
+#: src/pages/groups/GroupListPage.ts:90
+#: src/pages/groups/GroupListPage.ts:98
 #: src/pages/outposts/OutpostListPage.ts:101
 #: src/pages/outposts/OutpostListPage.ts:109
 #: src/pages/outposts/ServiceConnectionListPage.ts:110
 #: src/pages/outposts/ServiceConnectionListPage.ts:119
-#: src/pages/policies/BoundPoliciesList.ts:158
-#: src/pages/policies/BoundPoliciesList.ts:185
-#: src/pages/policies/BoundPoliciesList.ts:206
+#: src/pages/policies/BoundPoliciesList.ts:162
+#: src/pages/policies/BoundPoliciesList.ts:189
+#: src/pages/policies/BoundPoliciesList.ts:210
 #: src/pages/policies/PolicyListPage.ts:124
 #: src/pages/policies/PolicyListPage.ts:133
 #: src/pages/property-mappings/PropertyMappingListPage.ts:113
@@ -741,10 +741,10 @@ msgstr ""
 msgid "Create Application"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:161
-#: src/pages/policies/BoundPoliciesList.ts:166
-#: src/pages/policies/BoundPoliciesList.ts:209
-#: src/pages/policies/BoundPoliciesList.ts:214
+#: src/pages/policies/BoundPoliciesList.ts:165
+#: src/pages/policies/BoundPoliciesList.ts:170
+#: src/pages/policies/BoundPoliciesList.ts:213
+#: src/pages/policies/BoundPoliciesList.ts:218
 msgid "Create Binding"
 msgstr ""

@@ -756,7 +756,7 @@ msgstr ""
 msgid "Create Flow"
 msgstr ""

-#: src/pages/groups/GroupListPage.ts:94
+#: src/pages/groups/GroupListPage.ts:93
 msgid "Create Group"
 msgstr ""

@@ -780,7 +780,7 @@ msgstr ""
 msgid "Create Outpost"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:176
+#: src/pages/policies/BoundPoliciesList.ts:180
 msgid "Create Policy"
 msgstr ""

@@ -813,7 +813,7 @@ msgstr ""
 #: src/pages/applications/ApplicationForm.ts:123
 #: src/pages/flows/BoundStagesList.ts:149
 #: src/pages/outposts/ServiceConnectionListPage.ts:122
-#: src/pages/policies/BoundPoliciesList.ts:188
+#: src/pages/policies/BoundPoliciesList.ts:192
 #: src/pages/policies/PolicyListPage.ts:136
 #: src/pages/property-mappings/PropertyMappingListPage.ts:125
 #: src/pages/providers/ProviderListPage.ts:119
@@ -867,7 +867,7 @@ msgstr ""
 #: src/pages/events/RuleListPage.ts:82
 #: src/pages/events/TransportListPage.ts:86
 #: src/pages/flows/FlowListPage.ts:86
-#: src/pages/groups/GroupListPage.ts:82
+#: src/pages/groups/GroupListPage.ts:81
 #: src/pages/outposts/OutpostListPage.ts:87
 #: src/pages/outposts/ServiceConnectionListPage.ts:101
 #: src/pages/policies/PolicyListPage.ts:115
@@ -889,7 +889,7 @@ msgid "Delete Authorization Code"
 msgstr ""

 #: src/pages/flows/BoundStagesList.ts:91
-#: src/pages/policies/BoundPoliciesList.ts:145
+#: src/pages/policies/BoundPoliciesList.ts:149
 msgid "Delete Binding"
 msgstr ""

@@ -1002,7 +1002,7 @@ msgstr ""
 msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:235
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:234
 msgid "Each provider has a different issuer, based on the application slug."
 msgstr ""

@@ -1013,7 +1013,7 @@ msgstr ""
 #: src/pages/events/RuleListPage.ts:70
 #: src/pages/events/TransportListPage.ts:74
 #: src/pages/flows/FlowListPage.ts:74
-#: src/pages/groups/GroupListPage.ts:70
+#: src/pages/groups/GroupListPage.ts:69
 #: src/pages/outposts/OutpostListPage.ts:75
 #: src/pages/outposts/ServiceConnectionListPage.ts:89
 #: src/pages/policies/PolicyListPage.ts:90
@@ -1024,7 +1024,7 @@ msgstr ""
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:121
 #: src/pages/sources/SourcesListPage.ts:82
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:105
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:124
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:125
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:111
 #: src/pages/stages/StageListPage.ts:98
 #: src/pages/stages/prompt/PromptListPage.ts:75
@@ -1035,15 +1035,15 @@ msgid "Edit"
 msgstr ""

 #: src/pages/flows/BoundStagesList.ts:79
-#: src/pages/policies/BoundPoliciesList.ts:133
+#: src/pages/policies/BoundPoliciesList.ts:137
 msgid "Edit Binding"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:92
+#: src/pages/policies/BoundPoliciesList.ts:96
 msgid "Edit Group"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:77
+#: src/pages/policies/BoundPoliciesList.ts:81
 msgid "Edit Policy"
 msgstr ""

@@ -1051,7 +1051,7 @@ msgstr ""
 msgid "Edit Stage"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:107
+#: src/pages/policies/BoundPoliciesList.ts:111
 msgid "Edit User"
 msgstr ""

@@ -1071,7 +1071,7 @@ msgstr ""
 msgid "Email address"
 msgstr ""

-#: src/flows/stages/identification/IdentificationStage.ts:151
+#: src/flows/stages/identification/IdentificationStage.ts:150
 msgid "Email or Username"
 msgstr ""

@@ -1096,8 +1096,8 @@ msgstr ""
 msgid "Enable TOTP"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:37
-#: src/pages/policies/PolicyBindingForm.ts:198
+#: src/pages/policies/BoundPoliciesList.ts:41
+#: src/pages/policies/PolicyBindingForm.ts:199
 #: src/pages/sources/ldap/LDAPSourceForm.ts:69
 #: src/pages/sources/oauth/OAuthSourceForm.ts:115
 #: src/pages/sources/saml/SAMLSourceForm.ts:69
@@ -1239,10 +1239,10 @@ msgstr ""
 msgid "Expression"
 msgstr ""

-#: src/pages/policies/expression/ExpressionPolicyForm.ts:84
-#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:70
-#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:80
-#: src/pages/property-mappings/PropertyMappingScopeForm.ts:77
+#: src/pages/policies/expression/ExpressionPolicyForm.ts:85
+#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:71
+#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:81
+#: src/pages/property-mappings/PropertyMappingScopeForm.ts:78
 msgid "Expression using Python."
 msgstr ""

@@ -1254,7 +1254,7 @@ msgstr ""
 msgid "External Host"
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:118
+#: src/pages/providers/proxy/ProxyProviderForm.ts:119
 msgid "External host"
 msgstr ""

@@ -1374,7 +1374,7 @@ msgstr ""
 msgid "Forgot password?"
 msgstr ""

-#: src/flows/stages/identification/IdentificationStage.ts:125
+#: src/flows/stages/identification/IdentificationStage.ts:124
 msgid "Forgot username or password?"
 msgstr ""

@@ -1412,9 +1412,9 @@ msgid "Go to previous page"
 msgstr ""

