tweak

Dockerfile

@@ -75,7 +75,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.19 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.18 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
 

web/src/flow/FlowExecutor.ts

@@ -199,16 +199,6 @@ export class FlowExecutor
         });
     }
 
-    private _loadingDisableInputs() {
-        const challengeElement = this.shadowRoot?.querySelector(this.challenge!.component);
-        if (!challengeElement) return;
-        challengeElement.shadowRoot?.querySelectorAll("ak-form-element").forEach((wrapper) => {
-            wrapper.querySelectorAll("input").forEach((input) => {
-                input.disabled = true;
-            });
-        });
-    }
-
     async submit(
         payload?: FlowChallengeResponseRequest,
         options?: SubmitOptions,
@@ -219,7 +209,6 @@ export class FlowExecutor
         payload.component = this.challenge.component;
         if (!options?.invisible) {
             this.loading = true;
-            this._loadingDisableInputs();
         }
         try {
             const challenge = await new FlowsApi(DEFAULT_CONFIG).flowsExecutorSolve({

website/docs/add-secure-apps/flows-stages/stages/user_login/index.md

@@ -39,7 +39,7 @@ When creating or editing this stage in the UI of the Admin interface, you can se
 
     When configured, all sessions authenticated by this stage will be bound to the selected network and/or GeoIP criteria.
 
-    Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/index.md#logout) event will contain additional data related to what caused the binding to be broken:
+    Sessions that break this binding will be terminated on use. The created [`logout`](../../../../sys-mgmt/events/event-actions#logout) event will contain additional data related to what caused the binding to be broken:
 
     ```json
     {

website/docs/install-config/upgrade.mdx

@@ -10,19 +10,13 @@ Upgrading to the latest version of authentik, whether a new major release or a p
 authentik does not support downgrading. Make sure to back up your database in case you need to revert an upgrade.
 :::
 
-**Preview the release notes**: Be sure to carefully read the [Release Notes](../releases/) for the specific version to which you plan to upgrade. The release might have special requirements or actions or contain breaking changes.
+- **Preview the Release Notes**: Be sure to carefully read the [Release Notes](../releases/) for the specific version to which you plan to upgrade. The release might have special requirements or actions or contain breaking changes.
 
-**Database backup**: Before upgrading, make a backup of your PostgreSQL database. You can create a backup by dumping your existing database. For detailed instructions, refer to the relevant guide for your deployment method ([Docker Compose](../troubleshooting/postgres/upgrade_docker.md) or [Kubernetes](../troubleshooting/postgres/upgrade_kubernetes.md)).
+- **Database backup**: Make a backup of your PostgreSQL database before upgrading. You can dump your existing database to get a backup file. For more information about dumping and backing up your database, refer to [Upgrade PostgreSQL on Docker Compose](../troubleshooting/postgres/upgrade_docker.md) or [Upgrade PostgreSQL on Kubernetes](../troubleshooting/postgres/upgrade_kubernetes.md).
 
-**Upgrade sequence**: Upgrades must follow the sequence of major releases; **do not skip** directly from an older major version to the most recent version.
+- **Upgrade sequence**: Upgrades need to follow the sequence of major releases; do not skip directly from an older major version to the most recent version. For example, if you are currently running 2023.10.3, you should first upgrade to the latest 2024.2.x release, then to the latest 2024.4.x release, and finally to the latest 2024.6.x release, in sequence. Always use the latest available patch version (_x_ in this case being the latest patch release) for each major.minor release.
 
-Always upgrade to the latest minor version (`.x`) within each `major.minor` version before upgrading to the next major version. For example, if you're currently running `2025.2.1`, upgrade in the following order:
-
-1. Upgrade to the latest `2025.2.x`.
-2. Then to the latest `2025.4.x`.
-3. Finally to the latest `2025.6.x`.
-
-**Outposts**: The version of the authentik server and all authentik outposts must match. Ensure that all [outposts are upgraded](../add-secure-apps/outposts/upgrading.md) at the same time as the core authentik instance.
+- **Outposts**: The versions of the authentik server and any authentik outposts must be the same. Always [upgrade any outposts](../add-secure-apps/outposts/upgrading.md) at the same time that you upgrade your authentik instance.
 
