lifecycle: fix arguments not being passed to worker command (cherry-pick #14574 ) (#14621 )

lifecycle: fix arguments not being passed to worker command (#14574) Co-authored-by: Jens L. <jens@goauthentik.io>
core: Bump django to 5.0.14, backport 2025.2 (#13997 )
2026-05-06 15:12:13 +02:00 · 2025-05-22 17:20:12 +02:00 · 2025-04-11 13:55:36 +02:00 · 2025-04-08 14:58:56 -03:00 · 2025-04-08 19:30:16 +02:00 · 2025-04-08 19:18:56 +02:00
2199 changed files with 71903 additions and 174718 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.4
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -17,12 +17,8 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

-[bumpversion:file:uv.lock]
-
 [bumpversion:file:package.json]

-[bumpversion:file:package-lock.json]
-
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
@@ -33,4 +29,6 @@ optional_value = final

 [bumpversion:file:internal/constants/constants.go]

+[bumpversion:file:web/src/common/constants.ts]
+
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,10 +5,8 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
-**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
-.venv
--- a/.editorconfig
+++ b/.editorconfig
@@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true

-[*.toml]
-indent_size = 2
-
 [*.html]
 indent_size = 2

--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -44,6 +44,7 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
+                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -9,22 +9,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
      shell: bash
      run: |
+        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      uses: astral-sh/setup-uv@v5
-      with:
-        enable-cache: true
-    - name: Setup python
+    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
    - name: Setup node
      uses: actions/setup-node@v4
      with:
@@ -35,18 +30,15 @@ runs:
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
-    - name: Setup docker cache
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry install --sync
        cd web && npm ci
    - name: Generate config
-      shell: uv run python {0}
+      shell: poetry run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@@ -11,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
    ports:
      - 6379:6379
    restart: always
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@@ -1,32 +1,7 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed
+assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,13 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/packages/sfe"
-      - "/web/packages/core"
-      - "/packages/esbuild-plugin-live-reload"
-      - "/packages/prettier-config"
-      - "/packages/tsconfig"
-      - "/packages/docusaurus-config"
-      - "/packages/eslint-config"
+      - "/web/sfe"
    schedule:
      interval: daily
      time: "04:00"
@@ -74,9 +68,6 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@@ -91,22 +82,6 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
-      eslint:
-        patterns:
-          - "@eslint/*"
-          - "@typescript-eslint/*"
-          - "eslint-*"
-          - "eslint"
-          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
@@ -117,7 +92,7 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
@@ -137,15 +112,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -31,4 +31,4 @@ If changes to the frontend have been made
 If applicable

 -   [ ] The documentation has been updated
-   [ ] The documentation has been formatted (`make docs`)
+-   [ ] The documentation has been formatted (`make website`)
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@@ -38,11 +38,9 @@ jobs:
      # Needed for attestation
      id-token: write
      attestations: write
-      # Needed for checkout
-      contents: read
    steps:
      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: docker/setup-qemu-action@v3.4.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@@ -30,6 +30,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
+          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -27,8 +27,8 @@ jobs:
      - name: Publish package
        working-directory: gen-ts-api/
        run: |
-          npm i
-          npm publish --tag generated
+          npm ci
+          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
@@ -53,7 +53,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -1,94 +0,0 @@
-name: authentik-ci-api-docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install Dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ${{ github.workspace }}/website/api/.docusaurus
-            ${{ github.workspace }}/website/api/**/.cache
-          key: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
-          restore-keys: |
-            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}
-      - name: Build API Docs via Docusaurus
-        working-directory: website
-        env:
-          NODE_ENV: production
-        run: npm run build -w api
-      - uses: actions/upload-artifact@v4
-        with:
-          name: api-docs
-          path: website/api/build
-          retention-days: 7
-  deploy:
-    runs-on: ubuntu-latest
-    needs:
-      - lint
-      - build
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
-        with:
-          name: api-docs
-          path: website/api/build
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - name: Deploy Netlify (Production)
-        working-directory: website/api
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: npx netlify deploy --no-build --prod
-      - name: Deploy Netlify (Preview)
-        if: github.event_name == 'pull_request' || github.ref != 'refs/heads/main'
-        working-directory: website/api
-        env:
-          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
-          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: |
-          if [ -n "${VAR}" ]; then
-            npx netlify deploy --no-build --alias=deploy-preview-${{ github.event.number }}
-          fi
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -33,7 +33,7 @@ jobs:
          npm ci
      - name: Check changes have been applied
        run: |
-          uv run make aws-cfn
+          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -1,123 +0,0 @@
-name: authentik-ci-docs
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - prettier-check
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install dependencies
-        working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
-  build-docs:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Documentation via Docusaurus
-        working-directory: website/
-        run: npm run build
-  build-integrations:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
-      - name: Build Integrations via Docusaurus
-        working-directory: website/
-        run: npm run build -w integrations
-  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-docs
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          platforms: linux/amd64,linux/arm64
-          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
-  ci-website-mark:
-    if: always()
-    needs:
-      - lint
-      - build-docs
-      - build-integrations
-      - build-container
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -9,15 +9,14 @@ on:

 jobs:
  test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        version:
          - docs
-          - version-2025-4
-          - version-2025-2
+          - version-2024-12
+          - version-2024-10
    steps:
      - uses: actions/checkout@v4
      - run: |
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -34,7 +34,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@@ -42,7 +42,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
@@ -62,7 +62,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
-          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@@ -70,6 +69,8 @@ jobs:
          fetch-depth: 0
      - name: checkout stable
        run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
@@ -82,7 +83,7 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@@ -90,13 +91,15 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
@@ -105,7 +108,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
  test-unittest:
    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
@@ -117,7 +120,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
-          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@@ -131,7 +133,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@@ -154,8 +156,8 @@ jobs:
        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@@ -202,7 +204,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@@ -210,11 +212,10 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
-          npm run build:sfe
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@@ -247,13 +248,11 @@ jobs:
      # Needed for attestation
      id-token: write
      attestations: write
-      # Needed for checkout
-      contents: read
    needs: ci-core-mark
    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+      image_name: ghcr.io/goauthentik/dev-server
      release: false
  pr-comment:
    needs:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
@@ -59,7 +59,6 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@@ -83,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@@ -0,0 +1,74 @@
+name: authentik-ci-website
+
+on:
+  push:
+    branches:
+      - main
+      - next
+      - version-*
+  pull_request:
+    branches:
+      - main
+      - version-*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        command:
+          - lint:lockfile
+          - prettier-check
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: npm ci
+      - name: Lint
+        working-directory: website/
+        run: npm run ${{ matrix.command }}
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: test
+        working-directory: website/
+        run: npm test
+  build:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: build
+        working-directory: website/
+        run: npm run ${{ matrix.job }}
+  ci-website-mark:
+    if: always()
+    needs:
+      - lint
+      - test
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,7 +2,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -2,7 +2,7 @@ name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'

 env:
  POSTGRES_DB: authentik
@@ -24,7 +24,7 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
@@ -37,7 +37,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@@ -53,7 +53,6 @@ jobs:
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
-          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -1,47 +0,0 @@
-name: authentik-packages-npm-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
-      - packages/esbuild-plugin-live-reload/**
-  workflow_dispatch:
-jobs:
-  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package:
-          - packages/docusaurus-config
-          - packages/eslint-config
-          - packages/prettier-config
-          - packages/tsconfig
-          - packages/esbuild-plugin-live-reload
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
-        with:
-          files: |
-            ${{ matrix.package }}/package.json
-      - name: Publish package
-        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: ${{ matrix.package }}
-        run: |
-          npm ci
-          npm run build
-          npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@@ -21,8 +21,8 @@ jobs:
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -20,49 +20,6 @@ jobs:
      release: true
      registry_dockerhub: true
      registry_ghcr: true
-  build-docs:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/docs
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: true
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
@@ -85,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@@ -229,13 +186,13 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror-cleanup"
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@@ -11,10 +11,11 @@ jobs:
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        uses: pixta-dev/repository-mirroring-action@v1
        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
+          target_repo_url:
+            git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key:
+            ${{ secrets.GH_MIRROR_KEY }}
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,27 +0,0 @@
-name: authentik-semgrep
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -1,13 +1,9 @@
 ---
-name: authentik-translate-extract-compile
+name: authentik-backend-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - version-*

 env:
  POSTGRES_DB: authentik
@@ -16,34 +12,26 @@ env:

 jobs:
  compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
-        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v4
-        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
-        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
@@ -53,6 +41,3 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
-          labels: dependencies
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -15,7 +15,6 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
-      - uses: actions/checkout@v4
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
@@ -26,13 +25,23 @@ jobs:
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
+            -X PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
+            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.gitignore
+++ b/.gitignore
@@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media

-# Node
-
-node_modules
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
-out/
 sdist/
 var/
 wheels/
@@ -100,6 +95,9 @@ ipython_config.py
 # pyenv
 .python-version

+# celery beat schedule file
+celerybeat-schedule
+
 # SageMath parsed files
 *.sage.py

