Adds powershell syntax highlighting to docs

* add high priority for inline tasks in API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also catch psycopg errors directly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* retry locking worker state after failure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/cherry-pick/action.yml

@@ -0,0 +1,267 @@
+name: "Cherry-picker"
+description: "Cherry-pick PRs based on their labels"
+
+inputs:
+  token:
+    description: "GitHub Token"
+    required: true
+  git_user:
+    description: "Git user for pushing the cherry-pick PR"
+    required: true
+  git_user_email:
+    description: "Git user email for pushing the cherry-pick PR"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if workflow should run
+      id: should_run
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        # For issues events, check if it's actually a PR
+        if [ "${{ github.event_name }}" = "issues" ]; then
+          # Check if this issue is actually a PR
+          PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} 2>/dev/null || echo "null")
+          if [ "$PR_DATA" = "null" ]; then
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=not_a_pr" >> $GITHUB_OUTPUT
+            echo "This is an issue, not a PR. Skipping."
+            exit 0
+          fi
+
+          # Get PR data
+          PR_MERGED=$(echo "$PR_DATA" | jq -r '.merged')
+          PR_NUMBER="${{ github.event.issue.number }}"
+          MERGE_COMMIT_SHA=$(echo "$PR_DATA" | jq -r '.merge_commit_sha')
+
+          # Check if it's a backport label
+          LABEL_NAME="${{ github.event.label.name }}"
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            if [ "$PR_MERGED" = "true" ]; then
+              echo "should_run=true" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
+              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+              exit 0
+            else
+              echo "should_run=false" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
+              echo "Backport label added to open PR. Will run after PR is merged."
+              exit 0
+            fi
+          else
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        fi
+
+        # For pull_request and pull_request_target events
+        PR_NUMBER="${{ github.event.pull_request.number }}"
+        MERGE_COMMIT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
+
+        # Case 1: PR was just merged (closed + merged = true)
+        if [ "${{ github.event.action }}" = "closed" ] && [ "${{ github.event.pull_request.merged }}" = "true" ]; then
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "reason=pr_merged" >> $GITHUB_OUTPUT
+          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        # Case 2: Label was added
+        if [ "${{ github.event.action }}" = "labeled" ]; then
+          LABEL_NAME="${{ github.event.label.name }}"
+          # Check if it's a backport label
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            # Check if PR is already merged
+            if [ "${{ github.event.pull_request.merged }}" = "true" ]; then
+              echo "should_run=true" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
+              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+              exit 0
+            else
+              echo "should_run=false" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
+              echo "Backport label added to open PR. Will run after PR is merged."
+              exit 0
+            fi
+          else
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        fi
+
+        echo "should_run=false" >> $GITHUB_OUTPUT
+        echo "reason=unknown" >> $GITHUB_OUTPUT
+    - name: Configure Git
+      if: steps.should_run.outputs.should_run == 'true'
+      shell: bash
+      env:
+        user: ${{ inputs.git_user }}
+        email: ${{ inputs.git_user_email }}
+      run: |
+        git config --global user.name "${user}"
+        git config --global user.email "${email}"
+    - name: Get PR details and extract backport labels
+      if: steps.should_run.outputs.should_run == 'true'
+      id: pr_details
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
+
+        # Get PR details
+        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
+        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
+        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
+
+        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
+        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
+
+        # Determine which labels to process
+        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+          # Only process the specific label that was just added
+          if [ "${{ github.event_name }}" = "issues" ]; then
+            LABEL_NAME="${{ github.event.label.name }}"
+          else
+            LABEL_NAME="${{ github.event.label.name }}"
+          fi
+
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            echo "labels=$LABEL_NAME" >> $GITHUB_OUTPUT
+          else
+            echo "Label $LABEL_NAME does not match backport pattern"
+            echo "labels=" >> $GITHUB_OUTPUT
+          fi
+        else
+          # PR was just merged, process all backport labels
+          LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | grep '^backport/' | tr '\n' ' ' || true)
+          echo "labels=$LABELS" >> $GITHUB_OUTPUT
+        fi
+    - name: Cherry-pick to target branches
+      if: steps.should_run.outputs.should_run == 'true' && steps.pr_details.outputs.labels != ''
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
+        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
+        LABELS='${{ steps.pr_details.outputs.labels }}'
+
+        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
+        echo "Found backport labels: $LABELS"
+
+        # Process each backport label
+        for label in $LABELS; do
+          if [[ "$label" =~ ^backport/(.+)$ ]]; then
+            TARGET_BRANCH="${BASH_REMATCH[1]}"
+            echo "Processing backport to branch: $TARGET_BRANCH"
+
+            # Check if target branch exists
+            if ! git ls-remote --heads origin "$TARGET_BRANCH" | grep -q "$TARGET_BRANCH"; then
+              echo "❌ Target branch $TARGET_BRANCH does not exist, skipping"
+
+              # Comment on the original PR about the missing branch
+              gh pr comment $PR_NUMBER --body "⚠️ Cannot backport to \`$TARGET_BRANCH\`: branch does not exist."
+              continue
+            fi
+
+            # Create a unique branch name for the cherry-pick
+            CHERRY_PICK_BRANCH="cherry-pick-${PR_NUMBER}-to-${TARGET_BRANCH}"
+
+            # Check if a cherry-pick PR already exists
+            EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
+            if [ -n "$EXISTING_PR" ]; then
+              echo "⚠️ Cherry-pick PR already exists: #$EXISTING_PR"
+              gh pr comment $PR_NUMBER --body "Cherry-pick to \`$TARGET_BRANCH\` already exists: #$EXISTING_PR"
+              continue
+            fi
+
+            # Fetch and checkout target branch
+            git fetch origin "$TARGET_BRANCH"
+            git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
+
+            # Attempt cherry-pick
+            if git cherry-pick "$COMMIT_SHA"; then
+              echo "✅ Cherry-pick successful for $TARGET_BRANCH"
+
+              # Push the cherry-pick branch
+              git push origin "$CHERRY_PICK_BRANCH"
+
+              # Create PR for the cherry-pick
+              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER)"
+              CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
+
+        **Original PR:** #$PR_NUMBER
+        **Original Author:** @$PR_AUTHOR
+        **Cherry-picked commit:** $COMMIT_SHA"
+
+              NEW_PR=$(gh pr create \
+                --title "$CHERRY_PICK_TITLE" \
+                --body "$CHERRY_PICK_BODY" \
+                --base "$TARGET_BRANCH" \
+                --head "$CHERRY_PICK_BRANCH" \
+                --label "cherry-pick")
+
+              echo "✅ Created cherry-pick PR $NEW_PR for $TARGET_BRANCH"
+
+              # Comment on original PR
+              gh pr comment $PR_NUMBER --body "🍒 Cherry-pick to \`$TARGET_BRANCH\` created: $NEW_PR"
+
+            else
+              echo "⚠️ Cherry-pick failed for $TARGET_BRANCH, creating conflict resolution PR"
+
+              # Add conflicted files and commit
+              git add .
+              git commit -m "Cherry-pick #$PR_NUMBER to $TARGET_BRANCH (with conflicts)
+
+        This cherry-pick has conflicts that need manual resolution.
+
+        Original PR: #$PR_NUMBER
+        Original commit: $COMMIT_SHA"
+
+              # Push the branch with conflicts
+              git push origin "$CHERRY_PICK_BRANCH"
+
+              # Create PR with conflict notice
+              CONFLICT_TITLE="$PR_TITLE (backport of #$PR_NUMBER)"
+              CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
+
+        Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
+
+        **Original PR:** #$PR_NUMBER
+        **Original Author:** @$PR_AUTHOR
+        **Cherry-picked commit:** $COMMIT_SHA
+
+        **Please resolve the conflicts in this PR before merging.**"
+
+              NEW_PR=$(gh pr create \
+                --title "$CONFLICT_TITLE" \
+                --body "$CONFLICT_BODY" \
+                --base "$TARGET_BRANCH" \
+                --head "$CHERRY_PICK_BRANCH" \
+                --label "cherry-pick")
+
+              echo "⚠️ Created conflict resolution PR $NEW_PR for $TARGET_BRANCH"
+
+              # Comment on original PR
+              gh pr comment $PR_NUMBER --body "⚠️ Cherry-pick to \`$TARGET_BRANCH\` has conflicts: $NEW_PR"
+            fi
+
+            # Clean up - go back to main branch
+            git checkout main
+            git branch -D "$CHERRY_PICK_BRANCH" 2>/dev/null || true
+          fi
+        done

.github/cherry-pick-bot.yml

@@ -1,2 +0,0 @@
-enabled: true
-preservePullRequestTitle: true

.github/dependabot.yml

@@ -77,6 +77,12 @@ updates:
       goauthentik:
         patterns:
           - "@goauthentik/*"
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
   - package-ecosystem: npm
     directory: "/website"
     schedule:

.github/workflows/_reusable-docker-build-single.yml

@@ -49,7 +49,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
           image-arch: ${{ inputs.image_arch }}
@@ -58,8 +58,8 @@ jobs:
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_CORP_USERNAME }}
+          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3
@@ -90,7 +90,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -21,7 +21,7 @@ on:
 
 jobs:
   build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    uses: ./.github/workflows/_reusable-docker-build-single.yml
     secrets: inherit
     with:
       image_name: ${{ inputs.image_name }}
@@ -31,7 +31,7 @@ jobs:
       registry_ghcr: ${{ inputs.registry_ghcr }}
       release: ${{ inputs.release }}
   build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    uses: ./.github/workflows/_reusable-docker-build-single.yml
     secrets: inherit
     with:
       image_name: ${{ inputs.image_name }}
@@ -54,7 +54,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
   merge-server:
@@ -74,15 +74,15 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ secrets.DOCKER_CORP_USERNAME }}
+          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
         uses: docker/login-action@v3
@@ -97,7 +97,7 @@ jobs:
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-py-publish.yml

@@ -1,68 +0,0 @@
----
-name: API - Publish Python client
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Install poetry & deps
-        shell: bash
-        run: |
-          pipx install poetry || true
-          sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
-      - name: Setup python and restore poetry
-        uses: actions/setup-python@v5
-        with:
-          python-version-file: "pyproject.toml"
-      - name: Generate API Client
-        run: make gen-client-py
-      - name: Publish package
-        working-directory: gen-py-api/
-        run: |
-          poetry build
-      - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          packages-dir: gen-py-api/dist/
-      # We can't easily upgrade the API client being used due to poetry being poetry
-      # so we'll have to rely on dependabot
-      # - name: Upgrade /
-      #   run: |
-      #     export VERSION=$(cd gen-py-api && poetry version -s)
-      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
-      # - uses: peter-evans/create-pull-request@v6
-      #   id: cpr
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     branch: update-root-api-client
-      #     commit-message: "root: bump API Client version"
-      #     title: "root: bump API Client version"
-      #     body: "root: bump API Client version"
-      #     delete-branch: true
-      #     signoff: true
-      #     # ID from https://api.github.com/users/authentik-automation[bot]
-      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      # - uses: peter-evans/enable-pull-request-automerge@v3
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-      #     merge-method: squash

.github/workflows/api-ts-publish.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/ci-api-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -71,7 +71,7 @@ jobs:
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"

.github/workflows/ci-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -81,7 +81,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
@@ -102,7 +102,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/ci-main.yml

@@ -256,7 +256,7 @@ jobs:
       # Needed for checkout
       contents: read
     needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
+    uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     with:
       image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
@@ -278,7 +278,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR

.github/workflows/ci-outpost.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -38,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
@@ -90,7 +90,7 @@ jobs:
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
@@ -115,7 +115,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -141,10 +141,10 @@ jobs:
       - uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -32,7 +32,7 @@ jobs:
             project: web
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -77,7 +77,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gh-cherry-pick.yml

@@ -0,0 +1,36 @@
+name: GH - Cherry-pick
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+jobs:
+  cherry-pick:
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        if: ${{ env.GH_APP_ID != '' }}
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+      - uses: actions/checkout@v5
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        with:
+          fetch-depth: 0
+          token: "${{ steps.app-token.outputs.token }}"
+      - id: get-user-id
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: ./.github/actions/cherry-pick
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          git_user: ${{ steps.app-token.outputs.app-slug }}[bot]
+          git_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'

.github/workflows/packages-npm-publish.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"

.github/workflows/release-branch-off.yml

@@ -43,10 +43,13 @@ jobs:
         with:
           dependencies: python
       - name: Create version branch
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
         run: |
           current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
           git checkout -b "version-${current_major_version}"
           git push origin "version-${current_major_version}"
+          gh label create "backport/version-${current_major_version}" --description "Add this label to PRs to backport changes to version-${current_major_version}" --color "fbca04"
   bump-version-pr:
     name: Open version bump PR
     needs:

.github/workflows/release-bump-version.yml

@@ -1,168 +0,0 @@
----
-name: Release - Bump version
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Version
-        required: true
-        type: string
-      release_reason:
-        description: Release reason
-        required: true
-        type: choice
-        options:
-          - bugfix
-          - feature
-          - security
-          - other
-          - prerelease
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-inputs:
-    name: Check inputs validity
-    runs-on: ubuntu-latest
-    steps:
-      - id: check
-        run: |
-          echo "${{ inputs.version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}\.[0-9]+(-rc[0-9]+)?$"
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
-    outputs:
-      major_version: "${{ steps.check.outputs.major_version }}"
-  bump-authentik:
-    name: Bump authentik version
-    needs:
-      - check-inputs
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.version }}"
-      - name: Commit and push
-        run: |
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
-          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
-          git push --follow-tags
-  bump-helm:
-    name: Bump Helm version
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: helm
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/helm"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        run: |
-          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
-          ./scripts/helm-docs.sh
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
-          title: "charts/authentik: bump to ${{ inputs.version }}"
-          body: "charts/authentik: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] ${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com"
-  bump-version:
-    name: Bump version repository
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - check-inputs
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: version
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/version"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump feature version
-        if: "${{ inputs.release_reason == 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Bump feature version
-        if: "${{ inputs.release_reason != 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "version: bump to ${{ inputs.version }}"
-          title: "version: bump to ${{ inputs.version }}"
-          body: "version: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"

.github/workflows/release-publish.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
+    uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     permissions:
       contents: read
@@ -58,7 +58,7 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         if: true
         with:
@@ -84,7 +84,7 @@ jobs:
           - rac
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
@@ -124,7 +124,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -147,10 +147,10 @@ jobs:
         goarch: [amd64, arm64]
     steps:
       - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -187,7 +187,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -1,39 +1,195 @@
 ---
-name: Release - On tag
+name: Release - Tag new version
 
 on:
-  push:
-    tags:
-      - "version/*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version
+        required: true
+        type: string
+      release_reason:
+        description: Release reason
+        required: true
+        type: choice
+        options:
+          - bugfix
+          - feature
+          - security
+          - other
+          - prerelease
+
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
 jobs:
-  build:
-    name: Create Release from Tag
+  check-inputs:
+    name: Check inputs validity
+    runs-on: ubuntu-latest
+    steps:
+      - id: check
+        run: |
+          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
+          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
+      - id: changelog-url
+        run: |
+          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          else
+            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
+          fi
+          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
+    outputs:
+      major_version: "${{ steps.check.outputs.major_version }}"
+      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
+  test:
+    name: Pre-release test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - name: Pre-release test
+      - run: make test-docker
+  bump-authentik:
+    name: Bump authentik version
+    needs:
+      - check-inputs
+      - test
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: Run migrations
+        run: make migrate
+      - name: Bump version
+        run: "make bump version=${{ inputs.version }}"
+      - name: Commit and push
         run: |
-          make test-docker
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
+          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
+          git push --follow-tags
       - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1.1.4
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ steps.ev.outputs.version }}
+          token: "${{ steps.app-token.outputs.token }}"
+          tag_name: "version/${{ inputs.version }}"
+          name: Release ${{ inputs.version }}
           draft: true
-          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
+          prerelease: ${{ inputs.release_reason == 'prerelease' }}
+          generate_release_notes: true
+          body: |
+            See ${{ needs.check-inputs.outputs.changelog_url }}
+  bump-helm:
+    name: Bump Helm version
+    if: ${{ inputs.release_reason != 'prerelease' }}
+    needs:
+      - bump-authentik
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          repositories: helm
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          repository: "${{ github.repository_owner }}/helm"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Bump version
+        run: |
+          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
+          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
+          ./scripts/helm-docs.sh
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          branch: bump-${{ inputs.version }}
+          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
+          title: "charts/authentik: bump to ${{ inputs.version }}"
+          body: "charts/authentik: bump to ${{ inputs.version }}"
+          delete-branch: true
+          signoff: true
+          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+  bump-version:
+    name: Bump version repository
+    if: ${{ inputs.release_reason != 'prerelease' }}
+    needs:
+      - check-inputs
+      - bump-authentik
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          repositories: version
+      - id: get-user-id
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: actions/checkout@v5
+        with:
+          repository: "${{ github.repository_owner }}/version"
+          token: "${{ steps.app-token.outputs.token }}"
+      - name: Bump version
+        if: "${{ inputs.release_reason == 'feature' }}"
+        run: |
+          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
+          jq \
+            --arg version "${{ inputs.version }}" \
+            --arg changelog "See ${changelog_url}" \
+            --arg changelog_url "${changelog_url}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+          mv version.new.json version.json
+      - name: Bump version
+        if: "${{ inputs.release_reason != 'feature' }}"
+        run: |
+          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
+          jq \
+            --arg version "${{ inputs.version }}" \
+            --arg changelog "See ${changelog_url}" \
+            --arg changelog_url "${changelog_url}" \
+            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
+          mv version.new.json version.json
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          branch: bump-${{ inputs.version }}
+          commit-message: "version: bump to ${{ inputs.version }}"
+          title: "version: bump to ${{ inputs.version }}"
+          body: "version: bump to ${{ inputs.version }}"
+          delete-branch: true
+          signoff: true
+          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"

.github/workflows/repo-stale.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

CODEOWNERS

@@ -33,17 +33,12 @@ packages/prettier-config                @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend
-tests/wdio/                             @goauthentik/frontend
 # Locale
 locale/                                 @goauthentik/backend @goauthentik/frontend
 web/xliff/                              @goauthentik/backend @goauthentik/frontend
-# Docs & Website
-docs/                                   @goauthentik/docs
-# TODO Remove after moving website to docs
+# Docs
 website/                                @goauthentik/docs
 CODE_OF_CONDUCT.md                      @goauthentik/docs
 # Security
 SECURITY.md                             @goauthentik/security @goauthentik/docs
-# TODO Remove after moving website to docs
 website/security/                       @goauthentik/security @goauthentik/docs
-docs/security/                          @goauthentik/security @goauthentik/docs

CONTRIBUTING.md

@@ -1 +0,0 @@
-website/docs/developer-docs/index.md

CONTRIBUTING.md

@@ -0,0 +1,4 @@
+# Contributing to authentik
+
+Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.
+

Dockerfile

@@ -26,7 +26,7 @@ RUN npm run build && \
     npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.8 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.15 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.6-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -174,7 +174,8 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY ./packages/ /packages
+COPY ./packages/ /ak-root/packages
+RUN  ln -s /ak-root/packages /packages
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=node-builder /work/web/dist/ /web/dist/
 COPY --from=node-builder /work/web/authentik/ /web/authentik/

Makefile

@@ -18,7 +18,24 @@ pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
 redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
 
-all: lint-fix lint test gen web  ## Lint, build, and test everything
+UNAME := $(shell uname)
+
+# For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
+# to prevent SAML-related tests from failing and ensure correct pip dependency compilation
+ifeq ($(UNAME), Darwin)
+# Only add for brew users who installed libxmlsec1
+	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
+	ifdef BREW_EXISTS
+		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
+		ifdef LIBXML2_EXISTS
+			BREW_LDFLAGS := -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
+			BREW_CPPFLAGS := -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
+			BREW_PKG_CONFIG_PATH := $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
+		endif
+	endif
+endif
+
+all: lint-fix lint gen web test  ## Lint, build, and test everything
 
 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
 	cut -d':' -f1 | awk '{printf "%d\n", length}' | sort -rn | head -1)
@@ -50,7 +67,14 @@ lint: ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
+ifdef LIBXML2_EXISTS
+# Clear cache to ensure fresh compilation
+	uv cache clean
+# Force compilation from source for lxml and xmlsec with correct environment
+	LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+else
 	uv sync --frozen
+endif
 
 migrate: ## Run the Authentik Django server's migrations
 	uv run python -m lifecycle.migrate
@@ -160,7 +184,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@@ -176,7 +200,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \

README.md

@@ -15,15 +15,16 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
+authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.
 
-Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
+Our [enterprise offering](https://goauthentik.io/pricing) is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.
 
 ## Installation
 
-For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
-
-For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).
+- Docker Compose: recommended for small/test setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/docker-compose/).
+- Kubernetes (Helm Chart): recommended for larger setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/kubernetes/) and the Helm chart [repository](https://github.com/goauthentik/helm).
+- AWS CloudFormation: deploy on AWS using our official templates. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/aws/).
+- DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the [app listing](https://marketplace.digitalocean.com/apps/authentik).
 
 ## Screenshots
 
@@ -32,14 +33,20 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 | ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
 | ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
 
-## Development
+## Development and contributions
 
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See the [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/) for information about setting up local build environments, testing your contributions, and our contribution process.
 
 ## Security
 
-See [SECURITY.md](SECURITY.md)
+Please see [SECURITY.md](SECURITY.md).
 
-## Adoption and Contributions
+## Adoption
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Using authentik? We'd love to hear your story and feature your logo. Email us at [hello@goauthentik.io](mailto:hello@goauthentik.io) or open a GitHub Issue/PR!
+
+## License
+
+[![MIT License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
+[![CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey?style=for-the-badge)](website/LICENSE)
+[![authentik EE License](https://img.shields.io/badge/License-EE-orange?style=for-the-badge)](authentik/enterprise/LICENSE)

SECURITY.md

@@ -20,12 +20,33 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2025.4.x  | ✅        |
 | 2025.6.x  | ✅        |
+| 2025.8.x  | ✅        |
 
 ## Reporting a Vulnerability
 
-To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the issue.
+If you discover a potential vulnerability, please report it responsibly through one of the following channels:
+
+- **Email**: [security@goauthentik.io](mailto:security@goauthentik.io)
+- **GitHub**: Submit a private security advisory via our [repository’s advisory portal](https://github.com/goauthentik/authentik/security/advisories/new)
+
+When submitting a report, please include as much detail as possible, such as:
+
+- **Affected version(s)**: The version of authentik where the issue was identified.
+- **Steps to reproduce**: A clear description or proof of concept to help us verify the issue.
+- **Impact assessment**: How the vulnerability could be exploited and its potential effect.
+- **Additional information**: Logs, configuration details (if relevant), or any suggested mitigations.
+
+We kindly ask that you do not disclose the vulnerability publicly until we have confirmed and addressed the issue.
+
+Our team will:
+
+- Acknowledge receipt of your report as quickly as possible.
+- Keep you updated on the investigation and resolution progress.
+
+## Researcher Recognition
+
+We value contributions from the security community. For each valid report, we will publish a dedicated entry on our Security Advisory page that optionally includes the reporter’s name (or preferred alias). Please note that while we do not currently offer monetary bounties, we are committed to giving researchers appropriate credit for their efforts in keeping authentik secure.
 
 ## Severity levels
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.8.0-rc4"
+VERSION = "2025.10.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/tasks.py

@@ -38,6 +38,7 @@ from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
+from authentik.tasks.apps import PRIORITY_HIGH
 from authentik.tasks.models import Task
 from authentik.tasks.schedules.models import Schedule
 from authentik.tenants.models import Tenant
@@ -111,6 +112,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
 @actor(
     description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
     throws=(DatabaseError, ProgrammingError, InternalError),
+    priority=PRIORITY_HIGH,
 )
 def blueprints_find_dict():
     blueprints = []

authentik/brands/tests.py

@@ -63,28 +63,6 @@ class TestBrands(APITestCase):
             },
         )
 
-    def test_brand_subdomain_same_suffix(self):
-        """Test Current brand API"""
-        Brand.objects.all().delete()
-        Brand.objects.create(domain="bar.baz", branding_title="custom")
-        Brand.objects.create(domain="foo.bar.baz", branding_title="custom")
-        self.assertJSONEqual(
-            self.client.get(
-                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
-            ).content.decode(),
-            {
-                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_title": "custom",
-                "branding_custom_css": "",
-                "matched_domain": "foo.bar.baz",
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-                "flags": self.default_flags,
-            },
-        )
-
     def test_fallback(self):
         """Test fallback brand"""
         Brand.objects.all().delete()

authentik/brands/utils.py

@@ -4,7 +4,6 @@ from typing import Any
 
 from django.db.models import F, Q
 from django.db.models import Value as V
-from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -21,9 +20,9 @@ DEFAULT_BRAND = Brand(domain="fallback")
 def get_brand_for_request(request: HttpRequest) -> Brand:
     """Get brand object for current request"""
     db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()), match_length=Length("domain"))
+        Brand.objects.annotate(host_domain=V(request.get_host()))
         .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("-match_length", "default")
+        .order_by("default")
     )
     brands = list(db_brands.all())
     if len(brands) < 1:

authentik/core/api/users.py

@@ -328,6 +328,12 @@ class SessionUserSerializer(PassiveSerializer):
     original = UserSelfSerializer(required=False)
 
 
+class UserPasswordSetSerializer(PassiveSerializer):
+    """Payload to set a users' password directly"""
+
+    password = CharField(required=True)
+
+
 class UsersFilter(FilterSet):
     """Filter for users"""
 
@@ -585,12 +591,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
-        request=inline_serializer(
-            "UserPasswordSetSerializer",
-            {
-                "password": CharField(required=True),
-            },
-        ),
+        request=UserPasswordSetSerializer,
         responses={
             204: OpenApiResponse(description="Successfully changed password"),
             400: OpenApiResponse(description="Bad request"),
@@ -599,9 +600,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     @action(detail=True, methods=["POST"], permission_classes=[])
     def set_password(self, request: Request, pk: int) -> Response:
         """Set password for user"""
+        data = UserPasswordSetSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
         user: User = self.get_object()
         try:
-            user.set_password(request.data.get("password"), request=request)
+            user.set_password(data.validated_data["password"], request=request)
             user.save()
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
@@ -678,8 +681,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             },
         ),
         responses={
-            "204": OpenApiResponse(description="Successfully started impersonation"),
-            "401": OpenApiResponse(description="Access denied"),
+            204: OpenApiResponse(description="Successfully started impersonation"),
         },
     )
     @action(detail=True, methods=["POST"], permission_classes=[])
@@ -698,7 +700,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                 "User attempted to impersonate without permissions",
                 user=request.user,
             )
-            return Response(status=401)
+            return Response(status=403)
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
@@ -707,19 +709,19 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                 "User attempted to impersonate without providing a reason",
                 user=request.user,
             )
-            return Response(status=401)
+            raise ValidationError({"reason": _("This field is required.")})
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
         Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
 