 ## Upgrade authentik
 

website/docs/sys-mgmt/events/event-actions.md

@@ -0,0 +1,308 @@
+---
+title: Event actions
+---
+
+Whenever any of the following actions occur, an event is created. Actions are used to define [Notification Rules](notifications.md).
+
+### `login`
+
+A user logs in (including the source, if available).
+
+<details>
+<summary>Example</summary>
+
+```json
+{
+    "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
+    "user": {
+        "pk": 1,
+        "email": "root@localhost",
+        "username": "akadmin"
+    },
+    "action": "login",
+    "app": "authentik.events.signals",
+    "context": {
+        "auth_method": "password",
+        "http_request": {
+            "args": {
+                "query": "next=%2F"
+            },
+            "path": "/api/v3/flows/executor/default-authentication-flow/",
+            "method": "GET"
+        },
+        "auth_method_args": {}
+    },
+    "client_ip": "::1",
+    "created": "2023-02-15T15:33:42.771091Z",
+    "expires": "2024-02-15T15:33:42.770425Z",
+    "brand": {
+        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
+    }
+}
+```
+
+</details>
+
+### `login_failed`
+
+A failed login attempt.
+
+<details>
+<summary>Example</summary>
+
+```json
+{
+    "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
+    "user": {
+        "pk": 2,
+        "email": "",
+        "username": "AnonymousUser"
+    },
+    "action": "login_failed",
+    "app": "authentik.events.signals",
+    "context": {
+        "stage": {
+            "pk": "7e88f4a991c442c1a1335d80f0827d7f",
+            "app": "authentik_stages_password",
+            "name": "default-authentication-password",
+            "model_name": "passwordstage"
+        },
+        "password": "********************",
+        "username": "akadmin",
+        "http_request": {
+            "args": {
+                "query": "next=%2F"
+            },
+            "path": "/api/v3/flows/executor/default-authentication-flow/",
+            "method": "POST"
+        }
+    },
+    "client_ip": "::1",
+    "created": "2023-02-15T15:32:55.319608Z",
+    "expires": "2024-02-15T15:32:55.314581Z",
+    "brand": {
+        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
+    }
+}
+```
+
+</details>
+
+### `logout`
+
+A user logs out.
+
+<details>
+<summary>Example</summary>
+
+```json
+{
+    "pk": "474ffb6b-77e3-401c-b681-7d618962440f",
+    "user": {
+        "pk": 1,
+        "email": "root@localhost",
+        "username": "akadmin"
+    },
+    "action": "logout",
+    "app": "authentik.events.signals",
+    "context": {
+        "http_request": {
+            "args": {
+                "query": ""
+            },
+            "path": "/api/v3/flows/executor/default-invalidation-flow/",
+            "method": "GET"
+        }
+    },
+    "client_ip": "::1",
+    "created": "2023-02-15T15:39:55.976243Z",
+    "expires": "2024-02-15T15:39:55.975535Z",
+    "brand": {
+        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
+    }
+}
+```
+
+</details>
+
+### `user_write`
+
+A user is written to during a flow execution.
+
+<details>
+<summary>Example</summary>
+
+```json
+{
+    "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
+    "user": {
+        "pk": 1,
+        "email": "root@localhost",
+        "username": "akadmin"
+    },
+    "action": "user_write",
+    "app": "authentik.events.signals",
+    "context": {
+        "name": "authentik Default Admin",
+        "email": "root@localhost",
+        "created": false,
+        "username": "akadmin",
+        "attributes": {
+            "settings": {
+                "locale": ""
+            }
+        },
+        "http_request": {
+            "args": {
+                "query": ""
+            },
+            "path": "/api/v3/flows/executor/default-user-settings-flow/",
+            "method": "GET"
+        }
+    },
+    "client_ip": "::1",
+    "created": "2023-02-15T15:41:18.411017Z",
+    "expires": "2024-02-15T15:41:18.410276Z",
+    "brand": {
+        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
+    }
+}
+```
+
+</details>
+
+### `suspicious_request`
+
+A suspicious request has been received (for example, a revoked token was used).
+
+### `password_set`
+
+A user sets their password.
+
+### `secret_view`
+
+A user views a token's/certificate's data.
+
+### `secret_rotate`
+
+A token was rotated automatically by authentik.
+
+### `invitation_used`
+
+An invitation is used.
+
+### `authorize_application`
+
+A user authorizes an application.
+
+<details>
+<summary>Example</summary>
+
+```json
+{
+    "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
+    "user": {
+        "pk": 1,
+        "email": "root@localhost",
+        "username": "akadmin"
+    },
+    "action": "authorize_application",
+    "app": "authentik.providers.oauth2.views.authorize",
+    "context": {
+        "asn": {
+            "asn": 6805,
+            "as_org": "Telefonica Germany",
+            "network": "5.4.0.0/14"
+        },
+        "geo": {
+            "lat": 42.0,
+            "city": "placeholder",
+            "long": 42.0,
+            "country": "placeholder",
+            "continent": "placeholder"
+        },
+        "flow": "53287faa8a644b6cb124cb602a84282f",
+        "scopes": "ak_proxy profile openid email",
+        "http_request": {
+            "args": {
+                "query": "[...]"
+            },
+            "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
+            "method": "GET"
+        },
+        "authorized_application": {
+            "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
+            "app": "authentik_core",
+            "name": "Alertmanager",
+            "model_name": "application"
+        }
+    },
+    "client_ip": "::1",
+    "created": "2023-02-15T10:02:48.615499Z",
+    "expires": "2023-04-26T10:02:48.612809Z",
+    "brand": {
+        "pk": "10800be643d44842ab9d97cb5f898ce9",
+        "app": "authentik_brands",
+        "name": "Default brand",
+        "model_name": "brand"
+    }
+}
+```
+
+</details>
+
+### `source_linked`
+
+A user links a source to their account.
+
+### `impersonation_started` / `impersonation_ended`
+
+A user starts/ends impersonation, including the user that was impersonated.
+
+### `policy_execution`
+
+A policy is executed (when a policy has "Execution Logging" enabled).
+
+### `policy_exception` / `property_mapping_exception`
+
+A policy or property mapping causes an exception.
+
+### `system_task_exception`
+
+An exception occurred in a system task.
+
+### `system_exception`
+
+A general exception in authentik occurred.
+
+### `configuration_error`
+
+A configuration error occurs, for example during the authorization of an application.
+
+### `model_created` / `model_updated` / `model_deleted`
+
+Logged when any model is created/updated/deleted, including the user that sent the request.
+
+:::info
+Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
+:::
+
+### `email_sent`
+
+An email has been sent. Included is the email that was sent.
+
+### `update_available`
+
+An update is available.