@@ -163,6 +161,8 @@ dmypy.json

 # pyenv

+# celery beat schedule file
+
 # SageMath parsed files

 # Environments
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,48 +0,0 @@
-# Prettier Ignorefile
-
-## Static Files
-**/LICENSE
-
-authentik/stages/**/*
-
-## Build asset directories
-coverage
-dist
-out
-.docusaurus
-# TODO Replace after moving website to docs
-website/api/reference
-
-## Environment
-*.env
-
-## Secrets
-*.secrets
-
-## Yarn
-.yarn/**/*
-
-## Node
-node_modules
-coverage
-
-## Configs
-*.log
-*.yaml
-*.yml
-
-# Templates
-# TODO: Rename affected files to *.template.* or similar.
-*.html
-*.mdx
-*.md
-
-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
-# Storybook
-storybook-static/
-.storybook/css-import-maps*
-
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,26 @@
 {
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "entra",
+        "goauthentik",
+        "jwe",
+        "jwks",
+        "kubernetes",
+        "oidc",
+        "openid",
+        "passwordless",
+        "plex",
+        "saml",
+        "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
+    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
@@ -6,22 +28,17 @@
        "!Context scalar",
        "!Enumerate sequence",
        "!Env scalar",
-        "!Env sequence",
-        "!File scalar",
-        "!File sequence",
        "!Find sequence",
-        "!FindObject sequence",
        "!Format sequence",
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
        "!Value scalar",
-        "!AtIndex scalar",
-        "!ParseJSON scalar"
+        "!AtIndex scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -34,9 +51,7 @@
            "ignoreCase": false
        }
    ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
    "github-actions.workflows.pinned.workflows": [
        ".github/workflows/ci-main.yml"
    ]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -3,7 +3,7 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
@@ -12,7 +12,7 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
@@ -43,15 +43,15 @@
            "group": "build"
        },
        {
-            "label": "authentik/docs: make",
+            "label": "authentik/website: make",
            "command": "make",
-            "args": ["docs"],
+            "args": ["website"],
            "group": "build"
        },
        {
-            "label": "authentik/docs: watch",
+            "label": "authentik/website: watch",
            "command": "make",
-            "args": ["docs-watch"],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@@ -60,7 +60,7 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "gen"],
            "group": "build"
        }
--- a/72
+++ b/72
@@ -1,49 +1,37 @@
 # Fallback
-*                                       @goauthentik/backend @goauthentik/frontend
+*                               @goauthentik/backend @goauthentik/frontend
 # Backend
-authentik/                              @goauthentik/backend
-blueprints/                             @goauthentik/backend
-cmd/                                    @goauthentik/backend
-internal/                               @goauthentik/backend
-lifecycle/                              @goauthentik/backend
-schemas/                                @goauthentik/backend
-scripts/                                @goauthentik/backend
-tests/                                  @goauthentik/backend
-pyproject.toml                          @goauthentik/backend
-uv.lock                                 @goauthentik/backend
-go.mod                                  @goauthentik/backend
-go.sum                                  @goauthentik/backend
+authentik/                      @goauthentik/backend
+blueprints/                     @goauthentik/backend
+cmd/                            @goauthentik/backend
+internal/                       @goauthentik/backend
+lifecycle/                      @goauthentik/backend
+schemas/                        @goauthentik/backend
+scripts/                        @goauthentik/backend
+tests/                          @goauthentik/backend
+pyproject.toml                  @goauthentik/backend
+poetry.lock                     @goauthentik/backend
+go.mod                          @goauthentik/backend
+go.sum                          @goauthentik/backend
 # Infrastructure
-.github/                                @goauthentik/infrastructure
-lifecycle/aws/                          @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
-.dockerignore                           @goauthentik/infrastructure
-docker-compose.yml                      @goauthentik/infrastructure
-Makefile                                @goauthentik/infrastructure
-.editorconfig                           @goauthentik/infrastructure
-CODEOWNERS                              @goauthentik/infrastructure
-# Backend packages
-packages/django-dramatiq-postgres       @goauthentik/backend
-# Web packages
-packages/docusaurus-config              @goauthentik/frontend
-packages/esbuild-plugin-live-reload     @goauthentik/frontend
-packages/eslint-config                  @goauthentik/frontend
-packages/prettier-config                @goauthentik/frontend
-packages/tsconfig                       @goauthentik/frontend
+.github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
+Dockerfile                      @goauthentik/infrastructure
+*Dockerfile                     @goauthentik/infrastructure
+.dockerignore                   @goauthentik/infrastructure
+docker-compose.yml              @goauthentik/infrastructure
+Makefile                        @goauthentik/infrastructure
+.editorconfig                   @goauthentik/infrastructure
+CODEOWNERS                      @goauthentik/infrastructure
 # Web
-web/                                    @goauthentik/frontend
-tests/wdio/                             @goauthentik/frontend
+web/                            @goauthentik/frontend
+tests/wdio/                     @goauthentik/frontend
 # Locale
-locale/                                 @goauthentik/backend @goauthentik/frontend
-web/xliff/                              @goauthentik/backend @goauthentik/frontend
+locale/                         @goauthentik/backend @goauthentik/frontend
+web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
-docs/                                   @goauthentik/docs
-# TODO Remove after moving website to docs
-website/                                @goauthentik/docs
-CODE_OF_CONDUCT.md                      @goauthentik/docs
+website/                        @goauthentik/docs
+CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                             @goauthentik/security @goauthentik/docs
-# TODO Remove after moving website to docs
-website/security/                       @goauthentik/security @goauthentik/docs
-docs/security/                          @goauthentik/security @goauthentik/docs
+SECURITY.md                     @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security @goauthentik/docs
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/140
+++ b/140
@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
+
+COPY ./website /work/website/
+COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
+COPY ./SECURITY.md /work/
+
+RUN npm run build-bundled
+
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,20 +32,18 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
-    npm ci
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev

 COPY ./package.json /work
 COPY ./web /work/web/
-# TODO: Update this after moving website to docs
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build && \
-    npm run build:sfe
+RUN npm run build

-# Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+# Stage 3: Build go proxy
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@@ -50,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -59,76 +76,70 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

-# Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+# Stage 4: MaxMind GeoIP
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"

 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.3 AS uv
-# Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
-
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 6: Python dependencies
-FROM python-base AS python-deps
+# Stage 5: Python dependencies
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT

-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry

-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"

-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
-
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=bind,target=packages,src=packages \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
-
-# Stage 7: Run
-FROM python-base AS final-image
+# Stage 6: Run
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -160,7 +171,7 @@ RUN apt-get update && \

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@@ -169,10 +180,10 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY ./packages/ /ak-root/packages
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=python-deps /ak-root/venv /ak-root/venv
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip

 USER 1000
@@ -180,6 +191,9 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/191
+++ b/191
@@ -1,21 +1,37 @@
-.PHONY: gen dev-reset all clean test web docs
+.PHONY: gen dev-reset all clean test web website

-SHELL := /usr/bin/env bash
-.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
-PY_SOURCES = authentik packages tests scripts lifecycle .github
+NPM_VERSION = $(shell python -m scripts.npm_version)
+PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"

-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
+GEN_API_TS = "gen-ts-api"
+GEN_API_PY = "gen-py-api"
+GEN_API_GO = "gen-go-api"

-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
+		website/src \
+		website/blog \
+		website/docs \
+		website/integrations \
+		website/src

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@@ -33,40 +49,34 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	codespell -w $(CODESPELL_ARGS)

 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v

 core-install:
-	uv sync --frozen
+	poetry install

 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn

-run-server:  ## Run the main authentik server process
-	uv run ak server
-
-run-worker:  ## Run the main authentik worker process
-	uv run ak worker
-
 core-i18n-extract:
-	uv run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -76,7 +86,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`

 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -89,10 +99,6 @@ dev-create-db:

 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

-update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
-
 #########################
 ## API Schema
 #########################
@@ -101,11 +107,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -124,20 +130,15 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	sed -i 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

-gen-clean-ts:  ## Remove generated API client for TypeScript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+gen-clean-ts:  ## Remove generated API client for Typescript
+	rm -rf ./${GEN_API_TS}/
+	rm -rf ./web/node_modules/@goauthentik/api/

 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
+	rm -rf ./${GEN_API_GO}/

 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/

 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients

@@ -153,15 +154,15 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm i
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@@ -169,40 +170,42 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
+	pip install ./${GEN_API_PY}

 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+	cp schema.yml ./${GEN_API_GO}/
+	docker run \
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/ \
+		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	python -m scripts.generate_config

 gen: gen-build gen-client-ts

-#########################
-## Node.js
-#########################
-
-node-install:  ## Install the necessary libraries to build Node.js packages
-	npm ci
-	npm ci --prefix web
-
 #########################
 ## Web
 #########################

-web-build: node-install  ## Build the Authentik UI
+web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build

 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it

+web-install:  ## Install the necessary libraries to build the Authentik UI
+	cd web && npm ci
+
 web-test: ## Run tests for the Authentik UI
 	cd web && npm run test

@@ -229,40 +232,22 @@ web-i18n-extract:
 	cd web && npm run extract-locales

 #########################
-## Docs
+## Website
 #########################

-docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
+website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it

-docs-install:
-	npm ci --prefix website
+website-install:
+	cd website && npm ci

-docs-lint-fix: lint-codespell
-	npm run prettier --prefix website
+website-lint-fix: lint-codespell
+	cd website && npm run prettier

-docs-build:
-	npm run build --prefix website
+website-build:
+	cd website && npm run build

-docs-watch:  ## Build and watch the topics documentation
-	npm run start --prefix website
-
-integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
-
-integrations-build:
-	npm run build --prefix website -w integrations
-
-integrations-watch:  ## Build and watch the Integrations documentation
-	npm run start --prefix website -w integrations
-
-docs-api-build:
-	npm run build --prefix website -w api
-
-docs-api-watch:  ## Build and watch the API documentation
-	npm run build:api --prefix website -w api
-	npm run start --prefix website -w api
-
-docs-api-clean: ## Clean generated API documentation
-	npm run build:api:clean --prefix website -w api
+website-watch:  ## Build and watch the documentation website, updating automatically
+	cd website && npm run watch

 #########################
 ## Docker
@@ -273,7 +258,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

 test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
+	BUILD=true ./scripts/test_docker.sh

 #########################
 ## CI
@@ -286,21 +271,21 @@ ci--meta-debug:
 	node --version

 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	codespell $(CODESPELL_ARGS) -s

 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	ak makemigrations --check

 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
-	uv run coverage xml
+	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	coverage report
+	coverage xml
--- a/README.md
+++ b/README.md
@@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)

 ## Adoption and Contributions

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di

 ## Independent audits and pentests

-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).