 #: src/pages/events/RuleForm.ts:65
-#: src/pages/groups/GroupListPage.ts:75
-#: src/pages/policies/PolicyBindingForm.ts:132
-#: src/pages/policies/PolicyBindingForm.ts:160
+#: src/pages/groups/GroupListPage.ts:74
+#: src/pages/policies/PolicyBindingForm.ts:125
+#: src/pages/policies/PolicyBindingForm.ts:161
 msgid "Group"
 msgstr ""

@@ -1434,7 +1434,7 @@ msgstr ""
 msgid "Group users together and give them permissions based on the membership."
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:49
+#: src/pages/policies/BoundPoliciesList.ts:53
 msgid "Group {0}"
 msgstr ""

@@ -1443,7 +1443,7 @@ msgstr ""
 msgid "Groups"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:150
 msgid "HS256 (Symmetric Encryption)"
 msgstr ""

@@ -1468,7 +1468,7 @@ msgid "Hide managed mappings"
 msgstr ""

 #: src/pages/events/RuleForm.ts:93
-#: src/pages/groups/GroupForm.ts:132
+#: src/pages/groups/GroupForm.ts:131
 #: src/pages/outposts/OutpostForm.ts:98
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
 #: src/pages/providers/saml/SAMLProviderForm.ts:177
@@ -1544,11 +1544,11 @@ msgstr ""
 msgid "In case you can't access any other method."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:227
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
 msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:224
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:223
 msgid "Include claims in id_token"
 msgstr ""

@@ -1564,7 +1564,7 @@ msgstr ""
 msgid "Internal host"
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:112
+#: src/pages/providers/proxy/ProxyProviderForm.ts:113
 msgid "Internal host SSL Validation"
 msgstr ""

@@ -1592,15 +1592,15 @@ msgstr ""
 msgid "Issuer"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:230
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
 msgid "Issuer mode"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:142
 msgid "JWT Algorithm"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:196
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
 msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
 msgstr ""

@@ -1657,8 +1657,8 @@ msgid "Library"
 msgstr ""

 #: src/elements/table/Table.ts:120
-#: src/flows/FlowExecutor.ts:164
-#: src/flows/FlowExecutor.ts:210
+#: src/flows/FlowExecutor.ts:167
+#: src/flows/FlowExecutor.ts:213
 #: src/flows/access_denied/FlowAccessDenied.ts:27
 #: src/flows/stages/authenticator_static/AuthenticatorStaticStage.ts:43
 #: src/flows/stages/authenticator_totp/AuthenticatorTOTPStage.ts:33
@@ -1669,7 +1669,7 @@ msgstr ""
 #: src/flows/stages/consent/ConsentStage.ts:28
 #: src/flows/stages/dummy/DummyStage.ts:27
 #: src/flows/stages/email/EmailStage.ts:26
-#: src/flows/stages/identification/IdentificationStage.ts:134
+#: src/flows/stages/identification/IdentificationStage.ts:133
 #: src/flows/stages/password/PasswordStage.ts:31
 #: src/flows/stages/prompt/PromptStage.ts:126
 #: src/pages/applications/ApplicationViewPage.ts:43
@@ -1686,23 +1686,23 @@ msgstr ""
 #: src/pages/flows/StageBindingForm.ts:89
 #: src/pages/flows/StageBindingForm.ts:106
 #: src/pages/groups/GroupForm.ts:77
-#: src/pages/groups/GroupForm.ts:128
+#: src/pages/groups/GroupForm.ts:127
 #: src/pages/outposts/OutpostForm.ts:74
 #: src/pages/outposts/OutpostForm.ts:96
 #: src/pages/outposts/ServiceConnectionDockerForm.ts:87
 #: src/pages/outposts/ServiceConnectionDockerForm.ts:104
-#: src/pages/policies/PolicyBindingForm.ts:156
-#: src/pages/policies/PolicyBindingForm.ts:172
-#: src/pages/policies/PolicyBindingForm.ts:188
-#: src/pages/policies/PolicyTestForm.ts:70
+#: src/pages/policies/PolicyBindingForm.ts:157
+#: src/pages/policies/PolicyBindingForm.ts:173
+#: src/pages/policies/PolicyBindingForm.ts:189
+#: src/pages/policies/PolicyTestForm.ts:71
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:88
 #: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:59
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:61
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:194
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:193
 #: src/pages/providers/proxy/ProxyProviderForm.ts:92
-#: src/pages/providers/proxy/ProxyProviderForm.ts:143
+#: src/pages/providers/proxy/ProxyProviderForm.ts:145
 #: src/pages/providers/saml/SAMLProviderForm.ts:71
 #: src/pages/providers/saml/SAMLProviderForm.ts:133
 #: src/pages/providers/saml/SAMLProviderForm.ts:149
@@ -1744,7 +1744,7 @@ msgstr ""
 msgid "Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP."
 msgstr ""

-#: src/flows/stages/identification/IdentificationStage.ts:146
+#: src/flows/stages/identification/IdentificationStage.ts:145
 msgid "Login to continue to {0}."
 msgstr ""

@@ -1795,7 +1795,7 @@ msgid "Members"
 msgstr ""

 #: src/pages/events/EventInfo.ts:174
-#: src/pages/policies/PolicyTestForm.ts:43
+#: src/pages/policies/PolicyTestForm.ts:44
 #: src/pages/system-tasks/SystemTaskListPage.ts:80
 msgid "Messages"
 msgstr ""
@@ -1881,7 +1881,7 @@ msgstr ""
 #: src/pages/sources/ldap/LDAPSourceForm.ts:54
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:64
 #: src/pages/sources/oauth/OAuthSourceForm.ts:100
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:63
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:64
 #: src/pages/sources/saml/SAMLSourceForm.ts:54
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:66
 #: src/pages/stages/StageListPage.ts:65
@@ -1922,7 +1922,6 @@ msgid "NameID Property Mapping"
 msgstr ""

 #: src/flows/stages/identification/IdentificationStage.ts:119
-#: src/flows/stages/identification/IdentificationStage.ts:124
 msgid "Need an account?"
 msgstr ""

@@ -1931,11 +1930,11 @@ msgid "New version available!"
 msgstr ""

 #: src/pages/crypto/CertificateKeyPairListPage.ts:61
-#: src/pages/groups/GroupListPage.ts:58
+#: src/pages/groups/GroupListPage.ts:57
 #: src/pages/groups/MemberSelectModal.ts:57
 #: src/pages/outposts/ServiceConnectionListPage.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:118
-#: src/pages/policies/PolicyTestForm.ts:38
+#: src/pages/policies/BoundPoliciesList.ts:122
+#: src/pages/policies/PolicyTestForm.ts:39
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:108
 #: src/pages/tokens/TokenListPage.ts:56
 #: src/pages/user-settings/tokens/UserTokenList.ts:83
@@ -1952,7 +1951,7 @@ msgstr ""
 msgid "No Events found."
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:151
+#: src/pages/policies/BoundPoliciesList.ts:155
 msgid "No Policies bound."
 msgstr ""

@@ -1981,7 +1980,7 @@ msgstr ""
 msgid "No matching events could be found."
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:153
+#: src/pages/policies/BoundPoliciesList.ts:157
 msgid "No policies are currently bound to this object."
 msgstr ""

@@ -2153,8 +2152,8 @@ msgstr ""