website/docs/sys-mgmt/events/index.md

@@ -4,319 +4,20 @@ title: Events
 
 Events are authentik's built-in logging system. Every event is logged, whether it is initiated by a user or by authentik.
 
-Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of local (in the authentik UI), email or webhook.
+Certain information is stripped from events to ensure that no passwords or other credentials are saved in the log.
 
-Certain information is stripped from events, to ensure no passwords or other credentials are saved in the log.
+## About notifications
 
-## Event retention
+Events can be used to define [notification rules](notifications.md), with specified [transport options](transports.md) of either local (shown in the authentik UI), email, or webhook.
 
-The event retention is configured in the **System > Settings** area of the Admin interface, with the default being set to 365 days.
+## About logging
 
-If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`).
+Event logging in authentik provides several layers of transparency about user and system actions, from a quick view on the Overview dashboard, to a full, searchable list of all events, with a volume graph to highlight any spikes, in the Admin interface under **Events > Logs**.
 
-## Event actions
+Refer to our [Logging documentation](./logging-events.md) for more information.
 
-Whenever any of the following actions occur, an event is created.
+## Event retention and forwarding
 
-### `login`
+The event retention setting is configured in the **System > Settings** area of the Admin interface, with the default being set to 365 days.
 
-A user logs in (including the source, if available)
-
-<details>
-<summary>Example</summary>
-
-```json
-{
-    "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
-    "user": {
-        "pk": 1,
-        "email": "root@localhost",
-        "username": "akadmin"
-    },
-    "action": "login",
-    "app": "authentik.events.signals",
-    "context": {
-        "auth_method": "password",
-        "http_request": {
-            "args": {
-                "query": "next=%2F"
-            },
-            "path": "/api/v3/flows/executor/default-authentication-flow/",
-            "method": "GET"
-        },
-        "auth_method_args": {}
-    },
-    "client_ip": "::1",
-    "created": "2023-02-15T15:33:42.771091Z",
-    "expires": "2024-02-15T15:33:42.770425Z",
-    "brand": {
-        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_brands",
-        "name": "Default brand",
-        "model_name": "brand"
-    }
-}
-```
-
-</details>
-
-### `login_failed`
-
-A failed login attempt
-
-<details>
-<summary>Example</summary>
-
-```json
-{
-    "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
-    "user": {
-        "pk": 2,
-        "email": "",
-        "username": "AnonymousUser"
-    },
-    "action": "login_failed",
-    "app": "authentik.events.signals",
-    "context": {
-        "stage": {
-            "pk": "7e88f4a991c442c1a1335d80f0827d7f",
-            "app": "authentik_stages_password",
-            "name": "default-authentication-password",
-            "model_name": "passwordstage"
-        },
-        "password": "********************",
-        "username": "akadmin",
-        "http_request": {
-            "args": {
-                "query": "next=%2F"
-            },
-            "path": "/api/v3/flows/executor/default-authentication-flow/",
-            "method": "POST"
-        }
-    },
-    "client_ip": "::1",
-    "created": "2023-02-15T15:32:55.319608Z",
-    "expires": "2024-02-15T15:32:55.314581Z",
-    "brand": {
-        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_brands",
-        "name": "Default brand",
-        "model_name": "brand"
-    }
-}
-```
-
-</details>
-
-### `logout`
-
-A user logs out.
-
-<details>
-<summary>Example</summary>
-
-```json
-{
-    "pk": "474ffb6b-77e3-401c-b681-7d618962440f",
-    "user": {
-        "pk": 1,
-        "email": "root@localhost",
-        "username": "akadmin"
-    },
-    "action": "logout",
-    "app": "authentik.events.signals",
-    "context": {
-        "http_request": {
-            "args": {
-                "query": ""
-            },
-            "path": "/api/v3/flows/executor/default-invalidation-flow/",
-            "method": "GET"
-        }
-    },
-    "client_ip": "::1",
-    "created": "2023-02-15T15:39:55.976243Z",
-    "expires": "2024-02-15T15:39:55.975535Z",
-    "brand": {