 ## What authentik classifies as a CVE

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |
+| 2024.12.x | ✅        |
+| 2025.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.6.4"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@@ -0,0 +1,79 @@
+"""authentik administration metrics"""
+
+from datetime import timedelta
+
+from django.db.models.functions import ExtractHour
+from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import EventAction
+
+
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
+    """Login Metrics per 1h"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get successful authorizations per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
+class AdministrationMetricsViewSet(APIView):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAuthenticated]
+
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
+        return Response(serializer.data)
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@@ -1,7 +1,6 @@
 """authentik administration overview"""

 from django.core.cache import cache
-from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -14,7 +13,6 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_current_tenant


 class VersionSerializer(PassiveSerializer):
@@ -37,11 +35,9 @@ class VersionSerializer(PassiveSerializer):

    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
-            return __version__
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
-            update_latest_version.send()
+            update_latest_version.delay()
            return __version__
        return version_in_cache

--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@@ -0,0 +1,57 @@
+"""authentik administration overview"""
+
+from socket import gethostname
+
+from django.conf import settings
+from drf_spectacular.utils import extend_schema, inline_serializer
+from packaging.version import parse
+from rest_framework.fields import BooleanField, CharField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik import get_full_version
+from authentik.rbac.permissions import HasPermission
+from authentik.root.celery import CELERY_APP
+
+
+class WorkerView(APIView):
+    """Get currently connected worker count."""
+
+    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
+
+    @extend_schema(
+        responses=inline_serializer(
+            "Worker",
+            fields={
+                "worker_id": CharField(),
+                "version": CharField(),
+                "version_matching": BooleanField(),
+            },
+            many=True,
+        )
+    )
+    def get(self, request: Request) -> Response:
+        """Get currently connected worker count."""
+        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+        our_version = parse(get_full_version())
+        response = []
+        for worker in raw:
+            key = list(worker.keys())[0]
+            version = worker[key].get("version")
+            version_matching = False
+            if version:
+                version_matching = parse(version) == our_version
+            response.append(
+                {"worker_id": key, "version": version, "version_matching": version_matching}
+            )
+        # In debug we run with `task_always_eager`, so tasks are ran on the main process
+        if settings.DEBUG:  # pragma: no cover
+            response.append(
+                {
+                    "worker_id": f"authentik-debug@{gethostname()}",
+                    "version": get_full_version(),
+                    "version_matching": True,
+                }
+            )
+        return Response(response)
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@@ -3,9 +3,6 @@
 from prometheus_client import Info

 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.lib.config import CONFIG
-from authentik.lib.utils.time import fqdn_rand
-from authentik.tasks.schedules.common import ScheduleSpec

 PROM_INFO = Info("authentik_version", "Currently running authentik version")

@@ -17,31 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
-
-    @ManagedAppConfig.reconcile_global
-    def clear_update_notifications(self):
-        """Clear update notifications on startup if the notification was for the version
-        we're running now."""
-        from packaging.version import parse
-
-        from authentik.admin.tasks import LOCAL_VERSION
-        from authentik.events.models import EventAction, Notification
-
-        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-            if "new_version" not in notification.event.context:
-                continue
-            notification_version = notification.event.context["new_version"]
-            if LOCAL_VERSION >= parse(notification_version):
-                notification.delete()
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.admin.tasks import update_latest_version
-
-        return [
-            ScheduleSpec(
-                actor=update_latest_version,
-                crontab=f"{fqdn_rand('admin_latest_version')} * * * *",
-                paused=CONFIG.get_bool("disable_update_check"),
-            ),
-        ]
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@@ -0,0 +1,13 @@
+"""authentik admin settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "admin_latest_version": {
+        "task": "authentik.admin.tasks.update_latest_version",
+        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    }
+}
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@@ -0,0 +1,35 @@
+"""admin signals"""
+
+from django.dispatch import receiver
+from packaging.version import parse
+from prometheus_client import Gauge
+
+from authentik import get_full_version
+from authentik.root.celery import CELERY_APP
+from authentik.root.monitoring import monitoring_set
+
+GAUGE_WORKERS = Gauge(
+    "authentik_admin_workers",
+    "Currently connected workers, their versions and if they are the same version as authentik",
+    ["version", "version_matched"],
+)
+
+
+_version = parse(get_full_version())
+
+
+@receiver(monitoring_set)
+def monitoring_set_workers(sender, **kwargs):
+    """Set worker gauge"""
+    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+    worker_version_count = {}
+    for worker in raw:
+        key = list(worker.keys())[0]
+        version = worker[key].get("version")
+        version_matching = False
+        if version:
+            version_matching = parse(version) == _version
+        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
+        worker_version_count[version]["count"] += 1
+    for version, stats in worker_version_count.items():
+        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@@ -1,19 +1,19 @@
 """authentik admin tasks"""

 from django.core.cache import cache
+from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
-from dramatiq import actor
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger

 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
+from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.models import Task
+from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
@@ -33,12 +33,27 @@ def _set_prom_info():
    )


-@actor(description=_("Update latest version info."))
-def update_latest_version():
-    self: Task = CurrentTask.get_task()
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def clear_update_notifications():
+    """Clear update notifications on startup if the notification was for the version
+    we're running now."""
+    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+        if "new_version" not in notification.event.context:
+            continue
+        notification_version = notification.event.context["new_version"]
+        if LOCAL_VERSION >= parse(notification_version):
+            notification.delete()
+
+
+@CELERY_APP.task(bind=True, base=SystemTask)
+@prefill_task
+def update_latest_version(self: SystemTask):
+    """Update latest version info"""
    if CONFIG.get_bool("disable_update_check"):
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.info("Version check disabled.")
+        self.set_status(TaskStatus.WARNING, "Version check disabled.")
        return
    try:
        response = get_http_session().get(
@@ -48,7 +63,7 @@ def update_latest_version():
        data = response.json()
        upstream_version = data.get("stable", {}).get("version")
        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
-        self.info("Successfully updated latest Version")
+        self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated latest Version")
        _set_prom_info()
        # Check if upstream version is newer than what we're running,
        # and if no event exists yet, create one.
@@ -71,7 +86,7 @@ def update_latest_version():
            ).save()
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        raise exc
+        self.set_error(exc)


 _set_prom_info()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@@ -29,6 +29,18 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(body["version_current"], __version__)

+    def test_workers(self):
+        """Test Workers API"""
+        response = self.client.get(reverse("authentik_api:admin_workers"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(len(body), 0)
+
+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
+        self.assertEqual(response.status_code, 200)
+
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@@ -1,12 +1,12 @@
 """test admin tasks"""

-from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker

 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
+    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -30,7 +30,7 @@ class TestAdminTasks(TestCase):
        """Test Update checker with valid response"""
        with Mocker() as mocker, CONFIG.patch("disable_update_check", False):
            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
            self.assertTrue(
                Event.objects.filter(
@@ -40,7 +40,7 @@ class TestAdminTasks(TestCase):
                ).exists()
            )
            # test that a consecutive check doesn't create a duplicate event
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(
                len(
                    Event.objects.filter(
@@ -56,7 +56,7 @@ class TestAdminTasks(TestCase):
        """Test Update checker with invalid response"""
        with Mocker() as mocker:
            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
            self.assertFalse(
                Event.objects.filter(
@@ -67,19 +67,17 @@ class TestAdminTasks(TestCase):
    def test_version_disabled(self):
        """Test Update checker while its disabled"""
        with CONFIG.patch("disable_update_check", True):
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")

    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
-        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
-            action=EventAction.UPDATE_AVAILABLE,
-            context={"new_version": "99999999.9999999.9999999"},
+            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@@ -3,14 +3,22 @@
 from django.urls import path

 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
+from authentik.admin.api.workers import WorkerView

 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
+    path(
+        "admin/metrics/",
+        AdministrationMetricsViewSet.as_view(),
+        name="admin_metrics",
+    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
+    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@@ -1,13 +1,12 @@
 """authentik API AppConfig"""

-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig


-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
    """authentik API Config"""

    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
-    default = True
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -1,12 +1,9 @@
 """API Authentication"""

 from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
 from typing import Any

 from django.conf import settings
-from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger

 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()
-_tmp = Path(gettempdir())
-try:
-    with open(_tmp / "authentik-core-ipc.key") as _f:
-        ipc_key = _f.read()
-except OSError:
-    ipc_key = None


 def validate_auth(header: bytes) -> str | None:
@@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_ipc(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("ipc")
-        return user
    raise AuthenticationFailed("Token invalid/expired")


@@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user


-class IPCUser(AnonymousUser):
-    """'Virtual' user for IPC communication between authentik core and the authentik router"""
-
-    username = "authentik:system"
-    is_active = True
-    is_superuser = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    def has_perm(self, perm, obj=None):
-        return True
-
-    def has_perms(self, perm_list, obj=None):
-        return True
-
-    def has_module_perms(self, module):
-        return True
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-
-def token_ipc(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    if not ipc_key or not compare_digest(value, ipc_key):
-        return None
-    return IPCUser()
-
-
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""

--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component


-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.models import BlueprintInstance
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required


@@ -39,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -115,7 +115,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        return Response(files)

    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -129,5 +129,5 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    def apply(self, request: Request, *args, **kwargs) -> Response:
        """Apply a blueprint"""
        blueprint = self.get_object()
-        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
+        apply_blueprint.delay(str(blueprint.pk)).get()
        return self.retrieve(request, *args, **kwargs)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@@ -6,12 +6,9 @@ from inspect import ismethod

 from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
-from dramatiq.broker import get_broker
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.lib.utils.time import fqdn_rand
 from authentik.root.signals import startup
-from authentik.tasks.schedules.common import ScheduleSpec


 class ManagedAppConfig(AppConfig):
@@ -37,7 +34,7 @@ class ManagedAppConfig(AppConfig):

    def import_related(self):
        """Automatically import related modules which rely on just being imported
-        to register themselves (mainly django signals and tasks)"""
+        to register themselves (mainly django signals and celery tasks)"""

        def import_relative(rel_module: str):
            try:
@@ -83,16 +80,6 @@ class ManagedAppConfig(AppConfig):
        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
        return func