 #: src/pages/flows/BoundStagesList.ts:38
 #: src/pages/flows/StageBindingForm.ts:110
-#: src/pages/policies/BoundPoliciesList.ts:38
-#: src/pages/policies/PolicyBindingForm.ts:203
+#: src/pages/policies/BoundPoliciesList.ts:42
+#: src/pages/policies/PolicyBindingForm.ts:204
 #: src/pages/stages/prompt/PromptForm.ts:119
 #: src/pages/stages/prompt/PromptListPage.ts:49
 msgid "Order"
@@ -2191,7 +2190,7 @@ msgstr ""
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:56
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:58
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:56
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:55
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:56
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:58
 #: src/pages/users/UserViewPage.ts:74
 msgid "Overview"
@@ -2211,7 +2210,7 @@ msgid "Pass policy?"
 msgstr ""

 #: src/pages/events/EventInfo.ts:173
-#: src/pages/policies/PolicyTestForm.ts:35
+#: src/pages/policies/PolicyTestForm.ts:36
 msgid "Passing"
 msgstr ""

@@ -2246,7 +2245,6 @@ msgid "Please enter your password"
 msgstr ""

 #: src/interfaces/AdminInterface.ts:26
-#: src/pages/admin-overview/AdminOverviewPage.ts:48
 #: src/pages/flows/FlowListPage.ts:50
 #: src/pages/policies/PolicyListPage.ts:38
 msgid "Policies"
@@ -2256,24 +2254,28 @@ msgstr ""
 msgid "Policies without binding exist."
 msgstr ""

-#: src/pages/policies/PolicyBindingForm.ts:124
-#: src/pages/policies/PolicyBindingForm.ts:147
+#: src/pages/policies/PolicyBindingForm.ts:108
+#: src/pages/policies/PolicyBindingForm.ts:117
+#: src/pages/policies/PolicyBindingForm.ts:148
 #: src/pages/policies/PolicyListPage.ts:108
 msgid "Policy"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:36
+#: src/pages/applications/ApplicationViewPage.ts:134
+#: src/pages/flows/FlowViewPage.ts:101
+msgid "Policy / Group / User Bindings"
+msgstr ""
+
+#: src/pages/policies/BoundPoliciesList.ts:40
 msgid "Policy / User / Group"
 msgstr ""

-#: src/pages/applications/ApplicationViewPage.ts:134
-#: src/pages/flows/FlowViewPage.ts:101
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:143
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:144
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:150
 msgid "Policy Bindings"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:138
+#: src/pages/policies/BoundPoliciesList.ts:142
 msgid "Policy binding"
 msgstr ""

@@ -2284,7 +2286,7 @@ msgstr ""
 msgid "Policy engine mode"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:46
+#: src/pages/policies/BoundPoliciesList.ts:50
 msgid "Policy {0}"
 msgstr ""

@@ -2310,7 +2312,7 @@ msgstr ""
 msgid "Post binding (auto-submit)"
 msgstr ""

-#: src/flows/FlowExecutor.ts:252
+#: src/flows/FlowExecutor.ts:255
 msgid "Powered by authentik"
 msgstr ""

@@ -2391,7 +2393,7 @@ msgid "Provider"
 msgstr ""

 #: src/pages/applications/ApplicationListPage.ts:61
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:71
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:72
 msgid "Provider Type"
 msgstr ""

@@ -2400,13 +2402,16 @@ msgid "Provider type"
 msgstr ""

 #: src/interfaces/AdminInterface.ts:20
-#: src/pages/admin-overview/AdminOverviewPage.ts:46
 #: src/pages/outposts/OutpostForm.ts:82
 #: src/pages/outposts/OutpostListPage.ts:51
 #: src/pages/providers/ProviderListPage.ts:34
 msgid "Providers"
 msgstr ""

+#: src/pages/admin-overview/AdminOverviewPage.ts:46
+msgid "Providers without application"
+msgstr ""
+
 #: src/pages/outposts/OutpostForm.ts:57
 msgid "Proxy"
 msgstr ""
@@ -2427,7 +2432,7 @@ msgstr ""
 msgid "Publisher"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:147
 msgid "RS256 (Asymmetric Encryption)"
 msgstr ""

@@ -2499,7 +2504,7 @@ msgstr ""
 msgid "Register device"
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:151
+#: src/pages/providers/proxy/ProxyProviderForm.ts:153
 msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
 msgstr ""

@@ -2548,7 +2553,7 @@ msgid "Resources"
 msgstr ""

 #: src/pages/events/EventInfo.ts:171
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:34
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:36
 msgid "Result"
 msgstr ""

@@ -2561,7 +2566,7 @@ msgstr ""
 msgid "Retry authentication"
 msgstr ""

-#: src/flows/FlowExecutor.ts:142
+#: src/flows/FlowExecutor.ts:145
 msgid "Return"
 msgstr ""

@@ -2624,7 +2629,7 @@ msgstr ""
 msgid "SSO URL"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:238
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:237
 msgid "Same identifier is used for all providers"
 msgstr ""

@@ -2638,7 +2643,7 @@ msgstr ""

 #: src/elements/oauth/UserCodeList.ts:31
 #: src/elements/oauth/UserRefreshList.ts:31
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:155
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:156
 msgid "Scopes"
 msgstr ""

@@ -2650,10 +2655,10 @@ msgstr ""
 msgid "Secret:"
 msgstr ""

-#: src/pages/policies/expression/ExpressionPolicyForm.ts:86
-#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:72
-#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:82
-#: src/pages/property-mappings/PropertyMappingScopeForm.ts:79
+#: src/pages/policies/expression/ExpressionPolicyForm.ts:87
+#: src/pages/property-mappings/PropertyMappingLDAPForm.ts:73
+#: src/pages/property-mappings/PropertyMappingSAMLForm.ts:83
+#: src/pages/property-mappings/PropertyMappingScopeForm.ts:80
 msgid "See documentation for a list of all variables."
 msgstr ""

@@ -2742,19 +2747,19 @@ msgstr ""
 msgid "Session valid not on or after"
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:161
+#: src/pages/providers/proxy/ProxyProviderForm.ts:163
 msgid "Set HTTP-Basic Authentication"
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:164
+#: src/pages/providers/proxy/ProxyProviderForm.ts:166
 msgid "Set a custom HTTP-Basic Authentication header based on values from authentik."
 msgstr ""

 #: src/pages/groups/GroupForm.ts:139
 #: src/pages/outposts/OutpostForm.ts:109
 #: src/pages/outposts/ServiceConnectionKubernetesForm.ts:73
-#: src/pages/policies/PolicyTestForm.ts:78
-#: src/pages/users/UserForm.ts:81
+#: src/pages/policies/PolicyTestForm.ts:79
+#: src/pages/users/UserForm.ts:82
 msgid "Set custom attributes using YAML or JSON."
 msgstr ""

@@ -2796,7 +2801,7 @@ msgstr ""
 msgid "Single Prompts that can be used for Prompt Stages."
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:148
+#: src/pages/providers/proxy/ProxyProviderForm.ts:150
 msgid "Skip path regex"
 msgstr ""

@@ -2809,7 +2814,7 @@ msgstr ""
 msgid "Slug"
 msgstr ""

-#: src/flows/FlowExecutor.ts:135
+#: src/flows/FlowExecutor.ts:138
 msgid "Something went wrong! Please try again later."
 msgstr ""

@@ -2934,7 +2939,7 @@ msgstr ""
 msgid "Subject"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:199
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
 msgid "Subject mode"
 msgstr ""

@@ -2963,7 +2968,7 @@ msgid "Successfully created application."
 msgstr ""