-        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_brands",
-        "name": "Default brand",
-        "model_name": "brand"
-    }
-}
-```
-
-</details>
-
-### `user_write`
-
-A user is written to during a flow execution.
-
-<details>
-<summary>Example</summary>
-
-```json
-{
-    "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
-    "user": {
-        "pk": 1,
-        "email": "root@localhost",
-        "username": "akadmin"
-    },
-    "action": "user_write",
-    "app": "authentik.events.signals",
-    "context": {
-        "name": "authentik Default Admin",
-        "email": "root@localhost",
-        "created": false,
-        "username": "akadmin",
-        "attributes": {
-            "settings": {
-                "locale": ""
-            }
-        },
-        "http_request": {
-            "args": {
-                "query": ""
-            },
-            "path": "/api/v3/flows/executor/default-user-settings-flow/",
-            "method": "GET"
-        }
-    },
-    "client_ip": "::1",
-    "created": "2023-02-15T15:41:18.411017Z",
-    "expires": "2024-02-15T15:41:18.410276Z",
-    "brand": {
-        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
-        "app": "authentik_brands",
-        "name": "Default brand",
-        "model_name": "brand"
-    }
-}
-```
-
-</details>
-
-### `suspicious_request`
-
-A suspicious request has been received (for example, a revoked token was used).
-
-### `password_set`
-
-A user sets their password.
-
-### `secret_view`
-
-A user views a token's/certificate's data.
-
-### `secret_rotate`
-
-A token was rotated automatically by authentik.
-
-### `invitation_used`
-
-An invitation is used.
-
-### `authorize_application`
-
-A user authorizes an application.
-
-<details>
-<summary>Example</summary>
-
-```json
-{
-    "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
-    "user": {
-        "pk": 1,
-        "email": "root@localhost",
-        "username": "akadmin"
-    },
-    "action": "authorize_application",
-    "app": "authentik.providers.oauth2.views.authorize",
-    "context": {
-        "asn": {
-            "asn": 6805,
-            "as_org": "Telefonica Germany",
-            "network": "5.4.0.0/14"
-        },
-        "geo": {
-            "lat": 42.0,
-            "city": "placeholder",
-            "long": 42.0,
-            "country": "placeholder",
-            "continent": "placeholder"
-        },
-        "flow": "53287faa8a644b6cb124cb602a84282f",
-        "scopes": "ak_proxy profile openid email",
-        "http_request": {
-            "args": {
-                "query": "[...]"
-            },
-            "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
-            "method": "GET"
-        },
-        "authorized_application": {
-            "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
-            "app": "authentik_core",
-            "name": "Alertmanager",
-            "model_name": "application"
-        }
-    },
-    "client_ip": "::1",
-    "created": "2023-02-15T10:02:48.615499Z",
-    "expires": "2023-04-26T10:02:48.612809Z",
-    "brand": {
-        "pk": "10800be643d44842ab9d97cb5f898ce9",
-        "app": "authentik_brands",
-        "name": "Default brand",
-        "model_name": "brand"
-    }
-}
-```
-
-</details>
-
-### `source_linked`
-
-A user links a source to their account
-
-### `impersonation_started` / `impersonation_ended`
-
-A user starts/ends impersonation, including the user that was impersonated
-
-### `policy_execution`
-
-A policy is executed (when a policy has "Execution Logging" enabled).
-
-### `policy_exception` / `property_mapping_exception`
-
-A policy or property mapping causes an exception
-
-### `system_task_exception`
-
-An exception occurred in a system task.
-
-### `system_exception`
-
-A general exception in authentik occurred.
-
-### `configuration_error`
-
-A configuration error occurs, for example during the authorization of an application
-
-### `model_created` / `model_updated` / `model_deleted`
-
-Logged when any model is created/updated/deleted, including the user that sent the request.
-
-:::info
-Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
-:::
-
-### `email_sent`
-
-An email has been sent. Included is the email that was sent.
-
-### `update_available`
-
-An update is available
+If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention time period to a short time frame (for example, `days=1`).