-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in each tenant"""
-        return []
-
-    @property
-    def global_schedule_specs(self) -> list[ScheduleSpec]:
-        """Get a list of schedule specs that must exist in the default tenant"""
-        return []
-
    def _reconcile_tenant(self) -> None:
        """reconcile ourselves for tenanted methods"""
        from authentik.tenants.models import Tenant
@@ -113,12 +100,8 @@ class ManagedAppConfig(AppConfig):
        """
        from django_tenants.utils import get_public_schema_name, schema_context

-        try:
-            with schema_context(get_public_schema_name()):
-                self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
-        except (DatabaseError, ProgrammingError, InternalError) as exc:
-            self.logger.debug("Failed to access database to run reconcile", exc=exc)
-            return
+        with schema_context(get_public_schema_name()):
+            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)


 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -129,29 +112,19 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
    verbose_name = "authentik Blueprints"
    default = True

+    @ManagedAppConfig.reconcile_global
+    def load_blueprints_v1_tasks(self):
+        """Load v1 tasks"""
+        self.import_module("authentik.blueprints.v1.tasks")
+
+    @ManagedAppConfig.reconcile_tenant
+    def blueprints_discovery(self):
+        """Run blueprint discovery"""
+        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
+
+        blueprints_discovery.delay()
+        clear_failed_blueprints.delay()
+
    def import_models(self):
        super().import_models()
        self.import_module("authentik.blueprints.v1.meta.apply_blueprint")
-
-    @ManagedAppConfig.reconcile_global
-    def tasks_middlewares(self):
-        from authentik.blueprints.v1.tasks import BlueprintWatcherMiddleware
-
-        get_broker().add_middleware(BlueprintWatcherMiddleware())
-
-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
-
-        return [
-            ScheduleSpec(
-                actor=blueprints_discovery,
-                crontab=f"{fqdn_rand('blueprints_v1_discover')} * * * *",
-                send_on_startup=True,
-            ),
-            ScheduleSpec(
-                actor=clear_failed_blueprints,
-                crontab=f"{fqdn_rand('blueprints_v1_cleanup')} * * * *",
-                send_on_startup=True,
-            ),
-        ]
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -72,33 +72,20 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "anyOf": [
-                        {
-                            "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
-                        },
-                        {
-                            "type": "object",
-                            "additionalProperties": {
-                                "type": "array",
-                                "items": {"$ref": "#/$defs/blueprint_entry"},
-                            },
-                        },
-                    ],
+                    "type": "array",
+                    "items": {
+                        "oneOf": [],
+                    },
                },
            },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
        }

-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
    @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))

    @staticmethod
    def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )

@@ -147,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -218,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@@ -3,7 +3,6 @@
 from pathlib import Path
 from uuid import uuid4

-from django.contrib.contenttypes.fields import GenericRelation
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -72,13 +71,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
    enabled = models.BooleanField(default=True)
    managed_models = ArrayField(models.TextField(), default=list)

-    # Manual link to tasks instead of using TasksModel because of loop imports
-    tasks = GenericRelation(
-        "authentik_tasks.Task",
-        content_type_field="rel_obj_content_type",
-        object_id_field="rel_obj_id",
-    )
-
    class Meta:
        verbose_name = _("Blueprint Instance")
        verbose_name_plural = _("Blueprint Instances")
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@@ -0,0 +1,18 @@
+"""blueprint Settings"""
+
+from celery.schedules import crontab
+
+from authentik.lib.utils.time import fqdn_rand
+
+CELERY_BEAT_SCHEDULE = {
+    "blueprints_v1_discover": {
+        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+    "blueprints_v1_cleanup": {
+        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
+        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
+        "options": {"queue": "authentik_scheduled"},
+    },
+}
--- a/authentik/blueprints/tasks.py
+++ b/authentik/blueprints/tasks.py
@@ -1,2 +0,0 @@
-# Import all v1 tasks for auto task discovery
-from authentik.blueprints.v1.tasks import *  # noqa: F403
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
-      - identifiers:
-            name: "%(id)s"
-            slug: "%(id)s"
-        model: authentik_flows.flow
-        state: present
-        attrs:
-            designation: stage_configuration
-            title: foo
+    - identifiers:
+          name: "%(id)s"
+          slug: "%(id)s"
+      model: authentik_flows.flow
+      state: present
+      attrs:
+          designation: stage_configuration
+          title: foo
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@@ -12,8 +12,8 @@ context:
    context1: context-nested-value
    context2: !Context context1
 entries:
-    - model: !Format ["%%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%%s", present]
+    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
+      state: !Format ["%s", present]
      identifiers:
          slug: test
      attrs:
@@ -27,23 +27,19 @@ entries:
                  [slug, default-source-authentication],
              ]
          enrollment_flow:
-              !Find [!Format  ["%%s", authentik_flows.Flow], [slug, default-source-enrollment]]
+              !Find [!Format  ["%s", authentik_flows.Flow], [slug, default-source-enrollment]]
    - attrs:
          expression: return True
      identifiers:
-          name: !Format [foo-%%s-%%s-%%s, !Context foo, !Context bar, qux]
+          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
      id: policy
      model: authentik_policies_expression.expressionpolicy
    - attrs:
          attributes:
              env_null: !Env [bar-baz, null]
-              file_content: !File '%(file_name)s'
-              file_default: !File ['%(file_default_name)s', 'default']
-              file_non_existent: !File '/does-not-exist'
-              json_parse: !ParseJSON '{"foo": "bar"}'
              policy_pk1:
                  !Format [
-                      "%%s-%%s",
+                      "%s-%s",
                      !Find [
                          authentik_policies_expression.expressionpolicy,
                          [
@@ -54,29 +50,29 @@ entries:
                      ],
                      suffix,
                  ]
-              policy_pk2: !Format ["%%s-%%s", !KeyOf policy, suffix]
+              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
              boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
              boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
              boolOr:
                  !Condition [
                      OR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolNor:
                  !Condition [
                      NOR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolComplex:
                  !Condition [
                      XNOR,
@@ -92,7 +88,7 @@ entries:
                              {
                                  with: { keys: "and_values" },
                                  and_nested_custom_tags:
-                                      !Format ["foo-%%s", !Context foo],
+                                      !Format ["foo-%s", !Context foo],
                              },
                      },
                      null,
@@ -101,7 +97,7 @@ entries:
                  !If [
                      !Condition [AND, false],
                      null,
-                      [list, with, items, !Format ["foo-%%s", !Context foo]],
+                      [list, with, items, !Format ["foo-%s", !Context foo]],
                  ]
              if_true_simple: !If [!Context foo, true, text]
              if_short: !If [!Context foo]
@@ -109,22 +105,22 @@ entries:
              enumerate_mapping_to_mapping: !Enumerate [
                  !Context mapping,
                  MAP,
-                  [!Format ["prefix-%%s", !Index 0], !Format ["other-prefix-%%s", !Value 0]]
+                  [!Format ["prefix-%s", !Index 0], !Format ["other-prefix-%s", !Value 0]]
              ]
              enumerate_mapping_to_sequence: !Enumerate [
                  !Context mapping,
                  SEQ,
-                  !Format ["prefixed-pair-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-pair-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_sequence: !Enumerate [
                  !Context sequence,
                  SEQ,
-                  !Format ["prefixed-items-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-items-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_mapping: !Enumerate [
                  !Context sequence,
                  MAP,
-                  [!Format ["index: %%d", !Index 0], !Value 0]
+                  [!Format ["index: %d", !Index 0], !Value 0]
              ]
              nested_complex_enumeration: !Enumerate [
                  !Context sequence,
@@ -135,9 +131,9 @@ entries:
                          !Context mapping,
                          MAP,
                          [
-                              !Format ["%%s", !Index 0],
+                              !Format ["%s", !Index 0],
                              [
-                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%%s", !Value 0]],
+                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%s", !Value 0]],
                                  {
                                    outer_value: !Value 1,
                                    outer_index: !Index 1,
@@ -154,7 +150,6 @@ entries:
              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
              at_index_mapping: !AtIndex [!Context mapping, "key2"]
              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
-              find_object: !AtIndex [!FindObject [authentik_providers_oauth2.scopemapping, [scope_name, openid]], managed]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@@ -1,14 +0,0 @@
-from django.test import TestCase
-
-from authentik.blueprints.apps import ManagedAppConfig
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestManagedAppConfig(TestCase):
-    def test_apps_use_managed_app_config(self):
-        for app in get_apps():
-            if app.name.startswith("authentik.enterprise"):
-                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
-            else:
-                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:


 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
        continue
    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
--- a/authentik/blueprints/tests/test_serializer_models.py
+++ b/authentik/blueprints/tests/test_serializer_models.py
@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase

+from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken

@@ -21,13 +22,10 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
-        # Models that have subclasses don't have to have a serializer
-        if len(test_model.__subclasses__()) > 0:
-            return
        self.assertIsNotNone(model_class.serializer)
        if model_class.serializer.Meta().model == RefreshToken:
            return
-        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
+        self.assertEqual(model_class.serializer.Meta().model, test_model)

    return tester

@@ -36,6 +34,6 @@ for app in apps.get_app_configs():
    if not app.label.startswith("authentik"):
        continue
    for model in app.get_models():
-        if not issubclass(model, SerializerModel):
+        if not is_model_allowed(model):
            continue
        setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@@ -1,11 +1,9 @@
 """Test blueprints v1"""

-from os import chmod, environ, unlink, write
-from tempfile import mkstemp
+from os import environ

 from django.test import TransactionTestCase

-from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
@@ -128,119 +126,101 @@ class TestBlueprintsV1(TransactionTestCase):

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)

-    @apply_blueprint("system/providers-oauth2.yaml")
    def test_import_yaml_tags(self):
        """Test some yaml tags"""
        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
        Group.objects.filter(name="test").delete()
        environ["foo"] = generate_id()
-        file, file_name = mkstemp()
-        write(file, b"foo")
-        _, file_default_name = mkstemp()
-        chmod(file_default_name, 0o000)  # Remove all permissions so we can't read the file
-        importer = Importer.from_string(
-            load_fixture(
-                "fixtures/tags.yaml",
-                file_name=file_name,
-                file_default_name=file_default_name,
-            ),
-            {"bar": "baz"},
-        )
+        importer = Importer.from_string(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
        self.assertTrue(policy)
-        group = Group.objects.filter(name="test").first()
-        self.assertIsNotNone(group)
-        self.assertEqual(
-            group.attributes,
-            {
-                "policy_pk1": str(policy.pk) + "-suffix",
-                "policy_pk2": str(policy.pk) + "-suffix",
-                "boolAnd": True,
-                "boolNand": False,
-                "boolOr": True,
-                "boolNor": False,
-                "boolXor": True,
-                "boolXnor": False,
-                "boolComplex": True,
-                "if_true_complex": {
-                    "dictionary": {
-                        "with": {"keys": "and_values"},
-                        "and_nested_custom_tags": "foo-bar",
-                    }
-                },
-                "if_false_complex": ["list", "with", "items", "foo-bar"],
-                "if_true_simple": True,
-                "if_short": True,
-                "if_false_simple": 2,
-                "enumerate_mapping_to_mapping": {
-                    "prefix-key1": "other-prefix-value",
-                    "prefix-key2": "other-prefix-2",
-                },
-                "enumerate_mapping_to_sequence": [
-                    "prefixed-pair-key1-value",
-                    "prefixed-pair-key2-2",
-                ],
-                "enumerate_sequence_to_sequence": [
-                    "prefixed-items-0-foo",
-                    "prefixed-items-1-bar",
-                ],
-                "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
-                "nested_complex_enumeration": {
-                    "0": {
-                        "key1": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-f", "prefixed-o", "prefixed-o"],
-                            {
-                                "outer_value": "foo",
-                                "outer_index": 0,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+        self.assertTrue(
+            Group.objects.filter(
+                attributes={
+                    "policy_pk1": str(policy.pk) + "-suffix",
+                    "policy_pk2": str(policy.pk) + "-suffix",
+                    "boolAnd": True,
+                    "boolNand": False,
+                    "boolOr": True,
+                    "boolNor": False,
+                    "boolXor": True,
+                    "boolXnor": False,
+                    "boolComplex": True,
+                    "if_true_complex": {
+                        "dictionary": {
+                            "with": {"keys": "and_values"},
+                            "and_nested_custom_tags": "foo-bar",
+                        }
                    },
-                    "1": {
-                        "key1": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": "value",
-                                "middle_index": "key1",
-                            },
-                        ],
-                        "key2": [
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
-                            {
-                                "outer_value": "bar",
-                                "outer_index": 1,
-                                "middle_value": 2,
-                                "middle_index": "key2",
-                            },
-                        ],
+                    "if_false_complex": ["list", "with", "items", "foo-bar"],
+                    "if_true_simple": True,
+                    "if_short": True,
+                    "if_false_simple": 2,
+                    "enumerate_mapping_to_mapping": {
+                        "prefix-key1": "other-prefix-value",
+                        "prefix-key2": "other-prefix-2",
                    },
-                },
-                "nested_context": "context-nested-value",
-                "env_null": None,
-                "file_content": "foo",
-                "file_default": "default",
-                "file_non_existent": None,
-                "json_parse": {"foo": "bar"},
-                "at_index_sequence": "foo",
-                "at_index_sequence_default": "non existent",
-                "at_index_mapping": 2,
-                "at_index_mapping_default": "non existent",
-                "find_object": "goauthentik.io/providers/oauth2/scope-openid",
-            },
+                    "enumerate_mapping_to_sequence": [
+                        "prefixed-pair-key1-value",
+                        "prefixed-pair-key2-2",
+                    ],
+                    "enumerate_sequence_to_sequence": [
+                        "prefixed-items-0-foo",
+                        "prefixed-items-1-bar",
+                    ],
+                    "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
+                    "nested_complex_enumeration": {
+                        "0": {
+                            "key1": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
+                                {
+                                    "outer_value": "foo",
+                                    "outer_index": 0,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                        "1": {
+                            "key1": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": "value",
+                                    "middle_index": "key1",
+                                },
+                            ],
+                            "key2": [
+                                ["prefixed-b", "prefixed-a", "prefixed-r"],
+                                {
+                                    "outer_value": "bar",
+                                    "outer_index": 1,
+                                    "middle_value": 2,
+                                    "middle_index": "key2",
+                                },
+                            ],
+                        },
+                    },
+                    "nested_context": "context-nested-value",
+                    "env_null": None,
+                    "at_index_sequence": "foo",
+                    "at_index_sequence_default": "non existent",
+                    "at_index_mapping": 2,
+                    "at_index_mapping_default": "non existent",
+                }
+            ).exists()
        )
        self.assertTrue(
            OAuthSource.objects.filter(
@@ -248,8 +228,6 @@ class TestBlueprintsV1(TransactionTestCase):
                consumer_key=environ["foo"],
            )
        )
-        unlink(file_name)
-        unlink(file_default_name)

    def test_export_validate_import_policies(self):
        """Test export and validate it"""
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@@ -54,7 +54,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
            file.seek(0)
            file_hash = sha512(file.read().encode()).hexdigest()
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
            self.assertEqual(instance.last_applied_hash, file_hash)
            self.assertEqual(
@@ -82,7 +82,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
                blueprint.last_applied_hash,
@@ -107,7 +107,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            blueprint.refresh_from_db()
            self.assertEqual(
                blueprint.last_applied_hash,
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@@ -6,7 +6,6 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
-from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@@ -18,15 +17,12 @@ from django.db.models import Model, Q
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
-from structlog.stdlib import get_logger
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode

 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel

-LOGGER = get_logger()
-

 class UNSET:
    """Used to test whether a key has not been set."""
@@ -168,7 +164,9 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))

-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
@@ -195,18 +193,11 @@ class Blueprint:
    """Dataclass used for a full export"""

    version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
    context: dict = field(default_factory=dict)

    metadata: BlueprintMetadata | None = field(default=None)

-    def iter_entries(self) -> Iterable[BlueprintEntry]:
-        if isinstance(self.entries, dict):
-            for _section, entries in self.entries.items():
-                yield from entries
-        else:
-            yield from self.entries
-

 class YAMLTag:
    """Base class for all YAML Tags"""
@@ -237,7 +228,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
@@ -271,34 +262,6 @@ class Env(YAMLTag):
        return getenv(self.key) or self.default


-class File(YAMLTag):
-    """Lookup file with optional default"""
-
-    path: str
-    default: Any | None
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
-        super().__init__()
-        self.default = None
-        if isinstance(node, ScalarNode):
-            self.path = node.value
-        if isinstance(node, SequenceNode):
-            self.path = loader.construct_object(node.value[0])
-            self.default = loader.construct_object(node.value[1])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            with open(self.path, encoding="utf8") as _file:
-                return _file.read().strip()
-        except OSError as exc:
-            LOGGER.warning(
-                "Failed to read file. Falling back to default value",
-                path=self.path,
-                exc=exc,
-            )
-            return self.default
-
-
 class Context(YAMLTag):
    """Lookup key from instance context"""

@@ -323,22 +286,6 @@ class Context(YAMLTag):
        return value


-class ParseJSON(YAMLTag):
-    """Parse JSON from context/env/etc value"""
-
-    raw: str
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
-        super().__init__()
-        self.raw = node.value
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            return loads(self.raw)
-        except JSONDecodeError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
-
-
 class Format(YAMLTag):
    """Format a string"""

@@ -367,7 +314,7 @@ class Format(YAMLTag):


 class Find(YAMLTag):
-    """Find any object primary key"""
+    """Find any object"""

    model_name: str | YAMLTag
    conditions: list[list]
@@ -382,7 +329,7 @@ class Find(YAMLTag):
                values.append(loader.construct_object(node_values))
            self.conditions.append(values)

-    def _get_instance(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.model_name, YAMLTag):
            model_name = self.model_name.resolve(entry, blueprint)
        else:
@@ -404,29 +351,12 @@ class Find(YAMLTag):
            else:
                query_value = cond[1]
            query &= Q(**{query_key: query_value})
-        return model_class.objects.filter(query).first()
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        instance = self._get_instance(entry, blueprint)
+        instance = model_class.objects.filter(query).first()
        if instance:
            return instance.pk
        return None


-class FindObject(Find):
-    """Find any object"""
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        instance = self._get_instance(entry, blueprint)
-        if not instance:
-            return None
-        if not isinstance(instance, SerializerModel):
-            raise EntryInvalidError.from_entry(
-                f"Model {self.model_name} is not resolvable through FindObject", entry
-            )
-        return instance.serializer(instance=instance).data
-
-
 class Condition(YAMLTag):
    """Convert all values to a single boolean"""

@@ -722,18 +652,15 @@ class BlueprintLoader(SafeLoader):
        super().__init__(*args, **kwargs)
        self.add_constructor("!KeyOf", KeyOf)
        self.add_constructor("!Find", Find)
-        self.add_constructor("!FindObject", FindObject)
        self.add_constructor("!Context", Context)
        self.add_constructor("!Format", Format)
        self.add_constructor("!Condition", Condition)
        self.add_constructor("!If", If)
        self.add_constructor("!Env", Env)
-        self.add_constructor("!File", File)
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
        self.add_constructor("!AtIndex", AtIndex)
-        self.add_constructor("!ParseJSON", ParseJSON)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -36,7 +36,6 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
-    Session,
    Source,
    User,
    UserSourceConnection,
@@ -57,6 +56,7 @@ from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDeviceConnection,
 )
 from authentik.events.logs import LogEvent, capture_logs
+from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
@@ -76,7 +76,6 @@ from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
-from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant

 # Context set when the serializer is created in a blueprint context
@@ -109,7 +108,6 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
-        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
@@ -118,7 +116,7 @@ def excluded_models() -> list[type[Model]]:
        SCIMProviderGroup,
        SCIMProviderUser,
        Tenant,
-        Task,
+        SystemTask,
        ConnectionToken,
        AuthorizationCode,
        AccessToken,
@@ -384,7 +382,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/blueprints/v1/meta/apply_blueprint.py
+++ b/authentik/blueprints/v1/meta/apply_blueprint.py
@@ -44,7 +44,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
            return MetaResult()
        LOGGER.debug("Applying blueprint from meta model", blueprint=self.blueprint_instance)