 #: src/pages/flows/StageBindingForm.ts:39
-#: src/pages/policies/PolicyBindingForm.ts:72
+#: src/pages/policies/PolicyBindingForm.ts:64
 msgid "Successfully created binding."
 msgstr ""

@@ -3081,8 +3086,8 @@ msgstr ""
 msgid "Successfully imported provider."
 msgstr ""

-#: src/pages/policies/PolicyTestForm.ts:29
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:29
+#: src/pages/policies/PolicyTestForm.ts:30
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:31
 msgid "Successfully sent test-request."
 msgstr ""

@@ -3091,7 +3096,7 @@ msgid "Successfully updated application."
 msgstr ""

 #: src/pages/flows/StageBindingForm.ts:36
-#: src/pages/policies/PolicyBindingForm.ts:69
+#: src/pages/policies/PolicyBindingForm.ts:61
 msgid "Successfully updated binding."
 msgstr ""

@@ -3293,33 +3298,39 @@ msgstr ""
 msgid "The URL \"{0}\" was not found."
 msgstr ""

+#: src/pages/providers/proxy/ProxyProviderForm.ts:123
+msgid "The external URL you'll access the outpost at."
+msgstr ""
+
 #: src/pages/policies/dummy/DummyPolicyForm.ts:90
 msgid "The policy takes a random time to execute. This controls the minimum time it will take."
 msgstr ""

+#: src/pages/flows/BoundStagesList.ts:102
+msgid "These bindings control if this stage will be applied to the flow."
+msgstr ""
+
 #: src/pages/events/RuleListPage.ts:109
 msgid ""
-"These policies control upon which events this rule triggers. Bindings to\n"
+"These bindings control upon which events this rule triggers. Bindings to\n"
 "groups/users are checked against the user of the event."
 msgstr ""

-#: src/pages/flows/BoundStagesList.ts:102
-msgid "These policies control when this stage will be applied to the flow."
+#: src/pages/flows/FlowViewPage.ts:103
+msgid "These bindings control which users can access this flow."
+msgstr ""
+
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:146
+#: src/pages/sources/saml/SAMLSourceViewPage.ts:152
+msgid ""
+"These bindings control which users can access this source.\n"
+"You can only use policies here as access is checked before the user is authenticated."
 msgstr ""

 #: src/pages/applications/ApplicationViewPage.ts:136
 msgid "These policies control which users can access this application."
 msgstr ""

-#: src/pages/flows/FlowViewPage.ts:103
-msgid "These policies control which users can access this flow."
-msgstr ""
-
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:145
-#: src/pages/sources/saml/SAMLSourceViewPage.ts:152
-msgid "These policies control which users can access this source."
-msgstr ""
-
 #: src/pages/stages/invitation/InvitationStageForm.ts:53
 msgid "This stage can be included in enrollment flows to accept invitations."
 msgstr ""
@@ -3344,8 +3355,8 @@ msgstr ""
 msgid "Time-based One-Time Passwords"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:39
-#: src/pages/policies/PolicyBindingForm.ts:209
+#: src/pages/policies/BoundPoliciesList.ts:43
+#: src/pages/policies/PolicyBindingForm.ts:210
 #: src/pages/stages/email/EmailStageForm.ts:101
 msgid "Timeout"
 msgstr ""
@@ -3360,7 +3371,7 @@ msgid "Token"
 msgstr ""

 #: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:174
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:103
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:104
 msgid "Token URL"
 msgstr ""

@@ -3372,7 +3383,7 @@ msgstr ""
 msgid "Token expiry"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:135
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:136
 msgid "Token validity"
 msgstr ""

@@ -3443,6 +3454,10 @@ msgstr ""
 msgid "URL used to request the initial token. This URL is only required for OAuth 1."
 msgstr ""

+#: src/pages/admin-overview/AdminOverviewPage.ts:48
+msgid "Unbound policies"
+msgstr ""
+
 #: src/pages/flows/FlowForm.ts:73
 msgid "Unenrollment"
 msgstr ""
@@ -3467,13 +3482,13 @@ msgstr ""
 #: src/pages/flows/BoundStagesList.ts:53
 #: src/pages/flows/BoundStagesList.ts:71
 #: src/pages/flows/FlowListPage.ts:66
-#: src/pages/groups/GroupListPage.ts:62
+#: src/pages/groups/GroupListPage.ts:61
 #: src/pages/outposts/OutpostListPage.ts:67
 #: src/pages/outposts/ServiceConnectionListPage.ts:76
-#: src/pages/policies/BoundPoliciesList.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:84
-#: src/pages/policies/BoundPoliciesList.ts:99
-#: src/pages/policies/BoundPoliciesList.ts:125
+#: src/pages/policies/BoundPoliciesList.ts:68
+#: src/pages/policies/BoundPoliciesList.ts:88
+#: src/pages/policies/BoundPoliciesList.ts:103
+#: src/pages/policies/BoundPoliciesList.ts:129
 #: src/pages/policies/PolicyListPage.ts:77
 #: src/pages/property-mappings/PropertyMappingListPage.ts:66
 #: src/pages/providers/ProviderListPage.ts:73
@@ -3482,7 +3497,7 @@ msgstr ""
 #: src/pages/providers/saml/SAMLProviderViewPage.ts:111
 #: src/pages/sources/SourcesListPage.ts:69
 #: src/pages/sources/ldap/LDAPSourceViewPage.ts:95
-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:114
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:115
 #: src/pages/sources/saml/SAMLSourceViewPage.ts:101
 #: src/pages/stages/StageListPage.ts:85
 #: src/pages/stages/prompt/PromptListPage.ts:67
@@ -3502,7 +3517,7 @@ msgstr ""
 msgid "Update Application"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:128
+#: src/pages/policies/BoundPoliciesList.ts:132
 msgid "Update Binding"
 msgstr ""

@@ -3514,8 +3529,8 @@ msgstr ""
 msgid "Update Flow"
 msgstr ""

-#: src/pages/groups/GroupListPage.ts:65
-#: src/pages/policies/BoundPoliciesList.ts:87
+#: src/pages/groups/GroupListPage.ts:64
+#: src/pages/policies/BoundPoliciesList.ts:91
 msgid "Update Group"
 msgstr ""

@@ -3531,7 +3546,7 @@ msgstr ""
 msgid "Update Notification Transport"
 msgstr ""

-#: src/pages/sources/oauth/OAuthSourceViewPage.ts:117
+#: src/pages/sources/oauth/OAuthSourceViewPage.ts:118
 msgid "Update OAuth Source"
 msgstr ""

@@ -3567,7 +3582,7 @@ msgstr ""
 msgid "Update Token"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:102
+#: src/pages/policies/BoundPoliciesList.ts:106
 #: src/pages/users/UserListPage.ts:71
 #: src/pages/users/UserViewPage.ts:142
 msgid "Update User"
@@ -3579,7 +3594,7 @@ msgstr ""

 #: src/pages/flows/BoundStagesList.ts:56
 #: src/pages/outposts/ServiceConnectionListPage.ts:79
-#: src/pages/policies/BoundPoliciesList.ts:67
+#: src/pages/policies/BoundPoliciesList.ts:71
 #: src/pages/policies/PolicyListPage.ts:80
 #: src/pages/property-mappings/PropertyMappingListPage.ts:69
 #: src/pages/providers/ProviderListPage.ts:76
@@ -3589,6 +3604,10 @@ msgstr ""
 msgid "Update {0}"
 msgstr ""