-        return Response(status=201)
+        return Response(status=204)
 
     @extend_schema(
         request=OpenApiTypes.NONE,
         responses={
-            "204": OpenApiResponse(description="Successfully started impersonation"),
+            "204": OpenApiResponse(description="Successfully ended impersonation"),
         },
     )
     @action(detail=False, methods=["GET"])

authentik/core/api/utils.py

@@ -21,8 +21,6 @@ from rest_framework.serializers import (
     raise_errors_on_nested_writes,
 )
 
-from authentik.rbac.permissions import assign_initial_permissions
-
 
 def is_dict(value: Any):
     """Ensure a value is a dictionary, useful for JSONFields"""
@@ -52,15 +50,6 @@ class ModelSerializer(BaseModelSerializer):
     serializer_field_mapping = BaseModelSerializer.serializer_field_mapping.copy()
     serializer_field_mapping[models.JSONField] = JSONDictField
 
-    def create(self, validated_data):
-        instance = super().create(validated_data)
-
-        request = self.context.get("request")
-        if request and hasattr(request, "user") and not request.user.is_anonymous:
-            assign_initial_permissions(request.user, instance)
-
-        return instance
-
     def update(self, instance: Model, validated_data):
         raise_errors_on_nested_writes("update", self, validated_data)
         info = model_meta.get_field_info(instance)

authentik/core/tests/test_impersonation.py

@@ -59,7 +59,7 @@ class TestImpersonation(APITestCase):
             ),
             data={"reason": "some reason"},
         )
-        self.assertEqual(response.status_code, 201)
+        self.assertEqual(response.status_code, 204)
 
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())
@@ -80,7 +80,7 @@ class TestImpersonation(APITestCase):
             ),
             data={"reason": "some reason"},
         )
-        self.assertEqual(response.status_code, 201)
+        self.assertEqual(response.status_code, 204)
 
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())
@@ -137,10 +137,10 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
             data={"reason": ""},
         )
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, 400)
 
         response = self.client.get(reverse("authentik_api:user-me"))
         response_body = loads(response.content.decode())

authentik/core/tests/test_users_api.py

@@ -102,6 +102,16 @@ class TestUsersAPI(APITestCase):
         self.admin.refresh_from_db()
         self.assertTrue(self.admin.check_password(new_pw))
 
+    def test_set_password_blank(self):
+        """Test Direct password set"""
+        self.client.force_login(self.admin)
+        response = self.client.post(
+            reverse("authentik_api:user-set-password", kwargs={"pk": self.admin.pk}),
+            data={"password": ""},
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(response.content, {"password": ["This field may not be blank."]})
+
     def test_recovery(self):
         """Test user recovery link"""
         flow = create_test_flow(

authentik/events/api/notification_transports.py

@@ -23,6 +23,7 @@ from authentik.events.models import (
 )
 from authentik.events.utils import get_user
 from authentik.rbac.decorators import permission_required
+from authentik.stages.email.models import get_template_choices
 
 
 class NotificationTransportSerializer(ModelSerializer):
@@ -30,6 +31,18 @@ class NotificationTransportSerializer(ModelSerializer):
 
     mode_verbose = SerializerMethodField()
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields["email_template"].choices = get_template_choices()
+
+    def validate_email_template(self, value: str) -> str:
+        """Check validity of email template"""
+        choices = get_template_choices()
+        for path, _ in choices:
+            if path == value:
+                return value
+        raise ValidationError(f"Invalid template '{value}' specified.")
+
     def get_mode_verbose(self, instance: NotificationTransport) -> str:
         """Return selected mode with a UI Label"""
         return TransportMode(instance.mode).label
@@ -52,6 +65,8 @@ class NotificationTransportSerializer(ModelSerializer):
             "webhook_url",
             "webhook_mapping_body",
             "webhook_mapping_headers",
+            "email_subject_prefix",
+            "email_template",
             "send_once",
         ]
 

authentik/events/migrations/0012_notificationtransport_email_subject_prefix_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.1.11 on 2025-08-14 13:53
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0011_alter_systemtask_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="email_subject_prefix",
+            field=models.TextField(blank=True, default="authentik Notification: "),
+        ),
+        migrations.AddField(
+            model_name="notificationtransport",
+            name="email_template",
+            field=models.TextField(default="email/event_notification.html"),
+        ),
+    ]

authentik/events/models.py

@@ -41,6 +41,7 @@ from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
+from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tasks.models import TasksModel
 from authentik.tenants.models import Tenant
@@ -295,6 +296,15 @@ class NotificationTransport(TasksModel, SerializerModel):
 
     name = models.TextField(unique=True)
     mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
+    send_once = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Only send notification once, for example when sending a webhook into a chat channel."
+        ),
+    )
+
+    email_subject_prefix = models.TextField(default="authentik Notification: ", blank=True)
+    email_template = models.TextField(default=EmailTemplates.EVENT_NOTIFICATION)
 
     webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
     webhook_mapping_body = models.ForeignKey(
@@ -319,12 +329,6 @@ class NotificationTransport(TasksModel, SerializerModel):
             "Mapping should return a dictionary of key-value pairs"
         ),
     )
-    send_once = models.BooleanField(
-        default=False,
-        help_text=_(
-            "Only send notification once, for example when sending a webhook into a chat channel."
-        ),
-    )
 
     def send(self, notification: "Notification") -> list[str]:
         """Send notification to user, called from async task"""
@@ -462,7 +466,6 @@ class NotificationTransport(TasksModel, SerializerModel):
                 notification=notification,
             )
             return None
-        subject_prefix = "authentik Notification: "
         context = {
             "key_value": {
                 "user_email": notification.user.email,
@@ -490,10 +493,10 @@ class NotificationTransport(TasksModel, SerializerModel):
                 "from": self.name,
             }
         mail = TemplateEmailMessage(
-            subject=subject_prefix + context["title"],
+            subject=self.email_subject_prefix + context["title"],
             to=[(notification.user.name, notification.user.email)],
             language=notification.user.locale(),
-            template_name="email/event_notification.html",
+            template_name=self.email_template,
             template_context=context,
         )
         send_mail.send_with_options(args=(mail.__dict__,), rel_obj=self)

authentik/events/tests/test_transports.py

@@ -5,10 +5,12 @@ from unittest.mock import PropertyMock, patch
 from django.core import mail
 from django.core.mail.backends.locmem import EmailBackend
 from django.test import TestCase
+from django.urls import reverse
 from requests_mock import Mocker
 
 from authentik import authentik_full_version
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.events.api.notification_transports import NotificationTransportSerializer
 from authentik.events.models import (
     Event,
     Notification,
@@ -18,6 +20,7 @@ from authentik.events.models import (
     TransportMode,
 )
 from authentik.lib.generators import generate_id
+from authentik.stages.email.models import get_template_choices
 
 
 class TestEventTransports(TestCase):
@@ -138,3 +141,76 @@ class TestEventTransports(TestCase):
             self.assertEqual(len(mail.outbox), 1)
             self.assertEqual(mail.outbox[0].subject, "authentik Notification: custom_foo")
             self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
+
+    def test_transport_email_custom_template(self):
+        """Test email transport with custom template"""
+        transport: NotificationTransport = NotificationTransport.objects.create(
+            name=generate_id(),
+            mode=TransportMode.EMAIL,
+            email_template="email/event_notification.html",
+        )
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            transport.send(self.notification)
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
+
+    def test_transport_email_custom_subject_prefix(self):
+        """Test email transport with custom subject prefix"""
+        transport: NotificationTransport = NotificationTransport.objects.create(
+            name=generate_id(),
+            mode=TransportMode.EMAIL,
+            email_subject_prefix="[CUSTOM] ",
+        )
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            transport.send(self.notification)
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "[CUSTOM] custom_foo")
+
+    def test_transport_email_validation(self):
+        """Test email transport template validation"""
+
+        # Test valid template
+        serializer = NotificationTransportSerializer(
+            data={
+                "name": generate_id(),
+                "mode": TransportMode.EMAIL,
+                "email_template": "email/event_notification.html",
+            }
+        )
+        self.assertTrue(serializer.is_valid())
+
+        # Test invalid template - should fail due to choices validation
+        serializer = NotificationTransportSerializer(
+            data={
+                "name": generate_id(),
+                "mode": TransportMode.EMAIL,
+                "email_template": "invalid/template.html",
+            }
+        )
+        self.assertFalse(serializer.is_valid())
+        self.assertIn("email_template", serializer.errors)
+
+    def test_templates_api_endpoint(self):
+        """Test templates API endpoint returns valid templates"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse("authentik_api:emailstage-templates"))
+        self.assertEqual(response.status_code, 200)
+
+        data = response.json()
+        self.assertIsInstance(data, list)
+
+        # Check that we have at least the default templates
+        template_names = [item["name"] for item in data]
+        self.assertIn("email/event_notification.html", template_names)
+
+        # Verify all templates are valid choices
+        valid_choices = dict(get_template_choices())
+        for template in data:
+            self.assertIn(template["name"], valid_choices)
+            self.assertEqual(template["description"], valid_choices[template["name"]])

authentik/lib/default.yml

@@ -154,6 +154,7 @@ worker:
   consumer_listen_timeout: "seconds=30"
   task_max_retries: 20
   task_default_time_limit: "minutes=10"
+  lock_purge_interval: "minutes=1"
   task_purge_interval: "days=1"
   task_expiration: "days=30"
   scheduler_interval: "seconds=60"

authentik/lib/sentry.py

@@ -22,6 +22,7 @@ from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
+from sentry_sdk.integrations.dramatiq import DramatiqIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
@@ -109,11 +110,12 @@ def sentry_init(**sentry_init_kwargs):
         dsn=CONFIG.get("error_reporting.sentry_dsn"),
         integrations=[
             ArgvIntegration(),
-            StdlibIntegration(),
             DjangoIntegration(transaction_style="function_name", cache_spans=True),
+            DramatiqIntegration(),
             RedisIntegration(),
-            ThreadingIntegration(propagate_hub=True),
             SocketIntegration(),
+            StdlibIntegration(),
+            ThreadingIntegration(propagate_hub=True),
         ],
         before_send=before_send,
         traces_sampler=traces_sampler,

authentik/lib/sync/outgoing/api.py

@@ -1,4 +1,5 @@
 from dramatiq.actor import Actor
+from dramatiq.results.errors import ResultFailure
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, ChoiceField
@@ -110,9 +111,13 @@ class OutgoingSyncProviderStatusMixin:
                 "override_dry_run": params.validated_data["override_dry_run"],
                 "pk": params.validated_data["sync_object_id"],
             },
+            retries=0,
             rel_obj=provider,
         )
-        msg.get_result(block=True)
+        try:
+            msg.get_result(block=True)
+        except ResultFailure:
+            pass
         task: Task = msg.options["task"]
         task.refresh_from_db()
         return Response(SyncObjectResultSerializer(instance={"messages": task._messages}).data)

authentik/lib/sync/outgoing/tasks.py

@@ -20,6 +20,7 @@ from authentik.lib.sync.outgoing.exceptions import (
     TransientSyncException,
 )
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider
+from authentik.lib.utils.errors import exception_to_dict
 from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.tasks.models import Task
 
@@ -164,16 +165,17 @@ class SyncTasks:
             except BadRequestSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, obj=obj)
                 task.warning(
-                    f"Failed to sync {obj._meta.verbose_name} {str(obj)} due to error: {str(exc)}",
+                    f"Failed to sync {str(obj)} due to error: {str(exc)}",
                     arguments=exc.args[1:],
                     obj=sanitize_item(obj),
+                    exception=exception_to_dict(exc),
                 )
             except TransientSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, user=obj)
                 task.warning(
-                    f"Failed to sync {obj._meta.verbose_name} {str(obj)} due to "
-                    "transient error: {str(exc)}",
+                    f"Failed to sync {str(obj)} due to " f"transient error: {str(exc)}",
                     obj=sanitize_item(obj),
+                    exception=exception_to_dict(exc),
                 )
             except StopSync as exc:
                 self.logger.warning("Stopping sync", exc=exc)

authentik/outposts/models.py

@@ -76,6 +76,7 @@ class OutpostConfig:
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
     kubernetes_ingress_class_name: str | None = field(default=None)
+    kubernetes_ingress_path_type: str | None = field(default=None)
     kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
     kubernetes_service_type: str = field(default="ClusterIP")
@@ -151,7 +152,7 @@ class OutpostServiceConnection(ScheduledModel, models.Model):
 
         state = cache.get(self.state_key, None)
         if not state:
-            outpost_service_connection_monitor.send_with_options(args=(self.pk), rel_obj=self)
+            outpost_service_connection_monitor.send_with_options(args=(self.pk,), rel_obj=self)
             return OutpostServiceConnectionState("", False)
         return state
 

authentik/policies/apps.py

@@ -26,7 +26,6 @@ HIST_POLICIES_EXECUTION_TIME = Histogram(
         "binding_order",
         "binding_target_type",
         "binding_target_name",
-        "object_pk",
         "object_type",
         "mode",
     ],

authentik/policies/engine.py

@@ -86,7 +86,6 @@ class PolicyEngine:
             binding_order=binding.order,
             binding_target_type=binding.target_type,
             binding_target_name=binding.target_name,
-            object_pk=str(self.request.obj.pk),
             object_type=class_to_path(self.request.obj.__class__),
             mode="cache_retrieve",
         ).time():

authentik/policies/password/models.py

@@ -103,7 +103,7 @@ class PasswordPolicy(Policy):
         if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
             LOGGER.debug("password failed", check="static", reason="amount_lowercase")
             return PolicyResult(False, self.error_message)
-        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
+        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_uppercase:
             LOGGER.debug("password failed", check="static", reason="amount_uppercase")
             return PolicyResult(False, self.error_message)
         if self.amount_symbols > 0:

authentik/policies/process.py

@@ -131,7 +131,6 @@ class PolicyProcess(PROCESS_CLASS):
                 binding_order=self.binding.order,
                 binding_target_type=self.binding.target_type,
                 binding_target_name=self.binding.target_name,
-                object_pk=str(self.request.obj.pk) if self.request.obj else "",
                 object_type=class_to_path(self.request.obj.__class__) if self.request.obj else "",
                 mode="execute_process",
             ).time(),

authentik/providers/oauth2/id_token.py

@@ -147,11 +147,12 @@ class IDToken:
         id_dict.update(self.claims)
         return id_dict
 