-        apply_blueprint(self.blueprint_instance.pk)
+        apply_blueprint(str(self.blueprint_instance.pk))
        return MetaResult()


--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models

    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@@ -4,17 +4,12 @@ from dataclasses import asdict, dataclass, field
 from hashlib import sha512
 from pathlib import Path
 from sys import platform
-from uuid import UUID

 from dacite.core import from_dict
-from django.conf import settings
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask, CurrentTaskNotFound
-from dramatiq.actor import actor
-from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
 from watchdog.events import (
    FileCreatedEvent,
@@ -36,13 +31,15 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
+from authentik.events.models import TaskStatus
+from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
-from authentik.tasks.models import Task
-from authentik.tasks.schedules.models import Schedule
+from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant

 LOGGER = get_logger()
+_file_watcher_started = False


@dataclass
@@ -56,21 +53,22 @@ class BlueprintFile:
    meta: BlueprintMetadata | None = field(default=None)


-class BlueprintWatcherMiddleware(Middleware):
-    def start_blueprint_watcher(self):
-        """Start blueprint watcher"""
-        observer = Observer()
-        kwargs = {}
-        if platform.startswith("linux"):
-            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
-        observer.schedule(
-            BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
-        )
-        observer.start()
+def start_blueprint_watcher():
+    """Start blueprint watcher, if it's not running already."""
+    # This function might be called twice since it's called on celery startup

-    def after_worker_boot(self, broker, worker):
-        if not settings.TEST:
-            self.start_blueprint_watcher()
+    global _file_watcher_started  # noqa: PLW0603
+    if _file_watcher_started:
+        return
+    observer = Observer()
+    kwargs = {}
+    if platform.startswith("linux"):
+        kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
+    observer.schedule(
+        BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
+    )
+    observer.start()
+    _file_watcher_started = True


 class BlueprintEventHandler(FileSystemEventHandler):
@@ -94,7 +92,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
        LOGGER.debug("new blueprint file created, starting discovery")
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
-                Schedule.dispatch_by_actor(blueprints_discovery)
+                blueprints_discovery.delay()

    def on_modified(self, event: FileSystemEvent):
        """Process file modification"""
@@ -105,14 +103,14 @@ class BlueprintEventHandler(FileSystemEventHandler):
            with tenant:
                for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                    LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                    apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+                    apply_blueprint.delay(instance.pk.hex)


-@actor(
-    description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
+@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
 def blueprints_find_dict():
+    """Find blueprints as `blueprints_find` does, but return a safe dict"""
    blueprints = []
    for blueprint in blueprints_find():
        blueprints.append(sanitize_dict(asdict(blueprint)))
@@ -148,19 +146,21 @@ def blueprints_find() -> list[BlueprintFile]:
    return blueprints


-@actor(
-    description=_("Find blueprints and check if they need to be created in the database."),
-    throws=(DatabaseError, ProgrammingError, InternalError),
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError), base=SystemTask, bind=True
 )
-def blueprints_discovery(path: str | None = None):
-    self: Task = CurrentTask.get_task()
+@prefill_task
+def blueprints_discovery(self: SystemTask, path: str | None = None):
+    """Find blueprints and check if they need to be created in the database"""
    count = 0
    for blueprint in blueprints_find():
        if path and blueprint.path != path:
            continue
        check_blueprint_v1_file(blueprint)
        count += 1
-    self.info(f"Successfully imported {count} files.")
+    self.set_status(
+        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+    )


 def check_blueprint_v1_file(blueprint: BlueprintFile):
@@ -187,26 +187,22 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
        )
    if instance.last_applied_hash != blueprint.hash:
        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
-        apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+        apply_blueprint.delay(str(instance.pk))


-@actor(description=_("Apply single blueprint."))
-def apply_blueprint(instance_pk: UUID):
-    try:
-        self: Task = CurrentTask.get_task()
-    except CurrentTaskNotFound:
-        self = Task()
-    self.set_uid(str(instance_pk))
+@CELERY_APP.task(
+    bind=True,
+    base=SystemTask,
+)
+def apply_blueprint(self: SystemTask, instance_pk: str):
+    """Apply single blueprint"""
+    self.save_on_success = False
    instance: BlueprintInstance | None = None
    try:
        instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
-        if not instance:
-            self.warning(f"Could not find blueprint {instance_pk}, skipping")
+        if not instance or not instance.enabled:
            return
        self.set_uid(slugify(instance.name))
-        if not instance.enabled:
-            self.info(f"Blueprint {instance.name} is disabled, skipping")
-            return
        blueprint_content = instance.retrieve()
        file_hash = sha512(blueprint_content.encode()).hexdigest()
        importer = Importer.from_string(blueprint_content, instance.context)
@@ -216,18 +212,19 @@ def apply_blueprint(instance_pk: UUID):
        if not valid:
            instance.status = BlueprintInstanceStatus.ERROR
            instance.save()
-            self.logs(logs)
+            self.set_status(TaskStatus.ERROR, *logs)
            return
        with capture_logs() as logs:
            applied = importer.apply()
            if not applied:
                instance.status = BlueprintInstanceStatus.ERROR
                instance.save()
-                self.logs(logs)
+                self.set_status(TaskStatus.ERROR, *logs)
                return
        instance.status = BlueprintInstanceStatus.SUCCESSFUL
        instance.last_applied_hash = file_hash
        instance.last_applied = now()
+        self.set_status(TaskStatus.SUCCESSFUL)
    except (
        OSError,
        DatabaseError,
@@ -238,14 +235,15 @@ def apply_blueprint(instance_pk: UUID):
    ) as exc:
        if instance:
            instance.status = BlueprintInstanceStatus.ERROR
-        self.error(exc)
+        self.set_error(exc)
    finally:
        if instance:
            instance.save()


-@actor(description=_("Remove blueprints which couldn't be fetched."))
+@CELERY_APP.task()
 def clear_failed_blueprints():
+    """Remove blueprints which couldn't be fetched"""
    # Exclude OCI blueprints as those might be temporarily unavailable
    for blueprint in BlueprintInstance.objects.exclude(path__startswith=OCI_PREFIX):
        try:
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -49,8 +49,6 @@ class BrandSerializer(ModelSerializer):
            "branding_title",
            "branding_logo",
            "branding_favicon",
-            "branding_custom_css",
-            "branding_default_flow_background",
            "flow_authentication",
            "flow_invalidation",
            "flow_recovery",
@@ -59,7 +57,6 @@ class BrandSerializer(ModelSerializer):
            "flow_device_code",
            "default_application",
            "web_certificate",
-            "client_certificates",
            "attributes",
        ]
        extra_kwargs = {
@@ -89,7 +86,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    branding_title = CharField()
    branding_logo = CharField(source="branding_logo_url")
    branding_favicon = CharField(source="branding_favicon_url")
-    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
@@ -121,7 +117,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "domain",
        "branding_title",
        "web_certificate__name",
-        "client_certificates__name",
    ]
    filterset_fields = [
        "brand_uuid",
@@ -130,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "branding_title",
        "branding_logo",
        "branding_favicon",
-        "branding_default_flow_background",
        "flow_authentication",
        "flow_invalidation",
        "flow_recovery",
@@ -138,7 +132,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_user_settings",
        "flow_device_code",
        "web_certificate",
-        "client_certificates",
    ]
    ordering = ["domain"]

--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@@ -1,16 +1,14 @@
 """authentik brands app"""

-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig


-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
    """authentik Brand app"""

    name = "authentik.brands"
    label = "authentik_brands"
    verbose_name = "authentik Brands"
-    default = True
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
-    default = True
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@@ -1,35 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-22 01:51
-
-from pathlib import Path
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Brand = apps.get_model("authentik_brands", "brand")
-
-    db_alias = schema_editor.connection.alias
-
-    path = Path("/web/dist/custom.css")
-    if not path.exists():
-        return
-    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0007_brand_default_application"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_custom_css",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.RunPython(migrate_custom_css),
-    ]
--- a/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
+++ b/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
@@ -1,18 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-19 22:54
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0008_brand_branding_custom_css"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_default_flow_background",
-            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
-        ),
-    ]
--- a/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
+++ b/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
@@ -1,37 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-19 15:09
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0009_brand_branding_default_flow_background"),
-        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="client_certificates",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                help_text="Certificates used for client authentication.",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="brand",
-            name="web_certificate",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Web Certificate used by the authentik Core webserver.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@@ -33,10 +33,6 @@ class Brand(SerializerModel):

    branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
-    branding_custom_css = models.TextField(default="", blank=True)
-    branding_default_flow_background = models.TextField(
-        default="/static/dist/assets/images/flow_background.jpg"
-    )

    flow_authentication = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@@ -73,13 +69,6 @@ class Brand(SerializerModel):
        default=None,
        on_delete=models.SET_DEFAULT,
        help_text=_("Web Certificate used by the authentik Core webserver."),
-        related_name="+",
-    )
-    client_certificates = models.ManyToManyField(
-        CertificateKeyPair,
-        default=None,
-        blank=True,
-        help_text=_("Certificates used for client authentication."),
    )
    attributes = models.JSONField(default=dict, blank=True)

@@ -95,12 +84,6 @@ class Brand(SerializerModel):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon

-    def branding_default_flow_background_url(self) -> str:
-        """Get branding_default_flow_background with the correct prefix"""
-        if self.branding_default_flow_background.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
-        return self.branding_default_flow_background
-
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -24,7 +24,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@@ -44,7 +43,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "custom",
-                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@@ -52,27 +50,6 @@ class TestBrands(APITestCase):
            },
        )