+#: src/pages/providers/proxy/ProxyProviderForm.ts:107
+msgid "Upstream host that the requests are forwarded to."
+msgstr ""
+
 #: src/pages/stages/email/EmailStageForm.ts:96
 msgid "Use SSL"
 msgstr ""
@@ -3613,10 +3632,10 @@ msgstr ""
 #: src/elements/events/UserEvents.ts:36
 #: src/pages/events/EventInfo.ts:83
 #: src/pages/events/EventListPage.ts:44
-#: src/pages/policies/PolicyBindingForm.ts:140
-#: src/pages/policies/PolicyBindingForm.ts:176
-#: src/pages/policies/PolicyTestForm.ts:60
-#: src/pages/property-mappings/PropertyMappingTestForm.ts:49
+#: src/pages/policies/PolicyBindingForm.ts:133
+#: src/pages/policies/PolicyBindingForm.ts:177
+#: src/pages/policies/PolicyTestForm.ts:61
+#: src/pages/property-mappings/PropertyMappingTestForm.ts:51
 #: src/pages/tokens/TokenListPage.ts:45
 #: src/pages/user-settings/tokens/UserTokenList.ts:72
 #: src/pages/users/UserListPage.ts:88
@@ -3657,7 +3676,7 @@ msgstr ""
 msgid "User password writeback"
 msgstr ""

-#: src/pages/policies/BoundPoliciesList.ts:52
+#: src/pages/policies/BoundPoliciesList.ts:56
 #: src/pages/users/UserViewPage.ts:63
 msgid "User {0}"
 msgstr ""
@@ -3712,11 +3731,11 @@ msgstr ""
 msgid "Using source"
 msgstr ""

-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:123
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:124
 msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
 msgstr ""

-#: src/pages/providers/proxy/ProxyProviderForm.ts:115
+#: src/pages/providers/proxy/ProxyProviderForm.ts:116
 msgid "Validate SSL Certificates of upstream servers."
 msgstr ""

@@ -3831,7 +3850,7 @@ msgstr ""
 msgid "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
 msgstr ""

-#: src/flows/FlowExecutor.ts:131
+#: src/flows/FlowExecutor.ts:134
 msgid "Whoops!"
 msgstr ""

@@ -3854,11 +3873,11 @@ msgid "X509 Subject"
 msgstr ""

 #: src/pages/crypto/CertificateKeyPairListPage.ts:61
-#: src/pages/groups/GroupListPage.ts:58
+#: src/pages/groups/GroupListPage.ts:57
 #: src/pages/groups/MemberSelectModal.ts:57
 #: src/pages/outposts/ServiceConnectionListPage.ts:64
-#: src/pages/policies/BoundPoliciesList.ts:118
-#: src/pages/policies/PolicyTestForm.ts:38
+#: src/pages/policies/BoundPoliciesList.ts:122
+#: src/pages/policies/PolicyTestForm.ts:39
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts:105
 #: src/pages/tokens/TokenListPage.ts:56
 #: src/pages/user-settings/tokens/UserTokenList.ts:83
--- a/web/src/pages/admin-overview/AdminOverviewPage.ts
+++ b/web/src/pages/admin-overview/AdminOverviewPage.ts
@@ -44,13 +44,13 @@ export class AdminOverviewPage extends LitElement {
                <ak-aggregate-card class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-server" header=${t`Apps with most usage`} style="grid-column-end: span 2;grid-row-end: span 3;">
                    <ak-top-applications-table></ak-top-applications-table>
                </ak-aggregate-card>
-                <ak-admin-status-card-provider class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-plugged" header=${t`Providers`} headerLink="#/core/providers/">
+                <ak-admin-status-card-provider class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-plugged" header=${t`Providers without application`} headerLink="#/core/providers">
                </ak-admin-status-card-provider>
-                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header=${t`Policies`} headerLink="#/policy/policies">
+                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header=${t`Unbound policies`} headerLink="#/policy/policies">
                </ak-admin-status-card-policy-unbound>
                <ak-admin-status-card-user-count class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-user" header=${t`Users`} headerLink="#/identity/users">
                </ak-admin-status-card-user-count>
-                <ak-admin-status-version class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-bundle" header=${t`Version`} headerLink="https://github.com/BeryJu/authentik/releases">
+                <ak-admin-status-version class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-bundle" header=${t`Version`} headerLink="https://github.com/goauthentik/authentik/releases">
                </ak-admin-status-version>
                <ak-admin-status-card-workers class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-server" header=${t`Workers`}>
                </ak-admin-status-card-workers>
--- a/web/src/pages/applications/ApplicationViewPage.ts
+++ b/web/src/pages/applications/ApplicationViewPage.ts
@@ -134,7 +134,7 @@ export class ApplicationViewPage extends LitElement {
                        </div>
                    </div>
                </section>
-                <div slot="page-policy-bindings" data-tab-title="${t`Policy Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
+                <div slot="page-policy-bindings" data-tab-title="${t`Policy / Group / User Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
                    <div class="pf-c-card">
                        <div class="pf-c-card__title">${t`These policies control which users can access this application.`}</div>
                        <ak-bound-policies-list .target=${this.application.pk}>
--- a/web/src/pages/events/EventInfo.ts
+++ b/web/src/pages/events/EventInfo.ts
@@ -190,7 +190,7 @@ export class EventInfo extends LitElement {
                <ak-expand>${this.defaultResponse()}</ak-expand>`;
        case "update_available":
            return html`<h3>${t`New version available!`}</h3>
-                <a target="_blank" href="https://github.com/BeryJu/authentik/releases/tag/version%2F${this.event.context.new_version}">${this.event.context.new_version}</a>
+                <a target="_blank" href="https://github.com/goauthentik/authentik/releases/tag/version%2F${this.event.context.new_version}">${this.event.context.new_version}</a>
                `;
        // Action types which typically don't record any extra context.
        // If context is not empty, we fall to the default response.
--- a/web/src/pages/events/RuleListPage.ts
+++ b/web/src/pages/events/RuleListPage.ts
@@ -108,7 +108,7 @@ export class RuleListPage extends TablePage<NotificationRule> {
        return html`
        <td role="cell" colspan="4">
            <div class="pf-c-table__expandable-row-content">
-                <p>${t`These policies control upon which events this rule triggers. Bindings to
+                <p>${t`These bindings control upon which events this rule triggers. Bindings to
                groups/users are checked against the user of the event.`}</p>
                <ak-bound-policies-list .target=${item.pk}>
                </ak-bound-policies-list>
--- a/web/src/pages/flows/BoundStagesList.ts
+++ b/web/src/pages/flows/BoundStagesList.ts
@@ -100,7 +100,7 @@ export class BoundStagesList extends Table<FlowStageBinding> {
        <td role="cell" colspan="3">
            <div class="pf-c-table__expandable-row-content">
                <div class="pf-c-content">
-                    <p>${t`These policies control when this stage will be applied to the flow.`}</p>
+                    <p>${t`These bindings control if this stage will be applied to the flow.`}</p>
                    <ak-bound-policies-list .target=${item.policybindingmodelPtrId}>
                    </ak-bound-policies-list>
                </div>
--- a/web/src/pages/flows/FlowViewPage.ts
+++ b/web/src/pages/flows/FlowViewPage.ts
@@ -104,9 +104,9 @@ export class FlowViewPage extends LitElement {
                        </div>
                    </div>
                </div>
-                <div slot="page-policy-bindings" data-tab-title="${t`Policy Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
+                <div slot="page-policy-bindings" data-tab-title="${t`Policy / Group / User Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
                    <div class="pf-c-card">
-                        <div class="pf-c-card__title">${t`These policies control which users can access this flow.`}</div>
+                        <div class="pf-c-card__title">${t`These bindings control which users can access this flow.`}</div>
                        <div class="pf-c-card__body">
                            <ak-bound-policies-list .target=${this.flow.policybindingmodelPtrId}>
                            </ak-bound-policies-list>
--- a/web/src/pages/groups/GroupForm.ts
+++ b/web/src/pages/groups/GroupForm.ts
@@ -73,7 +73,6 @@ export class GroupForm extends Form<Group> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Members`}
-                ?required=${true}
                name="users">
                <div class="pf-c-input-group">
                    <ak-group-member-select-table
@@ -121,6 +120,7 @@ export class GroupForm extends Form<Group> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Attributes`}
+                ?required=${true}
                name="attributes">
                <ak-codemirror mode="yaml" value="${YAML.stringify(first(this.group?.attributes, {}))}">
                </ak-codemirror>
--- a/web/src/pages/groups/GroupListPage.ts
+++ b/web/src/pages/groups/GroupListPage.ts
@@ -53,7 +53,7 @@ export class GroupListPage extends TablePage<Group> {
        return [
            html`${item.name}`,
            html`${item.parent || "-"}`,
-            html`${item.users?.keys.length}`,
+            html`${Array.from(item.users || []).length}`,
            html`${item.isSuperuser ? t`Yes` : t`No`}`,
            html`
            <ak-forms-modal>
--- a/web/src/pages/outposts/ServiceConnectionDockerForm.ts
+++ b/web/src/pages/outposts/ServiceConnectionDockerForm.ts
@@ -70,7 +70,6 @@ export class ServiceConnectionDockerForm extends Form<DockerServiceConnection> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`TLS Verification Certificate`}
-                ?required=${true}
                name="tlsVerification">
                <select class="pf-c-form-control">
                    <option value="" ?selected=${this.sc?.tlsVerification === undefined}>---------</option>
@@ -86,7 +85,6 @@ export class ServiceConnectionDockerForm extends Form<DockerServiceConnection> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`TLS Authentication Certificate`}
-                ?required=${true}
                name="tlsAuthentication">
                <select class="pf-c-form-control">
                    <option value="" ?selected=${this.sc?.tlsAuthentication === undefined}>---------</option>
--- a/web/src/pages/policies/BoundPoliciesList.ts
+++ b/web/src/pages/policies/BoundPoliciesList.ts
@@ -25,6 +25,9 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
    @property()
    target?: string;