-    def to_access_token(self, provider: "OAuth2Provider") -> str:
+    def to_access_token(self, provider: "OAuth2Provider", token: "BaseGrantModel") -> str:
         """Encode id_token for use as access token, adding fields"""
         final = self.to_dict()
         final["azp"] = provider.client_id
         final["uid"] = generate_id()
+        final["scope"] = " ".join(token.scope)
         return provider.encode(final)
 
     def to_jwt(self, provider: "OAuth2Provider") -> str:

authentik/providers/oauth2/migrations/0028_migrate_session.py

@@ -11,7 +11,8 @@ def migrate_sessions(apps, schema_editor, model):
     AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
     db_alias = schema_editor.connection.alias
 
-    for obj in Model.objects.using(db_alias).all():
+    objs = list(Model.objects.using(db_alias).select_related("old_session").all())
+    for obj in objs:
         if not obj.old_session:
             continue
         obj.session = (

authentik/providers/oauth2/models.py

@@ -497,7 +497,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
 
     @id_token.setter
     def id_token(self, value: "IDToken"):
-        self.token = value.to_access_token(self.provider)
+        self.token = value.to_access_token(self.provider, self)
         self._id_token = json.dumps(asdict(value))
 
     @property

authentik/providers/oauth2/signals.py

@@ -23,7 +23,12 @@ def user_session_deleted_oauth_backchannel_logout_and_tokens_removal(
 
     backchannel_logout_notification_dispatch.send(
         revocations=[
-            (token.provider_id, token.id_token.iss, token.session.user.uid)
+            (
+                token.provider_id,
+                token.id_token.iss,
+                token.id_token.sub,
+                instance.session.session_key,
+            )
             for token in access_tokens
         ],
     )

authentik/providers/oauth2/tasks.py

@@ -14,13 +14,19 @@ LOGGER = get_logger()
 
 
 @actor(description=_("Send a back-channel logout request to the registered client"))
-def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None) -> bool:
+def send_backchannel_logout_request(
+    provider_pk: int,
+    iss: str,
+    sub: str | None = None,
+    session_key: str | None = None,
+) -> bool:
     """Send a back-channel logout request to the registered client
 
     Args:
         provider_pk: The OAuth2 provider's primary key
         iss: The issuer URL for the logout token
         sub: The subject identifier to include in the logout token
+        session_key: The authentik session key to hash and include in the logout token
 
     Returns:
         bool: True if the request was sent successfully, False otherwise
@@ -33,11 +39,10 @@ def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None)
         return
 
     # Generate the logout token
-    logout_token = create_logout_token(iss, provider, None, sub)
+    logout_token = create_logout_token(provider, iss, sub, session_key)
 
     # Get the back-channel logout URI from the provider's dedicated backchannel_logout_uri field
     # Back-channel logout requires explicit configuration - no fallback to redirect URIs
-
     backchannel_logout_uri = provider.backchannel_logout_uri
     if not backchannel_logout_uri:
         self.info("No back-channel logout URI found for provider")
@@ -60,9 +65,9 @@ def send_backchannel_logout_request(provider_pk: int, iss: str, sub: str = None)
 def backchannel_logout_notification_dispatch(revocations: list, **kwargs):
     """Handle backchannel logout notifications dispatched via signal"""
     for revocation in revocations:
-        provider_pk, iss, sub = revocation
+        provider_pk, iss, sub, session_key = revocation
         provider = OAuth2Provider.objects.filter(pk=provider_pk).first()
         send_backchannel_logout_request.send_with_options(
-            args=(provider_pk, iss, sub),
+            args=(provider_pk, iss, sub, session_key),
             rel_obj=provider,
         )

authentik/providers/oauth2/utils.py

@@ -4,17 +4,18 @@ import re
 import uuid
 from base64 import b64decode
 from binascii import Error
-from time import time
 from typing import Any
 from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
+from django.utils.timezone import now
 from structlog.stdlib import get_logger
 
 from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER
 from authentik.events.models import Event, EventAction
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.errors import BearerTokenError
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
@@ -217,23 +218,25 @@ class HttpResponseRedirectScheme(HttpResponseRedirect):
 
 
 def create_logout_token(
-    iss: str,
     provider: OAuth2Provider,
-    session_key: str | None = None,
+    iss: str,
     sub: str | None = None,
+    session_key: str | None = None,
 ) -> str:
     """Create a logout token for Back-Channel Logout
 
     As per https://openid.net/specs/openid-connect-backchannel-1_0.html
     """
 
-    LOGGER.debug("Creating logout token", provider=provider, session_key=session_key, sub=sub)
+    LOGGER.debug("Creating logout token", provider=provider, sub=sub)
 
+    _now = now()
     # Create the logout token payload
     payload = {
         "iss": str(iss),
         "aud": provider.client_id,
-        "iat": int(time()),
+        "iat": int(_now.timestamp()),
+        "exp": int((_now + timedelta_from_string(provider.access_token_validity)).timestamp()),
         "jti": str(uuid.uuid4()),
         "events": {
             "http://schemas.openid.net/event/backchannel-logout": {},

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -127,6 +127,9 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                 and self.controller.outpost.config.kubernetes_ingress_secret_name
             ):
                 tls_hosts.append(external_host_name.hostname)
+            path_type = "Prefix"
+            if self.controller.outpost.config.kubernetes_ingress_path_type:
+                path_type = self.controller.outpost.config.kubernetes_ingress_path_type
             if proxy_provider.mode in [
                 ProxyMode.FORWARD_SINGLE,
                 ProxyMode.FORWARD_DOMAIN,
@@ -143,7 +146,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                     ),
                                 ),
                                 path="/outpost.goauthentik.io",
-                                path_type="Prefix",
+                                path_type=path_type,
                             )
                         ]
                     ),
@@ -161,7 +164,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                     ),
                                 ),
                                 path="/",
-                                path_type="Prefix",
+                                path_type=path_type,
                             )
                         ]
                     ),

authentik/providers/rac/migrations/0007_migrate_session.py

@@ -13,7 +13,7 @@ def migrate_sessions(apps, schema_editor):
     for token in ConnectionToken.objects.using(db_alias).all():
         token.session = (
             AuthenticatedSession.objects.using(db_alias)
-            .filter(session_key=token.old_session.session_key)
+            .filter(session__session_key=token.old_session.session_key)
             .first()
         )
         if token.session:

authentik/providers/scim/clients/exceptions.py

@@ -27,3 +27,8 @@ class SCIMRequestException(TransientSyncException):
         except ValidationError:
             pass
         return self._message
+
+    def __str__(self):
+        if self._response:
+            return self._response.text
+        return super().__str__()

authentik/rbac/middleware.py

@@ -0,0 +1,69 @@
+"""InitialPermissions middleware"""
+
+from collections.abc import Callable
+from contextvars import ContextVar
+from functools import partial
+
+from django.db.models import Model
+from django.db.models.signals import post_save
+from django.http import HttpRequest, HttpResponse
+
+from authentik.core.models import User
+from authentik.rbac.permissions import assign_initial_permissions
+
+_CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_initial_permissions_request", default=None)
+
+
+class InitialPermissionsMiddleware:
+    """Register a handler for duration of request-response that assigns InitialPermissions"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+
+    def get_uid(self, request_id: str) -> str:
+        return f"InitialPermissionMiddleware-{request_id}"
+
+    def connect(self, request: HttpRequest):
+        if not hasattr(request, "request_id"):
+            return
+        post_save.connect(
+            partial(self.post_save_handler, request=request),
+            dispatch_uid=self.get_uid(request.request_id),
+            weak=False,
+        )
+
+    def disconnect(self, request: HttpRequest):
+        if not hasattr(request, "request_id"):
+            return
+        post_save.disconnect(dispatch_uid=self.get_uid(request.request_id))
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        _CTX_REQUEST.set(request)
+        self.connect(request)
+
+        response = self.get_response(request)
+
+        self.disconnect(request)
+        _CTX_REQUEST.set(None)
+        return response
+
+    def process_exception(self, request: HttpRequest, exception: Exception):
+        self.disconnect(request)
+
+    def post_save_handler(
+        self,
+        request: HttpRequest,
+        instance: Model,
+        created: bool,
+        **_,
+    ):
+        if not created:
+            return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
+        user: User = request.user
+        if not user or user.is_anonymous:
+            return
+        assign_initial_permissions(user, instance)

authentik/rbac/migrations/0006_alter_role_options.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.1.11 on 2025-08-29 14:42
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_rbac", "0005_initialpermissions"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="role",
+            options={
+                "permissions": [
+                    ("assign_role_permissions", "Can assign permissions to roles"),
+                    ("unassign_role_permissions", "Can unassign permissions from roles"),
+                ],
+                "verbose_name": "Role",
+                "verbose_name_plural": "Roles",
+            },
+        ),
+    ]

authentik/rbac/models.py

@@ -71,8 +71,8 @@ class Role(SerializerModel):
         verbose_name = _("Role")
         verbose_name_plural = _("Roles")
         permissions = [
-            ("assign_role_permissions", _("Can assign permissions to users")),
-            ("unassign_role_permissions", _("Can unassign permissions from users")),
+            ("assign_role_permissions", _("Can assign permissions to roles")),
+            ("unassign_role_permissions", _("Can unassign permissions from roles")),
         ]
 
 

authentik/rbac/permissions.py

@@ -5,9 +5,12 @@ from django.db.models import Model
 from guardian.shortcuts import assign_perm
 from rest_framework.permissions import BasePermission, DjangoObjectPermissions
 from rest_framework.request import Request
+from structlog.stdlib import get_logger
 
 from authentik.rbac.models import InitialPermissions, InitialPermissionsMode
 
+LOGGER = get_logger()
+
 
 class ObjectPermissions(DjangoObjectPermissions):
     """RBAC Permissions"""
@@ -71,4 +74,10 @@ def assign_initial_permissions(user, instance: Model):
                 if initial_permissions.mode == InitialPermissionsMode.USER
                 else initial_permissions.role.group
             )
+            LOGGER.debug(
+                "Adding initial permission",
+                initial_permission=permission,
+                subject=assign_to,
+                object=instance,
+            )
             assign_perm(permission, assign_to, instance)

authentik/root/settings.py

@@ -4,7 +4,6 @@ import importlib
 from collections import OrderedDict
 from hashlib import sha512
 from pathlib import Path
-from tempfile import gettempdir
 
 import orjson
 from sentry_sdk import set_tag
@@ -266,6 +265,7 @@ MIDDLEWARE = [
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "authentik.core.middleware.ImpersonateMiddleware",
+    "authentik.rbac.middleware.InitialPermissionsMiddleware",
 ]
 MIDDLEWARE_LAST = [
     "django_prometheus.middleware.PrometheusAfterMiddleware",
@@ -368,6 +368,9 @@ DRAMATIQ = {
     "broker_class": "authentik.tasks.broker.Broker",
     "channel_prefix": "authentik",
     "task_model": "authentik.tasks.models.Task",
+    "lock_purge_interval": timedelta_from_string(
+        CONFIG.get("worker.lock_purge_interval")
+    ).total_seconds(),
     "task_purge_interval": timedelta_from_string(
         CONFIG.get("worker.task_purge_interval")
     ).total_seconds(),
@@ -424,7 +427,6 @@ DRAMATIQ = {
         (
             "authentik.tasks.middleware.MetricsMiddleware",
             {
-                "multiproc_dir": str(Path(gettempdir()) / "authentik_prometheus_tmp"),
                 "prefix": "authentik",
             },
         ),

authentik/sources/ldap/sync/membership.py

@@ -5,6 +5,7 @@ from typing import Any
 
 from django.db.models import Q
 from ldap3 import SUBTREE
+from ldap3.utils.conv import escape_filter_chars
 