website/docs/sys-mgmt/events/logging-events.md

@@ -0,0 +1,33 @@
+---
+title: Logging events
+---
+
+Logs are a vital tool for system diagnostics, event auditing, user management, reporting, and more. They capture detailed information about each event including the client's IP address, the user involved, the date and time, and the specific action taken.
+
+Event logging in authentik is highly configurable. You can set the [retention period](./index.md#event-retention-and-forwarding) for storing and displaying events, specify which events should trigger a [notification](./notifications.md), and access low-level details about when and where each event occurred.
+
+### Troubleshooting with event logs
+
+For guidance on troubleshooting with logs, including setting log levels (info, warning, etc.), enabling `trace` mode, viewing historical logs, and streaming logs in real-time, see [Capturing logs in authentik](../../troubleshooting/logs.mdx).
+
+## Enhanced audit logging (Enterprise)
+
+In the enterprise version, two enhancements make reading the logs even easier:
+
+- the Event details page in the user interface presents abstracted and easily accessible information about each event in an easy-to-access table.
+
+- for any event that involves the creation or modification of an object, the corresponding code differences are displayed, allowing for comparison of the previous and new configuration settings or values. For example, if an authentik administrator updates a user's email address, both the old and new email addresses are displayed in the event's detailed view. (In the open source version, event details only show that a change was made and which application and model was involved.)
+
+![](./events-diffs.png)
+
+You can view audit details in the following areas of the authentik Admin interface:
+
+- **Admin interface > Dashboards > Overview**: In the **Recent events** section click an event name to view its details.
+
+- **Admin interface > Events > Logs**: In the event list, click the arrow toggle next to the event you want to view.
+
+## Viewing events in maps and charts (Enterprise)
+
+With the enterprise version, you can view recent events on both a world map view with pinpoints indicating where each event occurred and also a color-coded chart that highlights event types and volume.
+
+![](./event-map-chart.png)

website/docs/sys-mgmt/events/notifications.md

@@ -1,18 +1,37 @@
 ---
-title: Notifications
+title: Notification rules
+sidebar_label: Notification rules
 ---
 
 :::note
-To prevent infinite loops (events created by policies which are attached to a Notification rule), **any events created by a policy which is attached to any Notification Rules do not trigger notifications.**
+To prevent infinite loops of cause and effect (events created by policies which are attached to a notification rule), _any events created by a policy which is attached to any notification rules do not trigger notifications._
 :::
 
-## Filtering Events
+An authentik administrator can create notification rules based on the creation of specified events. Filtering of events is processed by the authentik Policy Engine, using a combination of both 1) a policy and 2) a notification rule.
 
-An authentik administrator can create notification rules based on the creation of specified events. Filtering is done by using the Policy Engine. You can do simple filtering using the "Event Matcher Policy" type.
+## Workflow overview
 
-![](./event_matcher.png)
+To receive notifications about events, follow this workflow:
 
-An event has to match all configured fields, otherwise the rule will not trigger.
+1. Create a notification transport (or use a default notification transport).
+2. Create a policy.
+3. Create a notification rule and bind the policy to the rule.
+
+## 1. Create a notification transport
+
+A notification transport determines the method used to deliver notifications to users. Supported delivery methods are: local notifications displayed in the authentik UI, email, and webhook. Follow these [instructions](./transports.md#create-a-notification-transport) to create a notification transport.
+
+## 2. Create a policy
+
+You will need to create a policy (either the **Event Matcher** policy or a custom Expression policy) that defines which events will trigger a notification.
+
+### Event Matcher policy
+
+For simple event matching you can [create and configure](../../customize/policies/working_with_policies.md) a **Event Matcher** policy to define which events (known as _Actions_ in the policy) will trigger a notification. For example, whenever a user deletes a model object, or whenever any user fails to successfully log in.
+
+Be aware that an event has to match all configured fields in the policy, otherwise the notification rule will not trigger.
+
+### Expression policy for events
 
 To match events with an "Expression Policy", you can write code like so:
 
@@ -23,17 +42,25 @@ if "event" not in request.context:
 return ip_address(request.context["event"].client_ip) in ip_network('192.0.2.0/24')
 ```
 
-## Selecting who gets notified
+## 3. Create a notification rule and bind it to the policy
 
-After you've created the policies to match the events you want, create a "Notification Rule".
+After you've created the policies to match the events you want, create a notification rule.
 
-You have to select which group the generated notification should be sent to. If left empty, the rule will be disabled.
+1. Log in as an administrator, open the authentik Admin interface, and navigate to **Event > Notification Rules**.
+
+2. Click **Create** to add a new notification rule or click the **Edit** icon next to an existing rule to modify it.
+
+3. Define the policy configurations, and then click **Create** or **Update** to save the settings.
+
+- Note that policies are executed regardless of whether a group is selected. However, notifications are only triggered when a group is selected.
+- You also have to select which [notification transport](./transports.md) should be used to send the notification. Two notification transports are created by default:
+    - `default-email-transport`: Delivers notifications via email using the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended).
+    - `default-local-transport`: Delivers notifications within the authentik UI.
+
+4. In the list of notification rules, click the arrow in the row of the notification rule to expand the details of the rule.
+
+5. Click **Bind existing Policy/Group/User** and in the **Create Binding** modal, select the policy that you created for this notification rule and then click **Create** to finalize the binding.
 
 :::info
-Before authentik 2023.5, when no group is selected, policies bound to the rule are not executed. Starting with authentik 2023.5, policies are executed even when no group is selected.
+Be aware that policies are executed even when no group is selected.
 :::
-
-You also have to select which transports should be used to send the notification.
-A transport with the name "default-email-transport" is created by default. This transport will use the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended).
-
-Starting with authentik 2022.6, a new default transport will be created. This is because notifications are no longer created by default, they are now a transport method instead. This allows for better customization of the notification before it is created.

website/docs/sys-mgmt/events/transports.md

@@ -1,10 +1,30 @@
 ---
-title: Transports
+title: Transport rules
+sidebar_label: Transport rules
 ---
 
-Notifications can be sent to users via multiple mediums. By default, the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) will be used.
+To receive notifications about events you must first [create a notification transport](#create-a-notification-transport), and then define a notification rule with a bound policy. For more information, see the [Workflow overview](./notifications.md#workflow-overview).
 
-## Generic Webhook
+## Notification transport modes
+
+Notifications can be sent to users via multiple mediums, or _transports_:
+
+- Local (in the authentik user interface)
+- Email
+- Webhook (generic)
+- Webhook (Slack/Discord)
+
+### Local
+
+This notification transport will manifest the notification within the authentik user interface (UI).
+
+### Email
+
+Select this transport to send event notifications to an email address. Note that by default the [global email configuration](../../install-config/install/docker-compose.mdx#email-configuration-optional-but-recommended) is used.
+
+To edit an email address, follow the same instructions as above for configuring the global email during the installation process.
+
+### Webhook (generic)
 
 This will send a POST request to the given URL with the following contents:
 
@@ -23,7 +43,7 @@ This will send a POST request to the given URL with the following contents:
 
 The `Content-Type` header is set to `text/json`.
 
-Starting in 2021.9, you can also select a Notification mapping. This allows you to freely configure the request's payload. For example:
+You can also select a Notification mapping. This allows you to freely configure the request's payload. For example:
 
