web/e2e: Sessions

web: Flesh out Playwright.
web: Flesh out slim tests.
2026-05-06 07:02:51 +02:00 · 2025-08-06 21:40:58 +02:00 · 2025-08-06 21:31:14 +02:00
293 changed files with 6125 additions and 18772 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -0,0 +1,36 @@
+[bumpversion]
+current_version = 2025.6.4
+tag = True
+commit = True
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
+serialize = 
+	{major}.{minor}.{patch}-{rc_t}{rc_n}
+	{major}.{minor}.{patch}
+message = release: {new_version}
+tag_name = version/{new_version}
+
+[bumpversion:part:rc_t]
+values = 
+	rc
+	final
+optional_value = final
+
+[bumpversion:file:pyproject.toml]
+
+[bumpversion:file:uv.lock]
+
+[bumpversion:file:package.json]
+
+[bumpversion:file:package-lock.json]
+
+[bumpversion:file:docker-compose.yml]
+
+[bumpversion:file:schema.yml]
+
+[bumpversion:file:blueprints/schema.json]
+
+[bumpversion:file:authentik/__init__.py]
+
+[bumpversion:file:internal/constants/constants.go]
+
+[bumpversion:file:lifecycle/aws/template.yaml]
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,5 @@
 htmlcov
 *.env.yml
-node_modules
 **/node_modules
 dist/**
 build/**
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -54,10 +54,6 @@ outputs:
 runs:
  using: "composite"
  steps:
-    - name: Setup authentik env
-      uses: ./.github/actions/setup
-      with:
-        dependencies: "python"
    - name: Generate config
      id: ev
      shell: bash
@@ -68,4 +64,4 @@ runs:
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        REF: ${{ github.ref }}
      run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -1,10 +1,12 @@
 """Helper script to get the actual branch name, docker safe"""

+import configparser
 import os
 from json import dumps
 from time import time

-from authentik import authentik_version
+parser = configparser.ConfigParser()
+parser.read(".bumpversion.cfg")

 # Decide if we should push the image or not
 should_push = True
@@ -29,7 +31,7 @@ is_release = "dev" not in image_names[0]
 sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")

 # 2042.1.0 or 2042.1.0-rc1
-version = authentik_version()
+version = parser.get("bumpversion", "current_version")
 # 2042.1
 version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
 prerelease = "-" in version
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -2,9 +2,6 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"

 inputs:
-  dependencies:
-    description: "List of dependencies to setup"
-    default: "system,python,node,go,runtime"
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
@@ -13,52 +10,42 @@ runs:
  using: "composite"
  steps:
    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
-        sudo apt-get remove --purge man-db
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
    - name: Install uv
-      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: astral-sh/setup-uv@v5
      with:
        enable-cache: true
    - name: Setup python
-      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
    - name: Install Python deps
-      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
      run: uv sync --all-extras --dev --frozen
    - name: Setup node
-      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@v4
      with:
        node-version-file: web/package.json
        cache: "npm"
        cache-dependency-path: web/package-lock.json
    - name: Setup go
-      if: ${{ contains(inputs.dependencies, 'go') }}
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
-      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
        cd web && npm ci
    - name: Generate config
-      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: uv run python {0}
      run: |
        from authentik.lib.generators import generate_id
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@@ -1,6 +1,5 @@
---
 # Re-usable workflow for a single-architecture build
-name: Reusable - Single-arch Container build
+name: Single-arch Container build

 on:
  workflow_call:
@@ -42,14 +41,14 @@ jobs:
      # Needed for checkout
      contents: read
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
          image-arch: ${{ inputs.image_arch }}
@@ -58,8 +57,8 @@ jobs:
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@@ -1,6 +1,5 @@
---
 # Re-usable workflow for a multi-architecture build
-name: Reusable - Multi-arch container build
+name: Multi-arch container build

 on:
  workflow_call:
@@ -49,12 +48,12 @@ jobs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
  merge-server:
@@ -69,20 +68,20 @@ jobs:
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@@ -1,13 +1,10 @@
---
-name: API - Publish Python client
-
+name: authentik-api-py-publish
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
-
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
@@ -20,7 +17,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Install poetry & deps
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -1,13 +1,10 @@
---
-name: API - Publish Typescript client
-
+name: authentik-api-ts-publish
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
-
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
@@ -18,7 +15,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/setup-node@v4
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -1,5 +1,4 @@
---
-name: CI - API Docs
+name: authentik-ci-api-docs

 on:
  push:
@@ -21,7 +20,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install Dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +31,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
@@ -66,7 +65,7 @@ jobs:
      - lint
      - build
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v5
        with:
          name: api-docs
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -1,5 +1,4 @@
---
-name: CI - AWS cfn
+name: authentik-ci-aws-cfn

 on:
  push:
@@ -21,7 +20,7 @@ jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -1,5 +1,4 @@
---
-name: CI - Docs
+name: authentik-ci-docs

 on:
  push:
@@ -21,7 +20,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +31,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
@@ -48,7 +47,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
@@ -70,7 +69,7 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -81,7 +80,7 @@ jobs:
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Main daily
+name: authentik-ci-main-daily

 on:
  workflow_dispatch:
@@ -19,7 +19,7 @@ jobs:
          - version-2025-4
          - version-2025-2
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Main
+name: authentik-ci-main

 on:
  push:
@@ -17,12 +17,6 @@ env:
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"

-permissions:
-  # Needed for checkout
-  contents: read
-  # Needed for codecov OIDC token
-  id-token: write
-
 jobs:
  lint:
    strategy:
@@ -36,7 +30,7 @@ jobs:
          - ruff
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
@@ -44,7 +38,7 @@ jobs:
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
@@ -71,7 +65,7 @@ jobs:
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: checkout stable
@@ -126,7 +120,7 @@ jobs:
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
@@ -142,18 +136,18 @@ jobs:
        uses: codecov/codecov-action@v5
        with:
          flags: unit
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: unit
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
@@ -166,13 +160,13 @@ jobs:
        uses: codecov/codecov-action@v5
        with:
          flags: integration
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: integration
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
@@ -198,7 +192,7 @@ jobs:
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
@@ -225,13 +219,13 @@ jobs:
        uses: codecov/codecov-action@v5
        with:
          flags: e2e
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: e2e
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
    if: always()
    needs:
@@ -271,14 +265,14 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Outpost
+name: authentik-ci-outpost

 on:
  push:
@@ -16,7 +16,7 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
@@ -37,7 +37,7 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
@@ -79,7 +79,7 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
@@ -90,7 +90,7 @@ jobs:
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
@@ -138,7 +138,7 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-go@v5
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -1,5 +1,4 @@
---
-name: CI - Web
+name: authentik-ci-web

 on:
  push:
@@ -31,7 +30,7 @@ jobs:
          - command: lit-analyse
            project: web
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: ${{ matrix.project }}/package.json
@@ -48,7 +47,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
@@ -76,7 +75,7 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,4 @@
---
-name: QA - CodeQL
+name: "CodeQL"

 on:
  push:
@@ -24,7 +23,7 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -1,6 +1,4 @@
---
-name: Gen - Webauthn MDS
-
+name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
@@ -21,7 +19,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -1,7 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: GH - Cleanup actions cache after PR is closed
-
+name: Cleanup cache after PR is closed
 on:
  pull_request:
    types:
@@ -16,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4

      - name: Cleanup
        run: |
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -1,5 +1,4 @@
---
-name: GH - GHCR retention
+name: ghcr-retention

 on:
  # schedule:
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -1,5 +1,5 @@
 ---
-name: Gen - Compress images
+name: authentik-compress-images

 on:
  push:
@@ -33,7 +33,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -1,6 +1,4 @@
---
-name: Packages - Publish NPM packages
-
+name: authentik-packages-npm-publish
 on:
  push:
    branches: [main]
@@ -11,7 +9,6 @@ on:
      - packages/tsconfig/**
      - packages/esbuild-plugin-live-reload/**
  workflow_dispatch:
-
 jobs:
  publish:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
@@ -26,7 +23,7 @@ jobs:
          - packages/tsconfig
          - packages/esbuild-plugin-live-reload
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@@ -1,5 +1,4 @@
---
-name: CI - Source code docs
+name: authentik-publish-source-docs

 on:
  push:
@@ -17,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -1,83 +0,0 @@
---
-name: Release - Branch-off
-
-on:
-  workflow_dispatch:
-    inputs:
-      next_version:
-        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
-        required: true
-        type: string
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-inputs:
-    name: Check inputs validity
-    runs-on: ubuntu-latest
-    steps:
-      - run: |
-          echo "${{ inputs.next_version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}$"
-  branch-off:
-    name: Branch-off
-    needs:
-      - check-inputs
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@v5
-        with:
-          ref: main
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: python
-      - name: Create version branch
-        run: |
-          current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
-          git checkout -b "version-${current_major_version}"
-          git push origin "version-${current_major_version}"
-  bump-version-pr:
-    name: Open version bump PR
-    needs:
-      - branch-off
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Checkout main
-        uses: actions/checkout@v5
-        with:
-          ref: main
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: release-bump-${{ inputs.next_version }}
-          commit-message: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          title: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          body: "root: bump version to ${{ inputs.next_version }}.0-rc1"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -1,5 +1,4 @@
---
-name: Release - Update next branch
+name: authentik-on-release-next-branch

 on:
  schedule:
@@ -16,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -1,5 +1,5 @@
 ---
-name: Release - On publish
+name: authentik-on-release

 on:
  release:
@@ -10,7 +10,6 @@ jobs:
    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    permissions:
-      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
@@ -24,14 +23,13 @@ jobs:
  build-docs:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
@@ -68,7 +66,6 @@ jobs:
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
@@ -83,7 +80,7 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
@@ -146,7 +143,7 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
@@ -186,7 +183,7 @@ jobs:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
@@ -202,7 +199,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,7 +215,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -1,195 +1,39 @@
 ---
-name: Release - Tag new version
+name: authentik-on-tag