 from authentik.core.models import Group, User
 from authentik.sources.ldap.models import LDAP_DISTINGUISHED_NAME, LDAP_UNIQUENESS, LDAPSource
@@ -52,7 +53,8 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
         for group in page_data:
             if self._source.lookup_groups_from_user:
                 group_dn = group.get("dn", {})
-                group_filter = f"({self._source.group_membership_field}={group_dn})"
+                escaped_dn = escape_filter_chars(group_dn)
+                group_filter = f"({self._source.group_membership_field}={escaped_dn})"
                 group_members = self._source.connection().extend.standard.paged_search(
                     search_base=self.base_dn_users,
                     search_filter=group_filter,

authentik/sources/ldap/tests/test_sync.py

@@ -4,6 +4,8 @@ from unittest.mock import MagicMock, patch
 
 from django.db.models import Q
 from django.test import TestCase
+from ldap3.core.exceptions import LDAPInvalidFilterError
+from ldap3.utils.conv import escape_filter_chars
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Group, User
@@ -519,3 +521,89 @@ class LDAPSyncTests(TestCase):
 
         self.assertFalse(User.objects.filter(username__startswith="not-in-the-source").exists())
         self.assertFalse(Group.objects.filter(name__startswith="not-in-the-source").exists())
+
+    def test_membership_sync_special_chars_in_group_dn(self):
+        """Test membership synchronization with special characters in group DN"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.group_membership_field = "memberOf"
+
+        # Mock connection with group DN containing special characters
+        mock_conn = MagicMock()
+
+        # Simulate group with special characters in DN: parentheses, backslashes, asterisks
+        special_group_dn = "cn=test(group),ou=groups,dc=example,dc=com"
+        backslash_group_dn = "cn=test\\group,ou=groups,dc=example,dc=com"
+        asterisk_group_dn = "cn=test*group,ou=groups,dc=example,dc=com"
+
+        # Mock the paged_search method that would be called with the filter
+        mock_standard = MagicMock()
+        mock_conn.extend.standard = mock_standard
+
+        # Test case 1: Group DN with parentheses
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+
+            # Simulate group data with special characters in DN
+            page_data = [{"dn": special_group_dn}]
+
+            # This should not raise LDAPInvalidFilterError anymore
+            try:
+                membership_sync.sync(page_data)
+                # Verify that the filter was properly escaped
+                # The call should have been made with escaped characters
+                mock_standard.paged_search.assert_called()
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The parentheses should be escaped as \28 and \29
+                self.assertIn("\\28", search_filter)  # Escaped (
+                self.assertIn("\\29", search_filter)  # Escaped )
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+        # Test case 2: Group DN with backslashes
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+            page_data = [{"dn": backslash_group_dn}]
+
+            try:
+                membership_sync.sync(page_data)
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The backslash should be escaped as \5c
+                self.assertIn("\\5c", search_filter)  # Escaped \
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+        # Test case 3: Group DN with asterisks
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", return_value=mock_conn):
+            membership_sync = MembershipLDAPSynchronizer(self.source, Task())
+            page_data = [{"dn": asterisk_group_dn}]
+
+            try:
+                membership_sync.sync(page_data)
+                call_args = mock_standard.paged_search.call_args
+                search_filter = call_args[1]["search_filter"]
+                # The asterisk should be escaped as \2a
+                self.assertIn("\\2a", search_filter)  # Escaped *
+            except LDAPInvalidFilterError:
+                self.fail("LDAPInvalidFilterError should not be raised with escaped filter")
+
+    def test_escape_filter_chars_function(self):
+        """Test the escape_filter_chars function directly"""
+
+        # Test various special characters that need escaping
+        test_cases = [
+            ("test(group)", "test\\28group\\29"),  # parentheses
+            ("test\\group", "test\\5cgroup"),  # backslash
+            ("test*group", "test\\2agroup"),  # asterisk
+            ("test(*)group", "test\\28\\2a\\29group"),  # multiple special chars
+            ("normalgroup", "normalgroup"),  # no special chars
+            ("", ""),  # empty string
+        ]
+
+        for input_str, expected in test_cases:
+            with self.subTest(input_str=input_str):
+                result = escape_filter_chars(input_str)
+                self.assertEqual(result, expected)

authentik/stages/authenticator_duo/api.py

@@ -198,7 +198,10 @@ class AuthenticatorDuoStageViewSet(UsedByMixin, ModelViewSet):
             return {"error": "", "count": created}
         except RuntimeError as exc:
             LOGGER.warning("failed to get users from duo", exc=exc)
-            return {"error": str(exc), "count": created}
+            return {
+                "error": "An internal error occurred while importing devices.",
+                "count": created,
+            }
 
 
 class DuoDeviceSerializer(ModelSerializer):

authentik/stages/authenticator_duo/tests.py

@@ -168,6 +168,8 @@ class AuthenticatorDuoStageTests(FlowTestCase):
             client_secret=generate_id(),
             api_hostname=generate_id(),
         )
+
+        # Test missing admin credentials
         response = self.client.post(
             reverse(
                 "authentik_api:authenticatorduostage-import-devices-automatic",
@@ -178,6 +180,31 @@ class AuthenticatorDuoStageTests(FlowTestCase):
         )
         self.assertEqual(response.status_code, 400)
 
+        # Test internal error handling
+        stage.admin_integration_key = generate_id()
+        stage.admin_secret_key = generate_id()
+        stage.save()
+        with patch(
+            "duo_client.admin.Admin.get_users_iterator",
+            MagicMock(side_effect=RuntimeError("Duo API error")),
+        ):
+            response = self.client.post(
+                reverse(
+                    "authentik_api:authenticatorduostage-import-devices-automatic",
+                    kwargs={
+                        "pk": str(stage.pk),
+                    },
+                ),
+            )
+            self.assertEqual(response.status_code, 400)
+            self.assertJSONEqual(
+                response.content,
+                {
+                    "error": "An internal error occurred while importing devices.",
+                    "count": 0,
+                },
+            )
+
     def test_api_import_automatic(self):
         """test `import_devices_automatic`"""
         self.client.force_login(self.user)

authentik/stages/authenticator_email/models.py

@@ -15,18 +15,10 @@ from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.stages.authenticator.models import SideChannelDevice
+from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 
 
-class EmailTemplates(models.TextChoices):
-    """Templates used for rendering the Email"""
-
-    EMAIL_OTP = (
-        "email/email_otp.html",
-        _("Email OTP"),
-    )  # nosec
-
-
 class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
     """Use Email-based authentication instead of authenticator-based."""
 

authentik/stages/email/management/commands/test_email.py

@@ -35,7 +35,12 @@ class Command(TenantCommand):
             template_context={},
         )
         try:
-            send_mail(message.__dict__, stage.pk)
+            if not stage.use_global_settings:
+                message.from_email = stage.from_address
+
+            send_mail.send(message.__dict__, stage.pk).get_result(block=True)
+
+            self.stdout.write(self.style.SUCCESS(f"Test email sent to {options['to']}"))
         finally:
             if delete_stage:
                 stage.delete()

authentik/stages/email/models.py

@@ -32,6 +32,14 @@ class EmailTemplates(models.TextChoices):
         "email/account_confirmation.html",
         _("Account Confirmation"),
     )
+    EMAIL_OTP = (
+        "email/email_otp.html",
+        _("Email OTP"),
+    )  # nosec
+    EVENT_NOTIFICATION = (
+        "email/event_notification.html",
+        _("Event Notification"),
+    )
 
 
 def get_template_choices():

authentik/stages/email/tests/test_management_commands.py

@@ -0,0 +1,66 @@
+"""Test email management commands"""
+
+from unittest.mock import patch
+
+from django.core import mail
+from django.core.mail.backends.locmem import EmailBackend
+from django.core.management import call_command
+from django.test import TestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.stages.email.models import EmailStage
+
+
+class TestEmailManagementCommands(TestCase):
+    """Test email management commands"""
+
+    def setUp(self):
+        self.user = create_test_admin_user()
+
+    def test_test_email_command_with_stage(self):
+        """Test test_email command with specified stage"""
+        EmailStage.objects.create(
+            name="test-stage",
+            from_address="test@authentik.local",
+            host="localhost",
+            port=25,
+        )
+
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com", stage="test-stage")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik Test-Email")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])
+
+    def test_test_email_command_with_global_settings(self):
+        """Test test_email command with global settings"""
+        # Mock the backend to use Django's locmem backend
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik Test-Email")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])
+
+    def test_test_email_command_invalid_stage(self):
+        """Test test_email command with invalid stage"""
+        call_command("test_email", "test@example.com", stage="nonexistent")
+
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_test_email_command_with_custom_from(self):
+        """Test test_email command respects custom from address"""
+        EmailStage.objects.create(
+            name="test-stage",
+            from_address="custom@authentik.local",
+            host="localhost",
+            port=25,
+        )
+
+        with patch("authentik.stages.email.models.EmailStage.backend_class", EmailBackend):
+            call_command("test_email", "test@example.com", stage="test-stage")
+
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].from_email, "custom@authentik.local")
+            self.assertEqual(mail.outbox[0].to, ["test@example.com"])

authentik/stages/email/tests/test_templates.py

@@ -54,7 +54,7 @@ class TestEmailStageTemplates(FlowTestCase):
             chmod(file2, 0o000)  # Remove all permissions so we can't read the file
             choices = get_template_choices()
             self.assertEqual(choices[-1][0], Path(file).name)
-            self.assertEqual(len(choices), 3)
+            self.assertEqual(len(choices), 5)
             unlink(file)
             unlink(file2)
 

authentik/tasks/apps.py

@@ -2,6 +2,8 @@ from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 
+PRIORITY_HIGH = 1000
+
 
 class AuthentikTasksConfig(ManagedAppConfig):
     name = "authentik.tasks"

authentik/tasks/middleware.py

@@ -14,6 +14,7 @@ from django_redis import get_redis_connection
 from dramatiq.broker import Broker
 from dramatiq.message import Message
 from dramatiq.middleware import Middleware
+from psycopg.errors import Error
 from redis.exceptions import RedisError
 from structlog.stdlib import get_logger
 
@@ -26,6 +27,7 @@ from authentik.tenants.utils import get_current_tenant
 
 LOGGER = get_logger()
 HEALTHCHECK_LOGGER = get_logger("authentik.worker").bind()
+DB_ERRORS = (OperationalError, Error, RedisError)
 
 
 class TenantMiddleware(Middleware):
@@ -100,10 +102,15 @@ class MessagesMiddleware(Middleware):
             TaskStatus.ERROR,
             exception,
         )
+        event_kwargs = {
+            "actor": task.actor_name,
+        }
+        if task.rel_obj:
+            event_kwargs["rel_obj"] = task.rel_obj
         Event.new(
             EventAction.SYSTEM_TASK_EXCEPTION,
             message=f"Task {task.actor_name} encountered an error",
-            actor=task.actor_name,
+            **event_kwargs,
         ).with_exception(exception).save()
 
     def after_skip_message(self, broker: Broker, message: Message):
@@ -151,7 +158,6 @@ class DescriptionMiddleware(Middleware):
 
 
 class _healthcheck_handler(BaseHTTPRequestHandler):
-
     def log_request(self, code="-", size="-"):
         HEALTHCHECK_LOGGER.info(
             self.path,
@@ -171,7 +177,7 @@ class _healthcheck_handler(BaseHTTPRequestHandler):
             redis_conn = get_redis_connection()
             redis_conn.ping()
             self.send_response(200)
-        except (OperationalError, RedisError):  # pragma: no cover
+        except DB_ERRORS:  # pragma: no cover
             self.send_response(503)
         self.send_header("Content-Type", "text/plain; charset=utf-8")
         self.send_header("Content-Length", "0")
@@ -212,6 +218,14 @@ class WorkerStatusMiddleware(Middleware):
             hostname=socket.gethostname(),
             version=authentik_full_version(),
         )
+        while True:
+            try:
+                WorkerStatusMiddleware.keep(status)
+            except DB_ERRORS:  # pragma: no cover
+                sleep(10)
+                pass
+
+    def keep(status: WorkerStatus):
         lock_id = f"goauthentik.io/worker/status/{status.pk}"
         with pglock.advisory(lock_id, side_effect=pglock.Raise):
             while True:

authentik/tasks/schedules/api.py

@@ -107,7 +107,6 @@ class ScheduleViewSet(
         "rel_obj_content_type__app_label",
         "rel_obj_content_type__model",
         "rel_obj_id",
-        "description",
     )
     filterset_class = ScheduleFilter
     ordering = (

authentik/tenants/management/commands/createsuperuser.py

@@ -0,0 +1,10 @@
+from django.core.management.base import BaseCommand
+
+
+class Command(BaseCommand):
+    help = "ak createsuperuser should not be used. Instead, use ak create_admin_group"
+
+    def handle(self, *args, **options):  # noqa: ANN001, D401
+        raise RuntimeError(
+            "ak createsuperuser should not be used. Instead, use ak create_admin_group"
+        )