+    @property({type: Boolean})
+    policyOnly = false;
+
    apiEndpoint(page: number): Promise<AKResponse<PolicyBinding>> {
        return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsList({
            target: this.target || "",
@@ -125,7 +128,7 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
                <span slot="header">
                    ${t`Update Binding`}
                </span>
-                <ak-policy-binding-form slot="form" .binding=${item} targetPk=${ifDefined(this.target)}>
+                <ak-policy-binding-form slot="form" .binding=${item} targetPk=${ifDefined(this.target)} ?policyOnly=${this.policyOnly}>
                </ak-policy-binding-form>
                <button slot="trigger" class="pf-c-button pf-m-secondary">
                    ${t`Edit Binding`}
@@ -159,7 +162,7 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
                    <span slot="header">
                        ${t`Create Binding`}
                    </span>
-                    <ak-policy-binding-form slot="form" targetPk=${ifDefined(this.target)}>
+                    <ak-policy-binding-form slot="form" targetPk=${ifDefined(this.target)} ?policyOnly=${this.policyOnly}>
                    </ak-policy-binding-form>
                    <button slot="trigger" class="pf-c-button pf-m-primary">
                        ${t`Create Binding`}
@@ -208,7 +211,7 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
            <span slot="header">
                ${t`Create Binding`}
            </span>
-            <ak-policy-binding-form slot="form" targetPk=${ifDefined(this.target)}>
+            <ak-policy-binding-form slot="form" targetPk=${ifDefined(this.target)} ?policyOnly=${this.policyOnly}>
            </ak-policy-binding-form>
            <button slot="trigger" class="pf-c-button pf-m-secondary">
                ${t`Create Binding`}
--- a/web/src/pages/policies/PolicyBindingForm.ts
+++ b/web/src/pages/policies/PolicyBindingForm.ts
@@ -44,6 +44,9 @@ export class PolicyBindingForm extends Form<PolicyBinding> {
    @property({type: Number})
    policyGroupUser: target = target.policy;

+    @property({type: Boolean})
+    policyOnly = false;
+
    getSuccessMessage(): string {
        if (this.binding) {
            return t`Successfully updated binding.`;
@@ -60,10 +63,6 @@ export class PolicyBindingForm extends Form<PolicyBinding> {
        `);
    }

-    async customValidate(form: PolicyBinding): Promise<PolicyBinding> {
-        return form;
-    }
-
    send = (data: PolicyBinding): Promise<PolicyBinding> => {
        if (this.binding) {
            return new PoliciesApi(DEFAULT_CONFIG).policiesBindingsUpdate({
@@ -105,34 +104,49 @@ export class PolicyBindingForm extends Form<PolicyBinding> {
        });
    }

+    renderModeSelector(): TemplateResult {
+        console.log(this.policyOnly);
+        if (this.policyOnly) {
+            this.policyGroupUser = target.policy;
+            return html`
+                <div class="pf-c-toggle-group__item">
+                    <button class="pf-c-toggle-group__button pf-m-selected" type="button">
+                        <span class="pf-c-toggle-group__text">${t`Policy`}</span>
+                    </button>
+                </div>`;
+        }
+        return html`
+            <div class="pf-c-toggle-group__item">
+                <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.policy ? "pf-m-selected": ""}" type="button" @click=${() => {
+                    this.policyGroupUser = target.policy;
+                }}>
+                    <span class="pf-c-toggle-group__text">${t`Policy`}</span>
+                </button>
+            </div>
+            <div class="pf-c-divider pf-m-vertical" role="separator"></div>
+            <div class="pf-c-toggle-group__item">
+                <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.group ? "pf-m-selected" : ""}" type="button" @click=${() => {
+                    this.policyGroupUser = target.group;
+                }}>
+                    <span class="pf-c-toggle-group__text">${t`Group`}</span>
+                </button>
+            </div>
+            <div class="pf-c-divider pf-m-vertical" role="separator"></div>
+            <div class="pf-c-toggle-group__item">
+                <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.user ? "pf-m-selected" : ""}" type="button" @click=${() => {
+                    this.policyGroupUser = target.user;
+                }}>
+                    <span class="pf-c-toggle-group__text">${t`User`}</span>
+                </button>
+            </div>`;
+    }
+
    renderForm(): TemplateResult {
        return html`<form class="pf-c-form pf-m-horizontal">
            <div class="pf-c-card pf-m-selectable pf-m-selected">
                <div class="pf-c-card__body">
                    <div class="pf-c-toggle-group">
-                        <div class="pf-c-toggle-group__item">
-                            <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.policy ? "pf-m-selected": ""}" type="button" @click=${() => {
-                                this.policyGroupUser = target.policy;
-                            }}>
-                                <span class="pf-c-toggle-group__text">${t`Policy`}</span>
-                            </button>
-                        </div>
-                        <div class="pf-c-divider pf-m-vertical" role="separator"></div>
-                        <div class="pf-c-toggle-group__item">
-                            <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.group ? "pf-m-selected" : ""}" type="button" @click=${() => {
-                                this.policyGroupUser = target.group;
-                            }}>
-                                <span class="pf-c-toggle-group__text">${t`Group`}</span>
-                            </button>
-                        </div>
-                        <div class="pf-c-divider pf-m-vertical" role="separator"></div>
-                        <div class="pf-c-toggle-group__item">
-                            <button class="pf-c-toggle-group__button ${this.policyGroupUser === target.user ? "pf-m-selected" : ""}" type="button" @click=${() => {
-                                this.policyGroupUser = target.user;
-                            }}>
-                                <span class="pf-c-toggle-group__text">${t`User`}</span>
-                            </button>
-                        </div>
+                        ${this.renderModeSelector()}
                    </div>
                </div>
                <div class="pf-c-card__footer">
--- a/web/src/pages/policies/expression/ExpressionPolicyForm.ts
+++ b/web/src/pages/policies/expression/ExpressionPolicyForm.ts
@@ -74,6 +74,7 @@ export class ExpressionPolicyForm extends Form<ExpressionPolicy> {
                <div slot="body" class="pf-c-form">
                    <ak-form-element-horizontal
                        label=${t`Expression`}
+                        ?required=${true}
                        name="expression">
                        <ak-codemirror mode="python" value="${ifDefined(this.policy?.expression)}">
                        </ak-codemirror>
--- a/web/src/pages/property-mappings/PropertyMappingLDAPForm.ts
+++ b/web/src/pages/property-mappings/PropertyMappingLDAPForm.ts
@@ -60,6 +60,7 @@ export class PropertyMappingLDAPForm extends Form<LDAPPropertyMapping> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Expression`}
+                ?required=${true}
                name="expression">
                <ak-codemirror mode="python" value="${ifDefined(this.mapping?.expression)}">
                </ak-codemirror>
--- a/web/src/pages/property-mappings/PropertyMappingSAMLForm.ts
+++ b/web/src/pages/property-mappings/PropertyMappingSAMLForm.ts
@@ -70,6 +70,7 @@ export class PropertyMappingLDAPForm extends Form<SAMLPropertyMapping> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Expression`}
+                ?required=${true}
                name="expression">
                <ak-codemirror mode="python" value="${ifDefined(this.mapping?.expression)}">
                </ak-codemirror>
--- a/web/src/pages/property-mappings/PropertyMappingScopeForm.ts
+++ b/web/src/pages/property-mappings/PropertyMappingScopeForm.ts
@@ -67,6 +67,7 @@ export class PropertyMappingScopeForm extends Form<ScopeMapping> {
            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Expression`}
+                ?required=${true}
                name="expression">
                <ak-codemirror mode="python" value="${ifDefined(this.mapping?.expression)}">
                </ak-codemirror>
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -114,8 +114,9 @@ export class OAuth2ProviderFormPage extends Form<OAuth2Provider> {
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Redirect URIs/Origins`}
+                        ?required=${true}
                        name="redirectUris">
-                        <textarea class="pf-c-form-control">${this.provider?.redirectUris}</textarea>
+                        <textarea class="pf-c-form-control" required>${this.provider?.redirectUris}</textarea>
                        <p class="pf-c-form__helper-text">
                            ${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
                        </p>
@@ -150,7 +151,6 @@ export class OAuth2ProviderFormPage extends Form<OAuth2Provider> {
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Scopes`}
-                        ?required=${true}
                        name="propertyMappings">
                        <select class="pf-c-form-control" multiple>
                            ${until(new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsScopeList({
@@ -174,7 +174,6 @@ export class OAuth2ProviderFormPage extends Form<OAuth2Provider> {
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`RSA Key`}
-                        ?required=${true}
                        name="rsaKey">
                        <select class="pf-c-form-control">
                            <option value="" ?selected=${this.provider?.rsaKey === undefined}>---------</option>
--- a/web/src/pages/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderForm.ts
@@ -102,6 +102,7 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
                        ?required=${true}
                        name="internalHost">
                        <input type="text" value="${ifDefined(this.provider?.internalHost)}" class="pf-c-form-control" required>
+                        <p class="pf-c-form__helper-text">${t`Upstream host that the requests are forwarded to.`}</p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal name="internalHostSslValidation">
                        <div class="pf-c-check">
@@ -117,6 +118,7 @@ export class ProxyProviderFormPage extends Form<ProxyProvider> {
                        ?required=${true}
                        name="externalHost">
                        <input type="text" value="${ifDefined(this.provider?.externalHost)}" class="pf-c-form-control" required>
+                        <p class="pf-c-form__helper-text">${t`The external URL you'll access the outpost at.`}</p>
                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
--- a/web/src/pages/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/pages/sources/oauth/OAuthSourceForm.ts
@@ -196,7 +196,7 @@ export class OAuthSourceForm extends Form<OAuthSource> {
                            }).then(flows => {
                                return flows.results.map(flow => {
                                    let selected = this.source?.authenticationFlow === flow.pk;
-                                    if (!this.source?.authenticationFlow && flow.slug === "default-source-authentication") {
+                                    if (!this.source?.pk && !this.source?.authenticationFlow && flow.slug === "default-source-authentication") {
                                        selected = true;
                                    }
                                    return html`<option value=${ifDefined(flow.pk)} ?selected=${selected}>${flow.name} (${flow.slug})</option>`;
@@ -216,7 +216,7 @@ export class OAuthSourceForm extends Form<OAuthSource> {
                            }).then(flows => {
                                return flows.results.map(flow => {
                                    let selected = this.source?.enrollmentFlow === flow.pk;
-                                    if (!this.source?.enrollmentFlow && flow.slug === "default-source-enrollment") {
+                                    if (!this.source?.pk && !this.source?.enrollmentFlow && flow.slug === "default-source-enrollment") {
                                        selected = true;
                                    }
                                    return html`<option value=${ifDefined(flow.pk)} ?selected=${selected}>${flow.name} (${flow.slug})</option>`;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	4e5eeacf0a	release: 2021.4.5	2021-04-29 23:03:09 +02:00