 ```python
 return {
@@ -31,6 +51,14 @@ return {
 }
 ```
 
-## Slack Webhook
+### Webhook (Slack or Discord)
 
 This sends a request using the Slack-specific format. This is also compatible with Discord's webhooks by appending `/slack` to the Discord webhook URL.
+
+## Create a notification transport
+
+1. Log in as an administrator to the authentik Admin interface, and then navigate to **Event > Notification Transports**.
+
+2. Click **Create** to add a new transport or click the **Edit** icon next to an existing notification transport to modify it.
+
+3. Define the **Name** and **Mode** for the notification transport, enter required configuration settings, and then click **Create**.

website/integrations/services/kanboard/index.md

@@ -29,6 +29,7 @@ To support the integration of Kanboard with authentik, you need to create an app
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+
     - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
     - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.

website/integrations/services/papra/index.mdx

@@ -1,60 +0,0 @@
----
-title: Integrate with Papra
-sidebar_label: Papra
-support_level: community
----
-
-## What is Papra
-
-> An open-source document management platform designed to help you organize, secure, and archive your files effortlessly.
->
-> -- https://papra.app/
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `authentik.company` is the FQDN of the authentik installation.
-- `papra.company` is the FQDN of the Papra installation.
-
-:::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
-:::
-
-## authentik configuration
-
-To support the integration of Papra with authentik, you need to create an application/provider pair in authentik.
-
-### Create an application and provider in authentik
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-        - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://papra.company/api/auth/oauth2/callback/authentik`.
-        - Select any available signing key.
-    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-
-3. Click **Submit** to save the new application and provider.
-
-## Papra configuration
-
-To support the integration of Papra with authentik, you'll need to add the following environment variable to your Papra deployment:
-
-```yaml
-AUTH_PROVIDERS_CUSTOMS=[{"providerId": "authentik","providerName": "authentik","providerIconUrl": "https://authentik.company/static/dist/assets/icons/icon.png","clientId": "<client_id>","clientSecret": "<client_secret>","type": "oidc","discoveryUrl": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration","scopes": ["openid", "profile", "email"]}]
-```
-
-:::note
-The JSON needs to be inline (single line) because various `.env` parsers, such as the one used by Docker Compose, do not support multiline environment variables.
-:::
-
-## Configuration verification
-
-To verify the integration with Papra, log out and attempt to log back in using the **Log in with authentik** button. You should be redirected to the authenik login page. Once authenticated, you should be redirected to the Papra dashboard.
-
-## Resources
-
-- [Papra Docs - Setup Custom OAuth2 Providers](https://docs.papra.app/guides/setup-custom-oauth2-providers/)

website/integrations/services/planka/index.mdx

@@ -1,74 +0,0 @@
----
-title: Integrate with Planka
-sidebar_label: Planka
-support_level: community
----
-
-## What is Planka
-
-> Planka is an open-source, Trello-like application with a Kanban board system, used for project management.
->
-> -- https://planka.app/
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `authentik.company` is the FQDN of the authentik installation.
-- `planka.company` is the FQDN of the Planka installation.
-
-:::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
-:::
-
-## authentik configuration
-
-To support the integration of Planka with authentik, you need to create an application/provider pair in authentik.
-
-### Create an application and provider in authentik
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://planka.company/oidc-callback`.
-        - Select any available signing key.
-    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-
-3. Click **Submit** to save the new application and provider.
-
-### Create a group in authentik _(optional)_
-
-To provision users in Planka with administrative permissions, you will need to create a group in authentik.
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Directory** > **Groups** and click **Create**.
-3. Set a name for the group (e.g. `Planka Admins`) and click **Create**.
-4. Click the name of the newly created group, and then switch to the **Users** tab.
-5. Click **Add existing user**, select the user who requires Planka administrator access, and click **Add**.
-
-## Planka configuration
-
-Add the following required environment variables to your Planka deployment:
-
-```yaml
-OIDC_ISSUER=https://authentik.company/application/o/<application_slug>/
-OIDC_CLIENT_ID=<client if from authentik>
-OIDC_CLIENT_SECRET=<client secret from authentik>
-
-#Optionally, if you want to provision users with administrator access, include the following environment variable:
-OIDC_ADMIN_ROLES=<authentik group name>
-
-#Optionally, if you want to enforce the use of SSO and disable local authentication, include the following environment variable:
-OIDC_ENFORCED=true
-```
-
-## Configuration verification
-
-To verify the integration with Planka, log out and attempt to log back in using the **Log in with SSO** button. You should be redirected to authentik. Once authenticated, you should then be redirected to the Planka dashboard.
-
-## Resources
-
-- [Planka Docs - OIDC (OpenID Connect)](https://docs.planka.cloud/docs/configuration/oidc)

website/sidebars/docs.mjs

@@ -594,7 +594,12 @@ const items = [
                     type: "doc",
                     id: "sys-mgmt/events/index",
                 },
-                items: ["sys-mgmt/events/notifications", "sys-mgmt/events/transports"],
+                items: [
+                    "sys-mgmt/events/notifications",
+                    "sys-mgmt/events/transports",
+                    "sys-mgmt/events/logging-events",
+                    "sys-mgmt/events/event-actions",
+                ],
             },
             "sys-mgmt/certificates",
             "sys-mgmt/settings",

website/sidebars/integrations.mjs

@@ -25,7 +25,6 @@ const items = [
             "services/onlyoffice/index",
             "services/openproject/index",
             "services/owncloud/index",
-            "services/planka/index",
             "services/rocketchat/index",
             "services/roundcube/index",
             "services/sharepoint-se/index",
@@ -89,7 +88,6 @@ const items = [
             "services/outline/index",
             "services/paperless-ng/index",
             "services/paperless-ngx/index",
-            "services/papra/index",
             "services/snipe-it/index",
             "services/tandoor/index",
             "services/wiki-js/index",