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.8.0-rc4 Blueprint schema",
+    "title": "authentik 2025.10.0-rc1 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -6753,6 +6753,15 @@
                     "title": "Webhook mapping headers",
                     "description": "Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs"
                 },
+                "email_subject_prefix": {
+                    "type": "string",
+                    "title": "Email subject prefix"
+                },
+                "email_template": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Email template"
+                },
                 "send_once": {
                     "type": "boolean",
                     "title": "Send once",

blueprints/system/bootstrap.yaml

@@ -5,7 +5,7 @@ metadata:
     blueprints.goauthentik.io/system-bootstrap: "true"
     blueprints.goauthentik.io/system: "true"
     blueprints.goauthentik.io/description: |
-      This blueprint configures the default admin user and group, and configures them for the [Automated install](https://goauthentik.io/docs/installation/automated-install).
+      This blueprint configures the default admin user and group, and configures them for the [Automated install](https://docs.goauthentik.io/docs/install-config/automated-install?utm_source=bootstrap_blueprint).
 context:
   username: akadmin
   group_name: authentik Admins

blueprints/system/providers-oauth2.yaml

@@ -24,7 +24,7 @@ entries:
       expression: |
         return {
             "email": request.user.email,
-            "email_verified": True
+            "email_verified": False
         }
   - identifiers:
       managed: goauthentik.io/providers/oauth2/scope-profile

docker-compose.yml

@@ -48,7 +48,7 @@ services:
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.0-rc4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.0-rc1}
     ports:
     - ${COMPOSE_PORT_HTTP:-9000}:9000
     - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -72,7 +72,7 @@ services:
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.0-rc4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.10.0-rc1}
     restart: unless-stopped
     user: root
     volumes:

go.mod

@@ -6,7 +6,7 @@ require (
 	beryju.io/ldap v0.1.0
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/coreos/go-oidc/v3 v3.15.0
-	github.com/getsentry/sentry-go v0.35.0
+	github.com/getsentry/sentry-go v0.35.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-openapi/runtime v0.28.0
@@ -17,22 +17,22 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/grafana/pyroscope-go v1.2.4
+	github.com/grafana/pyroscope-go v1.2.7
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
-	github.com/prometheus/client_golang v1.23.0
-	github.com/redis/go-redis/v9 v9.11.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/redis/go-redis/v9 v9.13.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
+	github.com/spf13/cobra v1.10.1
+	github.com/stretchr/testify v1.11.1
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025064.8
+	goauthentik.io/api/v3 v3.2025100.4
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0
+	golang.org/x/oauth2 v0.31.0
+	golang.org/x/sync v0.17.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -60,7 +60,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
+	github.com/grafana/pyroscope-go/godeltaprof v0.1.9 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
@@ -70,16 +70,17 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.25.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -26,8 +26,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.35.0 h1:+FJNlnjJsZMG3g0/rmmP7GiKjQoUF5EXfEtBwtPtkzY=
-github.com/getsentry/sentry-go v0.35.0/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
+github.com/getsentry/sentry-go v0.35.1 h1:iopow6UVLE2aXu46xKVIs8Z9D/YZkJrHkgozrxa+tOQ=
+github.com/getsentry/sentry-go v0.35.1/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -87,10 +87,10 @@ github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2e
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grafana/pyroscope-go v1.2.4 h1:B22GMXz+O0nWLatxLuaP7o7L9dvP0clLvIpmeEQQM0Q=
-github.com/grafana/pyroscope-go v1.2.4/go.mod h1:zzT9QXQAp2Iz2ZdS216UiV8y9uXJYQiGE1q8v1FyhqU=
-github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
-github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
+github.com/grafana/pyroscope-go v1.2.7 h1:VWBBlqxjyR0Cwk2W6UrE8CdcdD80GOFNutj0Kb1T8ac=
+github.com/grafana/pyroscope-go v1.2.7/go.mod h1:o/bpSLiJYYP6HQtvcoVKiE9s5RiNgjYTj1DhiddP2Pc=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.9 h1:c1Us8i6eSmkW+Ez05d3co8kasnuOY813tbMN8i/a3Og=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.9/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -140,16 +140,16 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
-github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
-github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
 github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
-github.com/redis/go-redis/v9 v9.11.0 h1:E3S08Gl/nJNn5vkxd2i78wZxWAPNZgUNTp8WIJUAiIs=
-github.com/redis/go-redis/v9 v9.11.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.13.0 h1:PpmlVykE0ODh8P43U0HqC+2NXHXwG+GUtQyz+MPKGRg=
+github.com/redis/go-redis/v9 v9.13.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -158,10 +158,10 @@ github.com/sethvargo/go-envconfig v1.3.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -169,8 +169,8 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
 github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
@@ -185,8 +185,10 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025064.8 h1:wgegkPUtGSrOR7+Rnd0cxLVU0cEea87BatjESa6BJv0=
-goauthentik.io/api/v3 v3.2025064.8/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+goauthentik.io/api/v3 v3.2025100.4 h1:ordAECV5Imfd2DaPMHrAWa0Au+03cBYg09T3iOcjD9w=
+goauthentik.io/api/v3 v3.2025100.4/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
@@ -194,25 +196,25 @@ golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqj
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo=
+golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/constants/VERSION

@@ -1 +1 @@
-2025.8.0-rc4
+2025.10.0-rc1

internal/utils/web/http_compress.go

@@ -0,0 +1,91 @@
+// https://github.com/gorilla/handlers/issues/259#issuecomment-2671695039
+package web
+
+import (
+	"bufio"
+	"net"
+	"net/http"
+
+	"github.com/gorilla/handlers"
+)
+
+// compressHandler is an HTTP handler that adds the Content-Encoding header
+// back to responses when removed by the http.FileServer.
+//
+// handlers.CompressHandler(newCompressHandler(http.FileServer(...)))
+type compressHandler struct {
+	// handler is an HTTP handler, usually an http.FileServer.
+	handler http.Handler
+}
+
+var _ http.Handler = &compressHandler{}
+
+func NewCompressHandler(handler http.Handler) http.Handler {
+	h := &compressHandler{
+		handler: handler,
+	}
+	return handlers.CompressHandler(h)
+}
+
+func (h *compressHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// The wrapped response writer saves the incoming content encoding so
+	// it can be restored when writing the response headers.
+	cw := &compressedResponseWriter{
+		encoding:       w.Header().Get("Content-Encoding"),
+		fixed:          false,
+		responseWriter: w,
+	}
+	h.handler.ServeHTTP(cw, r)
+}
+
+// compressedResponseWriter is an http.ResponseWriter that ensures that a
+// previously-set Content-Encoding header is in place before writing the
+// response.
+type compressedResponseWriter struct {
+	encoding       string
+	fixed          bool
+	responseWriter http.ResponseWriter
+}
+
+var _ http.ResponseWriter = &compressedResponseWriter{}
+
+func (w *compressedResponseWriter) Header() http.Header {
+	return w.responseWriter.Header()
+}
+
+func (w *compressedResponseWriter) fixContentEncoding() {
+	if w.fixed {
+		return
+	}
+	w.fixed = true
+	// The Go 1.23 http.FileServer() removes headers like Content-Encoding
+	// from error responses. This breaks gzip and deflate encoding.
+	// https://github.com/gorilla/handlers/issues/259
+	// https://github.com/golang/go/issues/66343
+	if w.encoding == "gzip" || w.encoding == "deflate" {
+		if w.Header().Get("Content-Encoding") == "" {
+			w.Header().Set("Content-Encoding", w.encoding)
+		}
+	}
+}
+
+func (w *compressedResponseWriter) Write(data []byte) (int, error) {
+	w.fixContentEncoding()
+	return w.responseWriter.Write(data)
+}
+
+func (w *compressedResponseWriter) WriteHeader(statusCode int) {
+	w.fixContentEncoding()
+	w.responseWriter.WriteHeader(statusCode)
+}
+
+func (w *compressedResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if hj, ok := w.responseWriter.(http.Hijacker); ok {
+		return hj.Hijack()
+	}
+	return nil, nil, http.ErrNotSupported
+}
+
+// Ensure our compressedResponseWriter implements the necessary interfaces.
+var _ http.ResponseWriter = &compressedResponseWriter{}
+var _ http.Hijacker = &compressedResponseWriter{}

internal/web/proxy.go

@@ -5,6 +5,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -15,6 +16,7 @@ import (
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/sentry"
 	"goauthentik.io/internal/utils/web"
+	staticWeb "goauthentik.io/web"
 )
 
 var (
@@ -88,19 +90,81 @@ func (ws *WebServer) configureProxy() {
 }
 
 func (ws *WebServer) proxyErrorHandler(rw http.ResponseWriter, req *http.Request, err error) {
-	if !errors.Is(err, ErrAuthentikStarting) {
-		ws.log.WithError(err).Warning("failed to proxy to backend")
+	accept := req.Header.Get("Accept")
+
+	header := rw.Header()
+
+	if errors.Is(err, ErrAuthentikStarting) {
+		header.Set("Retry-After", "5")
+
+		if strings.Contains(accept, "application/json") {
+			header.Set("Content-Type", "application/json")
+
+			err = json.NewEncoder(rw).Encode(map[string]string{
+				"error": "authentik starting",
+			})
+
+			if err != nil {
+				ws.log.WithError(err).Warning("failed to write error message")
+				return
+			}
+		} else if strings.Contains(accept, "text/html") {
+			header.Set("Content-Type", "text/html")
+			rw.WriteHeader(http.StatusServiceUnavailable)
+
+			loadingSplashFile, err := staticWeb.StaticDir.Open("standalone/loading/startup.html")
+
+			if err != nil {
+				ws.log.WithError(err).Warning("failed to open startup splash screen")
+				return
+			}
+
+			loadingSplashHTML, err := io.ReadAll(loadingSplashFile)
+
+			if err != nil {
+				ws.log.WithError(err).Warning("failed to read startup splash screen")
+				return
+			}
+
+			_, err = rw.Write(loadingSplashHTML)
+
+			if err != nil {
+				ws.log.WithError(err).Warning("failed to write startup splash screen")
+				return
+			}
+		} else {
+			header.Set("Content-Type", "text/plain")
+			rw.WriteHeader(http.StatusServiceUnavailable)
+
+			// Fallback to just a status message
+			_, err = rw.Write([]byte("authentik starting"))
+
+			if err != nil {
+				ws.log.WithError(err).Warning("failed to write initializing HTML")
+			}
+		}
+
+		return
 	}
-	rw.WriteHeader(http.StatusBadGateway)
+
+	ws.log.WithError(err).Warning("failed to proxy to backend")
+
 	em := fmt.Sprintf("failed to connect to authentik backend: %v", err)
-	// return json if the client asks for json
-	if req.Header.Get("Accept") == "application/json" {
+
+	if strings.Contains(accept, "application/json") {
+		header.Set("Content-Type", "application/json")
+		rw.WriteHeader(http.StatusBadGateway)
+
 		err = json.NewEncoder(rw).Encode(map[string]string{
 			"error": em,
 		})
 	} else {
+		header.Set("Content-Type", "text/plain")
+		rw.WriteHeader(http.StatusBadGateway)
+
 		_, err = rw.Write([]byte(em))
 	}
+
 	if err != nil {
 		ws.log.WithError(err).Warning("failed to write error message")
 	}

internal/web/static.go

@@ -17,9 +17,7 @@ func (ws *WebServer) configureStatic() {
 	// Setup routers
 	staticRouter := ws.loggingRouter.NewRoute().Subrouter()
 	staticRouter.Use(ws.staticHeaderMiddleware)
-	indexLessRouter := staticRouter.NewRoute().Subrouter()
-	// Specifically disable index
-	indexLessRouter.Use(web.DisableIndex)
+	staticRouter.Use(web.DisableIndex)
 
 	distFs := http.FileServer(http.Dir("./web/dist"))
 
@@ -31,18 +29,18 @@ func (ws *WebServer) configureStatic() {
 		return h
 	}
 
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
 		distFs,
 		"static/dist/",
 		config.Get().Web.Path,
 	))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/authentik/").Handler(pathStripper(
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/authentik/").Handler(pathStripper(
 		http.FileServer(http.Dir("./web/authentik")),
 		"static/authentik/",
 		config.Get().Web.Path,
 	))
 
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
 		pathStripper(
@@ -51,9 +49,9 @@ func (ws *WebServer) configureStatic() {
 			config.Get().Web.Path,
 		).ServeHTTP(rw, r)
 	})
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/admin/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/admin", config.Get().Web.Path), distFs))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/user/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/user", config.Get().Web.Path), distFs))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/admin/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/admin", config.Get().Web.Path), distFs))
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/user/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/user", config.Get().Web.Path), distFs))
+	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
 		pathStripper(
@@ -66,7 +64,7 @@ func (ws *WebServer) configureStatic() {
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
 		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").Handler(pathStripper(
+		staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").Handler(pathStripper(
 			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 				fsMedia.ServeHTTP(w, r)

internal/web/web.go

@@ -12,7 +12,6 @@ import (
 	"path"
 	"time"
 
-	"github.com/gorilla/handlers"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/securecookie"
 	"github.com/pires/go-proxyproto"
@@ -60,7 +59,7 @@ func NewWebServer() *WebServer {
 	l := log.WithField("logger", "authentik.router")
 	mainHandler := mux.NewRouter()
 	mainHandler.Use(web.ProxyHeaders())
-	mainHandler.Use(handlers.CompressHandler)
+	mainHandler.Use(web.NewCompressHandler)
 	loggingHandler := mainHandler.NewRoute().Subrouter()
 	loggingHandler.Use(web.NewLoggingHandler(l, nil))
 

ldap.Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS builder
 
 ARG TARGETOS
 ARG TARGETARCH

lifecycle/ak

@@ -68,6 +68,11 @@ function prepare_debug {
     chown authentik:authentik /unittest.xml
 }
 