-    def test_brand_subdomain_same_suffix(self):
-        """Test Current brand API"""
-        Brand.objects.all().delete()
-        Brand.objects.create(domain="bar.baz", branding_title="custom")
-        Brand.objects.create(domain="foo.bar.baz", branding_title="custom")
-        self.assertJSONEqual(
-            self.client.get(
-                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
-            ).content.decode(),
-            {
-                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
-                "branding_favicon": "/static/dist/assets/icons/icon.png",
-                "branding_title": "custom",
-                "branding_custom_css": "",
-                "matched_domain": "foo.bar.baz",
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-            },
-        )
-
    def test_fallback(self):
        """Test fallback brand"""
        Brand.objects.all().delete()
@@ -82,7 +59,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": "fallback",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@@ -145,38 +121,3 @@ class TestBrands(APITestCase):
                "subject": None,
            },
        )
-
-    def test_branding_url(self):
-        """Test branding attributes return correct values"""
-        brand = create_test_brand()
-        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
-        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
-        brand.branding_logo = "https://goauthentik.io/img/icon.png"
-        brand.save()
-        self.assertEqual(
-            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
-        )
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
-            {
-                "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_title": "authentik",
-                "branding_custom_css": "",
-                "matched_domain": brand.domain,
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-            },
-        )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@@ -4,14 +4,11 @@ from typing import Any

 from django.db.models import F, Q
 from django.db.models import Value as V
-from django.db.models.functions import Length
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe
+from sentry_sdk import get_current_span

 from authentik import get_full_version
 from authentik.brands.models import Brand
-from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant

 _q_default = Q(default=True)
@@ -21,9 +18,9 @@ DEFAULT_BRAND = Brand(domain="fallback")
 def get_brand_for_request(request: HttpRequest) -> Brand:
    """Get brand object for current request"""
    db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()), match_length=Length("domain"))
+        Brand.objects.annotate(host_domain=V(request.get_host()))
        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("-match_length", "default")
+        .order_by("default")
    )
    brands = list(db_brands.all())
    if len(brands) < 1:
@@ -35,14 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
+    trace = ""
+    span = get_current_span()
+    if span:
+        trace = span.to_traceparent()
    return {
        "brand": brand,
-        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
+        "sentry_trace": trace,
        "version": get_full_version(),
    }
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -2,9 +2,11 @@

 from collections.abc import Iterator
 from copy import copy
+from datetime import timedelta

 from django.core.cache import cache
 from django.db.models import QuerySet
+from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@@ -18,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@@ -25,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
+from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@@ -42,7 +46,7 @@ LOGGER = get_logger()

 def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
    """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
+    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
    if page_number:
        key += f"/{page_number}"
    return key
@@ -149,10 +153,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        return applications

    def _filter_applications_with_launch_url(
-        self, paginated_apps: Iterator[Application]
+        self, pagined_apps: Iterator[Application]
    ) -> list[Application]:
        applications = []
-        for app in paginated_apps:
+        for app in pagined_apps:
            if app.get_launch_url():
                applications.append(app)
        return applications
@@ -317,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
+
+    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def metrics(self, request: Request, slug: str):
+        """Metrics for application logins"""
+        app = self.get_object()
+        return Response(
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION,
+                context__authorized_application__pk=app.pk.hex,
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@@ -5,7 +5,6 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
-from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

@@ -55,11 +54,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""

-    expires = DateTimeField(source="session.expires", read_only=True)
-    last_ip = IPAddressField(source="session.last_ip", read_only=True)
-    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
-    last_used = DateTimeField(source="session.last_used", read_only=True)
-
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@@ -68,19 +62,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key

    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)

    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)

    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)

    class Meta:
        model = AuthenticatedSession
@@ -96,7 +90,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
-        extra_args = {"uuid": {"read_only": True}}


 class AuthenticatedSessionViewSet(
@@ -108,10 +101,9 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""

-    lookup_field = "uuid"
-    queryset = AuthenticatedSession.objects.select_related("session").all()
+    queryset = AuthenticatedSession.objects.all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@@ -1,6 +1,8 @@
 """Authenticator Devices API Views"""

-from drf_spectacular.utils import extend_schema
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
@@ -13,7 +15,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

-from authentik.core.api.users import ParamUserSerializer
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.stages.authenticator import device_classes, devices_for_user
@@ -22,7 +23,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDevice


 class DeviceSerializer(MetaNameSerializer):
-    """Serializer for authenticator devices"""
+    """Serializer for Duo authenticator devices"""

    pk = CharField()
    name = CharField()
@@ -32,27 +33,22 @@ class DeviceSerializer(MetaNameSerializer):
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    extra_description = SerializerMethodField()
-    external_id = SerializerMethodField()

    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label

-    def get_extra_description(self, instance: Device) -> str | None:
+    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
-            return instance.device_type.description if instance.device_type else None
+            return (
+                instance.device_type.description
+                if instance.device_type
+                else _("Extra description not available")
+            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return None
-
-    def get_external_id(self, instance: Device) -> str | None:
-        """Get external Device ID"""
-        if isinstance(instance, WebAuthnDevice):
-            return instance.device_type.aaguid if instance.device_type else None
-        if isinstance(instance, EndpointDevice):
-            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return None
+        return ""


 class DeviceViewSet(ViewSet):
@@ -61,6 +57,7 @@ class DeviceViewSet(ViewSet):
    serializer_class = DeviceSerializer
    permission_classes = [IsAuthenticated]

+    @extend_schema(responses={200: DeviceSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        devices = devices_for_user(request.user)
@@ -82,11 +79,18 @@ class AdminDeviceViewSet(ViewSet):
            yield from device_set

    @extend_schema(
-        parameters=[ParamUserSerializer],
+        parameters=[
+            OpenApiParameter(
+                name="user",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+            )
+        ],
        responses={200: DeviceSerializer(many=True)},
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
-        args = ParamUserSerializer(data=request.query_params)
-        args.is_valid(raise_exception=True)
-        return Response(DeviceSerializer(self.get_devices(**args.validated_data), many=True).data)
+        kwargs = {}
+        if "user" in request.query_params:
+            kwargs = {"user": request.query_params["user"]}
+        return Response(DeviceSerializer(self.get_devices(**kwargs), many=True).data)
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -99,17 +99,18 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        if self.instance or superuser:
-            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
-            if not has_perm:
-                raise ValidationError(
-                    _(
-                        (
-                            "User does not have permission to set "
-                            "superuser status to {superuser_status}."
-                        ).format_map({"superuser_status": superuser})
-                    )
+        has_perm = user.has_perm(perm)
+        if self.instance and not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
+        if not has_perm:
+            raise ValidationError(
+                _(
+                    (
+                        "User does not have permission to set "
+                        "superuser status to {superuser_status}."
+                    ).format_map({"superuser_status": superuser})
                )
+            )
        return superuser

    class Meta:
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@@ -5,7 +5,6 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@@ -155,17 +154,6 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)

-    def destroy(self, request: Request, *args, **kwargs):
-        """Prevent deletion of built-in sources"""
-        instance: Source = self.get_object()
-
-        if instance.managed == Source.MANAGED_INBUILT:
-            raise ValidationError(
-                {"detail": "Built-in sources cannot be deleted"}, code="protected"
-            )
-
-        return super().destroy(request, *args, **kwargs)
-

 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
@@ -179,13 +167,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "user",
            "source",
            "source_obj",
-            "identifier",
            "created",
-            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
-            "last_updated": {"read_only": True},
        }


@@ -202,7 +187,7 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    filterset_fields = ["user", "source__slug"]
-    search_fields = ["user__username", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
    owner_field = "user"

@@ -221,11 +206,9 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "source_obj",
            "identifier",
            "created",
-            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
-            "last_updated": {"read_only": True},
        }


@@ -242,5 +225,6 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    filterset_fields = ["group", "source__slug"]
-    search_fields = ["group__name", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
+    owner_field = "user"
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -1,11 +1,15 @@
 """User API Views"""

 from datetime import timedelta
+from importlib import import_module
 from json import loads
 from typing import Any

+from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
+from django.contrib.sessions.backends.base import SessionBase
+from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -51,6 +55,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@@ -67,8 +72,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
+    AuthenticatedSession,
    Group,
-    Session,
    Token,
    TokenIntents,
    User,
@@ -82,18 +87,12 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
-from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-
-
-class ParamUserSerializer(PassiveSerializer):
-    """Partial serializer for query parameters to select a user"""
-
-    user = PrimaryKeyRelatedField(queryset=User.objects.all().exclude_anonymous(), required=False)
+SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@@ -229,7 +228,6 @@ class UserSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
-            "date_joined",
            "is_superuser",
            "groups",
            "groups_obj",
@@ -244,7 +242,6 @@ class UserSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
-            "date_joined": {"read_only": True},
            "password_change_date": {"read_only": True},
        }

@@ -321,6 +318,53 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)


+class UserMetricsSerializer(PassiveSerializer):
+    """User Metrics"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN, user__pk=user.pk
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED, context__username=user.username
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
 class UsersFilter(FilterSet):
    """Filter for users"""

@@ -392,23 +436,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    filterset_class = UsersFilter
    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
-
-    def get_ql_fields(self):
-        from djangoql.schema import BoolField, StrField
-
-        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
-
-        return [
-            StrField(User, "username"),
-            StrField(User, "name"),
-            StrField(User, "email"),
-            StrField(User, "path"),
-            BoolField(User, "is_active", nullable=True),
-            ChoiceSearchField(User, "type"),
-            JSONSearchField(User, "attributes", suggest_nested=False),
-        ]
+    filterset_class = UsersFilter

    def get_queryset(self):
        base_qs = User.objects.all().exclude_anonymous()
@@ -424,7 +453,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)

-    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
+    def _create_recovery_link(self) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
        brand: Brand = self.request._request.brand
@@ -446,16 +475,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            raise ValidationError(
                {"non_field_errors": "Recovery flow not applicable to user"}
            ) from None
-        _plan = FlowToken.pickle(plan)
-        if for_email:
-            _plan = pickle_flow_token_for_email(plan)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
-                "_plan": _plan,
-                "revoke_on_execution": not for_email,
+                "_plan": FlowToken.pickle(plan),
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@@ -579,6 +604,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)