Jens Langhammer	d1d28722d2	lib: don't send 404 errors to sentry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-29 15:27:41 +02:00
Jens Langhammer	a6e528d209	core: fix text color of error pages not being white Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-29 15:18:28 +02:00
Jens Langhammer	2c70301f56	stages/invitation: accept token from prompt_data Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:43:40 +02:00
Jens Langhammer	07b9923bf6	stages/invitation: fix token not being loaded correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:43:40 +02:00
Jens Langhammer	8b3923200d	web: fix text-colour for form help text Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:43:40 +02:00
Jens Langhammer	3dcd67c1a3	outposts: only kill docker container if its running Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:43:32 +02:00
Jens Langhammer	2a9feafb90	root: add middleware to properly report websocket connection to sentry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:42:10 +02:00
Jens Langhammer	580e88c6fc	web: ignore network errors for sentry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:55 +02:00
Jens Langhammer	d82c01aa61	web/admin: don't show docker certs as required Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:50 +02:00
Jens Langhammer	1af3357826	*: make logger not use .error Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:44 +02:00
Jens Langhammer	ed49d7824e	stages/email: catch ValueError when global email settings are invalid Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:38 +02:00
Jens Langhammer	378402fcf0	stages/user_login: add tests for explicit session length Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:21 +02:00
Jens Langhammer	50f0c11c0b	web/flows: fix redirect loop when sentry is enabled Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:41:21 +02:00
Jens Langhammer	58712828a4	web/flows/identification: fix phrasing account recovery Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:40:16 +02:00
Jens Langhammer	b2b9093c95	web: don't enable ShadyDOM on selenium Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:40:16 +02:00
Jens Langhammer	afa2afe1d4	web/flows: include ShadyDOM, always enable ShadyDOM for flow interface improve compatibility with password managers and iOS Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-28 22:40:16 +02:00
Jens Langhammer	5f58a4566c	release: 2021.4.4	2021-04-24 21:03:29 +02:00
Jens Langhammer	d616bdd5d6	providers/oauth2: add proper support for non-http schemes as redirect URIs closes #772 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-23 16:34:52 +02:00
Jens Langhammer	5112ef9331	web/admin: fix error when updating identification stage Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-23 14:27:23 +02:00
Jens Langhammer	7a49377caf	outpost: check for X-Forwarded-Host to switch context Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-23 14:07:44 +02:00
Jens Langhammer	5b3941a425	outposts: always update bundles and swap maps Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-23 10:08:19 +02:00
Jens Langhammer	c1ab5c5556	web: fix title not being loaded from config Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #770	2021-04-22 23:50:37 +02:00
Jens Langhammer	3282b34431	providers/oauth2: fix TokenView not having CORS headers set even with proper Origin and added tests. closes #771 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 23:48:28 +02:00
Jens Langhammer	392d9bb10b	providers/oauth2: fix misleading name of cors_allow_any Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #771	2021-04-22 23:29:49 +02:00
Jens Langhammer	82f6c515ea	root: fix readme links to az pipelines Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 22:32:38 +02:00
Jens Langhammer	d67d5f73c5	website/docs: fix config options with double-underscores not showing correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 22:31:24 +02:00
Jens Langhammer	799d186510	web/flows: fix Sentry not being loaded correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 20:48:22 +02:00
Jens Langhammer	3983b7fbe4	lib: don't send SuspiciousOperation to sentry Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 20:17:00 +02:00
Jens Langhammer	d75284a587	flows: fix errors which occur during flow execution being sent to sentry malformed Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 20:14:37 +02:00
Jens Langhammer	71e4936dc3	web/admin: fix error when me() returns 403 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 19:52:01 +02:00
Jens Langhammer	9d3b6f7a4d	web: only report http errors for 500 and above Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 19:51:32 +02:00
Jens Langhammer	003df44a34	web/admin: adjust phrasing of cards on overview page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 14:07:30 +02:00
Jens Langhammer	a7598c6ee5	*: fix more URLs for github org Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 11:06:56 +02:00
Jens Langhammer	0891e43040	web/admin: fix invalid group member count Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 10:36:10 +02:00
Jens Langhammer	1f49aea48d	web/admin: fix mismatched required tags Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-22 10:33:36 +02:00
Jens Langhammer	499b52df6a	root: update urls to github org Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 22:46:48 +02:00
Jens Langhammer	b8a566f4a0	outposts: move local connection check to task, run every 60 minutes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 11:34:48 +02:00
Jens Langhammer	aa0e8edb8b	*: make tasks run every 60 minutes not :00 every hour Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 11:26:17 +02:00
Jens Langhammer	0e35bb18c7	web/admin: fix display for user supseruser status Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 11:18:55 +02:00
dependabot[bot]	4a06ebf4f9	build(deps): bump @sentry/browser from 6.2.5 to 6.3.0 in /web (#766 ) Bumps [@sentry/browser](https://github.com/getsentry/sentry-javascript) from 6.2.5 to 6.3.0. - [Release notes](https://github.com/getsentry/sentry-javascript/releases) - [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-javascript/compare/6.2.5...6.3.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-21 11:13:37 +02:00
Jens Langhammer	11584af425	website/docs: add note for nextcloud Reverse proxy and extension closes #750 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 10:22:43 +02:00
dependabot[bot]	a31da9e1d3	build(deps): bump @babel/core from 7.13.15 to 7.13.16 in /web (#764 ) Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.13.15 to 7.13.16. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.13.16/packages/babel-core) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-21 10:18:45 +02:00
dependabot[bot]	8d6d49834b	build(deps): bump codemirror from 5.60.0 to 5.61.0 in /web (#765 ) Bumps [codemirror](https://github.com/codemirror/CodeMirror) from 5.60.0 to 5.61.0. - [Release notes](https://github.com/codemirror/CodeMirror/releases) - [Changelog](https://github.com/codemirror/CodeMirror/blob/master/CHANGELOG.md) - [Commits](https://github.com/codemirror/CodeMirror/compare/5.60.0...5.61.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-21 10:18:32 +02:00
dependabot[bot]	2825710262	build(deps): bump @sentry/tracing from 6.2.5 to 6.3.0 in /web (#767 ) Bumps [@sentry/tracing](https://github.com/getsentry/sentry-javascript) from 6.2.5 to 6.3.0. - [Release notes](https://github.com/getsentry/sentry-javascript/releases) - [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-javascript/compare/6.2.5...6.3.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2021-04-21 10:18:18 +02:00
Jens Langhammer	7346ccf2b7	web/admin: add description for fields in proxy provider form Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 10:18:00 +02:00
Jens Langhammer	57072dd6ce	stages/identification: fix query logic for user lookup Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-21 10:09:38 +02:00
Jens Langhammer	fec098a823	web/admin: only allow policies to be bound to sources as users/groups cannot be checked Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 23:30:37 +02:00
Jens Langhammer	73950b72e5	web/admin: improve phrasing for Policy bindings Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 23:16:17 +02:00
Jens Langhammer	b40afb9b7d	stages/identification: ignore inactive users Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 21:45:14 +02:00
Jens Langhammer	1f783dfc01	stages/user_login: add default backend closes #763 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 20:53:07 +02:00
Jens Langhammer	7ccf8bcdc8	web/admin: only pre-select items when creating a new object Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 20:32:47 +02:00
Jens Langhammer	76131e40ec	tests/e2e: monkey patch OAuth1 test instead of setting URLs manually Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 20:03:20 +02:00
Jens Langhammer	5955394c1d	web: send response info when response is thrown Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 17:32:38 +02:00
Jens Langhammer	a8998a6356	sources/oauth: handle error in auzre_ad when ID Can't be extracted Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 17:27:52 +02:00
Jens Langhammer	dc75d7b7f0	sources/oauth: fix error whilst fetching user profile when source uses fixed URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 17:25:59 +02:00
Jens Langhammer	34a191f216	web/admin: fix link to providers on overview page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 16:35:21 +02:00
Jens Langhammer	299931985e	web: fix mis-matched package-lock file Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 11:27:56 +02:00
Jens Langhammer	b946fbf9e7	Merge branch 'version-2021.4'	2021-04-20 09:21:26 +02:00
Jens Langhammer	5db3409efc	web: bump lingui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-20 09:13:42 +02:00
dependabot[bot]	649db054a6	build(deps): bump boto3 from 1.17.53 to 1.17.54 (#762 )	2021-04-20 08:26:10 +02:00
Jens Langhammer	15d5b91642	root: fix developer link in readme Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2021-04-19 22:05:58 +02:00