+if [[ -z "${PROMETHEUS_MULTIPROC_DIR}" ]]; then
+    export PROMETHEUS_MULTIPROC_DIR="${TMPDIR:-/tmp}/authentik_prometheus_tmp"
+fi
+mkdir -p "${PROMETHEUS_MULTIPROC_DIR}"
+
 if [[ "$(python -m authentik.lib.config debugger 2>/dev/null)" == "True" ]]; then
     prepare_debug
 fi

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1024.0",
+                "aws-cdk": "^2.1029.0",
                 "cross-env": "^10.0.0"
             },
             "engines": {
@@ -24,9 +24,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1024.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1024.0.tgz",
-            "integrity": "sha512-hY0iVT2gPX/QOQXL7RSP2sqIRI/4BYU27vSmbhZxLEj//c3pkMkd9QpIHj7gOhyWC2gf6n5JuYPw27Dgw8FEdA==",
+            "version": "2.1029.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1029.0.tgz",
+            "integrity": "sha512-TYJGMs1QVYgOTqt0MnbykZvKXMThevjg/m16MuERlWK3fQErhKcUkMmJ8uUY0SBf70FvT7tQdBq9dnsa34TM2A==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1024.0",
+        "aws-cdk": "^2.1029.0",
         "cross-env": "^10.0.0"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.8.0-rc4
+    Default: 2025.10.0-rc1
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

lifecycle/gunicorn.conf.py

@@ -33,15 +33,12 @@ wait_for_db()
 _tmp = Path(gettempdir())
 worker_class = "lifecycle.worker.DjangoUvicornWorker"
 worker_tmp_dir = str(_tmp.joinpath("authentik_gunicorn_tmp"))
-prometheus_tmp_dir = str(_tmp.joinpath("authentik_prometheus_tmp"))
 
 os.makedirs(worker_tmp_dir, exist_ok=True)
-os.makedirs(prometheus_tmp_dir, exist_ok=True)
 
 bind = f"unix://{str(_tmp.joinpath('authentik-core.sock'))}"
 
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")
-os.environ.setdefault("PROMETHEUS_MULTIPROC_DIR", prometheus_tmp_dir)
 
 preload_app = True
 

locale/de/LC_MESSAGES/django.po

@@ -33,16 +33,16 @@
 # Till-Frederik Riechard, 2025
 # Alexander Mnich, 2025
 # Ben, 2025
-# Fabian, 2025
+# datenschmutz, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-11 00:12+0000\n"
+"POT-Creation-Date: 2025-08-30 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Fabian, 2025\n"
+"Last-Translator: datenschmutz, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -56,7 +56,7 @@ msgstr "Versionshistorie"
 
 #: authentik/admin/tasks.py
 msgid "Update latest version info."
-msgstr ""
+msgstr "Versionsinfo aktualisieren."
 
 #: authentik/admin/tasks.py
 #, python-brace-format
@@ -116,18 +116,22 @@ msgstr "authentik Export - {date}"
 #: authentik/blueprints/v1/tasks.py
 msgid "Find blueprints as `blueprints_find` does, but return a safe dict."
 msgstr ""
+"Blueprints ähnlich zu `blueprints_find` finden, aber ein sicheres Dictionary"
+" zurückgeben."
 
 #: authentik/blueprints/v1/tasks.py
 msgid "Find blueprints and check if they need to be created in the database."
 msgstr ""
+"Blueprints finden und prüfen, ob sie in der Datenbank erstellt werden "
+"müssen."
 
 #: authentik/blueprints/v1/tasks.py
 msgid "Apply single blueprint."
-msgstr ""
+msgstr "Einzelnen Blueprint anwenden."
 
 #: authentik/blueprints/v1/tasks.py
 msgid "Remove blueprints which couldn't be fetched."
-msgstr ""
+msgstr "Blueprints entfernen, die nicht abgerufen werden konnten."
 
 #: authentik/brands/models.py
 msgid ""
@@ -169,6 +173,8 @@ msgstr "Nutzer hat keinen Zugriff auf diese Anwendung."
 #, python-brace-format
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""
+"Der Slug '{slug}' ist reserviert und kann nicht für Applikationen verwendet "
+"werden."
 
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
@@ -253,11 +259,11 @@ msgstr "Passwort zurücksetzen"
 msgid "Can impersonate other users"
 msgstr "Kann sich als anderer Benutzer ausgeben"
 
-#: authentik/core/models.py authentik/rbac/models.py
+#: authentik/core/models.py
 msgid "Can assign permissions to users"
 msgstr "Kann Benutzern Berechtigungen zuweisen"
 
-#: authentik/core/models.py authentik/rbac/models.py
+#: authentik/core/models.py
 msgid "Can unassign permissions from users"
 msgstr "Kann Berechtigungen von Benutzern entfernen"
 
@@ -479,11 +485,11 @@ msgstr "Die Quelle ist nicht zur Benutzerregistrierung eingerichtet."
 
 #: authentik/core/tasks.py
 msgid "Remove expired objects."
-msgstr ""
+msgstr "Abgelaufene Objekte entfernen."
 
 #: authentik/core/tasks.py
 msgid "Remove temporary users created by SAML Sources."
-msgstr ""
+msgstr "Temporäre Benutzer entfernen, die von SAML-Sources erstellt wurden."
 
 #: authentik/core/templates/if/error.html
 msgid "Go home"
@@ -539,7 +545,7 @@ msgstr "Zertifikat-Schlüsselpaare"
 
 #: authentik/crypto/tasks.py
 msgid "Discover, import and update certificates from the filesystem."
-msgstr ""
+msgstr "Zertifikate vom Dateisystem entdecken, importieren und aktualisieren."
 
 #: authentik/enterprise/api.py
 msgid "Enterprise is required to create/update this object."
@@ -601,10 +607,12 @@ msgid ""
 "Check if any UniquePasswordPolicy exists, and if not, purge the password "
 "history table."
 msgstr ""
+"Prüfen, ob eine `UniquePasswordPolicy` existiert, und falls nicht, die "
+"Passwort-Historientabelle bereinigen."
 
 #: authentik/enterprise/policies/unique_password/tasks.py
 msgid "Remove user password history that are too old."
-msgstr ""
+msgstr "Benutzer-Passworthistorien entfernen, die zu alt sind."
 
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@@ -656,31 +664,39 @@ msgstr "Google Workspace Provider Zuordnungen"
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid "Sync Google Workspace provider objects."
-msgstr ""
+msgstr "Google-Workspace-Provider-Objekte synchronisieren."
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid "Full sync for Google Workspace provider."
-msgstr ""
+msgstr "Vollständige Synchronisierung für Google-Workspace-Provider."
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid "Sync a direct object (user, group) for Google Workspace provider."
 msgstr ""
+"Ein direktes Objekt (Benutzer, Gruppe) für den Google-Workspace-Provider "
+"synchronisieren."
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid ""
 "Dispatch syncs for a direct object (user, group) for Google Workspace "
 "providers."
 msgstr ""
+"Synchronisierungen für ein direktes Objekt (Benutzer, Gruppe) bei Google-"
+"Workspace-Providern auslösen."
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid "Sync a related object (memberships) for Google Workspace provider."
 msgstr ""
+"Ein verbundenes Objekt (Mitgliedschaften) für den Google-Workspace-Provider "
+"synchronisieren."
 
 #: authentik/enterprise/providers/google_workspace/tasks.py
 msgid ""
 "Dispatch syncs for a related object (memberships) for Google Workspace "
 "providers."
 msgstr ""
+"Synchronisierungen für ein verbundenes Objekt (Mitgliedschaften) bei Google-"
+"Workspace-Providern auslösen."
 
 #: authentik/enterprise/providers/microsoft_entra/models.py
 msgid "Microsoft Entra Provider User"
@@ -712,31 +728,39 @@ msgstr "Microsoft Entra Provider Zuordnungen"
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid "Sync Microsoft Entra provider objects."
-msgstr ""
+msgstr "Microsoft-Entra-Provider-Objekte synchronisieren."
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid "Full sync for Microsoft Entra provider."
-msgstr ""
+msgstr "Vollständige Synchronisierung für Microsoft-Entra-Provider."
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid "Sync a direct object (user, group) for Microsoft Entra provider."
 msgstr ""
+"Ein direktes Objekt (Benutzer, Gruppe) für den Microsoft-Entra-Provider "
+"synchronisieren."
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid ""
 "Dispatch syncs for a direct object (user, group) for Microsoft Entra "
 "providers."
 msgstr ""
+"Synchronisierungen für ein direktes Objekt (Benutzer, Gruppe) bei Microsoft-"
+"Entra-Providern auslösen."
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid "Sync a related object (memberships) for Microsoft Entra provider."
 msgstr ""
+"Ein verbundenes Objekt (Mitgliedschaften) für den Microsoft-Entra-Provider "
+"synchronisieren."
 
 #: authentik/enterprise/providers/microsoft_entra/tasks.py
 msgid ""
 "Dispatch syncs for a related object (memberships) for Microsoft Entra "
 "providers."
 msgstr ""
+"Synchronisierungen für ein verbundenes Objekt (Mitgliedschaften) bei "
+"Microsoft-Entra-Providern auslösen."
 
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
@@ -777,11 +801,11 @@ msgstr "SSF Stream Ereignisse"
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Dispatch SSF events."
-msgstr ""
+msgstr "SSF-Events auslösen."
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Send an SSF event."
-msgstr ""
+msgstr "Ein SSF-Event senden."
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -851,7 +875,7 @@ msgstr "Quell-Stages"
 
 #: authentik/enterprise/tasks.py
 msgid "Update enterprise license status."
-msgstr ""
+msgstr "Enterprise-Lizenzstatus aktualisieren."
 
 #: authentik/events/models.py
 msgid "Event"
@@ -878,6 +902,14 @@ msgstr "Slack Webhook (Slack/Discord)"
 msgid "Email"
 msgstr "E-Mail"
 
+#: authentik/events/models.py
+msgid ""
+"Only send notification once, for example when sending a webhook into a chat "
+"channel."
+msgstr ""
+"Benachrichtigung nur einmal senden, z. B. beim Senden eines Webhooks in "
+"einen Chat-Kanal"
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -894,14 +926,6 @@ msgstr ""
 "Konfigurieren Sie zusätzliche Header, die gesendet werden sollen. Die "
 "Zuordnung sollte ein dictionary von Schlüssel-Wert-Paaren zurückgeben."
 
-#: authentik/events/models.py
-msgid ""
-"Only send notification once, for example when sending a webhook into a chat "
-"channel."
-msgstr ""
-"Benachrichtigung nur einmal senden, z. B. beim Senden eines Webhooks in "
-"einen Chat-Kanal"
-
 #: authentik/events/models.py
 msgid "Severity"
 msgstr "Schweregrad"
@@ -1001,25 +1025,29 @@ msgstr "Systemoperationen"
 
 #: authentik/events/tasks.py
 msgid "Dispatch new event notifications."
-msgstr ""
+msgstr "Neue Event-Benachrichtigungen versenden."
 
 #: authentik/events/tasks.py
 msgid ""
 "Check if policies attached to NotificationRule match event and dispatch "
 "notification tasks."
 msgstr ""
+"Prüfen, ob die an NotificationRule angehängten Policies zum Event passen, "
+"und Benachrichtigungs-Tasks auslösen."
 
 #: authentik/events/tasks.py
 msgid "Send notification."
-msgstr ""
+msgstr "Benachrichtigung senden."
 
 #: authentik/events/tasks.py
 msgid "Cleanup events for GDPR compliance."
-msgstr ""
+msgstr "Events zur Einhaltung der DSGVO bereinigen."
 
 #: authentik/events/tasks.py
 msgid "Cleanup seen notifications and notifications whose event expired."
 msgstr ""
+"Gesehene Benachrichtigungen und Benachrichtigungen, deren Event abgelaufen "
+"ist, bereinigen."
 
 #: authentik/flows/api/flows.py
 #, python-brace-format
@@ -1311,27 +1339,29 @@ msgstr "Outposts"
 
 #: authentik/outposts/tasks.py
 msgid "Update cached state of service connection."
-msgstr ""
+msgstr "Zwischengespeicherten Status der Service-Verbindung aktualisieren."
 
 #: authentik/outposts/tasks.py
 msgid "Create/update/monitor/delete the deployment of an Outpost."
 msgstr ""
+"Deployment eines Outposts erstellen, aktualisieren, überwachen oder löschen."
 
 #: authentik/outposts/tasks.py
 msgid "Ensure that all Outposts have valid Service Accounts and Tokens."
 msgstr ""
+"Sicherstellen, dass alle Outposts gültige Service Accounts und Tokens haben."
 
 #: authentik/outposts/tasks.py
 msgid "Send update to outpost"
-msgstr ""
+msgstr "Update an Outpost senden."
 
 #: authentik/outposts/tasks.py
 msgid "Checks the local environment and create Service connections."
-msgstr ""
+msgstr "Überprüft Die lokale Umgebung und Service-Verbindungen erstellen."
 
 #: authentik/outposts/tasks.py
 msgid "Terminate session on all outposts."
-msgstr ""
+msgstr "Session auf allen Outposts beenden."
 
 #: authentik/policies/denied.py
 msgid "Access denied"
@@ -1569,17 +1599,19 @@ msgstr "Reputationswert"
 
 #: authentik/policies/templates/policies/buffer.html
 msgid "Waiting for authentication..."
-msgstr ""
+msgstr "Warte auf Authentifizierung …"
 
 #: authentik/policies/templates/policies/buffer.html
 msgid ""
 "You're already authenticating in another tab. This page will refresh once "
 "authentication is completed."
 msgstr ""
+"Du authentifizierst dich bereits in einem anderen Tab. Diese Seite wird "
+"aktualisiert, sobald die Authentifizierung abgeschlossen ist."
 