+    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
+    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def metrics(self, request: Request, pk: int) -> Response:
+        """User metrics per 1h"""
+        user: User = self.get_object()
+        serializer = UserMetricsSerializer(instance={})
+        serializer.context["user"] = user
+        serializer.context["request"] = request
+        return Response(serializer.data)
+
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
@@ -614,7 +650,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link(for_email=True)
+        link, token = self._create_recovery_link()
        # Lookup the email stage to assure the current user can access it
        stages = get_objects_for_user(
            request.user, "authentik_stages_email.view_emailstage"
@@ -738,6 +774,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            Session.objects.filter(authenticatedsession__user=instance).delete()
+            sessions = AuthenticatedSession.objects.filter(user=instance)
+            session_ids = sessions.values_list("session_key", flat=True)
+            for session in session_ids:
+                SessionStore(session).delete()
+            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@@ -2,7 +2,6 @@

 from typing import Any

-from django.db import models
 from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
@@ -21,8 +20,6 @@ from rest_framework.serializers import (
    raise_errors_on_nested_writes,
 )

-from authentik.rbac.permissions import assign_initial_permissions
-

 def is_dict(value: Any):
    """Ensure a value is a dictionary, useful for JSONFields"""
@@ -31,36 +28,8 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")


-class JSONDictField(JSONField):
-    """JSON Field which only allows dictionaries"""
-
-    default_validators = [is_dict]
-
-
-class JSONExtension(OpenApiSerializerFieldExtension):
-    """Generate API Schema for JSON fields as"""
-
-    target_class = "authentik.core.api.utils.JSONDictField"
-
-    def map_serializer_field(self, auto_schema, direction):
-        return build_basic_type(OpenApiTypes.OBJECT)
-
-
 class ModelSerializer(BaseModelSerializer):

-    # By default, JSON fields we have are used to store dictionaries
-    serializer_field_mapping = BaseModelSerializer.serializer_field_mapping.copy()
-    serializer_field_mapping[models.JSONField] = JSONDictField
-
-    def create(self, validated_data):
-        instance = super().create(validated_data)
-
-        request = self.context.get("request")
-        if request and hasattr(request, "user") and not request.user.is_anonymous:
-            assign_initial_permissions(request.user, instance)
-
-        return instance
-
    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
        info = model_meta.get_field_info(instance)
@@ -92,6 +61,21 @@ class ModelSerializer(BaseModelSerializer):
        return instance


+class JSONDictField(JSONField):
+    """JSON Field which only allows dictionaries"""
+
+    default_validators = [is_dict]
+
+
+class JSONExtension(OpenApiSerializerFieldExtension):
+    """Generate API Schema for JSON fields as"""
+
+    target_class = "authentik.core.api.utils.JSONDictField"
+
+    def map_serializer_field(self, auto_schema, direction):
+        return build_basic_type(OpenApiTypes.OBJECT)
+
+
 class PassiveSerializer(Serializer):
    """Base serializer class which doesn't implement create/update methods"""

--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@@ -1,7 +1,8 @@
 """authentik core app config"""

+from django.conf import settings
+
 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.tasks.schedules.common import ScheduleSpec


 class AuthentikCoreConfig(ManagedAppConfig):
@@ -13,6 +14,14 @@ class AuthentikCoreConfig(ManagedAppConfig):
    mountpoint = ""
    default = True

+    @ManagedAppConfig.reconcile_global
+    def debug_worker_hook(self):
+        """Dispatch startup tasks inline when debugging"""
+        if settings.DEBUG:
+            from authentik.root.celery import worker_ready_hook
+
+            worker_ready_hook()
+
    @ManagedAppConfig.reconcile_tenant
    def source_inbuilt(self):
        """Reconcile inbuilt source"""
@@ -23,20 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed=Source.MANAGED_INBUILT,
+            managed="goauthentik.io/sources/inbuilt",
        )
-
-    @property
-    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
-        from authentik.core.tasks import clean_expired_models, clean_temporary_users
-
-        return [
-            ScheduleSpec(
-                actor=clean_expired_models,
-                crontab="2-59/5 * * * *",
-            ),
-            ScheduleSpec(
-                actor=clean_temporary_users,
-                crontab="9-59/5 * * * *",
-            ),
-        ]
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@@ -24,15 +24,6 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user

-    async def aauthenticate(
-        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
-    ) -> User | None:
-        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
-        if not user:
-            return None
-        self.set_method("password", request)
-        return user
-
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@@ -11,6 +11,7 @@ from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest

 PROPERTY_MAPPING_TIME = Histogram(
@@ -68,11 +69,12 @@ class PropertyMappingEvaluator(BaseEvaluator):
        # For dry-run requests we don't save exceptions
        if self.dry_run:
            return
+        error_string = exception_to_string(exc)
        event = Event.new(
            EventAction.PROPERTY_MAPPING_EXCEPTION,
            expression=expression_source,
-            message="Failed to execute property mapping",
-        ).with_exception(exc)
+            message=error_string,
+        )
        if "request" in self._context:
            req: PolicyRequest = self._context["request"]
            if req.http_request:
--- a/authentik/core/management/commands/bootstrap_tasks.py
+++ b/authentik/core/management/commands/bootstrap_tasks.py
@@ -0,0 +1,21 @@
+"""Run bootstrap tasks"""
+
+from django.core.management.base import BaseCommand
+from django_tenants.utils import get_public_schema_name
+
+from authentik.root.celery import _get_startup_tasks_all_tenants, _get_startup_tasks_default_tenant
+from authentik.tenants.models import Tenant
+
+
+class Command(BaseCommand):
+    """Run bootstrap tasks to ensure certain objects are created"""
+
+    def handle(self, **options):
+        for task in _get_startup_tasks_default_tenant():
+            with Tenant.objects.get(schema_name=get_public_schema_name()):
+                task()
+
+        for task in _get_startup_tasks_all_tenants():
+            for tenant in Tenant.objects.filter(ready=True):
+                with tenant:
+                    task()
--- a/authentik/core/management/commands/change_user_type.py
+++ b/authentik/core/management/commands/change_user_type.py
@@ -13,6 +13,7 @@ class Command(TenantCommand):
        parser.add_argument("usernames", nargs="*", type=str)

    def handle_per_tenant(self, **options):
+        print(options)
        new_type = UserTypes(options["type"])
        qs = (
            User.objects.exclude_anonymous()
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@@ -1,15 +0,0 @@
-"""Change user type"""
-
-from importlib import import_module
-
-from django.conf import settings
-
-from authentik.tenants.management import TenantCommand
-
-
-class Command(TenantCommand):
-    """Delete all sessions"""
-
-    def handle_per_tenant(self, **options):
-        engine = import_module(settings.SESSION_ENGINE)
-        engine.SessionStore.clear_expired()
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@@ -2,7 +2,6 @@

 from django.apps import apps
 from django.contrib.auth.management import create_permissions
-from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user

@@ -17,10 +16,6 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
-                # See https://code.djangoproject.com/ticket/28417
-                # Remove potential lingering old permissions
-                call_command("remove_stale_contenttypes", "--no-input")
-
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@@ -0,0 +1,47 @@
+"""Run worker"""
+
+from sys import exit as sysexit
+from tempfile import tempdir
+
+from celery.apps.worker import Worker
+from django.core.management.base import BaseCommand
+from django.db import close_old_connections
+from structlog.stdlib import get_logger
+
+from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
+from authentik.root.celery import CELERY_APP
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Run worker"""
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "-b",
+            "--beat",
+            action="store_false",
+            help="When set, this worker will _not_ run Beat (scheduled) tasks",
+        )
+
+    def handle(self, **options):
+        LOGGER.debug("Celery options", **options)
+        close_old_connections()
+        start_debug_server()
+        worker: Worker = CELERY_APP.Worker(
+            no_color=False,
+            quiet=True,
+            optimization="fair",
+            autoscale=(CONFIG.get_int("worker.concurrency"), 1),
+            task_events=True,
+            beat=options.get("beat", True),
+            schedule_filename=f"{tempdir}/celerybeat-schedule",
+            queues=["authentik", "authentik_scheduled", "authentik_events"],
+        )
+        for task in CELERY_APP.tasks:
+            LOGGER.debug("Registered task", task=task)
+
+        worker.start()
+        sysexit(worker.exitcode)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@@ -2,15 +2,9 @@

 from collections.abc import Callable
 from contextvars import ContextVar
-from functools import partial
 from uuid import uuid4

-from django.contrib.auth import logout
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
-from django.utils.deprecation import MiddlewareMixin
-from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@@ -26,45 +20,6 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)


-def get_user(request):
-    if not hasattr(request, "_cached_user"):
-        user = None
-        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
-            user = authenticated_session.user
-        request._cached_user = user or AnonymousUser()
-    return request._cached_user
-
-
-async def aget_user(request):
-    if not hasattr(request, "_cached_user"):
-        user = None
-        if (
-            authenticated_session := await request.session.aget("authenticatedsession", None)
-        ) is not None:
-            user = authenticated_session.user
-        request._cached_user = user or AnonymousUser()
-    return request._cached_user
-
-
-class AuthenticationMiddleware(MiddlewareMixin):
-    def process_request(self, request):
-        if not hasattr(request, "session"):
-            raise ImproperlyConfigured(
-                "The Django authentication middleware requires session "
-                "middleware to be installed. Edit your MIDDLEWARE setting to "
-                "insert "
-                "'authentik.root.middleware.SessionMiddleware' before "
-                "'authentik.core.middleware.AuthenticationMiddleware'."
-            )
-        request.user = SimpleLazyObject(lambda: get_user(request))
-        request.auser = partial(aget_user, request)
-
-        user = request.user
-        if user and user.is_authenticated and not user.is_active:
-            logout(request)
-            raise AssertionError()
-
-
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""

--- a/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
+++ b/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
@@ -1,19 +0,0 @@
-# Generated by Django 5.0.13 on 2025-04-07 14:04
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0043_alter_group_options"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="usersourceconnection",
-            name="new_identifier",
-            field=models.TextField(default=""),
-            preserve_default=False,
-        ),
-    ]
--- a/Show More
+++ b/Show More