 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Version
-        required: true
-        type: string
-      release_reason:
-        description: Release reason
-        required: true
-        type: choice
-        options:
-          - bugfix
-          - feature
-          - security
-          - other
-          - prerelease
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  push:
+    tags:
+      - "version/*"

 jobs:
-  check-inputs:
-    name: Check inputs validity
+  build:
+    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - id: check
+      - uses: actions/checkout@v4
+      - name: Pre-release test
        run: |
-          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
-      - id: changelog-url
-        run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
-          else
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
-          fi
-          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
-    outputs:
-      major_version: "${{ steps.check.outputs.major_version }}"
-      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
-  test:
-    name: Pre-release test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - run: make test-docker
-  bump-authentik:
-    name: Bump authentik version
-    needs:
-      - check-inputs
-      - test
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
+          make test-docker
+      - id: generate_token
+        uses: tibdex/github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Run migrations
-        run: make migrate
-      - name: Bump version
-        run: "make bump version=${{ inputs.version }}"
-      - name: Commit and push
-        run: |
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
-          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
-          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
-          git push --follow-tags
+          image-name: ghcr.io/goauthentik/server
      - name: Create Release
-        uses: softprops/action-gh-release@v2
+        id: create_release
+        uses: actions/create-release@v1.1.4
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          tag_name: "version/${{ inputs.version }}"
-          name: Release ${{ inputs.version }}
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ steps.ev.outputs.version }}
          draft: true
-          prerelease: ${{ inputs.release_reason == 'prerelease' }}
-          generate_release_notes: true
-          body: |
-            See ${{ needs.check-inputs.outputs.changelog_url }}
-  bump-helm:
-    name: Bump Helm version
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: helm
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/helm"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        run: |
-          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
-          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
-          ./scripts/helm-docs.sh
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
-          title: "charts/authentik: bump to ${{ inputs.version }}"
-          body: "charts/authentik: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
-  bump-version:
-    name: Bump version repository
-    if: ${{ inputs.release_reason != 'prerelease' }}
-    needs:
-      - check-inputs
-      - bump-authentik
-    runs-on: ubuntu-latest
-    steps:
-      - id: app-token
-        name: Generate app token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-          repositories: version
-      - id: get-user-id
-        name: Get GitHub app user ID
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
-        with:
-          repository: "${{ github.repository_owner }}/version"
-          token: "${{ steps.app-token.outputs.token }}"
-      - name: Bump version
-        if: "${{ inputs.release_reason == 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Bump version
-        if: "${{ inputs.release_reason != 'feature' }}"
-        run: |
-          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
-          jq \
-            --arg version "${{ inputs.version }}" \
-            --arg changelog "See ${changelog_url}" \
-            --arg changelog_url "${changelog_url}" \
-            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
-          mv version.new.json version.json
-      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: "${{ steps.app-token.outputs.token }}"
-          branch: bump-${{ inputs.version }}
-          commit-message: "version: bump to ${{ inputs.version }}"
-          title: "version: bump to ${{ inputs.version }}"
-          body: "version: bump to ${{ inputs.version }}"
-          delete-branch: true
-          signoff: true
-          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
+          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@@ -1,5 +1,4 @@
---
-name: Repo - Cleanup internal mirror
+name: "authentik-repo-mirror-cleanup"

 on:
  workflow_dispatch:
@@ -9,7 +8,7 @@ jobs:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@@ -1,5 +1,4 @@
---
-name: Repo - Mirror to internal
+name: "authentik-repo-mirror"

 on: [push, delete]

@@ -8,7 +7,7 @@ jobs:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -1,5 +1,4 @@
---
-name: Repo - Mark and close stale issues
+name: "authentik-repo-stale"

 on:
  schedule:
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -1,6 +1,4 @@
---
-name: QA - Semgrep
-
+name: authentik-semgrep
 on:
  workflow_dispatch: {}
  pull_request: {}
@@ -9,11 +7,10 @@ on:
      - main
      - master
    paths:
-      - .github/workflows/qa-semgrep.yml
+      - .github/workflows/semgrep.yml
  schedule:
    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
    - cron: '12 15 * * *'
-
 jobs:
  semgrep:
    name: semgrep/ci
@@ -26,5 +23,5 @@ jobs:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@@ -1,5 +1,4 @@
---
-name: Translation - Post advice
+name: authentik-translation-advice

 on:
  pull_request:
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -1,6 +1,5 @@
 ---
-name: Translation - Extract and compile
-
+name: authentik-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
@@ -26,11 +25,11 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -1,7 +1,6 @@
---
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
+name: authentik-translation-transifex-rename

 on:
  pull_request:
@@ -16,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/5
+++ b/5
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.8 AS uv
+FROM ghcr.io/astral-sh/uv:0.8.5 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.6-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -175,7 +175,6 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY ./packages/ /ak-root/packages
-RUN  ln -s /ak-root/packages /packages
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=node-builder /work/web/dist/ /web/dist/
 COPY --from=node-builder /work/web/authentik/ /web/authentik/
--- a/21
+++ b/21
@@ -16,7 +16,6 @@ GEN_API_GO = gen-go-api
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
-redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@@ -58,7 +57,7 @@ migrate: ## Run the Authentik Django server's migrations
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
-	cd lifecycle/aws && npm i && uv run npm run aws-cfn
+	cd lifecycle/aws && npm run aws-cfn

 run-server:  ## Run the main authentik server process
 	uv run ak server
@@ -80,10 +79,10 @@ core-i18n-extract:
 install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`

 dev-drop-db:
-	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
+	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall
+	redis-cli -n 0 flushall

 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -94,17 +93,6 @@ update-test-mmdb:  ## Update test GeoIP and ASN Databases
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb

-bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
-ifndef version
-	$(error Usage: make bump version=20xx.xx.xx )
-endif
-	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
-	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
-	$(MAKE) gen-build gen-compose aws-cfn
-	npm version --no-git-tag-version --allow-same-version $(version)
-	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
-	echo -n $(version) > ${PWD}/internal/constants/VERSION
-
 #########################
 ## API Schema
 #########################
@@ -119,9 +107,6 @@ gen-build:  ## Extract the schema from the database
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
 		uv run ak spectacular --file schema.yml

-gen-compose:
-	uv run scripts/generate_docker_compose.py
-
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2025.4.x  | ✅        |
 | 2025.6.x  | ✅        |
-| 2025.8.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -1,28 +1,20 @@
 """authentik root module"""

-from functools import lru_cache
 from os import environ

-VERSION = "2025.8.0"
+__version__ = "2025.6.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


-@lru_cache
-def authentik_version() -> str:
-    return VERSION
-
-
-@lru_cache
-def authentik_build_hash(fallback: str | None = None) -> str:
+def get_build_hash(fallback: str | None = None) -> str:
    """Get build hash"""
    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
    return fallback if build_hash == "" and fallback else build_hash


-@lru_cache
-def authentik_full_version() -> str:
+def get_full_version() -> str:
    """Get full version, with build hash appended"""
-    version = authentik_version()
-    if (build_hash := authentik_build_hash()) != "":
+    version = __version__
+    if (build_hash := get_build_hash()) != "":
        return f"{version}+{build_hash}"
    return version
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@@ -16,7 +16,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
@@ -78,7 +78,7 @@ class SystemInfoSerializer(PassiveSerializer):
        """Get versions"""
        return {
            "architecture": platform.machine(),
-            "authentik_version": authentik_full_version(),
+            "authentik_version": get_full_version(),
            "environment": get_env(),
            "openssl_fips_enabled": (
                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@@ -10,7 +10,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
@@ -29,20 +29,20 @@ class VersionSerializer(PassiveSerializer):

    def get_build_hash(self, _) -> str:
        """Get build hash, if version is not latest or released"""
-        return authentik_build_hash()
+        return get_build_hash()

    def get_version_current(self, _) -> str:
        """Get current version"""
-        return authentik_version()
+        return __version__

    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
        if get_current_tenant().schema_name == get_public_schema_name():
-            return authentik_version()
+            return __version__
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
            update_latest_version.send()
-            return authentik_version()
+            return __version__
        return version_in_cache

    def get_version_latest_valid(self, _) -> bool:
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@@ -8,7 +8,7 @@ from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction
 from authentik.lib.config import CONFIG
@@ -19,16 +19,16 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-LOCAL_VERSION = parse(authentik_version())
+LOCAL_VERSION = parse(__version__)


 def _set_prom_info():
    """Set prometheus info for version"""
    PROM_INFO.info(
        {
-            "version": authentik_version(),
+            "version": __version__,
            "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": authentik_build_hash(),
+            "build_hash": get_build_hash(),
        }
    )

--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@@ -5,7 +5,7 @@ from json import loads
 from django.test import TestCase
 from django.urls import reverse

-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
 from authentik.lib.generators import generate_id
@@ -27,7 +27,7 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_version"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["version_current"], authentik_version())
+        self.assertEqual(body["version_current"], __version__)

    def test_apps(self):
        """Test apps API"""
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@@ -8,6 +8,8 @@ API Browser - {{ brand.branding_title }}

 {% block head %}
 <script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

 {% block body %}
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -11,7 +11,7 @@ from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -48,7 +48,7 @@ class Command(BaseCommand):
            "$schema": "http://json-schema.org/draft-07/schema",
            "$id": "https://goauthentik.io/blueprints/schema.json",
            "type": "object",
-            "title": f"authentik {authentik_version()} Blueprint schema",
+            "title": f"authentik {__version__} Blueprint schema",
            "required": ["version", "entries"],
            "properties": {
                "version": {
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -3,10 +3,10 @@
 from typing import Any

 from django.db import models
-from drf_spectacular.utils import extend_schema, extend_schema_field
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.fields import CharField, ChoiceField, ListField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
@@ -18,8 +18,6 @@ from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
-from authentik.tenants.api.settings import FlagJSONField
-from authentik.tenants.flags import Flag
 from authentik.tenants.utils import get_current_tenant


@@ -112,16 +110,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    flow_device_code = CharField(source="flow_device_code.slug", required=False)

    default_locale = CharField(read_only=True)
-    flags = SerializerMethodField()
-
-    @extend_schema_field(field=FlagJSONField)
-    def get_flags(self, _):
-        values = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                values[_flag.key] = _flag.get()
-        return values


 class BrandViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -10,20 +10,11 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_brand
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider
-from authentik.tenants.flags import Flag


 class TestBrands(APITestCase):
    """Test brands"""

-    def setUp(self):
-        super().setUp()
-        self.default_flags = {}
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.visibility == "public":
-                self.default_flags[_flag.key] = _flag.get()
-
    def test_current_brand(self):
        """Test Current brand API"""
        brand = create_test_brand()
@@ -38,7 +29,6 @@ class TestBrands(APITestCase):
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
                "default_locale": "",
-                "flags": self.default_flags,
            },
        )

@@ -59,7 +49,27 @@ class TestBrands(APITestCase):
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
                "default_locale": "",
-                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_same_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.all().delete()
+        Brand.objects.create(domain="bar.baz", branding_title="custom")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom",
+                "branding_custom_css": "",
+                "matched_domain": "foo.bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
            },
        )

@@ -77,7 +87,6 @@ class TestBrands(APITestCase):
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
                "default_locale": "",
-                "flags": self.default_flags,
            },
        )

@@ -158,7 +167,6 @@ class TestBrands(APITestCase):
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
                "default_locale": "",
-                "flags": self.default_flags,
            },
        )

--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@@ -4,11 +4,12 @@ from typing import Any

 from django.db.models import F, Q
 from django.db.models import Value as V
+from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.brands.models import Brand
 from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
@@ -20,9 +21,9 @@ DEFAULT_BRAND = Brand(domain="fallback")
 def get_brand_for_request(request: HttpRequest) -> Brand:
    """Get brand object for current request"""
    db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()))
+        Brand.objects.annotate(host_domain=V(request.get_host()), match_length=Length("domain"))
        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("default")
+        .order_by("-match_length", "default")
    )
    brands = list(db_brands.all())
    if len(brands) < 1:
@@ -43,5 +44,5 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
-        "version": authentik_full_version(),
+        "version": get_full_version(),
    }
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -6,7 +6,6 @@ from copy import copy
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.shortcuts import get_object_or_404
-from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
@@ -67,15 +66,6 @@ class ApplicationSerializer(ModelSerializer):
            user = self.context["request"].user
        return app.get_launch_url(user)

-    def validate_slug(self, slug: str) -> str:
-        if slug in Application.reserved_slugs:
-            raise ValidationError(
-                _("The slug '{slug}' is reserved and cannot be used for applications.").format(
-                    slug=slug
-                )
-            )
-        return slug
-
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -154,8 +154,7 @@ class UserSerializer(ModelSerializer):
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["password"] = CharField(required=False, allow_null=True)
            self.fields["permissions"] = ListField(
-                required=False,
-                child=ChoiceField(choices=get_permission_choices()),
+                required=False, child=ChoiceField(choices=get_permission_choices())
            )

    def create(self, validated_data: dict) -> User:
@@ -270,10 +269,7 @@ class UserSelfSerializer(ModelSerializer):
        ListSerializer(
            child=inline_serializer(
                "UserSelfGroups",
-                {
-                    "name": CharField(read_only=True),
-                    "pk": CharField(read_only=True),
-                },
+                {"name": CharField(read_only=True), "pk": CharField(read_only=True)},
            )
        )
    )
@@ -321,8 +317,7 @@ class UserSelfSerializer(ModelSerializer):

 class SessionUserSerializer(PassiveSerializer):
    """Response for the /user/me endpoint, returns the currently active user (as `user` property)
-    and, if this user is being impersonated, the original user in the `original` property.
-    """
+    and, if this user is being impersonated, the original user in the `original` property."""

    user = UserSelfSerializer()
    original = UserSelfSerializer(required=False)
@@ -410,15 +405,21 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    ordering = ["username", "date_joined", "last_updated"]
    serializer_class = UserSerializer
    filterset_class = UsersFilter
-    search_fields = ["email", "name", "uuid", "username"]
+    search_fields = [
+        "username",
+        "name",
+        "is_active",
+        "email",
+        "uuid",
+        "attributes",
+        "date_joined",
+        "last_updated",
+    ]

    def get_ql_fields(self):
        from djangoql.schema import BoolField, StrField

-        from authentik.enterprise.search.fields import (
-            ChoiceSearchField,
-            JSONSearchField,
-        )
+        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField

        return [
            StrField(User, "username"),
@@ -513,12 +514,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            )
        },
    )
-    @action(
-        detail=False,
-        methods=["POST"],
-        pagination_class=None,
-        filter_backends=[],
-    )
+    @action(detail=False, methods=["POST"], pagination_class=None, filter_backends=[])
    def service_account(self, request: Request) -> Response:
        """Create a new user account that is marked as a service account"""
        username = request.data.get("name")
@@ -562,13 +558,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                return Response(data={"non_field_errors": [str(exc)]}, status=400)

    @extend_schema(responses={200: SessionUserSerializer(many=False)})
-    @action(
-        url_path="me",
-        url_name="me",
-        detail=False,
-        pagination_class=None,
-        filter_backends=[],
-    )
+    @action(url_path="me", url_name="me", detail=False, pagination_class=None, filter_backends=[])
    def user_me(self, request: Request) -> Response:
        """Get information about current user"""
        context = {"request": request}
@@ -620,7 +610,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
    def recovery(self, request: Request, pk: int) -> Response:
-        """Create a temporary link that a user can use to recover their account"""
+        """Create a temporary link that a user can use to recover their accounts"""
        link, _ = self._create_recovery_link()
        return Response({"link": link})

@@ -641,7 +631,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
    def recovery_email(self, request: Request, pk: int) -> Response:
-        """Send an email with a temporary link that a user can use to recover their account"""
+        """Create a temporary link that a user can use to recover their accounts"""
        for_user: User = self.get_object()
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
@@ -694,18 +684,14 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
        ) and not request.user.has_perm("authentik_core.impersonate"):
-            LOGGER.debug(
-                "User attempted to impersonate without permissions",
-                user=request.user,
-            )
+            LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
            return Response(status=401)
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
        if not reason and request.tenant.impersonation_require_reason:
            LOGGER.debug(
-                "User attempted to impersonate without providing a reason",
-                user=request.user,
+                "User attempted to impersonate without providing a reason", user=request.user
            )
            return Response(status=401)

@@ -744,8 +730,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @extend_schema(
        responses={
            200: inline_serializer(
-                "UserPathSerializer",
-                {"paths": ListField(child=CharField(), read_only=True)},
+                "UserPathSerializer", {"paths": ListField(child=CharField(), read_only=True)}
            )
        },
        parameters=[
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@@ -11,7 +11,7 @@ from django.core.management.base import BaseCommand
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.models import User
 from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
@@ -19,7 +19,7 @@ from authentik.events.utils import model_to_dict


 def get_banner_text(shell_type="shell") -> str:
-    return f"""### authentik {shell_type} ({authentik_full_version()})
+    return f"""### authentik {shell_type} ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """


--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -548,9 +548,6 @@ class Application(SerializerModel, PolicyBindingModel):

    objects = ApplicationQuerySet.as_manager()

-    # Reserved slugs that would clash with OAuth2 provider endpoints
-    reserved_slugs = ["authorize", "token", "device", "userinfo", "introspect", "revoke"]
-
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.applications import ApplicationSerializer
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -15,11 +15,7 @@
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
        {% block head_before %}
        {% endblock %}
-
-        {% include "base/theme.html" %}
-
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-
        <style>{{ brand_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
--- a/authentik/core/templates/base/theme.html
+++ b/authentik/core/templates/base/theme.html
@@ -1,11 +0,0 @@
-{% if ui_theme == "dark" %}
-  <meta name="color-scheme" content="dark" />
-  <meta name="theme-color" content="#18191a">
-{% elif ui_theme == "light" %}
-  <meta name="color-scheme" content="light" />
-  <meta name="theme-color" content="#ffffff">
-{% else %}
-  <meta name="color-scheme" content="light dark" />
-  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-{% endif %}
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@@ -4,6 +4,8 @@

 {% block head %}
 <script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
 {% endblock %}

--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@@ -4,6 +4,8 @@

 {% block head %}
 <script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}

--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@@ -3,7 +3,7 @@
 from django import template
 from django.templatetags.static import static as static_loader

-from authentik import authentik_full_version
+from authentik import get_full_version

 register = template.Library()

@@ -11,4 +11,4 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    return static_loader(path.replace("%v", authentik_full_version()))
+    return static_loader(path.replace("%v", get_full_version()))
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@@ -257,35 +257,3 @@ class TestApplicationsAPI(APITestCase):
        self.assertEqual(
            Application.objects.with_provider().get(slug=slug).get_provider(), provider
        )
-
-    def test_create_application_with_reserved_slug(self):
-        """Test creating an application with a reserved slug"""
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse("authentik_api:application-list"),
-            {
-                "name": "Test Application",
-                "slug": Application.reserved_slugs[0],
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        self.assertIn("slug", response.data)
-        self.assertIn("reserved", response.data["slug"][0])
-
-    def test_update_application_with_reserved_slug(self):
-        """Test updating an application to use a reserved slug"""
-        self.client.force_login(self.user)
-        app = Application.objects.create(
-            name="Test Application",
-            slug="valid-slug",
-        )
-
-        response = self.client.patch(
-            reverse("authentik_api:application-detail", kwargs={"slug": app.slug}),
-            {
-                "slug": Application.reserved_slugs[0],
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        self.assertIn("slug", response.data)
-        self.assertIn("reserved", response.data["slug"][0])
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@@ -10,7 +10,7 @@ from django.utils.translation import gettext as _
 from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request

-from authentik import authentik_build_hash
+from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
@@ -46,13 +46,11 @@ class InterfaceView(TemplateView):
    """Base interface view"""

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        brand = CurrentBrandSerializer(self.request.brand)
        kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
-        kwargs["ui_theme"] = brand.data["ui_theme"]
-        kwargs["brand_json"] = dumps(brand.data)
+        kwargs["brand_json"] = dumps(CurrentBrandSerializer(self.request.brand).data)
        kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
-        kwargs["build"] = authentik_build_hash()
+        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@@ -12,7 +12,7 @@ from cryptography.x509.oid import NameOID
 from django.db import models
 from django.utils.translation import gettext_lazy as _

-from authentik import authentik_version
+from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair


@@ -85,7 +85,7 @@ class CertificateBuilder:
            .issuer_name(
                x509.Name(
                    [
-                        x509.NameAttribute(NameOID.COMMON_NAME, f"authentik {authentik_version()}"),
+                        x509.NameAttribute(NameOID.COMMON_NAME, f"authentik {__version__}"),
                    ]
                )
            )
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@@ -23,7 +23,6 @@ from authentik.events.models import (
 )
 from authentik.events.utils import get_user
 from authentik.rbac.decorators import permission_required
-from authentik.stages.email.models import get_template_choices


 class NotificationTransportSerializer(ModelSerializer):
@@ -31,18 +30,6 @@ class NotificationTransportSerializer(ModelSerializer):

    mode_verbose = SerializerMethodField()

-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.fields["email_template"].choices = get_template_choices()
-
-    def validate_email_template(self, value: str) -> str:
-        """Check validity of email template"""
-        choices = get_template_choices()
-        for path, _ in choices:
-            if path == value:
-                return value
-        raise ValidationError(f"Invalid template '{value}' specified.")
-
    def get_mode_verbose(self, instance: NotificationTransport) -> str:
        """Return selected mode with a UI Label"""
        return TransportMode(instance.mode).label
@@ -65,8 +52,6 @@ class NotificationTransportSerializer(ModelSerializer):
            "webhook_url",
            "webhook_mapping_body",
            "webhook_mapping_headers",
-            "email_subject_prefix",
-            "email_template",
            "send_once",
        ]

--- a/authentik/events/migrations/0012_notificationtransport_email_subject_prefix_and_more.py
+++ b/authentik/events/migrations/0012_notificationtransport_email_subject_prefix_and_more.py
@@ -1,23 +0,0 @@
-# Generated by Django 5.1.11 on 2025-08-14 13:53
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_events", "0011_alter_systemtask_options"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="notificationtransport",
-            name="email_subject_prefix",
-            field=models.TextField(blank=True, default="authentik Notification: "),
-        ),
-        migrations.AddField(
-            model_name="notificationtransport",
-            name="email_template",
-            field=models.TextField(default="email/event_notification.html"),
-        ),
-    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -18,7 +18,7 @@ from requests import RequestException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.brands.models import Brand
 from authentik.brands.utils import DEFAULT_BRAND
 from authentik.core.middleware import (
@@ -41,7 +41,6 @@ from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tasks.models import TasksModel
 from authentik.tenants.models import Tenant
@@ -296,15 +295,6 @@ class NotificationTransport(TasksModel, SerializerModel):

    name = models.TextField(unique=True)
    mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
-    send_once = models.BooleanField(
-        default=False,
-        help_text=_(
-            "Only send notification once, for example when sending a webhook into a chat channel."
-        ),
-    )
-
-    email_subject_prefix = models.TextField(default="authentik Notification: ", blank=True)
-    email_template = models.TextField(default=EmailTemplates.EVENT_NOTIFICATION)

    webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
    webhook_mapping_body = models.ForeignKey(
@@ -329,6 +319,12 @@ class NotificationTransport(TasksModel, SerializerModel):
            "Mapping should return a dictionary of key-value pairs"
        ),
    )
+    send_once = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Only send notification once, for example when sending a webhook into a chat channel."
+        ),
+    )

    def send(self, notification: "Notification") -> list[str]:
        """Send notification to user, called from async task"""
@@ -438,7 +434,7 @@ class NotificationTransport(TasksModel, SerializerModel):
                    "title": notification.body,
                    "color": "#fd4b2d",
                    "fields": fields,
-                    "footer": f"authentik {authentik_full_version()}",
+                    "footer": f"authentik {get_full_version()}",
                }
            ],
        }
@@ -466,6 +462,7 @@ class NotificationTransport(TasksModel, SerializerModel):
                notification=notification,
            )
            return None
+        subject_prefix = "authentik Notification: "
        context = {
            "key_value": {
                "user_email": notification.user.email,
@@ -493,10 +490,10 @@ class NotificationTransport(TasksModel, SerializerModel):
                "from": self.name,
            }
        mail = TemplateEmailMessage(
-            subject=self.email_subject_prefix + context["title"],
+            subject=subject_prefix + context["title"],
            to=[(notification.user.name, notification.user.email)],
            language=notification.user.locale(),
-            template_name=self.email_template,
+            template_name="email/event_notification.html",
            template_context=context,
        )
        send_mail.send_with_options(args=(mail.__dict__,), rel_obj=self)
--- a/authentik/events/tests/test_transports.py
+++ b/authentik/events/tests/test_transports.py
@@ -5,12 +5,10 @@ from unittest.mock import PropertyMock, patch
 from django.core import mail
 from django.core.mail.backends.locmem import EmailBackend
 from django.test import TestCase
-from django.urls import reverse
 from requests_mock import Mocker

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.events.api.notification_transports import NotificationTransportSerializer
 from authentik.events.models import (
    Event,
    Notification,
@@ -20,7 +18,6 @@ from authentik.events.models import (
    TransportMode,
 )
 from authentik.lib.generators import generate_id
-from authentik.stages.email.models import get_template_choices


 class TestEventTransports(TestCase):
@@ -121,7 +118,7 @@ class TestEventTransports(TestCase):
                                {"short": True, "title": "Event user", "value": self.user.username},
                                {"title": "foo", "value": "bar,"},
                            ],
-                            "footer": f"authentik {authentik_full_version()}",
+                            "footer": f"authentik {get_full_version()}",
                        }
                    ],
                },
@@ -141,76 +138,3 @@ class TestEventTransports(TestCase):
            self.assertEqual(len(mail.outbox), 1)
            self.assertEqual(mail.outbox[0].subject, "authentik Notification: custom_foo")
            self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
-
-    def test_transport_email_custom_template(self):
-        """Test email transport with custom template"""
-        transport: NotificationTransport = NotificationTransport.objects.create(
-            name=generate_id(),
-            mode=TransportMode.EMAIL,
-            email_template="email/event_notification.html",
-        )
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=EmailBackend),
-        ):
-            transport.send(self.notification)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertIn(self.notification.body, mail.outbox[0].alternatives[0][0])
-
-    def test_transport_email_custom_subject_prefix(self):
-        """Test email transport with custom subject prefix"""
-        transport: NotificationTransport = NotificationTransport.objects.create(
-            name=generate_id(),
-            mode=TransportMode.EMAIL,
-            email_subject_prefix="[CUSTOM] ",
-        )
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=EmailBackend),
-        ):
-            transport.send(self.notification)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(mail.outbox[0].subject, "[CUSTOM] custom_foo")
-
-    def test_transport_email_validation(self):
-        """Test email transport template validation"""
-
-        # Test valid template
-        serializer = NotificationTransportSerializer(
-            data={
-                "name": generate_id(),
-                "mode": TransportMode.EMAIL,
-                "email_template": "email/event_notification.html",
-            }
-        )
-        self.assertTrue(serializer.is_valid())
-
-        # Test invalid template - should fail due to choices validation
-        serializer = NotificationTransportSerializer(
-            data={
-                "name": generate_id(),
-                "mode": TransportMode.EMAIL,
-                "email_template": "invalid/template.html",
-            }
-        )
-        self.assertFalse(serializer.is_valid())
-        self.assertIn("email_template", serializer.errors)
-
-    def test_templates_api_endpoint(self):
-        """Test templates API endpoint returns valid templates"""
-        self.client.force_login(self.user)
-        response = self.client.get(reverse("authentik_api:emailstage-templates"))
-        self.assertEqual(response.status_code, 200)
-
-        data = response.json()
-        self.assertIsInstance(data, list)
-
-        # Check that we have at least the default templates
-        template_names = [item["name"] for item in data]
-        self.assertIn("email/event_notification.html", template_names)
-
-        # Verify all templates are valid choices
-        valid_choices = dict(get_template_choices())
-        for template in data:
-            self.assertIn(template["name"], valid_choices)
-            self.assertEqual(template["description"], valid_choices[template["name"]])
--- a/authentik/flows/management/commands/benchmark.py
+++ b/authentik/flows/management/commands/benchmark.py
@@ -10,7 +10,7 @@ from django.core.management.base import BaseCommand
 from django.test import RequestFactory
 from structlog.stdlib import get_logger

-from authentik import authentik_version
+from authentik import __version__
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.models import Flow
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
@@ -99,7 +99,7 @@ class Command(BaseCommand):
        total_min: int = min(min(inner) for inner in values)
        total_avg = sum(sum(inner) for inner in values) / sum(len(inner) for inner in values)

-        print(f"Version: {authentik_version()}")
+        print(f"Version: {__version__}")
        print(f"Processes: {len(values)}")
        print(f"\tMax: {total_max * 100}ms")
        print(f"\tMin: {total_min * 100}ms")
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@@ -14,7 +14,7 @@ LOG_PRE_CHAIN = [
    # is not from structlog.
    structlog.stdlib.add_log_level,
    structlog.stdlib.add_logger_name,
-    structlog.processors.TimeStamper(fmt="iso", utc=False),
+    structlog.processors.TimeStamper(),
    structlog.processors.StackInfoRenderer(),
 ]

--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -10,7 +10,6 @@ from django.db import DatabaseError, InternalError, OperationalError, Programmin
 from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
-from dramatiq.errors import Retry
 from h11 import LocalProtocolError
 from ldap3.core.exceptions import LDAPException
 from psycopg.errors import Error
@@ -22,7 +21,6 @@ from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
-from sentry_sdk.integrations.dramatiq import DramatiqIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
@@ -31,7 +29,7 @@ from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import get_env
@@ -70,8 +68,6 @@ ignored_classes = (
    LocalProtocolError,
    # rest_framework error
    APIException,
-    # dramatiq errors
-    Retry,
    # custom baseclass
    SentryIgnoredException,
    # ldap errors
@@ -110,20 +106,19 @@ def sentry_init(**sentry_init_kwargs):
        dsn=CONFIG.get("error_reporting.sentry_dsn"),
        integrations=[
            ArgvIntegration(),
-            DjangoIntegration(transaction_style="function_name", cache_spans=True),
-            DramatiqIntegration(),
-            RedisIntegration(),
-            SocketIntegration(),
            StdlibIntegration(),
+            DjangoIntegration(transaction_style="function_name", cache_spans=True),
+            RedisIntegration(),
            ThreadingIntegration(propagate_hub=True),
+            SocketIntegration(),
        ],
        before_send=before_send,
        traces_sampler=traces_sampler,
-        release=f"authentik@{authentik_version()}",
+        release=f"authentik@{__version__}",
        transport=SentryTransport,
        **kwargs,
    )
-    set_tag("authentik.build_hash", authentik_build_hash("tagged"))
+    set_tag("authentik.build_hash", get_build_hash("tagged"))
    set_tag("authentik.env", get_env())
    set_tag("authentik.component", "backend")

--- a/authentik/lib/sync/outgoing/signals.py
+++ b/authentik/lib/sync/outgoing/signals.py
@@ -16,18 +16,8 @@ def register_signals(
    """Register sync signals"""
    uid = class_to_path(provider_type)

-    def model_post_save(
-        sender: type[Model],
-        instance: User | Group,
-        created: bool,
-        update_fields: list[str] | None = None,
-        **_,
-    ):
+    def model_post_save(sender: type[Model], instance: User | Group, created: bool, **_):
        """Post save handler"""
-        # Special case for user object; don't start sync task when we've only updated `last_login`
-        # This primarily happens during user login
-        if sender == User and update_fields == {"last_login"}:
-            return
        task_sync_direct_dispatch.send(
            class_to_path(instance.__class__),
            instance.pk,
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@@ -5,7 +5,7 @@ from uuid import uuid4
 from requests.sessions import PreparedRequest, Session
 from structlog.stdlib import get_logger

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.lib.config import CONFIG

 LOGGER = get_logger()
@@ -13,7 +13,7 @@ LOGGER = get_logger()

 def authentik_user_agent() -> str:
    """Get a common user agent"""
-    return f"authentik@{authentik_full_version()}"
+    return f"authentik@{get_full_version()}"


 class TimeoutSession(Session):
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@@ -13,7 +13,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

-from authentik import authentik_build_hash
+from authentik import get_build_hash
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -194,7 +194,7 @@ class OutpostViewSet(UsedByMixin, ModelViewSet):
                    "openssl_version": state.openssl_version,
                    "fips_enabled": state.fips_enabled,
                    "hostname": state.hostname,
-                    "build_hash_should": authentik_build_hash(),
+                    "build_hash_should": get_build_hash(),
                }
            )
        return Response(OutpostHealthSerializer(states, many=True).data)
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@@ -4,7 +4,7 @@ from dataclasses import dataclass

 from structlog.stdlib import get_logger

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import SentryIgnoredException
@@ -99,6 +99,6 @@ class BaseController:
        image_name_template: str = CONFIG.get("outposts.container_image_base")
        return image_name_template % {
            "type": self.outpost.type,
-            "version": authentik_version(),
-            "build_hash": authentik_build_hash(),
+            "version": __version__,
+            "build_hash": get_build_hash(),
        }
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@@ -13,7 +13,7 @@ from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump

-from authentik import authentik_version
+from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH, SSHManagedExternallyException
@@ -185,7 +185,7 @@ class DockerController(BaseController):
        try:
            self.client.images.pull(image)
        except DockerException:  # pragma: no cover
-            image = f"ghcr.io/goauthentik/{self.outpost.type}:{authentik_version()}"
+            image = f"ghcr.io/goauthentik/{self.outpost.type}:{__version__}"
            self.client.images.pull(image)
        return image

--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@@ -17,7 +17,7 @@ from requests import Response
 from structlog.stdlib import get_logger
 from urllib3.exceptions import HTTPError

-from authentik import authentik_version
+from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import ControllerException
 from authentik.outposts.controllers.k8s.triggers import NeedsRecreate, NeedsUpdate
@@ -29,8 +29,8 @@ T = TypeVar("T", V1Pod, V1Deployment)


 def get_version() -> str:
-    """Wrapper for authentik_version() to make testing easier"""
-    return authentik_version()
+    """Wrapper for __version__ to make testing easier"""
+    return __version__


 class KubernetesObjectReconciler(Generic[T]):
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@@ -23,7 +23,7 @@ from kubernetes.client import (
    V1SecurityContext,
 )

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
@@ -94,7 +94,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
        meta = self.get_object_meta(name=self.name)
        image_name = self.controller.get_container_image()
        image_pull_secrets = self.outpost.config.kubernetes_image_pull_secrets
-        version = authentik_full_version().replace("+", "-")
+        version = get_full_version().replace("+", "-")
        return V1Deployment(
            metadata=meta,
            spec=V1DeploymentSpec(
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -19,7 +19,7 @@ from packaging.version import Version, parse
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.blueprints.models import ManagedModel
 from authentik.brands.models import Brand
 from authentik.core.models import (
@@ -40,7 +40,7 @@ from authentik.outposts.controllers.k8s.utils import get_namespace
 from authentik.tasks.schedules.common import ScheduleSpec
 from authentik.tasks.schedules.models import ScheduledModel

-OUR_VERSION = parse(authentik_version())
+OUR_VERSION = parse(__version__)
 OUTPOST_HELLO_INTERVAL = 10
 LOGGER = get_logger()

@@ -481,7 +481,7 @@ class OutpostState:
        """Check if outpost version matches our version"""
        if not self.version:
            return False
-        if self.build_hash != authentik_build_hash():
+        if self.build_hash != get_build_hash():
            return False
        return parse(self.version) != OUR_VERSION

--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@@ -6,7 +6,7 @@ from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.test import TransactionTestCase

-from authentik import authentik_version
+from authentik import __version__
 from authentik.core.tests.utils import create_test_flow
 from authentik.outposts.consumer import WebsocketMessage, WebsocketMessageInstruction
 from authentik.outposts.models import Outpost, OutpostType
@@ -65,7 +65,7 @@ class TestOutpostWS(TransactionTestCase):
                WebsocketMessage(
                    instruction=WebsocketMessageInstruction.HELLO,
                    args={
-                        "version": authentik_version(),
+                        "version": __version__,
                        "buildHash": "foo",
                        "uuid": "123",
                    },
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@@ -7,7 +7,6 @@ For example: The 'dummy' policy is available at `authentik.policies.dummy`.
 from prometheus_client import Gauge, Histogram

 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.tenants.flags import Flag

 GAUGE_POLICIES_CACHED = Gauge(
    "authentik_policies_cached",
@@ -33,12 +32,6 @@ HIST_POLICIES_EXECUTION_TIME = Histogram(
 )


-class BufferedPolicyAccessViewFlag(Flag[bool], key="policies_buffered_access_view"):
-
-    default = False
-    visibility = "public"
-
-
 class AuthentikPoliciesConfig(ManagedAppConfig):
    """authentik policies app config"""

@@ -46,4 +39,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
-    mountpoint = "policy/"
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@@ -103,7 +103,7 @@ class PasswordPolicy(Policy):
        if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
            LOGGER.debug("password failed", check="static", reason="amount_lowercase")
            return PolicyResult(False, self.error_message)
-        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_uppercase:
+        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
            LOGGER.debug("password failed", check="static", reason="amount_uppercase")
            return PolicyResult(False, self.error_message)
        if self.amount_symbols > 0:
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@@ -1,121 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block head %}
-{{ block.super }}
-<script>
-"use strict";
-
-let redirecting = false;
-
-async function checkAuth() {
-    if (redirecting) {
-        console.debug(
-            "authentik/policies/buffer: Already authenticating in another tab. This page will refresh once authentication is completed.",
-        );
-
-        return true;
-    }
-
-    const url = "{{ check_auth_url }}";
-    console.debug("authentik/policies/buffer: Checking authentication...");
-
-    return fetch(url, {
-        method: "HEAD",
-    })
-        .then((response) => {
-            if (response.status >= 400) {
-                return false;
-            }
-
-            console.debug("authentik/policies/buffer: Continuing");
-
-            if ("{{ auth_req_method }}" === "post") {
-                document.querySelector("form")?.submit();
-                return true;
-            }
-
-            window.location.assign("{{ continue_url|escapejs }}");
-
-            return true;
-        })
-        .catch((error) => {
-            console.warn("authentik/policies/buffer: Error checking authentication.", error);
-            return false;
-        })
-}
-
-const offset = 20;
-
-let timeoutID = -1;
-let timeout = 100;
-let attempts = 0;
-
-async function main() {
-    window.clearTimeout(timeoutID);
-
-    attempts += 1;
-
-    redirecting = await checkAuth();
-
-    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
-
-    timeoutID = window.setTimeout(main, timeout);
-
-    timeout += offset * attempts;
-
-    if (timeout >= 2000) {
-        timeout = 2000;
-    }
-}
-
-document.addEventListener("visibilitychange", async () => {
-    if (document.hidden) return;
-
-    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
-
-    redirecting = await checkAuth();
-});
-
-main();
-</script>
-{% endblock %}
-
-{% block title %}
-{% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% trans 'Waiting for authentication...' %}
-{% endblock %}
-
-{% block card %}
-<form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
-  {% if auth_req_method == "post" %}
-    {% for key, value in auth_req_body.items %}
-      <input type="hidden" name="{{ key }}" value="{{ value }}" />
-    {% endfor %}
-  {% endif %}
-  <div class="pf-c-empty-state">
-    <div class="pf-c-empty-state__content">
-      <div class="pf-c-empty-state__icon">
-        <span class="pf-c-spinner pf-m-xl" role="progressbar">
-          <span class="pf-c-spinner__clipper"></span>
-          <span class="pf-c-spinner__lead-ball"></span>
-          <span class="pf-c-spinner__tail-ball"></span>
-        </span>
-      </div>
-      <h1 class="pf-c-title pf-m-lg">
-        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
-      </h1>
-    </div>
-  </div>
-  <div class="pf-c-form__group pf-m-action">
-    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
-      {% trans "Authenticate in this tab" %}
-    </a>
-  </div>
-</form>
-{% endblock %}
--- a/authentik/policies/tests/test_views.py
+++ b/authentik/policies/tests/test_views.py
@@ -1,125 +0,0 @@
-from django.contrib.auth.models import AnonymousUser
-from django.contrib.sessions.middleware import SessionMiddleware
-from django.http import HttpResponse
-from django.test import RequestFactory, TestCase
-from django.urls import reverse
-
-from authentik.core.models import Application, Provider
-from authentik.core.tests.utils import create_test_flow, create_test_user
-from authentik.flows.models import FlowDesignation
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import dummy_get_response
-from authentik.policies.apps import BufferedPolicyAccessViewFlag
-from authentik.policies.views import (
-    QS_BUFFER_ID,
-    SESSION_KEY_BUFFER,
-    BufferedPolicyAccessView,
-    BufferView,
-    PolicyAccessView,
-)
-from authentik.tenants.flags import patch_flag
-
-
-class TestPolicyViews(TestCase):
-    """Test PolicyAccessView"""
-
-    def setUp(self):
-        super().setUp()
-        self.factory = RequestFactory()
-        self.user = create_test_user()
-
-    def test_pav(self):
-        """Test simple policy access view"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-
-        class TestView(PolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/")
-        req.user = self.user
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 200)
-        self.assertEqual(res.content, b"foo")
-
-    @patch_flag(BufferedPolicyAccessViewFlag, True)
-    def test_pav_buffer(self):
-        """Test simple policy access view"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-
-        class TestView(BufferedPolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
-        req.session.save()
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 302)
-        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
-
-    @patch_flag(BufferedPolicyAccessViewFlag, True)
-    def test_pav_buffer_skip(self):
-        """Test simple policy access view (skip buffer)"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-
-        class TestView(BufferedPolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/?skip_buffer=true")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
-        req.session.save()
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 302)
-        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
-
-    def test_buffer(self):
-        """Test buffer view"""
-        uid = generate_id()
-        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        ts = generate_id()
-        req.session[SESSION_KEY_BUFFER % uid] = {
-            "method": "get",
-            "body": {},
-            "url": f"/{ts}",
-        }
-        req.session.save()
-
-        res = BufferView.as_view()(req)
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(ts, res.render().content.decode())
--- a/authentik/policies/urls.py
+++ b/authentik/policies/urls.py
@@ -1,14 +1,7 @@
 """API URLs"""

-from django.urls import path
-
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
-from authentik.policies.views import BufferView
-
-urlpatterns = [
-    path("buffer", BufferView.as_view(), name="buffer"),
-]

 api_urlpatterns = [
    ("policies/all", PolicyViewSet),
--- a/authentik/policies/views.py
+++ b/authentik/policies/views.py
@@ -1,37 +1,23 @@
 """authentik access helper classes"""

 from typing import Any
-from uuid import uuid4

 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpRequest, HttpResponse, QueryDict
-from django.shortcuts import redirect
-from django.urls import reverse
-from django.utils.http import urlencode
+from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
-from django.views.generic.base import TemplateView, View
+from django.views.generic.base import View
 from structlog.stdlib import get_logger

 from authentik.core.models import Application, Provider, User
-from authentik.flows.models import Flow, FlowDesignation
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import (
-    SESSION_KEY_APPLICATION_PRE,
-    SESSION_KEY_PLAN,
-    SESSION_KEY_POST,
-)
+from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_POST
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.policies.apps import BufferedPolicyAccessViewFlag
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyRequest, PolicyResult

 LOGGER = get_logger()
-QS_BUFFER_ID = "af_bf_id"
-QS_SKIP_BUFFER = "skip_buffer"
-SESSION_KEY_BUFFER = "authentik/policies/pav_buffer/%s"


 class RequestValidationError(SentryIgnoredException):
@@ -139,66 +125,3 @@ class PolicyAccessView(AccessMixin, View):
            for message in result.messages:
                messages.error(self.request, _(message))
        return result
-
-
-def url_with_qs(url: str, **kwargs):
-    """Update/set querystring of `url` with the parameters in `kwargs`. Original query string
-    parameters are retained"""
-    if "?" not in url:
-        return url + f"?{urlencode(kwargs)}"
-    url, _, qs = url.partition("?")
-    qs = QueryDict(qs, mutable=True)
-    qs.update(kwargs)
-    return url + f"?{urlencode(qs.items())}"
-
-
-class BufferView(TemplateView):
-    """Buffer view"""
-
-    template_name = "policies/buffer.html"
-
-    def get_context_data(self, **kwargs):
-        buf_id = self.request.GET.get(QS_BUFFER_ID)
-        buffer: dict = self.request.session.get(SESSION_KEY_BUFFER % buf_id)
-        kwargs["auth_req_method"] = buffer["method"]
-        kwargs["auth_req_body"] = buffer["body"]
-        kwargs["auth_req_url"] = url_with_qs(buffer["url"], **{QS_SKIP_BUFFER: True})
-        kwargs["check_auth_url"] = reverse("authentik_api:user-me")
-        kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
-        return super().get_context_data(**kwargs)
-
-
-class BufferedPolicyAccessView(PolicyAccessView):
-    """PolicyAccessView which buffers access requests in case the user is not logged in"""
-
-    def handle_no_permission(self):
-        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
-        if plan:
-            flow = Flow.objects.filter(pk=plan.flow_pk).first()
-            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
-                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
-                return super().handle_no_permission()
-        if not plan:
-            LOGGER.debug("Not buffering request, no flow plan active")
-            return super().handle_no_permission()
-        if not BufferedPolicyAccessViewFlag().get():
-            return super().handle_no_permission()
-        if self.request.GET.get(QS_SKIP_BUFFER):
-            LOGGER.debug("Not buffering request, explicit skip")
-            return super().handle_no_permission()
-        buffer_id = str(uuid4())
-        LOGGER.debug("Buffering access request", bf_id=buffer_id)
-        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
-            "body": self.request.POST,
-            "url": self.request.build_absolute_uri(self.request.get_full_path()),
-            "method": self.request.method.lower(),
-        }
-        return redirect(
-            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
-        )
-
-    def dispatch(self, request, *args, **kwargs):
-        response = super().dispatch(request, *args, **kwargs)
-        if QS_BUFFER_ID in self.request.GET:
-            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
-        return response
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -30,7 +30,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
+from authentik.policies.views import PolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.constants import (
    PKCE_METHOD_PLAIN,
    PKCE_METHOD_S256,
@@ -334,7 +334,7 @@ class OAuthAuthorizationParams:
        return code


-class AuthorizationFlowInitView(BufferedPolicyAccessView):
+class AuthorizationFlowInitView(PolicyAccessView):
    """OAuth2 Flow initializer, checks access to application and starts flow"""

    params: OAuthAuthorizationParams
--- a/authentik/providers/rac/models.py
+++ b/authentik/providers/rac/models.py
@@ -120,13 +120,9 @@ class RACPropertyMapping(PropertyMapping):

    def evaluate(self, user: User | None, request: HttpRequest | None, **kwargs) -> Any:
        """Evaluate `self.expression` using `**kwargs` as Context."""
-        settings = {}
-        for key, value in self.static_settings.items():
-            if value and value != "":
-                settings[key] = value
-        if self.expression != "":
-            always_merger.merge(settings, super().evaluate(user, request, **kwargs))
-        return settings
+        if len(self.static_settings) > 0:
+            return self.static_settings
+        return super().evaluate(user, request, **kwargs)

    @property
    def component(self) -> str:
--- a/authentik/providers/rac/templates/if/rac.html
+++ b/authentik/providers/rac/templates/if/rac.html
@@ -4,6 +4,8 @@

 {% block head %}
 <script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon_url }}">
 <link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
 {% include "base/header_js.html" %}
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@@ -18,14 +18,14 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT

 PLAN_CONNECTION_SETTINGS = "connection_settings"


-class RACStartView(BufferedPolicyAccessView):
+class RACStartView(PolicyAccessView):
    """Start a RAC connection by checking access and creating a connection token"""

    endpoint: Endpoint
--- a/authentik/providers/saml/views/flows.py
+++ b/authentik/providers/saml/views/flows.py
@@ -35,8 +35,8 @@ REQUEST_KEY_SAML_SIG_ALG = "SigAlg"
 REQUEST_KEY_SAML_RESPONSE = "SAMLResponse"
 REQUEST_KEY_RELAY_STATE = "RelayState"

-PLAN_CONTEXT_SAML_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
-PLAN_CONTEXT_SAML_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
+SESSION_KEY_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
+SESSION_KEY_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"


 # This View doesn't have a URL on purpose, as its called by the FlowExecutor
@@ -50,11 +50,10 @@ class SAMLFlowFinalView(ChallengeStageView):
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        application: Application = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
        provider: SAMLProvider = get_object_or_404(SAMLProvider, pk=application.provider_id)
-        if PLAN_CONTEXT_SAML_AUTH_N_REQUEST not in self.executor.plan.context:
-            self.logger.warning("No AuthNRequest in context")
+        if SESSION_KEY_AUTH_N_REQUEST not in self.request.session:
            return self.executor.stage_invalid()

-        auth_n_request: AuthNRequest = self.executor.plan.context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST]
+        auth_n_request: AuthNRequest = self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST)
        try:
            response = AssertionProcessor(provider, request, auth_n_request).build_response()
        except SAMLException as exc:
@@ -107,3 +106,6 @@ class SAMLFlowFinalView(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        # We'll never get here since the challenge redirects to the SP
        return HttpResponseBadRequest()
+
+    def cleanup(self):
+        self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST, None)
--- a/authentik/providers/saml/views/slo.py
+++ b/authentik/providers/saml/views/slo.py
@@ -19,9 +19,9 @@ from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.providers.saml.views.flows import (
-    PLAN_CONTEXT_SAML_LOGOUT_REQUEST,
    REQUEST_KEY_RELAY_STATE,
    REQUEST_KEY_SAML_REQUEST,
+    SESSION_KEY_LOGOUT_REQUEST,
 )

 LOGGER = get_logger()
@@ -33,10 +33,6 @@ class SAMLSLOView(PolicyAccessView):

    flow: Flow

-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.plan_context = {}
-
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
        self.provider: SAMLProvider = get_object_or_404(
@@ -63,7 +59,6 @@ class SAMLSLOView(PolicyAccessView):
            request,
            {
                PLAN_CONTEXT_APPLICATION: self.application,
-                **self.plan_context,
            },
        )
        plan.append_stage(in_memory_stage(SessionEndStage))
@@ -88,7 +83,7 @@ class SAMLSLOBindingRedirectView(SAMLSLOView):
                self.request.GET[REQUEST_KEY_SAML_REQUEST],
                relay_state=self.request.GET.get(REQUEST_KEY_RELAY_STATE, None),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
        except CannotHandleAssertion as exc:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
@@ -116,7 +111,7 @@ class SAMLSLOBindingPOSTView(SAMLSLOView):
                payload[REQUEST_KEY_SAML_REQUEST],
                relay_state=payload.get(REQUEST_KEY_RELAY_STATE, None),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
        except CannotHandleAssertion as exc:
            LOGGER.info(str(exc))
            return bad_request_message(self.request, str(exc))
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@@ -15,16 +15,16 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
-    PLAN_CONTEXT_SAML_AUTH_N_REQUEST,
    REQUEST_KEY_RELAY_STATE,
    REQUEST_KEY_SAML_REQUEST,
    REQUEST_KEY_SAML_SIG_ALG,
    REQUEST_KEY_SAML_SIGNATURE,
+    SESSION_KEY_AUTH_N_REQUEST,
    SAMLFlowFinalView,
 )
 from authentik.stages.consent.stage import (
@@ -35,14 +35,10 @@ from authentik.stages.consent.stage import (
 LOGGER = get_logger()


-class SAMLSSOView(BufferedPolicyAccessView):
+class SAMLSSOView(PolicyAccessView):
    """SAML SSO Base View, which plans a flow and injects our final stage.
    Calls get/post handler."""

-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.plan_context = {}
-
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
        self.provider: SAMLProvider = get_object_or_404(
@@ -72,7 +68,6 @@ class SAMLSSOView(BufferedPolicyAccessView):
                    PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
                    % {"application": self.application.name},
                    PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
-                    **self.plan_context,
                },
            )
        except FlowNonApplicableException:
@@ -88,7 +83,7 @@ class SAMLSSOView(BufferedPolicyAccessView):

    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
        """GET and POST use the same handler, but we can't
-        override .dispatch easily because BufferedPolicyAccessView's dispatch"""
+        override .dispatch easily because PolicyAccessView's dispatch"""
        return self.get(request, application_slug)


@@ -108,7 +103,7 @@ class SAMLSSOBindingRedirectView(SAMLSSOView):
                self.request.GET.get(REQUEST_KEY_SAML_SIGNATURE),
                self.request.GET.get(REQUEST_KEY_SAML_SIG_ALG),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
        except CannotHandleAssertion as exc:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
@@ -142,7 +137,7 @@ class SAMLSSOBindingPOSTView(SAMLSSOView):
                payload[REQUEST_KEY_SAML_REQUEST],
                payload.get(REQUEST_KEY_RELAY_STATE),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
        except CannotHandleAssertion as exc:
            LOGGER.info(str(exc))
            return bad_request_message(self.request, str(exc))
@@ -156,4 +151,4 @@ class SAMLSSOBindingInitView(SAMLSSOView):
        """Create SAML Response from scratch"""
        LOGGER.debug("No SAML Request, using IdP-initiated flow.")
        auth_n_request = AuthNRequestParser(self.provider).idp_initiated()
-        self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+        self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -10,7 +10,7 @@ import orjson
 from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace

-from authentik import authentik_version
+from authentik import __version__
 from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
@@ -144,13 +144,13 @@ GUARDIAN_MONKEY_PATCH_USER = False
 SPECTACULAR_SETTINGS = {
    "TITLE": "authentik",
    "DESCRIPTION": "Making authentication simple.",
-    "VERSION": authentik_version(),
+    "VERSION": __version__,
    "COMPONENT_SPLIT_REQUEST": True,
    "SCHEMA_PATH_PREFIX": "/api/v([0-9]+(beta)?)",
    "SCHEMA_PATH_PREFIX_TRIM": True,
    "SERVERS": [
        {
-            "url": "/api/v3",
+            "url": "/api/v3/",
        },
    ],
    "CONTACT": {
@@ -567,7 +567,7 @@ if DEBUG:
    enable_debug_trace(True)


-CONFIG.log("info", "Booting authentik", version=authentik_version())
+CONFIG.log("info", "Booting authentik", version=__version__)

 # Load subapps's settings
 _filter_and_update(SHARED_APPS + TENANT_APPS)
--- a/authentik/root/test_plugin.py
+++ b/authentik/root/test_plugin.py
@@ -5,7 +5,7 @@ from ssl import OPENSSL_VERSION
 import pytest
 from cryptography.hazmat.backends.openssl.backend import backend

-from authentik import authentik_full_version
+from authentik import get_full_version

 IS_CI = "CI" in environ

@@ -22,7 +22,7 @@ def pytest_sessionstart(*_, **__):
 def pytest_report_header(*_, **__):
    """Add authentik version to pytest output"""
    return [
-        f"authentik version: {authentik_full_version()}",
+        f"authentik version: {get_full_version()}",
        f"OpenSSL version: {OPENSSL_VERSION}, FIPS: {backend._fips_enabled}",
    ]

--- a/authentik/sources/plex/plex.py
+++ b/authentik/sources/plex/plex.py
@@ -6,7 +6,7 @@ from django.http.response import Http404
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger

-from authentik import authentik_version
+from authentik import __version__
 from authentik.core.sources.flow_manager import SourceFlowManager
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.plex.models import (
@@ -38,7 +38,7 @@ class PlexAuth:
        """Get common headers"""
        return {
            "X-Plex-Product": "authentik",
-            "X-Plex-Version": authentik_version(),
+            "X-Plex-Version": __version__,
            "X-Plex-Device-Vendor": "goauthentik.io",
        }

--- a/authentik/stages/authenticator_email/models.py
+++ b/authentik/stages/authenticator_email/models.py
@@ -15,10 +15,18 @@ from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.stages.authenticator.models import SideChannelDevice
-from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage


+class EmailTemplates(models.TextChoices):
+    """Templates used for rendering the Email"""
+
+    EMAIL_OTP = (
+        "email/email_otp.html",
+        _("Email OTP"),
+    )  # nosec
+
+
 class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
    """Use Email-based authentication instead of authenticator-based."""

--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/email/models.py
+++ b/authentik/stages/email/models.py
@@ -32,14 +32,6 @@ class EmailTemplates(models.TextChoices):
        "email/account_confirmation.html",
        _("Account Confirmation"),
    )
-    EMAIL_OTP = (
-        "email/email_otp.html",
-        _("Email OTP"),
-    )  # nosec
-    EVENT_NOTIFICATION = (
-        "email/event_notification.html",
-        _("Event Notification"),
-    )


 def get_template_choices():
--- a/authentik/stages/email/tests/test_templates.py
+++ b/authentik/stages/email/tests/test_templates.py
@@ -54,7 +54,7 @@ class TestEmailStageTemplates(FlowTestCase):
            chmod(file2, 0o000)  # Remove all permissions so we can't read the file
            choices = get_template_choices()
            self.assertEqual(choices[-1][0], Path(file).name)
-            self.assertEqual(len(choices), 5)
+            self.assertEqual(len(choices), 3)
            unlink(file)
            unlink(file2)

--- a/authentik/tasks/api/workers.py
+++ b/authentik/tasks/api/workers.py
@@ -7,7 +7,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.tasks.models import WorkerStatus

@@ -30,7 +30,7 @@ class WorkerView(APIView):
    )
    def get(self, request: Request) -> Response:
        response = []
-        our_version = parse(authentik_full_version())
+        our_version = parse(get_full_version())
        for status in WorkerStatus.objects.filter(last_seen__gt=now() - timedelta(minutes=2)):
            lock_id = f"goauthentik.io/worker/status/{status.pk}"
            with pglock.advisory(lock_id, timeout=0, side_effect=pglock.Return) as acquired:
--- a/authentik/tasks/middleware.py
+++ b/authentik/tasks/middleware.py
@@ -7,9 +7,7 @@ import pglock
 from django.db import OperationalError, connections
 from django.utils.timezone import now
 from django_dramatiq_postgres.middleware import HTTPServer
-from django_dramatiq_postgres.middleware import (
-    MetricsMiddleware as BaseMetricsMiddleware,
-)
+from django_dramatiq_postgres.middleware import MetricsMiddleware as BaseMetricsMiddleware
 from django_redis import get_redis_connection
 from dramatiq.broker import Broker
 from dramatiq.message import Message
@@ -17,15 +15,13 @@ from dramatiq.middleware import Middleware
 from redis.exceptions import RedisError
 from structlog.stdlib import get_logger

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.events.models import Event, EventAction
-from authentik.lib.sentry import should_ignore_exception
 from authentik.tasks.models import Task, TaskStatus, WorkerStatus
 from authentik.tenants.models import Tenant
 from authentik.tenants.utils import get_current_tenant

 LOGGER = get_logger()
-HEALTHCHECK_LOGGER = get_logger("authentik.worker").bind()


 class TenantMiddleware(Middleware):
@@ -92,24 +88,17 @@ class MessagesMiddleware(Middleware):
        task: Task = message.options["task"]
        if exception is None:
            task.log(str(type(self)), TaskStatus.INFO, "Task finished processing without errors")
-            return
-        if should_ignore_exception(exception):
-            return
-        task.log(
-            str(type(self)),
-            TaskStatus.ERROR,
-            exception,
-        )
-        event_kwargs = {
-            "actor": task.actor_name,
-        }
-        if task.rel_obj:
-            event_kwargs["rel_obj"] = task.rel_obj
-        Event.new(
-            EventAction.SYSTEM_TASK_EXCEPTION,
-            message=f"Task {task.actor_name} encountered an error",
-            **event_kwargs,
-        ).with_exception(exception).save()
+        else:
+            task.log(
+                str(type(self)),
+                TaskStatus.ERROR,
+                exception,
+            )
+            Event.new(
+                EventAction.SYSTEM_TASK_EXCEPTION,
+                message=f"Task {task.actor_name} encountered an error",
+                actor=task.actor_name,
+            ).with_exception(exception).save()

    def after_skip_message(self, broker: Broker, message: Message):
        task: Task = message.options["task"]
@@ -156,16 +145,6 @@ class DescriptionMiddleware(Middleware):


 class _healthcheck_handler(BaseHTTPRequestHandler):
-    def log_request(self, code="-", size="-"):
-        HEALTHCHECK_LOGGER.info(
-            self.path,
-            method=self.command,
-            status=code,
-        )
-
-    def log_error(self, format, *args):
-        HEALTHCHECK_LOGGER.warning(format, *args)
-
    def do_HEAD(self):
        try:
            for db_conn in connections.all():
@@ -214,7 +193,7 @@ class WorkerStatusMiddleware(Middleware):
    def run():
        status = WorkerStatus.objects.create(
            hostname=socket.gethostname(),
-            version=authentik_full_version(),
+            version=get_full_version(),
        )
        lock_id = f"goauthentik.io/worker/status/{status.pk}"
        with pglock.advisory(lock_id, side_effect=pglock.Raise):
--- a/authentik/tasks/signals.py
+++ b/authentik/tasks/signals.py
@@ -6,7 +6,7 @@ from django.utils.timezone import now, timedelta
 from packaging.version import parse
 from prometheus_client import Gauge

-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.root.monitoring import monitoring_set
 from authentik.tasks.models import WorkerStatus

@@ -22,7 +22,7 @@ GAUGE_WORKERS = Gauge(
 )


-_version = parse(authentik_full_version())
+_version = parse(get_full_version())


@receiver(monitoring_set)
--- a/authentik/tasks/worker.py
+++ b/authentik/tasks/worker.py
--- a/authentik/tenants/api/settings.py
+++ b/authentik/tenants/api/settings.py
@@ -1,57 +1,19 @@
 """Serializer for tenants models"""

-from typing import get_args
-
-from django.utils.translation import gettext_lazy as _
 from django_tenants.utils import get_public_schema_name
-from drf_spectacular.extensions import OpenApiSerializerFieldExtension
-from drf_spectacular.plumbing import build_basic_type, build_object_type
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import JSONField
 from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.permissions import SAFE_METHODS

-from authentik.core.api.utils import JSONDictField, ModelSerializer
+from authentik.core.api.utils import ModelSerializer
 from authentik.rbac.permissions import HasPermission
-from authentik.tenants.flags import Flag
 from authentik.tenants.models import Tenant


-class FlagJSONField(JSONDictField):
-
-    def run_validators(self, value: dict):
-        super().run_validators(value)
-        for flag in Flag.available():
-            _flag = flag()
-            if _flag.key in value:
-                flag_value = value.get(_flag.key)
-                flag_type = get_args(_flag.__orig_bases__[0])[0]
-                if flag_value and not isinstance(flag_value, flag_type):
-                    raise ValidationError(
-                        _("Value for flag {flag_key} needs to be of type {type}.").format(
-                            flag_key=_flag.key, type=flag_type.__name__
-                        )
-                    )
-
-
-class FlagsJSONExtension(OpenApiSerializerFieldExtension):
-    """Generate API Schema for JSON fields as"""
-
-    target_class = "authentik.tenants.api.settings.FlagJSONField"
-
-    def map_serializer_field(self, auto_schema, direction):
-        props = {}
-        for flag in Flag.available():
-            _flag = flag()
-            props[_flag.key] = build_basic_type(get_args(_flag.__orig_bases__[0])[0])
-        return build_object_type(props, required=props.keys())
-
-
 class SettingsSerializer(ModelSerializer):
    """Settings Serializer"""

    footer_links = JSONField(required=False)
-    flags = FlagJSONField()

    class Meta:
        model = Tenant
@@ -69,7 +31,6 @@ class SettingsSerializer(ModelSerializer):
            "impersonation_require_reason",
            "default_token_duration",
            "default_token_length",
-            "flags",
        ]


--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teffen Ellis	99fa5ec7cc	web/e2e: Sessions	2025-08-06 21:40:58 +02:00
Teffen Ellis	2800211dd0	web: Flesh out Playwright. web: Flesh out slim tests.	2025-08-06 21:31:14 +02:00