 #: authentik/policies/templates/policies/buffer.html
 msgid "Authenticate in this tab"
-msgstr ""
+msgstr "In diesem Tab authentifizieren"
 
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
@@ -1826,7 +1858,7 @@ msgstr "URIs weiterleiten"
 
 #: authentik/providers/oauth2/models.py
 msgid "Back-Channel Logout URI"
-msgstr ""
+msgstr "Back-Channel Logout URI"
 
 #: authentik/providers/oauth2/models.py
 msgid "Include claims in id_token"
@@ -1961,11 +1993,13 @@ msgstr "Geräte-Token"
 
 #: authentik/providers/oauth2/tasks.py
 msgid "Send a back-channel logout request to the registered client"
-msgstr ""
+msgstr "Eine Back-Channel-Logout-Anfrage an den registrierten Client senden."
 
 #: authentik/providers/oauth2/tasks.py
 msgid "Handle backchannel logout notifications dispatched via signal"
 msgstr ""
+"Back-Channel-Logout-Benachrichtigungen verarbeiten, die per Signal ausgelöst"
+" wurden."
 
 #: authentik/providers/oauth2/views/authorize.py
 #: authentik/providers/saml/views/flows.py
@@ -2078,7 +2112,7 @@ msgstr "Proxy Anbietern"
 
 #: authentik/providers/proxy/tasks.py
 msgid "Terminate session on Proxy outpost."
-msgstr ""
+msgstr "Session auf Proxy-Outpost beenden."
 
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
@@ -2425,27 +2459,35 @@ msgstr "SCIM Provider Eigenschafts-Zuordnungen"
 
 #: authentik/providers/scim/tasks.py
 msgid "Sync SCIM provider objects."
-msgstr ""
+msgstr "SCIM-Provider-Objekte synchronisieren."
 
 #: authentik/providers/scim/tasks.py
 msgid "Full sync for SCIM provider."
-msgstr ""
+msgstr "Vollständige Synchronisierung für SCIM-Provider."
 
 #: authentik/providers/scim/tasks.py
 msgid "Sync a direct object (user, group) for SCIM provider."
 msgstr ""
+"Ein direktes Objekt (Benutzer, Gruppe) für den SCIM-Provider "
+"synchronisieren."
 
 #: authentik/providers/scim/tasks.py
 msgid "Dispatch syncs for a direct object (user, group) for SCIM providers."
 msgstr ""
+"Synchronisierungen für ein direktes Objekt (Benutzer, Gruppe) bei SCIM-"
+"Providern auslösen."
 
 #: authentik/providers/scim/tasks.py
 msgid "Sync a related object (memberships) for SCIM provider."
 msgstr ""
+"Ein verbundenes Objekt (Mitgliedschaften) für den SCIM-Provider "
+"synchronisieren."
 
 #: authentik/providers/scim/tasks.py
 msgid "Dispatch syncs for a related object (memberships) for SCIM providers."
 msgstr ""
+"Synchronisierungen für ein verbundenes Objekt (Mitgliedschaften) bei SCIM-"
+"Providern auslösen."
 
 #: authentik/rbac/models.py
 msgid "Role"
@@ -2455,6 +2497,14 @@ msgstr "Rolle"
 msgid "Roles"
 msgstr "Rollen"
 
+#: authentik/rbac/models.py
+msgid "Can assign permissions to roles"
+msgstr "Kann Berechtigungen Rollen zuweisen"
+
+#: authentik/rbac/models.py
+msgid "Can unassign permissions from roles"
+msgstr "Kann Berechtigungen von Rollen entfernen"
+
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr "Initiale Berechtigungen"
@@ -2606,11 +2656,11 @@ msgstr "Kerberos Gruppen Quellverbindungen"
 
 #: authentik/sources/kerberos/tasks.py
 msgid "Check connectivity for Kerberos sources."
-msgstr ""
+msgstr "Konnektivität für Kerberos-Sources prüfen."
 
 #: authentik/sources/kerberos/tasks.py
 msgid "Sync Kerberos source."
-msgstr ""
+msgstr "Kerberos-Source synchronisieren."
 
 #: authentik/sources/kerberos/views.py
 msgid "SPNEGO authentication required"
@@ -2782,15 +2832,15 @@ msgstr ""
 
 #: authentik/sources/ldap/tasks.py
 msgid "Check connectivity for LDAP source."
-msgstr ""
+msgstr "Konnektivität für LDAP-Source prüfen."
 
 #: authentik/sources/ldap/tasks.py
 msgid "Sync LDAP source."
-msgstr ""
+msgstr "LDAP-Source synchronisieren."
 
 #: authentik/sources/ldap/tasks.py
 msgid "Sync page for LDAP source."
-msgstr ""
+msgstr "Sync-Seite für LDAP-Source."
 
 #: authentik/sources/oauth/clients/oauth2.py
 msgid "No token received."
@@ -3010,6 +3060,8 @@ msgid ""
 "Update OAuth sources' config from well_known, and JWKS info from the "
 "configured URL."
 msgstr ""
+"OAuth-Sources-Konfiguration aus `well_known` und JWKS-Informationen von der "
+"konfigurierten URL aktualisieren."
 
 #: authentik/sources/oauth/views/callback.py
 #, python-brace-format
@@ -3072,7 +3124,7 @@ msgstr "Plex Gruppen Quellverbindungen"
 
 #: authentik/sources/plex/tasks.py
 msgid "Check the validity of a Plex source."
-msgstr ""
+msgstr "Gültigkeit einer Plex-Source prüfen."
 
 #: authentik/sources/saml/models.py
 msgid "Redirect Binding"
@@ -3221,10 +3273,6 @@ msgstr "Duo Gerät"
 msgid "Duo Devices"
 msgstr "Duo Geräte"
 
-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr "E-Mail Einmalpasswort"
-
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
 msgid ""
@@ -3519,6 +3567,8 @@ msgstr "WebAuthn-Gerätetypen"
 msgid ""
 "Background task to import FIDO Alliance MDS blob and AAGUIDs into database."
 msgstr ""
+"Hintergrund-Task zum Importieren des FIDO-Alliance-MDS-Blobs und der AAGUIDs"
+" in die Datenbank."
 
 #: authentik/stages/captcha/models.py
 msgid "Public key, acquired your captcha Provider."
@@ -3618,12 +3668,24 @@ msgstr "Passwort zurücksetzen"
 msgid "Account Confirmation"
 msgstr "Konto-Bestätigung"
 
+#: authentik/stages/email/models.py
+msgid "Email OTP"
+msgstr "E-Mail Einmalpasswort"
+
+#: authentik/stages/email/models.py
+msgid "Event Notification"
+msgstr "Event Benachrichtigung"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
 "number of attempts exceed recovery_max_attempts within this period, further "
 "attempts will be rate-limited. (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
+"Das Zeitfenster, in dem aktuelle Kontowiederherstellungsversuche gezählt "
+"werden. Wenn die Anzahl der Versuche innerhalb dieses Zeitraums "
+"`recovery_max_attempts` überschreitet, werden weitere Versuche rate-"
+"limitiert. (Format: hours=1;minutes=2;seconds=3)."
 
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
@@ -3655,6 +3717,8 @@ msgid ""
 "Too many account verification attempts. Please try again after {minutes} "
 "minutes."
 msgstr ""
+"Zu viele Kontoüberprüfungsversuche. Bitte versuche es in {minutes} Minuten "
+"erneut."
 
 #: authentik/stages/email/stage.py
 msgid "Email Successfully sent."
@@ -3662,7 +3726,7 @@ msgstr "E-Mail erfolgreich gesendet."
 
 #: authentik/stages/email/tasks.py
 msgid "Send email."
-msgstr ""
+msgstr "E-Mail senden."
 
 #: authentik/stages/email/templates/email/account_confirmation.html
 #: authentik/stages/email/templates/email/account_confirmation.txt
@@ -4204,40 +4268,40 @@ msgstr ""
 
 #: authentik/tasks/models.py
 msgid "Tenant this task belongs to"
-msgstr ""
+msgstr "Tenant, zu dem dieser Task gehört"
 
 #: authentik/tasks/models.py
 msgid "Retry failed task"
-msgstr ""
+msgstr "Fehlgeschlagenen Task erneut ausführen"
 
 #: authentik/tasks/models.py
 msgid "Worker status"
-msgstr ""
+msgstr "Worker Status"
 
 #: authentik/tasks/models.py
 msgid "Worker statuses"
-msgstr ""
+msgstr "Worker Status"
 
 #: authentik/tasks/schedules/models.py
 msgid "Unique schedule identifier"
-msgstr ""
+msgstr "Eindeutiger Zeitplan-Identifikator"
 
 #: authentik/tasks/schedules/models.py
 msgid "User schedule identifier"
-msgstr ""
+msgstr "Benutzer-Zeitplan-Identifikator"
 
 #: authentik/tasks/schedules/models.py
 msgid "Manually trigger a schedule"
-msgstr ""
+msgstr "Einen Zeitplan manuell auslösen"
 
 #: authentik/tasks/tasks.py
 msgid "Remove old worker statuses."
-msgstr ""
+msgstr "Alte Worker-Status entfernen."
 
 #: authentik/tenants/api/settings.py
 #, python-brace-format
 msgid "Value for flag {flag_key} needs to be of type {type}."
-msgstr ""
+msgstr "Der Wert für Flag {flag_key} muss vom Typ {type} sein."
 
 #: authentik/tenants/models.py
 msgid ""
@@ -4329,73 +4393,73 @@ msgstr "Domains"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Queue name"
-msgstr ""
+msgstr "Queue Name"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Dramatiq actor name"
-msgstr ""
+msgstr "Dramatiq actor name"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Message body"
-msgstr ""
+msgstr "Nachrichteninhalt"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Task status"
-msgstr ""
+msgstr "Task Status"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Task last modified time"
-msgstr ""
+msgstr "Zeitpunkt der letzten Änderung des Tasks"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Task result"
-msgstr ""
+msgstr "Task-Ergebnis"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Result expiry time"
-msgstr ""
+msgstr "Ablaufzeit des Ergebnisses"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Task"
-msgstr ""
+msgstr "Task"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Tasks"
-msgstr ""
+msgstr "Tasks"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 #, python-format
 msgid "%(value)s is not a valid crontab"
-msgstr ""
+msgstr "%(value)s ist kein gültiger Crontab"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Dramatiq actor to call"
-msgstr ""
+msgstr "Dramatiq-Actor, der aufgerufen werden soll"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Args to send to the actor"
-msgstr ""
+msgstr "Args, die an den Actor gesendet werden sollen"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Kwargs to send to the actor"
-msgstr ""
+msgstr "Kwargs, die an den Actor gesendet werden sollen"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Options to send to the actor"
-msgstr ""
+msgstr "Optionen, die an den Actor gesendet werden sollen"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "When to schedule tasks"
-msgstr ""
+msgstr "Wann Tasks geplant werden sollen"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Pause this schedule"
-msgstr ""
+msgstr "Diesen Zeitplan pausieren"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Schedule"
-msgstr ""
+msgstr "Zeitplan"
 
 #: packages/django-dramatiq-postgres/django_dramatiq_postgres/models.py
 msgid "Schedules"
-msgstr ""
+msgstr "Zeitpläne"

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-11 00:12+0000\n"
+"POT-Creation-Date: 2025-09-04 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -152,6 +152,10 @@ msgstr ""
 msgid "No empty segments in user path allowed."
 msgstr ""
 
+#: authentik/core/api/users.py
+msgid "This field is required."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr ""
@@ -206,11 +210,11 @@ msgstr ""
 msgid "Can impersonate other users"
 msgstr ""
 
-#: authentik/core/models.py authentik/rbac/models.py
+#: authentik/core/models.py
 msgid "Can assign permissions to users"
 msgstr ""
 
-#: authentik/core/models.py authentik/rbac/models.py
+#: authentik/core/models.py
 msgid "Can unassign permissions from users"
 msgstr ""
 
@@ -790,6 +794,12 @@ msgstr ""
 msgid "Email"
 msgstr ""
 
+#: authentik/events/models.py
+msgid ""
+"Only send notification once, for example when sending a webhook into a chat "
+"channel."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -802,12 +812,6 @@ msgid ""
 "of key-value pairs"
 msgstr ""
 
-#: authentik/events/models.py
-msgid ""
-"Only send notification once, for example when sending a webhook into a chat "
-"channel."
-msgstr ""
-
 #: authentik/events/models.py
 msgid "Severity"
 msgstr ""
@@ -2199,6 +2203,14 @@ msgstr ""
 msgid "Roles"
 msgstr ""
 
+#: authentik/rbac/models.py
+msgid "Can assign permissions to roles"
+msgstr ""
+
+#: authentik/rbac/models.py
+msgid "Can unassign permissions from roles"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
 msgstr ""
@@ -2905,10 +2917,6 @@ msgstr ""
 msgid "Duo Devices"
 msgstr ""
 
-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr ""
-
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
 msgid ""
@@ -3269,6 +3277,14 @@ msgstr ""
 msgid "Account Confirmation"
 msgstr ""
 
+#: authentik/stages/email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/email/models.py
+msgid "Event Notification"
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "