Merge branch 'main' into saml-source-logoutrequest

.github/actions/setup/action.yml

@@ -25,7 +25,7 @@ runs:
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
       with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext libclang-dev libkadm5clnt-mit12 libkadm5clnt7t64-heimdal libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
         update: true
         upgrade: false
         install-recommends: false
@@ -52,19 +52,19 @@ runs:
       run: uv sync --all-extras --dev --locked
     - name: Setup rust (stable)
       if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         rustflags: ""
     - name: Setup rust (nightly)
       if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         toolchain: nightly
         components: rustfmt
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@e3134ec54b36203e18f2d1e80652058bd078dd91 # v2
+      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)

.github/workflows/qa-codeql.yml

@@ -28,10 +28,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.4
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4.35.4
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.4
+        uses: github/codeql-action/analyze@v4

.github/workflows/release-branch-off.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       next_version:
-        description: Next version (for example, if you're currently releasing 2026.5, then enter 2026.8)
+        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
         required: true
         type: string
 
@@ -68,14 +68,10 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Create pull request
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:

.github/workflows/release-publish.yml

@@ -191,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -82,14 +82,10 @@ jobs:
           token: "${{ steps.app-token.outputs.token }}"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.version }}"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Commit and push
         run: |
           # ID from https://api.github.com/users/authentik-automation[bot]

Cargo.lock

@@ -1744,6 +1744,16 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "iri-string"
+version = "0.7.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -3193,9 +3203,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 
 [[package]]
 name = "sentry"
-version = "0.48.1"
+version = "0.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b93b3e19f45495ddd41d8222a152c48c84f6ba45abe9c69e2527e9cdea29bb5b"
+checksum = "e8ac94aab850a23d7507307cc505332ed2bafd36c65930dfc5c43610f9e9b477"
 dependencies = [
  "cfg_aliases",
  "httpdate",
@@ -3390,9 +3400,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.19.0"
+version = "3.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19"
+checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
 dependencies = [
  "base64 0.22.1",
  "chrono",
@@ -3924,9 +3934,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.52.3"
+version = "1.52.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
 dependencies = [
  "bytes",
  "libc",
@@ -4072,21 +4082,21 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.10"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
  "bitflags 2.11.0",
  "bytes",
  "futures-util",
  "http",
  "http-body",
+ "iri-string",
  "pin-project-lite",
  "tokio",
  "tower",
  "tower-layer",
  "tower-service",
- "url",
 ]
 
 [[package]]

Cargo.toml

@@ -67,7 +67,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
   "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.1", default-features = false, features = [
+sentry = { version = "= 0.48.0", default-features = false, features = [
   "backtrace",
   "contexts",
   "debug-images",
@@ -80,7 +80,7 @@ sentry = { version = "= 0.48.1", default-features = false, features = [
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.19.0", default-features = false, features = [
+serde_with = { version = "= 3.18.0", default-features = false, features = [
   "base64",
 ] }
 sqlx = { version = "= 0.8.6", default-features = false, features = [
@@ -97,12 +97,12 @@ sqlx = { version = "= 0.8.6", default-features = false, features = [
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
 time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.3", features = ["full", "tracing"] }
+tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
 tokio-retry2 = "= 0.9.1"
 tokio-rustls = "= 0.26.4"
 tokio-util = { version = "= 0.7.18", features = ["full"] }
 tower = "= 0.5.3"
-tower-http = { version = "= 0.6.10", features = ["timeout"] }
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
 tracing-error = "= 0.2.1"
 tracing-subscriber = { version = "= 0.3.23", features = [

authentik/api/authentication.py

@@ -42,29 +42,11 @@ def validate_auth(header: bytes, format="bearer") -> str | None:
     return auth_credentials
 
 
-class VirtualUser(AnonymousUser):
-    is_active = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-    def all_roles(self):
-        return []
-
-
-class IPCUser(VirtualUser):
+class IPCUser(AnonymousUser):
     """'Virtual' user for IPC communication between authentik core and the authentik router"""
 
     username = "authentik:system"
+    is_active = True
     is_superuser = True
 
     @property
@@ -80,6 +62,17 @@ class IPCUser(VirtualUser):
     def has_module_perms(self, module):
         return True
 
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+    def all_roles(self):
+        return []
+
 
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""

authentik/common/saml/exceptions.py

@@ -1,4 +1,4 @@
-"""authentik SAML IDP Exceptions"""
+"""Common SAML Exceptions"""
 
 from authentik.lib.sentry import SentryIgnoredException
 

authentik/common/saml/parsers/logout_request.py

@@ -1,4 +1,4 @@
-"""LogoutRequest parser"""
+"""Shared SAML LogoutRequest parser"""
 
 from base64 import b64decode
 from dataclasses import dataclass
@@ -6,41 +6,29 @@ from dataclasses import dataclass
 from defusedxml import ElementTree
 
 from authentik.common.saml.constants import NS_SAML_ASSERTION, NS_SAML_PROTOCOL
-from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.processors.authn_request_parser import ERROR_CANNOT_DECODE_REQUEST
+from authentik.common.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
 
 
 @dataclass(slots=True)
 class LogoutRequest:
-    """Logout Request"""
+    """Parsed SAML LogoutRequest"""
 
     id: str | None = None
-
     issuer: str | None = None
-
     name_id: str | None = None
-
     name_id_format: str | None = None
-
     session_index: str | None = None
-
     relay_state: str | None = None
 
 
 class LogoutRequestParser:
-    """LogoutRequest Parser"""
-
-    provider: SAMLProvider
-
-    def __init__(self, provider: SAMLProvider):
-        self.provider = provider
+    """Parse incoming SAML LogoutRequest messages"""
 
     def _parse_xml(self, decoded_xml: str | bytes, relay_state: str | None = None) -> LogoutRequest:
         root = ElementTree.fromstring(decoded_xml)
         request = LogoutRequest(
-            id=root.attrib["ID"],
+            id=root.attrib.get("ID"),
         )
         # Try both namespaces for Issuer
         issuers = root.findall(f"{{{NS_SAML_PROTOCOL}}}Issuer")
@@ -55,7 +43,6 @@ class LogoutRequestParser:
             name_ids = root.findall(f"{{{NS_SAML_PROTOCOL}}}NameID")
         if len(name_ids) > 0:
             request.name_id = name_ids[0].text
-            # Extract NameID Format if present
             if "Format" in name_ids[0].attrib:
                 request.name_id_format = name_ids[0].attrib["Format"]
 
@@ -70,22 +57,17 @@ class LogoutRequestParser:
         return request
 
     def parse(self, saml_request: str, relay_state: str | None = None) -> LogoutRequest:
-        """Validate and parse raw request with enveloped signautre."""
+        """Parse a POST-binding LogoutRequest (base64 encoded)."""
         try:
             decoded_xml = b64decode(saml_request.encode())
         except UnicodeDecodeError:
-            raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST) from None
+            raise CannotHandleAssertion("Cannot decode SAML request") from None
         return self._parse_xml(decoded_xml, relay_state)
 
-    def parse_detached(
-        self,
-        saml_request: str,
-        relay_state: str | None = None,
-    ) -> LogoutRequest:
-        """Validate and parse raw request with detached signature"""
+    def parse_detached(self, saml_request: str, relay_state: str | None = None) -> LogoutRequest:
+        """Parse a Redirect-binding LogoutRequest (deflate + base64 encoded)."""
         try:
             decoded_xml = decode_base64_and_inflate(saml_request)
         except UnicodeDecodeError:
-            raise CannotHandleAssertion(ERROR_CANNOT_DECODE_REQUEST) from None
-
+            raise CannotHandleAssertion("Cannot decode SAML request") from None
         return self._parse_xml(decoded_xml, relay_state)

authentik/common/saml/parsers/logout_response.py

@@ -0,0 +1,43 @@
+"""Shared SAML LogoutResponse parser"""
+
+from defusedxml.lxml import fromstring
+from lxml.etree import _Element  # nosec
+from structlog.stdlib import get_logger
+
+from authentik.common.saml.constants import NS_SAML_PROTOCOL, SAML_STATUS_SUCCESS
+from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
+
+LOGGER = get_logger()
+
+
+class LogoutResponseParser:
+    """Parse and validate SAML LogoutResponse messages"""
+
+    _root: _Element
+
+    def __init__(self, raw_response: str):
+        self._raw_response = raw_response
+
+    def parse(self):
+        """Decode and parse the LogoutResponse XML."""
+        # decode_base64_and_inflate handles both deflate-compressed (Redirect binding)
+        # and plain base64 (POST binding) responses
+        response_xml = decode_base64_and_inflate(self._raw_response)
+        self._root = fromstring(response_xml.encode())
+
+    def verify_status(self) -> bool:
+        """Check LogoutResponse status. Returns True if status is Success."""
+        status = self._root.find(f"{{{NS_SAML_PROTOCOL}}}Status")
+        if status is None:
+            return True
+        status_code = status.find(f"{{{NS_SAML_PROTOCOL}}}StatusCode")
+        if status_code is None:
+            return True
+        status_value = status_code.attrib.get("Value", "")
+        if status_value != SAML_STATUS_SUCCESS:
+            LOGGER.warning(
+                "LogoutResponse status is not Success",
+                status=status_value,
+            )
+            return False
+        return True

authentik/core/api/groups.py

@@ -246,25 +246,6 @@ class GroupSerializer(ModelSerializer):
                 )
         return superuser
 
-    def validate_users(self, users: list) -> list:
-        """Require add_user_to_group permission when adding new members via group PATCH."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return users
-        if not self.instance:
-            return users
-        # BulkManyRelatedField returns raw PKs, not model instances
-        current_user_pks = set(self.instance.users.values_list("pk", flat=True))
-        new_users = [u for u in users if u not in current_user_pks]
-        if not new_users:
-            return users
-        has_perm = request.user.has_perm(
-            "authentik_core.add_user_to_group"
-        ) or request.user.has_perm("authentik_core.add_user_to_group", self.instance)
-        if not has_perm:
-            raise ValidationError(_("User does not have permission to add members to this group."))
-        return users
-
     class Meta:
         model = Group
         fields = [

authentik/core/api/users.py

@@ -297,36 +297,6 @@ class UserSerializer(ModelSerializer):
             raise ValidationError(_("Setting a user to internal service account is not allowed."))
         return user_type
 
-    def validate_groups(self, groups: list) -> list:
-        """Require enable_group_superuser permission when adding a user to a superuser group."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return groups
-        current_groups = set(self.instance.groups.all()) if self.instance else set()
-        for group in groups:
-            if not group.is_superuser:
-                continue
-            if group in current_groups:
-                continue
-            if not request.user.has_perm("authentik_core.enable_group_superuser"):
-                raise ValidationError(
-                    _("User does not have permission to add members to a superuser group.")
-                )
-        return groups
-
-    def validate_roles(self, roles: list) -> list:
-        """Require change_role permission when assigning new roles to a user."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return roles
-        current_roles = set(self.instance.roles.all()) if self.instance else set()
-        new_roles = [r for r in roles if r not in current_roles]
-        if not new_roles:
-            return roles
-        if not request.user.has_perm("authentik_rbac.change_role"):
-            raise ValidationError(_("User does not have permission to assign roles."))
-        return roles
-
     def validate(self, attrs: dict) -> dict:
         if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             raise ValidationError(_("Can't modify internal service account users"))

authentik/core/tests/test_groups_api.py

@@ -158,58 +158,3 @@ class TestGroupsAPI(APITestCase):
             data={"name": generate_id(), "is_superuser": True},
         )
         self.assertEqual(res.status_code, 201)
-
-    def test_patch_users_no_perm(self):
-        """PATCH group with new users without add_user_to_group must be rejected."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_users_with_global_perm(self):
-        """PATCH group with new users with global add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group")
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_users_with_obj_perm(self):
-        """PATCH group with new users with object-level add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_users_no_perm(self):
-        """PATCH group keeping existing membership without add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)

authentik/core/tests/test_users_api.py

@@ -12,7 +12,6 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
-    Group,
     Session,
     Token,
     User,
@@ -26,7 +25,6 @@ from authentik.core.tests.utils import (
 )
 from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
-from authentik.rbac.models import Role
 from authentik.stages.email.models import EmailStage
 
 INVALID_PASSWORD_HASH = "not-a-valid-hash"
@@ -941,79 +939,3 @@ class TestUsersAPI(APITestCase):
         self.assertIn(user2.pk, pks)
         # Verify user2 comes before user1 in descending order
         self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
-
-
-class TestUsersAPIGroupRoleValidation(APITestCase):
-    """Test that PATCH /api/v3/core/users/{pk}/ enforces group and role permission checks."""
-
-    def setUp(self) -> None:
-        self.actor = create_test_user()
-        self.target = create_test_user()
-
-    def _patch(self, data: dict):
-        self.client.force_login(self.actor)
-        return self.client.patch(
-            reverse("authentik_api:user-detail", kwargs={"pk": self.target.pk}),
-            data=data,
-            content_type="application/json",
-        )
-
-    def test_patch_superuser_group_no_perm(self):
-        """Assigning a superuser group without enable_group_superuser must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_superuser_group_with_perm(self):
-        """Assigning a superuser group with enable_group_superuser must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_core.enable_group_superuser")
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_non_superuser_group_no_perm(self):
-        """Assigning a non-superuser group without special permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=False)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_superuser_group_no_perm(self):
-        """Keeping an existing superuser group membership without the permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        self.target.groups.add(group)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_role_no_perm(self):
-        """Assigning a new role without change_role must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_role_with_perm(self):
-        """Assigning a new role with change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_rbac.change_role")
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_role_no_perm(self):
-        """Keeping an existing role without change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        self.target.roles.add(role)
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)

authentik/endpoints/connectors/agent/api/connectors.py

@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -44,6 +44,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_ME
 
 
 class AgentConnectorSerializer(ConnectorSerializer):
+
     class Meta(ConnectorSerializer.Meta):
         model = AgentConnector
         fields = ConnectorSerializer.Meta.fields + [
@@ -62,6 +63,7 @@ class AgentConnectorSerializer(ConnectorSerializer):
 
 
 class MDMConfigSerializer(PassiveSerializer):
+
     platform = ChoiceField(choices=OSFamily.choices)
     enrollment_token = PrimaryKeyRelatedField(
         queryset=EnrollmentToken.objects.including_expired().all()
@@ -87,6 +89,7 @@ class AgentConnectorViewSet(
     UsedByMixin,
     ModelViewSet,
 ):
+
     queryset = AgentConnector.objects.all()
     serializer_class = AgentConnectorSerializer
     search_fields = ["name"]
@@ -118,8 +121,6 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
-        # Permissions are handled via AgentEnrollmentAuth
-        permission_classes=[AllowAny],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -150,13 +151,7 @@ class AgentConnectorViewSet(
         request=OpenApiTypes.NONE,
         responses=AgentConfigSerializer(),
     )
-    @action(
-        methods=["GET"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
         connector: AgentConnector = token.device.connector.agentconnector
@@ -170,13 +165,7 @@ class AgentConnectorViewSet(
         request=DeviceFacts(),
         responses={204: OpenApiResponse(description="Successfully checked in")},
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     def check_in(self, request: Request):
         token: DeviceToken = request.auth
         data = DeviceFacts(data=request.data)

authentik/endpoints/connectors/agent/auth.py

@@ -1,6 +1,5 @@
 from typing import Any
 
-from django.db.models import Model
 from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
@@ -10,7 +9,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.api.authentication import VirtualUser, validate_auth
+from authentik.api.authentication import IPCUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
 from authentik.crypto.apps import MANAGED_KEY
@@ -26,19 +25,9 @@ LOGGER = get_logger()
 PLATFORM_ISSUER = "goauthentik.io/platform"
 
 
-class DeviceUser(VirtualUser):
-
+class DeviceUser(IPCUser):
     username = "authentik:endpoints:device"
 
-    def has_perm(self, perm: str, obj: Model | None = None) -> bool:
-        print(perm)
-        if perm in [
-            "authentik_core.view_user",
-            "authentik_core.view_group",
-        ]:
-            return True
-        return False
-
 
 class AgentEnrollmentAuth(BaseAuthentication):
 

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -223,17 +223,3 @@ class TestAgentAPI(APITestCase):
             data={"platform": OSFamily.macOS, "enrollment_token": self.token.pk},
         )
         self.assertEqual(res.status_code, 200)
-
-    def test_users_list(self):
-        response = self.client.get(
-            reverse("authentik_api:user-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_other_api_forbidden(self):
-        response = self.client.get(
-            reverse("authentik_api:application-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 403)

authentik/enterprise/endpoints/connectors/agent/api/connectors.py

@@ -2,7 +2,6 @@ from django.urls import reverse
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
@@ -26,13 +25,7 @@ class AgentConnectorViewSetMixin:
         request=OpenApiTypes.NONE,
         responses=AgentAuthenticationResponse(),
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     @enterprise_action
     def auth_ia(self, request: Request) -> Response:
         token: DeviceToken = request.auth

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -56,9 +55,7 @@ class SignInRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/processors/sign_out.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -33,9 +32,7 @@ class SignOutRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/tests/test_sign_in.py

@@ -27,27 +27,12 @@ class TestWSFedSignIn(TestCase):
             name=generate_id(),
             authorization_flow=self.flow,
             signing_kp=self.cert,
-            acs_url="https://t.goauthentik.io",
-            audience="foo",
         )
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
         self.factory = RequestFactory()
 
-    def test_wreply(self):
-        request = self.factory.get(
-            "/?wreply=https://t.goauthentik.io/foo&wa=wsignin1.0&wtrealm=foo",
-            user=get_anonymous_user(),
-        )
-        SignInRequest.parse(request)
-        with self.assertRaises(ValueError):
-            request = self.factory.get(
-                "/?wreply=https://t.goauthentik.io.invalid.com&wa=wsignin1.0&wtrealm=foo",
-                user=get_anonymous_user(),
-            )
-            SignInRequest.parse(request)
-
     def test_token_gen(self):
         request = self.factory.get("/", user=get_anonymous_user())
         proc = SignInProcessor(

authentik/providers/oauth2/api/tokens.py

@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 
 
@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
     """Serializer for BaseGrantModel and ExpiringBaseGrant"""
 
     user = UserSerializer()
-    provider = ProviderSerializer()
+    provider = OAuth2ProviderSerializer()
     scope = ListField(child=CharField())
 
     class Meta:

authentik/providers/saml/processors/authn_request_parser.py

@@ -19,8 +19,8 @@ from authentik.common.saml.constants import (
     RSA_SHA512,
     SAML_NAME_ID_FORMAT_UNSPECIFIED,
 )
+from authentik.common.saml.exceptions import CannotHandleAssertion
 from authentik.lib.xml import lxml_from_string
-from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
 from authentik.sources.saml.models import SAMLNameIDPolicy

authentik/providers/saml/processors/logout_response_processor.py

@@ -15,8 +15,8 @@ from authentik.common.saml.constants import (
     NS_SAML_PROTOCOL,
     SIGN_ALGORITHM_TRANSFORM_MAP,
 )
+from authentik.common.saml.parsers.logout_request import LogoutRequest
 from authentik.providers.saml.models import SAMLProvider
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
 from authentik.providers.saml.utils import get_random_id
 from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
 from authentik.providers.saml.utils.time import get_time_string

authentik/providers/saml/tasks.py

@@ -5,10 +5,10 @@ from django.contrib.auth import get_user_model
 from dramatiq.actor import actor
 from structlog.stdlib import get_logger
 
+from authentik.common.saml.parsers.logout_request import LogoutRequest
 from authentik.events.models import Event, EventAction
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
 from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
 
 LOGGER = get_logger()

authentik/providers/saml/tests/test_logout_processor_and_parser.py

@@ -8,10 +8,10 @@ from authentik.common.saml.constants import (
     RSA_SHA256,
     SAML_NAME_ID_FORMAT_EMAIL,
 )
+from authentik.common.saml.parsers.logout_request import LogoutRequestParser
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 
 
 class TestLogoutIntegration(TestCase):
@@ -46,7 +46,7 @@ class TestLogoutIntegration(TestCase):
         )
 
         # Create parser for validation
-        self.parser = LogoutRequestParser(self.provider)
+        self.parser = LogoutRequestParser()
 
     def test_post_binding_roundtrip(self):
         """Test that a POST-encoded request can be parsed correctly"""
@@ -100,7 +100,7 @@ class TestLogoutIntegration(TestCase):
         encoded = processor.encode_post()
 
         # Create parser with verification enabled
-        parser = LogoutRequestParser(self.provider)
+        parser = LogoutRequestParser()
 
         # Parse it - this would validate signature if verification is enabled
         parsed = parser.parse(encoded)

authentik/providers/saml/tests/test_logout_request_parser.py

@@ -4,9 +4,9 @@ from django.test import TestCase
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_TRANSIENT
+from authentik.common.saml.parsers.logout_request import LogoutRequestParser
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.sources.saml.models import SAMLSource
 
 GET_LOGOUT_REQUEST = (
@@ -51,7 +51,7 @@ class TestLogoutRequest(TestCase):
 
     def test_static_get(self):
         """Test static LogoutRequest"""
-        request = LogoutRequestParser(self.provider).parse_detached(GET_LOGOUT_REQUEST)
+        request = LogoutRequestParser().parse_detached(GET_LOGOUT_REQUEST)
         self.assertEqual(request.id, "id-2ea1b01f69363ac95e3da4a15409b9d8ec525944")
         self.assertEqual(request.issuer, "saml-test-sp")
         # The GET request has an empty NameID element with transient format
@@ -60,7 +60,7 @@ class TestLogoutRequest(TestCase):
 
     def test_static_post(self):
         """Test static LogoutRequest"""
-        request = LogoutRequestParser(self.provider).parse(POST_LOGOUT_REQUEST)
+        request = LogoutRequestParser().parse(POST_LOGOUT_REQUEST)
         self.assertEqual(request.id, "id-b8f4fd51ed4106f1e782b95d51d9ad3f385e5816")
         self.assertEqual(request.issuer, "saml-test-sp")
         # The POST request has an empty NameID element with transient format

authentik/providers/saml/tests/test_logout_response_processor.py

@@ -9,11 +9,11 @@ from authentik.common.saml.constants import (
     NS_SAML_PROTOCOL,
     NS_SIGNATURE,
 )
+from authentik.common.saml.parsers.logout_request import LogoutRequest
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequest
 from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 

authentik/providers/saml/tests/test_views_sp_slo.py

@@ -7,11 +7,11 @@ from django.test import RequestFactory, TestCase
 from django.urls import reverse
 
 from authentik.common.saml.constants import SAML_NAME_ID_FORMAT_EMAIL
+from authentik.common.saml.exceptions import CannotHandleAssertion
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_brand, create_test_cert, create_test_flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLLogoutMethods, SAMLProvider
 from authentik.providers.saml.processors.logout_request import LogoutRequestProcessor
 from authentik.providers.saml.views.flows import (

authentik/providers/saml/views/sp_slo.py

@@ -7,6 +7,8 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
+from authentik.common.saml.exceptions import CannotHandleAssertion
+from authentik.common.saml.parsers.logout_request import LogoutRequestParser
 from authentik.core.models import Application, AuthenticatedSession
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow, in_memory_stage
@@ -16,7 +18,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.iframe_logout import IframeLogoutStageView
-from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import (
     SAMLBindings,
     SAMLLogoutMethods,
@@ -24,7 +25,6 @@ from authentik.providers.saml.models import (
     SAMLSession,
 )
 from authentik.providers.saml.native_logout import NativeLogoutStageView
-from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.providers.saml.processors.logout_response_processor import LogoutResponseProcessor
 from authentik.providers.saml.tasks import send_saml_logout_response
 from authentik.providers.saml.utils.encoding import nice64
@@ -251,7 +251,7 @@ class SPInitiatedSLOBindingRedirectView(SPInitiatedSLOView):
             return bad_request_message(self.request, "The SAML request payload is missing.")
 
         try:
-            logout_request = LogoutRequestParser(self.provider).parse_detached(
+            logout_request = LogoutRequestParser().parse_detached(
                 self.request.GET[REQUEST_KEY_SAML_REQUEST],
                 relay_state=self.request.GET.get(REQUEST_KEY_RELAY_STATE, None),
             )
@@ -295,7 +295,7 @@ class SPInitiatedSLOBindingPOSTView(SPInitiatedSLOView):
             return bad_request_message(self.request, "The SAML request payload is missing.")
 
         try:
-            logout_request = LogoutRequestParser(self.provider).parse(
+            logout_request = LogoutRequestParser().parse(
                 payload[REQUEST_KEY_SAML_REQUEST],
                 relay_state=payload.get(REQUEST_KEY_RELAY_STATE, None),
             )

authentik/providers/saml/views/sso.py

@@ -8,6 +8,7 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
+from authentik.common.saml.exceptions import CannotHandleAssertion
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
@@ -16,7 +17,6 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO,
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
-from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (

authentik/sources/saml/api/source.py

@@ -43,6 +43,7 @@ class SAMLSourceSerializer(SourceSerializer):
             "force_authn",
             "name_id_policy",
             "binding_type",
+            "slo_binding",
             "verification_kp",
             "signing_kp",
             "digest_algorithm",
@@ -51,6 +52,8 @@ class SAMLSourceSerializer(SourceSerializer):
             "encryption_kp",
             "signed_assertion",
             "signed_response",
+            "sign_authn_request",
+            "sign_logout_request",
         ]
 
 
@@ -78,6 +81,7 @@ class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
         "force_authn",
         "name_id_policy",
         "binding_type",
+        "slo_binding",
         "verification_kp",
         "signing_kp",
         "digest_algorithm",
@@ -85,6 +89,8 @@ class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
         "temporary_user_delete_after",
         "signed_assertion",
         "signed_response",
+        "sign_authn_request",
+        "sign_logout_request",
     ]
     search_fields = ["name", "slug"]
     ordering = ["name"]

authentik/sources/saml/migrations/0022_samlsource_sign_authn_request_and_more.py

@@ -0,0 +1,101 @@
+# Generated by Django 5.2.11 on 2026-02-09 22:34
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0057_remove_user_groups_remove_user_user_permissions_and_more"),
+        ("authentik_sources_saml", "0021_samlsource_signed_assertion_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="samlsource",
+            name="sign_authn_request",
+            field=models.BooleanField(
+                default=True,
+                help_text="Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set.",
+                verbose_name="Sign AuthnRequest",
+            ),
+        ),
+        migrations.AddField(
+            model_name="samlsource",
+            name="sign_logout_request",
+            field=models.BooleanField(
+                default=True,
+                help_text="Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set.",
+                verbose_name="Sign LogoutRequest",
+            ),
+        ),
+        migrations.AddField(
+            model_name="samlsource",
+            name="slo_binding",
+            field=models.CharField(
+                choices=[("REDIRECT", "Redirect Binding"), ("POST", "POST Binding")],
+                default="REDIRECT",
+                help_text="Binding type for Single Logout requests to the IdP.",
+                max_length=100,
+                verbose_name="SLO Binding",
+            ),
+        ),
+        migrations.CreateModel(
+            name="SAMLSourceSession",
+            fields=[
+                (
+                    "saml_session_id",
+                    models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+                ),
+                (
+                    "session_index",
+                    models.TextField(
+                        blank=True,
+                        default="",
+                        help_text="SAML SessionIndex from the IdP's AuthnStatement",
+                    ),
+                ),
+                ("name_id", models.TextField(help_text="SAML NameID value for this session")),
+                (
+                    "name_id_format",
+                    models.TextField(blank=True, default="", help_text="SAML NameID format"),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                (
+                    "session",
+                    models.ForeignKey(
+                        help_text="Link to the user's authenticated session",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.authenticatedsession",
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_sources_saml.samlsource",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                        verbose_name="User",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SAML Source Session",
+                "verbose_name_plural": "SAML Source Sessions",
+                "indexes": [
+                    models.Index(fields=["source", "user"], name="authentik_s_source__abd088_idx"),
+                    models.Index(fields=["session"], name="authentik_s_session_054d2d_idx"),
+                ],
+            },
+        ),
+    ]

authentik/sources/saml/models.py

@@ -1,6 +1,7 @@
 """saml sp models"""
 
 from typing import Any
+from uuid import uuid4
 
 from django.db import models
 from django.http import HttpRequest
@@ -36,9 +37,11 @@ from authentik.common.saml.constants import (
     SHA512,
 )
 from authentik.core.models import (
+    AuthenticatedSession,
     GroupSourceConnection,
     PropertyMapping,
     Source,
+    User,
     UserSourceConnection,
 )
 from authentik.core.types import UILoginButton, UserSettingSerializer
@@ -78,6 +81,13 @@ class SAMLNameIDPolicy(models.TextChoices):
     UNSPECIFIED = SAML_NAME_ID_FORMAT_UNSPECIFIED
 
 
+class SAMLSLOBindingTypes(models.TextChoices):
+    """SAML SLO Binding types"""
+
+    REDIRECT = "REDIRECT", _("Redirect Binding")
+    POST = "POST", _("POST Binding")
+
+
 class SAMLSource(Source):
     """Authenticate using an external SAML Identity Provider."""
 
@@ -134,6 +144,28 @@ class SAMLSource(Source):
         choices=SAMLBindingTypes.choices,
         default=SAMLBindingTypes.REDIRECT,
     )
+    slo_binding = models.CharField(
+        max_length=100,
+        choices=SAMLSLOBindingTypes.choices,
+        default=SAMLSLOBindingTypes.REDIRECT,
+        verbose_name=_("SLO Binding"),
+        help_text=_("Binding type for Single Logout requests to the IdP."),
+    )
+
+    sign_authn_request = models.BooleanField(
+        default=True,
+        verbose_name=_("Sign AuthnRequest"),
+        help_text=_(
+            "Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set."
+        ),
+    )
+    sign_logout_request = models.BooleanField(
+        default=True,
+        verbose_name=_("Sign LogoutRequest"),
+        help_text=_(
+            "Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set."
+        ),
+    )
 
     temporary_user_delete_after = models.TextField(
         default="days=1",
@@ -355,3 +387,39 @@ class GroupSAMLSourceConnection(GroupSourceConnection):
     class Meta:
         verbose_name = _("Group SAML Source Connection")
         verbose_name_plural = _("Group SAML Source Connections")
+
+
+class SAMLSourceSession(models.Model):
+    """Track active SAML source sessions for Single Logout support"""
+
+    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
+    source = models.ForeignKey(SAMLSource, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
+    session = models.ForeignKey(
+        AuthenticatedSession,
+        on_delete=models.CASCADE,
+        help_text=_("Link to the user's authenticated session"),
+    )
+    session_index = models.TextField(
+        default="",
+        blank=True,
+        help_text=_("SAML SessionIndex from the IdP's AuthnStatement"),
+    )
+    name_id = models.TextField(help_text=_("SAML NameID value for this session"))
+    name_id_format = models.TextField(
+        default="",
+        blank=True,
+        help_text=_("SAML NameID format"),
+    )
+    created = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        verbose_name = _("SAML Source Session")
+        verbose_name_plural = _("SAML Source Sessions")
+        indexes = [
+            models.Index(fields=["source", "user"]),
+            models.Index(fields=["session"]),
+        ]
+
+    def __str__(self):
+        return f"SAML Source Session for source {self.source_id} and user {self.user_id}"

authentik/sources/saml/processors/logout_request.py

@@ -0,0 +1,210 @@
+"""SAML Source LogoutRequest Processor"""
+
+import base64
+from urllib.parse import quote, urlencode
+
+import xmlsec
+from django.http import HttpRequest
+from lxml import etree  # nosec
+from lxml.etree import Element, _Element
+
+from authentik.common.saml.constants import (
+    DIGEST_ALGORITHM_TRANSLATION_MAP,
+    NS_MAP,
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    SAML_NAME_ID_FORMAT_EMAIL,
+    SIGN_ALGORITHM_TRANSFORM_MAP,
+)
+from authentik.lib.xml import remove_xml_newlines
+from authentik.providers.saml.utils import get_random_id
+from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
+from authentik.providers.saml.utils.time import get_time_string
+from authentik.sources.saml.models import SAMLSource
+
+
+class LogoutRequestProcessor:
+    """Generate SAML LogoutRequest messages for SP-initiated logout"""
+
+    source: SAMLSource
+    http_request: HttpRequest
+    destination: str
+    name_id: str
+    name_id_format: str
+    session_index: str
+    relay_state: str | None
+
+    _issue_instant: str
+    _request_id: str
+
+    def __init__(
+        self,
+        source: SAMLSource,
+        http_request: HttpRequest,
+        destination: str,
+        name_id: str,
+        name_id_format: str = SAML_NAME_ID_FORMAT_EMAIL,
+        session_index: str = "",
+        relay_state: str | None = None,
+    ):
+        self.source = source
+        self.http_request = http_request
+        self.destination = destination
+        self.name_id = name_id
+        self.name_id_format = name_id_format
+        self.session_index = session_index
+        self.relay_state = relay_state
+
+        self._issue_instant = get_time_string()
+        self._request_id = get_random_id()
+
+    def get_issuer(self) -> Element:
+        """Get Issuer element"""
+        issuer = Element(f"{{{NS_SAML_ASSERTION}}}Issuer")
+        issuer.text = self.source.get_issuer(self.http_request)
+        return issuer
+
+    def get_name_id(self) -> Element:
+        """Get NameID element"""
+        name_id = Element(f"{{{NS_SAML_ASSERTION}}}NameID")
+        name_id.attrib["Format"] = self.name_id_format
+        name_id.text = self.name_id
+        return name_id
+
+    def build(self) -> Element:
+        """Build a SAML LogoutRequest as etree Element"""
+        logout_request = Element(f"{{{NS_SAML_PROTOCOL}}}LogoutRequest", nsmap=NS_MAP)
+        logout_request.attrib["ID"] = self._request_id
+        logout_request.attrib["Version"] = "2.0"
+        logout_request.attrib["IssueInstant"] = self._issue_instant
+        logout_request.attrib["Destination"] = self.destination
+
+        logout_request.append(self.get_issuer())
+        logout_request.append(self.get_name_id())
+
+        if self.session_index:
+            session_index_element = Element(f"{{{NS_SAML_PROTOCOL}}}SessionIndex")
+            session_index_element.text = self.session_index
+            logout_request.append(session_index_element)
+
+        return logout_request
+
+    def encode_post(self) -> str:
+        """Encode LogoutRequest for POST binding"""
+        logout_request = self.build()
+        if self.source.signing_kp and self.source.sign_logout_request:
+            self._sign_logout_request(logout_request)
+        return base64.b64encode(etree.tostring(logout_request)).decode()
+
+    def encode_redirect(self) -> str:
+        """Encode LogoutRequest for Redirect binding"""
+        logout_request = self.build()
+        xml_str = etree.tostring(logout_request, encoding="UTF-8", xml_declaration=True)
+        return deflate_and_base64_encode(xml_str.decode("UTF-8"))
+
+    def get_redirect_url(self) -> str:
+        """Build complete logout URL for redirect binding with signature if needed"""
+        encoded_request = self.encode_redirect()
+        params = {
+            "SAMLRequest": encoded_request,
+        }
+
+        if self.relay_state:
+            params["RelayState"] = self.relay_state
+
+        if self.source.signing_kp and self.source.sign_logout_request:
+            sig_alg = self.source.signature_algorithm
+            params["SigAlg"] = sig_alg
+
+            query_string = self._build_signable_query_string(params)
+            signature = self._sign_query_string(query_string)
+            params["Signature"] = base64.b64encode(signature).decode()
+
+        separator = "&" if "?" in self.destination else "?"
+        return f"{self.destination}{separator}{urlencode(params)}"
+
+    def get_post_form_data(self) -> dict:
+        """Get form data for POST binding"""
+        return {
+            "SAMLRequest": self.encode_post(),
+            "RelayState": self.relay_state or "",
+        }
+
+    def _sign_logout_request(self, logout_request: _Element):
+        """Sign the LogoutRequest element"""
+        signature_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+            self.source.signature_algorithm, xmlsec.constants.TransformRsaSha1
+        )
+        signature = xmlsec.template.create(
+            logout_request,
+            xmlsec.constants.TransformExclC14N,
+            signature_algorithm_transform,
+            ns=xmlsec.constants.DSigNs,
+        )
+
+        issuer = logout_request.find(f"{{{NS_SAML_ASSERTION}}}Issuer")
+        if issuer is not None:
+            issuer.addnext(signature)
+        else:
+            logout_request.insert(0, signature)
+
+        self._sign(logout_request)
+
+    def _sign(self, element: _Element):
+        """Sign an XML element based on the source's configured signing settings"""
+        digest_algorithm_transform = DIGEST_ALGORITHM_TRANSLATION_MAP.get(
+            self.source.digest_algorithm, xmlsec.constants.TransformSha1
+        )
+        xmlsec.tree.add_ids(element, ["ID"])
+        signature_node = xmlsec.tree.find_node(element, xmlsec.constants.NodeSignature)
+        ref = xmlsec.template.add_reference(
+            signature_node,
+            digest_algorithm_transform,
+            uri="#" + element.attrib["ID"],
+        )
+        xmlsec.template.add_transform(ref, xmlsec.constants.TransformEnveloped)
+        xmlsec.template.add_transform(ref, xmlsec.constants.TransformExclC14N)
+        key_info = xmlsec.template.ensure_key_info(signature_node)
+        xmlsec.template.add_x509_data(key_info)
+
+        ctx = xmlsec.SignatureContext()
+
+        key = xmlsec.Key.from_memory(
+            self.source.signing_kp.key_data,
+            xmlsec.constants.KeyDataFormatPem,
+            None,
+        )
+        key.load_cert_from_memory(
+            self.source.signing_kp.certificate_data,
+            xmlsec.constants.KeyDataFormatCertPem,
+        )
+        ctx.key = key
+        ctx.sign(remove_xml_newlines(element, signature_node))
+
+    def _build_signable_query_string(self, params: dict) -> str:
+        """Build query string for signing (order matters per SAML spec)"""
+        ordered = []
+        if "SAMLRequest" in params:
+            ordered.append(f"SAMLRequest={quote(params['SAMLRequest'], safe='')}")
+        if "RelayState" in params:
+            ordered.append(f"RelayState={quote(params['RelayState'], safe='')}")
+        if "SigAlg" in params:
+            ordered.append(f"SigAlg={quote(params['SigAlg'], safe='')}")
+        return "&".join(ordered)
+
+    def _sign_query_string(self, query_string: str) -> bytes:
+        """Sign the query string for redirect binding"""
+        signature_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+            self.source.signature_algorithm, xmlsec.constants.TransformRsaSha256
+        )
+
+        key = xmlsec.Key.from_memory(
+            self.source.signing_kp.key_data,
+            xmlsec.constants.KeyDataFormatPem,
+            None,
+        )
+
+        ctx = xmlsec.SignatureContext()
+        ctx.key = key
+
+        return ctx.sign_binary(query_string.encode("utf-8"), signature_algorithm_transform)

authentik/sources/saml/processors/logout_response.py

@@ -0,0 +1,96 @@
+"""SAML Source LogoutResponse Builder"""
+
+import base64
+from urllib.parse import urlencode
+
+from django.http import HttpRequest
+from lxml import etree  # nosec
+from lxml.etree import Element
+
+from authentik.common.saml.constants import (
+    NS_MAP,
+    NS_SAML_ASSERTION,
+    NS_SAML_PROTOCOL,
+    SAML_STATUS_SUCCESS,
+)
+from authentik.providers.saml.utils import get_random_id
+from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
+from authentik.providers.saml.utils.time import get_time_string
+from authentik.sources.saml.models import SAMLSource
+
+
+class LogoutResponseBuilder:
+    """Build SAML LogoutResponse messages for IdP-initiated logout"""
+
+    source: SAMLSource
+    http_request: HttpRequest
+    destination: str
+    in_response_to: str
+
+    _issue_instant: str
+    _response_id: str
+
+    def __init__(
+        self,
+        source: SAMLSource,
+        http_request: HttpRequest,
+        destination: str,
+        in_response_to: str,
+    ):
+        self.source = source
+        self.http_request = http_request
+        self.destination = destination
+        self.in_response_to = in_response_to
+
+        self._issue_instant = get_time_string()
+        self._response_id = get_random_id()
+
+    def build(self) -> Element:
+        """Build a SAML LogoutResponse as etree Element"""
+        response = Element(f"{{{NS_SAML_PROTOCOL}}}LogoutResponse", nsmap=NS_MAP)
+        response.attrib["ID"] = self._response_id
+        response.attrib["Version"] = "2.0"
+        response.attrib["IssueInstant"] = self._issue_instant
+        response.attrib["Destination"] = self.destination
+        response.attrib["InResponseTo"] = self.in_response_to
+
+        # Issuer
+        issuer = Element(f"{{{NS_SAML_ASSERTION}}}Issuer")
+        issuer.text = self.source.get_issuer(self.http_request)
+        response.append(issuer)
+
+        # Status
+        status = Element(f"{{{NS_SAML_PROTOCOL}}}Status")
+        status_code = Element(f"{{{NS_SAML_PROTOCOL}}}StatusCode")
+        status_code.attrib["Value"] = SAML_STATUS_SUCCESS
+        status.append(status_code)
+        response.append(status)
+
+        return response
+
+    def encode_post(self) -> str:
+        """Encode LogoutResponse for POST binding"""
+        response = self.build()
+        return base64.b64encode(etree.tostring(response)).decode()
+
+    def encode_redirect(self) -> str:
+        """Encode LogoutResponse for Redirect binding"""
+        response = self.build()
+        xml_str = etree.tostring(response, encoding="UTF-8", xml_declaration=True)
+        return deflate_and_base64_encode(xml_str.decode("UTF-8"))
+
+    def get_redirect_url(self, relay_state: str | None = None) -> str:
+        """Build complete URL for redirect binding"""
+        encoded = self.encode_redirect()
+        params = {"SAMLResponse": encoded}
+        if relay_state:
+            params["RelayState"] = relay_state
+        separator = "&" if "?" in self.destination else "?"
+        return f"{self.destination}{separator}{urlencode(params)}"
+
+    def get_post_form_data(self, relay_state: str | None = None) -> dict:
+        """Get form data for POST binding"""
+        data = {"SAMLResponse": self.encode_post()}
+        if relay_state:
+            data["RelayState"] = relay_state
+        return data

authentik/sources/saml/processors/metadata.py

@@ -8,6 +8,7 @@ from authentik.common.saml.constants import (
     NS_SAML_METADATA,
     NS_SIGNATURE,
     SAML_BINDING_POST,
+    SAML_BINDING_REDIRECT,
 )
 from authentik.providers.saml.utils.encoding import strip_pem_header
 from authentik.sources.saml.models import SAMLSource
@@ -75,6 +76,19 @@ class MetadataProcessor:
         if encryption_descriptor is not None:
             sp_sso_descriptor.append(encryption_descriptor)
 
+        if self.source.slo_url:
+            slo_location = self.source.build_full_url(self.http_request, view="slo")
+
+            slo_redirect = SubElement(
+                sp_sso_descriptor, f"{{{NS_SAML_METADATA}}}SingleLogoutService"
+            )
+            slo_redirect.attrib["Binding"] = SAML_BINDING_REDIRECT
+            slo_redirect.attrib["Location"] = slo_location
+
+            slo_post = SubElement(sp_sso_descriptor, f"{{{NS_SAML_METADATA}}}SingleLogoutService")
+            slo_post.attrib["Binding"] = SAML_BINDING_POST
+            slo_post.attrib["Location"] = slo_location
+
         sp_sso_descriptor.append(self.get_name_id_format())
 
         assertion_consumer_service = SubElement(

authentik/sources/saml/processors/request.py

@@ -72,7 +72,11 @@ class RequestProcessor:
         # Create issuer object
         auth_n_request.append(self.get_issuer())
 
-        if self.source.signing_kp and self.source.binding_type != SAMLBindingTypes.REDIRECT:
+        if (
+            self.source.signing_kp
+            and self.source.sign_authn_request
+            and self.source.binding_type != SAMLBindingTypes.REDIRECT
+        ):
             sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                 self.source.signature_algorithm, xmlsec.constants.TransformRsaSha1
             )
@@ -93,7 +97,11 @@ class RequestProcessor:
         (used for POST Bindings)"""
         auth_n_request = self.get_auth_n()
 
-        if self.source.signing_kp and self.source.binding_type != SAMLBindingTypes.REDIRECT:
+        if (
+            self.source.signing_kp
+            and self.source.sign_authn_request
+            and self.source.binding_type != SAMLBindingTypes.REDIRECT
+        ):
             xmlsec.tree.add_ids(auth_n_request, ["ID"])
 
             ctx = xmlsec.SignatureContext()
@@ -141,7 +149,7 @@ class RequestProcessor:
         if self.relay_state != "":
             response_dict["RelayState"] = self.relay_state
 
-        if self.source.signing_kp:
+        if self.source.signing_kp and self.source.sign_authn_request:
             sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                 self.source.signature_algorithm, xmlsec.constants.TransformRsaSha1
             )

authentik/sources/saml/processors/response.py

@@ -1,7 +1,6 @@
 """authentik saml source processor"""
 
 from base64 import b64decode
-from datetime import UTC, datetime
 from time import mktime
 from typing import TYPE_CHECKING
 
@@ -41,15 +40,11 @@ from authentik.sources.saml.exceptions import (
     InvalidSignature,
     MismatchedRequestID,
     MissingSAMLResponse,
-    SAMLException,
     UnsupportedNameIDFormat,
 )
-from authentik.sources.saml.models import (
-    GroupSAMLSourceConnection,
-    SAMLSource,
-    UserSAMLSourceConnection,
-)
+from authentik.sources.saml.models import SAMLSource, UserSAMLSourceConnection
 from authentik.sources.saml.processors.request import SESSION_KEY_REQUEST_ID
+from authentik.sources.saml.stages import PLAN_CONTEXT_SAML_SESSION_DATA, SAMLSourceFlowManager
 
 LOGGER = get_logger()
 if TYPE_CHECKING:
@@ -97,7 +92,6 @@ class ResponseProcessor:
 
         self._verify_request_id()
         self._verify_status()
-        self._verify_conditions()
 
     def _decrypt_response(self):
         """Decrypt SAMLResponse EncryptedAssertion Element"""
@@ -129,20 +123,6 @@ class ResponseProcessor:
         )
         self._assertion = decrypted_assertion
 
-    def _verify_conditions(self):
-        conditions = self.get_assertion().find(f"{{{NS_SAML_ASSERTION}}}Conditions")
-        if conditions is None:
-            return
-        _now = now()
-        before = conditions.attrib.get("NotBefore")
-        if before:
-            if datetime.fromisoformat(before).replace(tzinfo=UTC) > _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-        on_or_after = conditions.attrib.get("NotOnOrAfter")
-        if on_or_after:
-            if datetime.fromisoformat(on_or_after).replace(tzinfo=UTC) < _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-
     def _verify_signature(self, signature_node: _Element):
         """Verify a single signature node"""
         xmlsec.tree.add_ids(self._root, ["ID"])
@@ -232,9 +212,10 @@ class ResponseProcessor:
         user has an attribute that refers to our Source for cleanup. The user is also deleted
         on logout and periodically."""
         # Create a temporary User
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
+        username = name_id.text
         # trim username to ensure it is max 150 chars
-        username = f"ak-{name_id[: USERNAME_MAX_LENGTH - 14]}-transient"
+        username = f"ak-{username[: USERNAME_MAX_LENGTH - 14]}-transient"
         expiry = mktime(
             (now() + timedelta_from_string(self._source.temporary_user_delete_after)).timetuple()
         )
@@ -250,29 +231,48 @@ class ResponseProcessor:
             },
             path=self._source.get_user_path(),
         )
-        LOGGER.debug("Created temporary user for NameID Transient", username=name_id)
+        LOGGER.debug("Created temporary user for NameID Transient", username=name_id.text)
         user.set_unusable_password()
         user.save()
-        UserSAMLSourceConnection.objects.create(source=self._source, user=user, identifier=name_id)
+        UserSAMLSourceConnection.objects.create(
+            source=self._source, user=user, identifier=name_id.text
+        )
+        session_index = self._get_session_index()
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
+            },
+            policy_context={
+                PLAN_CONTEXT_SAML_SESSION_DATA: {
+                    "session_index": session_index or "",
+                    "name_id": name_id.text,
+                    "name_id_format": name_id.attrib.get("Format", ""),
+                },
             },
-            policy_context={},
         )
 
+    def _get_session_index(self) -> str | None:
+        """Get SessionIndex from AuthnStatement element"""
+        assertion = self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
+        if assertion is None:
+            return None
+        authn_statement = assertion.find(f"{{{NS_SAML_ASSERTION}}}AuthnStatement")
+        if authn_statement is None:
+            return None
+        return authn_statement.attrib.get("SessionIndex")
+
     def get_assertion(self) -> Element | None:
         """Get assertion element, if we have a signed assertion"""
         if self._assertion is not None:
             return self._assertion
         return self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
 
-    def _get_name_id(self) -> tuple[Element, str]:
+    def _get_name_id(self) -> Element:
         """Get NameID Element"""
         assertion = self.get_assertion()
         if assertion is None:
@@ -283,11 +283,12 @@ class ResponseProcessor:
         name_id = subject.find(f"{{{NS_SAML_ASSERTION}}}NameID")
         if name_id is None:
             raise ValueError("NameID element not found")
-        return name_id, "".join(name_id.itertext())
+        return name_id
 
     def _get_name_id_filter(self) -> dict[str, str]:
         """Returns the subject's NameID as a Filter for the `User`"""
-        name_id_el, name_id = self._get_name_id()
+        name_id_el = self._get_name_id()
+        name_id = name_id_el.text
         if not name_id:
             raise UnsupportedNameIDFormat("Subject's NameID is empty.")
         _format = name_id_el.attrib["Format"]
@@ -308,35 +309,34 @@ class ResponseProcessor:
 
     def prepare_flow_manager(self) -> SourceFlowManager:
         """Prepare flow plan depending on whether or not the user exists"""
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
         # Sanity check, show a warning if NameIDPolicy doesn't match what we go
-        if self._source.name_id_policy != name_id_el.attrib["Format"]:
+        if self._source.name_id_policy != name_id.attrib["Format"]:
             LOGGER.warning(
                 "NameID from IdP doesn't match our policy",
                 expected=self._source.name_id_policy,
-                got=name_id_el.attrib["Format"],
+                got=name_id.attrib["Format"],
             )
         # transient NameIDs are handled separately as they don't have to go through flows.
-        if name_id_el.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             return self._handle_name_id_transient()
 
+        session_index = self._get_session_index()
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
             },
             policy_context={
                 "saml_response": etree.tostring(self._root),
+                PLAN_CONTEXT_SAML_SESSION_DATA: {
+                    "session_index": session_index or "",
+                    "name_id": name_id.text,
+                    "name_id_format": name_id.attrib.get("Format", ""),
+                },
             },
         )
-
-
-class SAMLSourceFlowManager(SourceFlowManager):
-    """Source flow manager for SAML Sources"""
-
-    user_connection_type = UserSAMLSourceConnection
-    group_connection_type = GroupSAMLSourceConnection

authentik/sources/saml/signals.py

@@ -3,12 +3,40 @@
 from django.contrib.auth.signals import user_logged_out
 from django.dispatch import receiver
 from django.http import HttpRequest
+from django.urls import reverse
 from structlog.stdlib import get_logger
 
-from authentik.core.models import USER_ATTRIBUTE_DELETE_ON_LOGOUT, User
+from authentik.core.models import USER_ATTRIBUTE_DELETE_ON_LOGOUT, AuthenticatedSession, User
+from authentik.flows.challenge import PLAN_CONTEXT_ATTRS, PLAN_CONTEXT_TITLE, PLAN_CONTEXT_URL
+from authentik.flows.models import in_memory_stage
+from authentik.flows.stage import RedirectStage, SessionEndStage
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.providers.saml.native_logout import NativeLogoutStageView
+from authentik.sources.saml.models import SAMLSLOBindingTypes, SAMLSourceSession
+from authentik.sources.saml.processors.logout_request import LogoutRequestProcessor
+from authentik.sources.saml.views import PLAN_CONTEXT_SAML_RELAY_STATE, AutosubmitStageView
+from authentik.stages.user_logout.models import UserLogoutStage
+from authentik.stages.user_logout.stage import flow_pre_user_logout
 
 LOGGER = get_logger()
 
+# Stages that redirect the user away from authentik. Source SLO stages must be
+# inserted before these so they have a chance to execute.
+TERMINAL_STAGE_VIEWS = {SessionEndStage, NativeLogoutStageView}
+
+
+def _insert_before_terminal_stage(plan, stage):
+    """Insert a stage before any terminal stage (SessionEndStage, NativeLogoutStageView)
+    in the plan. Falls back to append if no terminal stage is found."""
+    for i, binding in enumerate(plan.bindings):
+        try:
+            if binding.stage.view in TERMINAL_STAGE_VIEWS:
+                plan.insert_stage(stage, index=i)
+                return
+        except NotImplementedError:
+            continue
+    plan.append_stage(stage)
+
 
 @receiver(user_logged_out)
 def on_user_logged_out(sender, request: HttpRequest, user: User, **_):
@@ -18,3 +46,89 @@ def on_user_logged_out(sender, request: HttpRequest, user: User, **_):
     if user.attributes.get(USER_ATTRIBUTE_DELETE_ON_LOGOUT, False):
         LOGGER.debug("Deleted temporary user", user=user)
         user.delete()
+
+
+@receiver(flow_pre_user_logout)
+def handle_saml_source_pre_user_logout(
+    sender, request: HttpRequest, user: User, executor: FlowExecutorView, **kwargs
+):
+    """Handle SAML source SP-initiated SLO when user logs out via flow.
+    Injects a stage into the logout flow to redirect the user to the IdP's SLO URL."""
+    if not isinstance(executor.current_stage, UserLogoutStage):
+        return
+
+    if not user.is_authenticated:
+        return
+
+    auth_session = AuthenticatedSession.from_request(request, user)
+    if not auth_session:
+        return
+
+    # Find SAMLSourceSessions for this user's current session
+    saml_source_sessions = SAMLSourceSession.objects.filter(
+        session=auth_session,
+        user=user,
+    ).select_related("source")
+
+    for saml_session in saml_source_sessions:
+        source = saml_session.source
+        if not source.slo_url or not source.enabled:
+            continue
+
+        try:
+            # Use the flow executor URL as relay_state so that after the IdP
+            # processes the LogoutRequest and sends a LogoutResponse, the user
+            # is redirected back to the flow to continue remaining stages.
+            relay_state = request.build_absolute_uri(
+                reverse(
+                    "authentik_core:if-flow",
+                    kwargs={"flow_slug": executor.flow.slug},
+                )
+            )
+
+            # Stash the outbound relay_state so the SLOView can redirect to a
+            # server-known value rather than trusting the echoed request param.
+            executor.plan.context[PLAN_CONTEXT_SAML_RELAY_STATE] = relay_state
+
+            processor = LogoutRequestProcessor(
+                source=source,
+                http_request=request,
+                destination=source.slo_url,
+                name_id=saml_session.name_id,
+                name_id_format=saml_session.name_id_format,
+                session_index=saml_session.session_index,
+                relay_state=relay_state,
+            )
+
+            # Insert before terminal stages (SessionEndStage, NativeLogoutStageView)
+            # so the SLO redirect runs before the flow ends or the user is
+            # redirected away. Provider logout stages (at index 1/2) still run
+            # first since they're inserted earlier.
+            if source.slo_binding == SAMLSLOBindingTypes.REDIRECT:
+                redirect_url = processor.get_redirect_url()
+                stage = in_memory_stage(RedirectStage, destination=redirect_url)
+            else:
+                # POST binding
+                form_data = processor.get_post_form_data()
+                executor.plan.context[PLAN_CONTEXT_TITLE] = f"Logging out of {source.name}..."
+                executor.plan.context[PLAN_CONTEXT_URL] = source.slo_url
+                executor.plan.context[PLAN_CONTEXT_ATTRS] = form_data
+                stage = in_memory_stage(AutosubmitStageView)
+
+            _insert_before_terminal_stage(executor.plan, stage)
+
+            LOGGER.debug(
+                "Injected SAML source SLO into logout flow",
+                source=source.name,
+                binding=source.slo_binding,
+            )
+
+        except (KeyError, AttributeError) as exc:
+            LOGGER.warning(
+                "Failed to generate SAML source logout request",
+                source=source.name,
+                exc=exc,
+            )
+
+    # Clean up SAMLSourceSessions for this auth session
+    saml_source_sessions.delete()

authentik/sources/saml/stages.py

@@ -0,0 +1,71 @@
+"""SAML Source stages and flow manager"""
+
+from django.http import HttpRequest, HttpResponse
+from structlog.stdlib import get_logger
+
+from authentik.core.models import AuthenticatedSession, User
+from authentik.core.sources.flow_manager import SourceFlowManager
+from authentik.core.sources.stage import PostSourceStage
+from authentik.flows.models import Flow, Stage, in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
+from authentik.sources.saml.models import (
+    GroupSAMLSourceConnection,
+    SAMLSource,
+    SAMLSourceSession,
+    UserSAMLSourceConnection,
+)
+
+LOGGER = get_logger()
+
+PLAN_CONTEXT_SAML_SESSION_DATA = "saml_session_data"
+
+
+class SAMLPostSourceStage(PostSourceStage):
+    """Extends PostSourceStage to also create SAMLSourceSession for SLO support."""
+
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        response = super().dispatch(request)
+
+        session_data = self.executor.plan.context.get(PLAN_CONTEXT_SAML_SESSION_DATA)
+        if not session_data:
+            return response
+
+        source = self.executor.plan.context.get(PLAN_CONTEXT_SOURCE)
+        if not isinstance(source, SAMLSource):
+            return response
+
+        user: User = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
+        if not user or not user.pk:
+            return response
+
+        auth_session = AuthenticatedSession.from_request(request, user)
+        if not auth_session:
+            return response
+
+        SAMLSourceSession.objects.create(
+            source=source,
+            user=user,
+            session=auth_session,
+            session_index=session_data.get("session_index", ""),
+            name_id=session_data.get("name_id", ""),
+            name_id_format=session_data.get("name_id_format", ""),
+        )
+        LOGGER.debug(
+            "Created SAMLSourceSession",
+            source=source.name,
+            user=user,
+            session_index=session_data.get("session_index", ""),
+        )
+        return response
+
+
+class SAMLSourceFlowManager(SourceFlowManager):
+    """Source flow manager for SAML Sources"""
+
+    user_connection_type = UserSAMLSourceConnection
+    group_connection_type = GroupSAMLSourceConnection
+
+    def get_stages_to_append(self, flow: Flow) -> list[Stage]:
+        return [
+            in_memory_stage(SAMLPostSourceStage),
+        ]

authentik/sources/saml/tests/test_property_mappings.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from defusedxml.lxml import fromstring
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.common.saml.constants import NS_SAML_ASSERTION
 from authentik.core.tests.utils import RequestFactory, create_test_flow
@@ -35,7 +34,6 @@ class TestPropertyMappings(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_base_properties(self):
         """Test user base properties"""
         properties = self.source.get_base_user_properties(
@@ -63,7 +61,6 @@ class TestPropertyMappings(TestCase):
             properties = self.source.get_base_group_properties(root=ROOT, group_id=group_id)
             self.assertEqual(properties, {"name": group_id})
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_property_mappings(self):
         """Test user property mappings"""
         self.source.user_property_mappings.add(
@@ -97,7 +94,6 @@ class TestPropertyMappings(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_group_property_mappings(self):
         """Test group property mappings"""
         self.source.group_property_mappings.add(

authentik/sources/saml/tests/test_response.py

@@ -3,7 +3,6 @@
 from base64 import b64encode
 
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import RequestFactory, create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
@@ -47,7 +46,6 @@ class TestResponseProcessor(TestCase):
         ):
             ResponseProcessor(self.source, request).parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_success(self):
         """Test success"""
         request = self.factory.post(
@@ -74,7 +72,6 @@ class TestResponseProcessor(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_success_with_status_message_and_detail(self):
         """Test success with StatusMessage and StatusDetail present (should not raise error)"""
         request = self.factory.post(
@@ -91,7 +88,6 @@ class TestResponseProcessor(TestCase):
         sfm = parser.prepare_flow_manager()
         self.assertEqual(sfm.user_properties["username"], "jens@goauthentik.io")
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_error_with_message_and_detail(self):
         """Test error status with StatusMessage and StatusDetail includes both in error"""
         request = self.factory.post(
@@ -109,7 +105,6 @@ class TestResponseProcessor(TestCase):
         self.assertIn("User account is disabled", str(ctx.exception))
         self.assertIn("Authentication failed", str(ctx.exception))
 
-    @freeze_time("2024-08-07T15:48:09.325Z")
     def test_encrypted_correct(self):
         """Test encrypted"""
         key = load_fixture("fixtures/encrypted-key.pem")
@@ -147,7 +142,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaises(InvalidEncryption):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_verification_assertion(self):
         """Test verifying signature inside assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -170,7 +164,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_assertion_duplicate(self):
         """Test verifying signature inside assertion, where the response has another assertion
         before our signed assertion"""
@@ -193,35 +186,9 @@ class TestResponseProcessor(TestCase):
 
         parser = ResponseProcessor(self.source, request)
         parser.parse()
-        self.assertNotEqual(parser._get_name_id()[1], "bad")
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+        self.assertNotEqual(parser._get_name_id().text, "bad")
+        self.assertEqual(parser._get_name_id().text, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
 
-    @freeze_time("2022-10-14T14:15:00")
-    def test_name_id_comment(self):
-        """Test comment in name ID"""
-        fixture = load_fixture("fixtures/response_signed_assertion_dup.xml")
-        fixture = fixture.replace(
-            "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7",
-            "_ce3d2948b4cf20146dee0a0b3dd6f<!--x-->69b6cf86f62d7",
-        )
-        key = load_fixture("fixtures/signature_cert.pem")
-        kp = CertificateKeyPair.objects.create(
-            name=generate_id(),
-            certificate_data=key,
-        )
-        self.source.verification_kp = kp
-        self.source.signed_assertion = True
-        self.source.signed_response = False
-        request = self.factory.post(
-            "/",
-            data={"SAMLResponse": b64encode(fixture.encode()).decode()},
-        )
-
-        parser = ResponseProcessor(self.source, request)
-        parser.parse()
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
-
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_response(self):
         """Test verifying signature inside response"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -244,7 +211,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2024-01-18T06:20:48Z")
     def test_verification_response_and_assertion(self):
         """Test verifying signature inside response and assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -291,7 +257,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_verification_no_signature(self):
         """Test rejecting response without signature when signed_assertion is True"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -338,7 +303,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2025-10-30T05:45:47.619Z")
     def test_signed_encrypted_response(self):
         """Test signed & encrypted response"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")
@@ -366,7 +330,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2026-01-21T14:23")
     def test_transient(self):
         """Test SAML transient NameID"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")

authentik/sources/saml/tests/test_views.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import PLAN_CONTEXT_REDIRECT, FlowPlan
@@ -27,7 +26,6 @@ class TestViews(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll(self):
         """Enroll"""
         flow = create_test_flow()
@@ -54,7 +52,6 @@ class TestViews(TestCase):
         plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
         self.assertIsNotNone(plan)
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll_redirect(self):
         """Enroll when attempting to access a provider"""
         initial_redirect = f"http://{generate_id()}"

authentik/sources/saml/views.py

@@ -3,7 +3,6 @@
 from urllib.parse import parse_qsl, urlparse, urlunparse
 
 from django.contrib.auth import logout
-from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import SuspiciousOperation
 from django.http import Http404, HttpRequest, HttpResponse
 from django.http.response import HttpResponseBadRequest
@@ -13,9 +12,13 @@ from django.utils.http import urlencode
 from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
+from lxml import etree  # nosec
 from structlog.stdlib import get_logger
 from xmlsec import InternalError, VerificationError
 
+from authentik.common.saml.exceptions import CannotHandleAssertion
+from authentik.common.saml.parsers.logout_request import LogoutRequestParser
+from authentik.common.saml.parsers.logout_response import LogoutResponseParser
 from authentik.flows.challenge import (
     PLAN_CONTEXT_ATTRS,
     PLAN_CONTEXT_TITLE,
@@ -33,7 +36,7 @@ from authentik.flows.planner import (
     FlowPlan,
     FlowPlanner,
 )
-from authentik.flows.stage import ChallengeStageView
+from authentik.flows.stage import ChallengeStageView, RedirectStage, SessionEndStage
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
@@ -44,7 +47,13 @@ from authentik.sources.saml.exceptions import (
     MissingSAMLResponse,
     UnsupportedNameIDFormat,
 )
-from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
+from authentik.sources.saml.models import (
+    SAMLBindingTypes,
+    SAMLSLOBindingTypes,
+    SAMLSource,
+    SAMLSourceSession,
+)
+from authentik.sources.saml.processors.logout_response import LogoutResponseBuilder
 from authentik.sources.saml.processors.metadata import MetadataProcessor
 from authentik.sources.saml.processors.request import RequestProcessor
 from authentik.sources.saml.processors.response import ResponseProcessor
@@ -52,6 +61,8 @@ from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_HEADER, ConsentS
 
 LOGGER = get_logger()
 
+PLAN_CONTEXT_SAML_RELAY_STATE = "goauthentik.io/sources/saml/relay_state"
+
 
 class AutosubmitStageView(ChallengeStageView):
     """Wrapper stage to create an autosubmit challenge from plan context variables"""
@@ -181,16 +192,195 @@ class ACSView(View):
             return bad_request_message(request, str(exc))
 
 
-class SLOView(LoginRequiredMixin, View):
-    """Single-Logout-View"""
+@method_decorator(csrf_exempt, name="dispatch")
+class SLOView(View):
+    """Single-Logout-View: handles SP-initiated SLO, IdP-initiated LogoutRequest,
+    and LogoutResponse from IdP"""
 
-    def dispatch(self, request: HttpRequest, source_slug: str) -> HttpResponse:
-        """Log user out and redirect them to the IdP's SLO URL."""
+    def get(self, request: HttpRequest, source_slug: str) -> HttpResponse:
+        """Handle GET requests: LogoutResponse, LogoutRequest, or initiate SLO."""
         source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
         if not source.enabled:
             raise Http404
-        logout(request)
-        return redirect(source.slo_url)
+
+        if "SAMLResponse" in request.GET:
+            return self._handle_logout_response(
+                request,
+                request.GET["SAMLResponse"],
+                relay_state=request.GET.get("RelayState"),
+            )
+
+        if "SAMLRequest" in request.GET:
+            return self._handle_logout_request(
+                request, source, request.GET["SAMLRequest"], is_post=False
+            )
+
+        # No SAML message, initiate SP-initiated SLO
+        return self._initiate_logout(request)
+
+    def post(self, request: HttpRequest, source_slug: str) -> HttpResponse:
+        """Handle POST requests: LogoutResponse or LogoutRequest from the IdP."""
+        source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
+        if not source.enabled:
+            raise Http404
+
+        if "SAMLResponse" in request.POST:
+            return self._handle_logout_response(
+                request,
+                request.POST["SAMLResponse"],
+                relay_state=request.POST.get("RelayState"),
+            )
+
+        if "SAMLRequest" in request.POST:
+            return self._handle_logout_request(
+                request, source, request.POST["SAMLRequest"], is_post=True
+            )
+
+        return bad_request_message(request, "Missing SAMLRequest or SAMLResponse")
+
+    def _initiate_logout(self, request: HttpRequest) -> HttpResponse:
+        """Initiate logout using the brand's invalidation flow.
+
+        The invalidation flow contains a UserLogoutStage which fires the
+        flow_pre_user_logout signal. Our signal handler in signals.py picks that up,
+        finds the SAMLSourceSession, and injects the SLO redirect/POST stage."""
+        # Sources do not have an invalidation flow, use the brand's
+        flow = request.brand.flow_invalidation
+        if not flow:
+            logout(request)
+            return redirect("authentik_core:root-redirect")
+
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        try:
+            plan = planner.plan(request)
+        except FlowNonApplicableException:
+            logout(request)
+            return redirect("authentik_core:root-redirect")
+        plan.append_stage(in_memory_stage(SessionEndStage))
+        return plan.to_redirect(request, flow)
+
+    def _handle_logout_request(
+        self,
+        request: HttpRequest,
+        source: SAMLSource,
+        raw_request: str,
+        is_post: bool = False,
+    ) -> HttpResponse:
+        """Handle an incoming LogoutRequest from the IdP (IdP-initiated SLO).
+
+        Parses the request, deletes the SAMLSourceSession (to prevent circular
+        redirect back to the IdP), runs the invalidation flow, and appends a
+        final stage to send the LogoutResponse back to the IdP."""
+        parser = LogoutRequestParser()
+        try:
+            if is_post:
+                logout_request = parser.parse(raw_request)
+            else:
+                logout_request = parser.parse_detached(raw_request)
+        except (CannotHandleAssertion, ValueError) as exc:
+            LOGGER.warning("Failed to parse LogoutRequest from IdP", exc=exc)
+            return bad_request_message(request, str(exc))
+
+        relay_state = (
+            request.GET.get("RelayState") if not is_post else request.POST.get("RelayState")
+        )
+
+        # Delete SAMLSourceSession so the source signal handler doesn't try to
+        # redirect back to the IdP (which would be circular)
+        SAMLSourceSession.objects.filter(
+            source=source,
+            user=request.user,
+        ).delete()
+
+        # Build the LogoutResponse to send back to the IdP after logout
+        response_builder = LogoutResponseBuilder(
+            source=source,
+            http_request=request,
+            destination=source.slo_url,
+            in_response_to=logout_request.id,
+        )
+
+        # Sources do not have an invalidation flow, use the brand's
+        flow = request.brand.flow_invalidation
+        if not flow:
+            logout(request)
+            return self._send_logout_response(response_builder, relay_state)
+
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        try:
+            plan = planner.plan(request)
+        except FlowNonApplicableException:
+            logout(request)
+            return self._send_logout_response(response_builder, relay_state)
+
+        # Append logout response stage, then session end
+        self._append_response_stage(plan, source, response_builder, relay_state)
+        plan.append_stage(in_memory_stage(SessionEndStage))
+        return plan.to_redirect(request, flow)
+
+    def _send_logout_response(
+        self,
+        response_builder: LogoutResponseBuilder,
+        relay_state: str | None = None,
+    ) -> HttpResponse:
+        """Send LogoutResponse back to the IdP directly (no flow).
+        Without a flow we can't render an autosubmit form, so always redirect."""
+        return redirect(response_builder.get_redirect_url(relay_state))
+
+    def _append_response_stage(
+        self,
+        plan: FlowPlan,
+        source: SAMLSource,
+        response_builder: LogoutResponseBuilder,
+        relay_state: str | None = None,
+    ):
+        """Append a stage to send the LogoutResponse back to the IdP."""
+        if source.slo_binding == SAMLSLOBindingTypes.REDIRECT:
+            redirect_url = response_builder.get_redirect_url(relay_state)
+            plan.append_stage(in_memory_stage(RedirectStage, destination=redirect_url))
+        else:
+            # POST binding — use autosubmit form
+            form_data = response_builder.get_post_form_data(relay_state)
+            plan.context[PLAN_CONTEXT_TITLE] = f"Logging out of {source.name}..."
+            plan.context[PLAN_CONTEXT_URL] = source.slo_url
+            plan.context[PLAN_CONTEXT_ATTRS] = form_data
+            plan.append_stage(in_memory_stage(AutosubmitStageView))
+
+    def _handle_logout_response(
+        self, request: HttpRequest, raw_response: str, relay_state: str | None = None
+    ) -> HttpResponse:
+        """Parse and handle a LogoutResponse from the IdP."""
+        processor = LogoutResponseParser(raw_response)
+        try:
+            processor.parse()
+        except (ValueError, etree.XMLSyntaxError) as exc:
+            LOGGER.warning("Failed to parse LogoutResponse", exc=exc)
+            return redirect("authentik_core:root-redirect")
+
+        processor.verify_status()
+
+        # If a RelayState was provided (e.g. the flow executor URL), advance
+        # past the current stage (RedirectStage) in the plan so the flow
+        # continues to the next stage instead of looping. Only redirect to the
+        # value stashed in the plan context on outbound — never to the value
+        # echoed back in the request, which is attacker-controllable.
+        if relay_state and SESSION_KEY_PLAN in request.session:
+            plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+            stored_relay_state = plan.context.get(PLAN_CONTEXT_SAML_RELAY_STATE, "")
+            if relay_state != stored_relay_state:
+                LOGGER.warning(
+                    "SAML logout relay_state mismatch, possible open redirect attempt",
+                    received_relay_state=relay_state,
+                    stored_relay_state=stored_relay_state,
+                )
+            if plan.bindings:
+                plan.pop()
+                request.session[SESSION_KEY_PLAN] = plan
+            if stored_relay_state:
+                return redirect(stored_relay_state)
+        return redirect("authentik_core:root-redirect")
 
 
 class MetadataView(View):

blueprints/example/flow-default-account-lockdown.yaml

@@ -36,10 +36,14 @@ entries:
       attrs:
         order: 50
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          pending_user = user if getattr(user, "is_authenticated", False) else None
-          target_uuid = str(getattr(pending_user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          pending_user = None
+          if target_uuid and not is_self_service:
+              from authentik.core.models import User
+
+              pending_user = User.objects.filter(pk=target_uuid).first()
           if is_self_service:
               return (
                   "<p><strong>You are about to lock down your own account.</strong></p>"
@@ -59,15 +63,14 @@ entries:
           from django.utils.html import escape
 
           if pending_user:
-              detail = pending_user.email or pending_user.name
-              user_html = f"<code>{escape(pending_user.username)}</code>"
-              if detail and detail != pending_user.username:
-                  user_html = f"{user_html} ({escape(detail)})"
+              email = escape(pending_user.email or pending_user.name or "No email")
+              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
           else:
-              user_html = "the account selected when this one-time lockdown link was created"
+              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
 
           return (
-              f"<p><strong>You are about to lock down the following account:</strong> {user_html}</p>"
+              "<p><strong>You are about to lock down the following account:</strong></p>"
+              f"{user_html}"
               "<p>This is an emergency action for cutting off access to the account right away. "
               "It does not lock the administrator who opened this page.</p>"
               "<p><strong>This will immediately:</strong></p>"
@@ -96,9 +99,9 @@ entries:
       attrs:
         order: 100
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               info = (
                   "Use this if you no longer trust your current password or sessions. "
@@ -131,9 +134,9 @@ entries:
       attrs:
         order: 200
         placeholder: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               return "Describe why you are locking your account..."
           return "Describe why this account is being locked down..."
@@ -181,10 +184,14 @@ entries:
       attrs:
         order: 300
         initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
           from django.utils.html import escape
+          from authentik.core.models import User
 
-          if getattr(user, "is_authenticated", False):
-              return f"<p><code>{escape(user.username)}</code> has been locked down.</p>"
+          if target_uuid:
+              target = User.objects.filter(pk=target_uuid).first()
+              if target:
+                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
 
           return "<p>The selected account has been locked down.</p>"
         initial_value_expression: true
@@ -214,9 +221,9 @@ entries:
       attrs:
         name: default-account-lockdown-admin-policy
         expression: |
-          actor_uuid = str(getattr(request.http_request.user, "pk", ""))
-          target_uuid = str(getattr(request.user, "pk", ""))
-          return bool(target_uuid) and target_uuid != actor_uuid
+          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != current_user_uuid
       identifiers:
         name: default-account-lockdown-admin-policy
       id: admin-policy

blueprints/schema.json

@@ -6094,18 +6094,22 @@
                             "authentik_sources_saml.add_groupsamlsourceconnection",
                             "authentik_sources_saml.add_samlsource",
                             "authentik_sources_saml.add_samlsourcepropertymapping",
+                            "authentik_sources_saml.add_samlsourcesession",
                             "authentik_sources_saml.add_usersamlsourceconnection",
                             "authentik_sources_saml.change_groupsamlsourceconnection",
                             "authentik_sources_saml.change_samlsource",
                             "authentik_sources_saml.change_samlsourcepropertymapping",
+                            "authentik_sources_saml.change_samlsourcesession",
                             "authentik_sources_saml.change_usersamlsourceconnection",
                             "authentik_sources_saml.delete_groupsamlsourceconnection",
                             "authentik_sources_saml.delete_samlsource",
                             "authentik_sources_saml.delete_samlsourcepropertymapping",
+                            "authentik_sources_saml.delete_samlsourcesession",
                             "authentik_sources_saml.delete_usersamlsourceconnection",
                             "authentik_sources_saml.view_groupsamlsourceconnection",
                             "authentik_sources_saml.view_samlsource",
                             "authentik_sources_saml.view_samlsourcepropertymapping",
+                            "authentik_sources_saml.view_samlsourcesession",
                             "authentik_sources_saml.view_usersamlsourceconnection",
                             "authentik_sources_scim.add_scimsource",
                             "authentik_sources_scim.add_scimsourcegroup",
@@ -11860,18 +11864,22 @@
                             "authentik_sources_saml.add_groupsamlsourceconnection",
                             "authentik_sources_saml.add_samlsource",
                             "authentik_sources_saml.add_samlsourcepropertymapping",
+                            "authentik_sources_saml.add_samlsourcesession",
                             "authentik_sources_saml.add_usersamlsourceconnection",
                             "authentik_sources_saml.change_groupsamlsourceconnection",
                             "authentik_sources_saml.change_samlsource",
                             "authentik_sources_saml.change_samlsourcepropertymapping",
+                            "authentik_sources_saml.change_samlsourcesession",
                             "authentik_sources_saml.change_usersamlsourceconnection",
                             "authentik_sources_saml.delete_groupsamlsourceconnection",
                             "authentik_sources_saml.delete_samlsource",
                             "authentik_sources_saml.delete_samlsourcepropertymapping",
+                            "authentik_sources_saml.delete_samlsourcesession",
                             "authentik_sources_saml.delete_usersamlsourceconnection",
                             "authentik_sources_saml.view_groupsamlsourceconnection",
                             "authentik_sources_saml.view_samlsource",
                             "authentik_sources_saml.view_samlsourcepropertymapping",
+                            "authentik_sources_saml.view_samlsourcesession",
                             "authentik_sources_saml.view_usersamlsourceconnection",
                             "authentik_sources_scim.add_scimsource",
                             "authentik_sources_scim.add_scimsourcegroup",
@@ -13696,6 +13704,15 @@
                     ],
                     "title": "Binding type"
                 },
+                "slo_binding": {
+                    "type": "string",
+                    "enum": [
+                        "REDIRECT",
+                        "POST"
+                    ],
+                    "title": "SLO Binding",
+                    "description": "Binding type for Single Logout requests to the IdP."
+                },
                 "verification_kp": {
                     "type": "string",
                     "format": "uuid",
@@ -13752,6 +13769,16 @@
                 "signed_response": {
                     "type": "boolean",
                     "title": "Signed response"
+                },
+                "sign_authn_request": {
+                    "type": "boolean",
+                    "title": "Sign AuthnRequest",
+                    "description": "Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set."
+                },
+                "sign_logout_request": {
+                    "type": "boolean",
+                    "title": "Sign LogoutRequest",
+                    "description": "Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set."
                 }
             },
             "required": []

go.mod

@@ -7,10 +7,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
-	github.com/getsentry/sentry-go v0.46.2
+	github.com/getsentry/sentry-go v0.46.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.29.5
+	github.com/go-openapi/runtime v0.29.4
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.2 // indirect
+	github.com/go-openapi/strfmt v0.26.1 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
@@ -90,10 +90,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.46.2 h1:1jhYwrKGa3sIpo/y5iDNXS5wDoT7I1KNzMHrnK6ojns=
-github.com/getsentry/sentry-go v0.46.2/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
+github.com/getsentry/sentry-go v0.46.1 h1:mZyQFaQYkPxAdDG4HR8gDg6j4CnKYVWt4TF92N7i3XY=
+github.com/getsentry/sentry-go v0.46.1/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -51,12 +51,12 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe
 github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.29.5 h1:uc5+/TtqLIfDBTUxnF3uppoGMt+9DzonwUWsviINlrY=
-github.com/go-openapi/runtime v0.29.5/go.mod h1:D9IUbWccdYv+km8QwmAm90FZvDcQk47vP2Y7y5as/D8=
+github.com/go-openapi/runtime v0.29.4 h1:k2lDxrGoSAJRdhFG2tONKMpkizY/4X1cciSdtzk4Jjo=
+github.com/go-openapi/runtime v0.29.4/go.mod h1:K0k/2raY6oqXJnZAgWJB2i/12QKrhUKpZcH4PfV9P18=
 github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
 github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
-github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
+github.com/go-openapi/strfmt v0.26.1 h1:7zGCHji7zSYDC2tCXIusoxYQz/48jAf2q+sF6wXTG+c=
+github.com/go-openapi/strfmt v0.26.1/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -77,10 +77,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu
 github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
 github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
 github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk=
-github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw=
-github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
+github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
+github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
 github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
 github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -216,8 +216,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -227,8 +227,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -245,8 +245,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -258,8 +258,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/outpost/proxyv2/application/mode_common.go

@@ -110,6 +110,17 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) (*url.URL, error) {
 
 // getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) (*url.URL, error) {
+	ou := r.Header.Get("X-Original-URI")
+	if ou != "" {
+		// Turn this full URL into a relative URL
+		u := &url.URL{
+			Host:   "",
+			Scheme: "",
+			Path:   ou,
+		}
+		a.log.WithField("url", u.String()).Info("building forward URL from X-Original-URI")
+		return u, nil
+	}
 	h := r.Header.Get("X-Original-URL")
 	if len(h) < 1 {
 		return nil, errors.New("no forward URL found")

internal/outpost/proxyv2/application/mode_forward_nginx_test.go

@@ -5,8 +5,10 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
+	"goauthentik.io/internal/outpost/proxyv2/types"
 	api "goauthentik.io/packages/client-go"
 )
 
@@ -45,6 +47,67 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 	assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
 }
 
+func TestForwardHandleNginx_Single_URI(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/app")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	assert.Equal(t, "/app", s.Values[constants.SessionRedirect])
+}
+
+func TestForwardHandleNginx_Single_Claims(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	s.ID = uuid.New().String()
+	s.Options.MaxAge = 86400
+	s.Values[constants.SessionClaims] = types.Claims{
+		Sub: "foo",
+		Proxy: &types.ProxyClaims{
+			UserAttributes: map[string]any{
+				"username": "foo",
+				"password": "bar",
+				"additionalHeaders": map[string]any{
+					"foo": "bar",
+				},
+			},
+		},
+	}
+	err := a.sessions.Save(req, rr, s)
+	if err != nil {
+		panic(err)
+	}
+
+	rr = httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	h := rr.Result().Header
+
+	assert.Equal(t, []string{"Basic Zm9vOmJhcg=="}, h["Authorization"])
+	assert.Equal(t, []string{"bar"}, h["Foo"])
+	assert.Equal(t, []string{""}, h["User-Agent"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Email"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Groups"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Jwt"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-App"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Jwks"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Outpost"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Name"])
+	assert.Equal(t, []string{"foo"}, h["X-Authentik-Uid"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Username"])
+}
+
 func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
 	a := newTestApplication()
 	a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()

lifecycle/ak

@@ -38,10 +38,6 @@ function run_authentik {
             echo cargo run -- "$@"
         fi
         ;;
-    manage)
-        shift 1
-        echo python -m manage "$@"
-        ;;
     *)
         echo "$@"
         ;;

lifecycle/container/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:4f2b45e32dc7d2caf66b6dbd59fac50e32f8077769efe0ef4d4c3f114672537d AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:735dd688da64d22ebd9dd374b3e7e5a874635668fd2a6ec20ca1f99264294086 AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -228,7 +228,8 @@ RUN apt-get update && \
     # Required for runtime
     apt-get install -y --no-install-recommends \
     libpq5 libmaxminddb0 ca-certificates \
-    libkadm5clnt-mit12 libkadm5clnt7t64-heimdal \
+    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
+    heimdal-multidev libkadm5clnt7t64-heimdal \
     libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-13 05:39+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -226,10 +226,6 @@ msgstr ""
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""
 
-#: authentik/core/api/groups.py
-msgid "User does not have permission to add members to this group."
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -260,14 +256,6 @@ msgstr ""
 msgid "Setting a user to internal service account is not allowed."
 msgstr ""
 
-#: authentik/core/api/users.py
-msgid "User does not have permission to add members to a superuser group."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "User does not have permission to assign roles."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "Can't modify internal service account users"
 msgstr ""

locale/en/dictionaries/people.txt

@@ -11,4 +11,3 @@ Naur
 Wärting
 Aadit
 Kilby
-Kahmen

locale/en/dictionaries/software-terms.txt

@@ -164,4 +164,3 @@ yamltags
 zxcvbn
 ~uuid
 ~uuids
-wreply

packages/client-ts/src/apis/SourcesApi.ts

@@ -101,6 +101,7 @@ import type {
     SCIMSourceUser,
     SCIMSourceUserRequest,
     SignatureAlgorithmEnum,
+    SloBindingEnum,
     Source,
     SourceType,
     SyncStatus,
@@ -749,10 +750,13 @@ export interface SourcesSamlListRequest {
     policyEngineMode?: PolicyEngineMode;
     preAuthenticationFlow?: string;
     search?: string;
+    signAuthnRequest?: boolean;
+    signLogoutRequest?: boolean;
     signatureAlgorithm?: SignatureAlgorithmEnum;
     signedAssertion?: boolean;
     signedResponse?: boolean;
     signingKp?: string;
+    sloBinding?: SloBindingEnum;
     sloUrl?: string;
     slug?: string;
     ssoUrl?: string;
@@ -7734,6 +7738,14 @@ export class SourcesApi extends runtime.BaseAPI {
             queryParameters["search"] = requestParameters["search"];
         }
 
+        if (requestParameters["signAuthnRequest"] != null) {
+            queryParameters["sign_authn_request"] = requestParameters["signAuthnRequest"];
+        }
+
+        if (requestParameters["signLogoutRequest"] != null) {
+            queryParameters["sign_logout_request"] = requestParameters["signLogoutRequest"];
+        }
+
         if (requestParameters["signatureAlgorithm"] != null) {
             queryParameters["signature_algorithm"] = requestParameters["signatureAlgorithm"];
         }
@@ -7750,6 +7762,10 @@ export class SourcesApi extends runtime.BaseAPI {
             queryParameters["signing_kp"] = requestParameters["signingKp"];
         }
 
+        if (requestParameters["sloBinding"] != null) {
+            queryParameters["slo_binding"] = requestParameters["sloBinding"];
+        }
+
         if (requestParameters["sloUrl"] != null) {
             queryParameters["slo_url"] = requestParameters["sloUrl"];
         }

packages/client-ts/src/models/ExpiringBaseGrantModel.ts

@@ -12,8 +12,8 @@
  * Do not edit the class manually.
  */
 
-import type { Provider } from "./Provider";
-import { ProviderFromJSON, ProviderToJSON } from "./Provider";
+import type { OAuth2Provider } from "./OAuth2Provider";
+import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";
 
@@ -31,10 +31,10 @@ export interface ExpiringBaseGrantModel {
     readonly pk: number;
     /**
      *
-     * @type {Provider}
+     * @type {OAuth2Provider}
      * @memberof ExpiringBaseGrantModel
      */
-    provider: Provider;
+    provider: OAuth2Provider;
     /**
      *
      * @type {User}
@@ -86,7 +86,7 @@ export function ExpiringBaseGrantModelFromJSONTyped(
     }
     return {
         pk: json["pk"],
-        provider: ProviderFromJSON(json["provider"]),
+        provider: OAuth2ProviderFromJSON(json["provider"]),
         user: UserFromJSON(json["user"]),
         isExpired: json["is_expired"],
         expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -107,7 +107,7 @@ export function ExpiringBaseGrantModelToJSONTyped(
     }
 
     return {
-        provider: ProviderToJSON(value["provider"]),
+        provider: OAuth2ProviderToJSON(value["provider"]),
         user: UserToJSON(value["user"]),
         expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
         scope: value["scope"],

packages/client-ts/src/models/PatchedSAMLSourceRequest.ts

@@ -30,6 +30,8 @@ import {
     SignatureAlgorithmEnumFromJSON,
     SignatureAlgorithmEnumToJSON,
 } from "./SignatureAlgorithmEnum";
+import type { SloBindingEnum } from "./SloBindingEnum";
+import { SloBindingEnumFromJSON, SloBindingEnumToJSON } from "./SloBindingEnum";
 import type { UserMatchingModeEnum } from "./UserMatchingModeEnum";
 import { UserMatchingModeEnumFromJSON, UserMatchingModeEnumToJSON } from "./UserMatchingModeEnum";
 
@@ -165,6 +167,12 @@ export interface PatchedSAMLSourceRequest {
      * @memberof PatchedSAMLSourceRequest
      */
     bindingType?: BindingTypeEnum;
+    /**
+     * Binding type for Single Logout requests to the IdP.
+     * @type {SloBindingEnum}
+     * @memberof PatchedSAMLSourceRequest
+     */
+    sloBinding?: SloBindingEnum;
     /**
      * When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.
      * @type {string}
@@ -213,6 +221,18 @@ export interface PatchedSAMLSourceRequest {
      * @memberof PatchedSAMLSourceRequest
      */
     signedResponse?: boolean;
+    /**
+     * Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof PatchedSAMLSourceRequest
+     */
+    signAuthnRequest?: boolean;
+    /**
+     * Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof PatchedSAMLSourceRequest
+     */
+    signLogoutRequest?: boolean;
 }
 
 /**
@@ -278,6 +298,8 @@ export function PatchedSAMLSourceRequestFromJSONTyped(
             json["binding_type"] == null
                 ? undefined
                 : BindingTypeEnumFromJSON(json["binding_type"]),
+        sloBinding:
+            json["slo_binding"] == null ? undefined : SloBindingEnumFromJSON(json["slo_binding"]),
         verificationKp: json["verification_kp"] == null ? undefined : json["verification_kp"],
         signingKp: json["signing_kp"] == null ? undefined : json["signing_kp"],
         digestAlgorithm:
@@ -295,6 +317,10 @@ export function PatchedSAMLSourceRequestFromJSONTyped(
         encryptionKp: json["encryption_kp"] == null ? undefined : json["encryption_kp"],
         signedAssertion: json["signed_assertion"] == null ? undefined : json["signed_assertion"],
         signedResponse: json["signed_response"] == null ? undefined : json["signed_response"],
+        signAuthnRequest:
+            json["sign_authn_request"] == null ? undefined : json["sign_authn_request"],
+        signLogoutRequest:
+            json["sign_logout_request"] == null ? undefined : json["sign_logout_request"],
     };
 }
 
@@ -332,6 +358,7 @@ export function PatchedSAMLSourceRequestToJSONTyped(
         force_authn: value["forceAuthn"],
         name_id_policy: SAMLNameIDPolicyEnumToJSON(value["nameIdPolicy"]),
         binding_type: BindingTypeEnumToJSON(value["bindingType"]),
+        slo_binding: SloBindingEnumToJSON(value["sloBinding"]),
         verification_kp: value["verificationKp"],
         signing_kp: value["signingKp"],
         digest_algorithm: DigestAlgorithmEnumToJSON(value["digestAlgorithm"]),
@@ -340,5 +367,7 @@ export function PatchedSAMLSourceRequestToJSONTyped(
         encryption_kp: value["encryptionKp"],
         signed_assertion: value["signedAssertion"],
         signed_response: value["signedResponse"],
+        sign_authn_request: value["signAuthnRequest"],
+        sign_logout_request: value["signLogoutRequest"],
     };
 }

packages/client-ts/src/models/SAMLSource.ts

@@ -30,6 +30,8 @@ import {
     SignatureAlgorithmEnumFromJSON,
     SignatureAlgorithmEnumToJSON,
 } from "./SignatureAlgorithmEnum";
+import type { SloBindingEnum } from "./SloBindingEnum";
+import { SloBindingEnumFromJSON, SloBindingEnumToJSON } from "./SloBindingEnum";
 import type { ThemedUrls } from "./ThemedUrls";
 import { ThemedUrlsFromJSON } from "./ThemedUrls";
 import type { UserMatchingModeEnum } from "./UserMatchingModeEnum";
@@ -215,6 +217,12 @@ export interface SAMLSource {
      * @memberof SAMLSource
      */
     bindingType?: BindingTypeEnum;
+    /**
+     * Binding type for Single Logout requests to the IdP.
+     * @type {SloBindingEnum}
+     * @memberof SAMLSource
+     */
+    sloBinding?: SloBindingEnum;
     /**
      * When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.
      * @type {string}
@@ -263,6 +271,18 @@ export interface SAMLSource {
      * @memberof SAMLSource
      */
     signedResponse?: boolean;
+    /**
+     * Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof SAMLSource
+     */
+    signAuthnRequest?: boolean;
+    /**
+     * Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof SAMLSource
+     */
+    signLogoutRequest?: boolean;
 }
 
 /**
@@ -343,6 +363,8 @@ export function SAMLSourceFromJSONTyped(json: any, ignoreDiscriminator: boolean)
             json["binding_type"] == null
                 ? undefined
                 : BindingTypeEnumFromJSON(json["binding_type"]),
+        sloBinding:
+            json["slo_binding"] == null ? undefined : SloBindingEnumFromJSON(json["slo_binding"]),
         verificationKp: json["verification_kp"] == null ? undefined : json["verification_kp"],
         signingKp: json["signing_kp"] == null ? undefined : json["signing_kp"],
         digestAlgorithm:
@@ -360,6 +382,10 @@ export function SAMLSourceFromJSONTyped(json: any, ignoreDiscriminator: boolean)
         encryptionKp: json["encryption_kp"] == null ? undefined : json["encryption_kp"],
         signedAssertion: json["signed_assertion"] == null ? undefined : json["signed_assertion"],
         signedResponse: json["signed_response"] == null ? undefined : json["signed_response"],
+        signAuthnRequest:
+            json["sign_authn_request"] == null ? undefined : json["sign_authn_request"],
+        signLogoutRequest:
+            json["sign_logout_request"] == null ? undefined : json["sign_logout_request"],
     };
 }
 
@@ -407,6 +433,7 @@ export function SAMLSourceToJSONTyped(
         force_authn: value["forceAuthn"],
         name_id_policy: SAMLNameIDPolicyEnumToJSON(value["nameIdPolicy"]),
         binding_type: BindingTypeEnumToJSON(value["bindingType"]),
+        slo_binding: SloBindingEnumToJSON(value["sloBinding"]),
         verification_kp: value["verificationKp"],
         signing_kp: value["signingKp"],
         digest_algorithm: DigestAlgorithmEnumToJSON(value["digestAlgorithm"]),
@@ -415,5 +442,7 @@ export function SAMLSourceToJSONTyped(
         encryption_kp: value["encryptionKp"],
         signed_assertion: value["signedAssertion"],
         signed_response: value["signedResponse"],
+        sign_authn_request: value["signAuthnRequest"],
+        sign_logout_request: value["signLogoutRequest"],
     };
 }

packages/client-ts/src/models/SAMLSourceRequest.ts

@@ -30,6 +30,8 @@ import {
     SignatureAlgorithmEnumFromJSON,
     SignatureAlgorithmEnumToJSON,
 } from "./SignatureAlgorithmEnum";
+import type { SloBindingEnum } from "./SloBindingEnum";
+import { SloBindingEnumFromJSON, SloBindingEnumToJSON } from "./SloBindingEnum";
 import type { UserMatchingModeEnum } from "./UserMatchingModeEnum";
 import { UserMatchingModeEnumFromJSON, UserMatchingModeEnumToJSON } from "./UserMatchingModeEnum";
 
@@ -165,6 +167,12 @@ export interface SAMLSourceRequest {
      * @memberof SAMLSourceRequest
      */
     bindingType?: BindingTypeEnum;
+    /**
+     * Binding type for Single Logout requests to the IdP.
+     * @type {SloBindingEnum}
+     * @memberof SAMLSourceRequest
+     */
+    sloBinding?: SloBindingEnum;
     /**
      * When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.
      * @type {string}
@@ -213,6 +221,18 @@ export interface SAMLSourceRequest {
      * @memberof SAMLSourceRequest
      */
     signedResponse?: boolean;
+    /**
+     * Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof SAMLSourceRequest
+     */
+    signAuthnRequest?: boolean;
+    /**
+     * Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set.
+     * @type {boolean}
+     * @memberof SAMLSourceRequest
+     */
+    signLogoutRequest?: boolean;
 }
 
 /**
@@ -280,6 +300,8 @@ export function SAMLSourceRequestFromJSONTyped(
             json["binding_type"] == null
                 ? undefined
                 : BindingTypeEnumFromJSON(json["binding_type"]),
+        sloBinding:
+            json["slo_binding"] == null ? undefined : SloBindingEnumFromJSON(json["slo_binding"]),
         verificationKp: json["verification_kp"] == null ? undefined : json["verification_kp"],
         signingKp: json["signing_kp"] == null ? undefined : json["signing_kp"],
         digestAlgorithm:
@@ -297,6 +319,10 @@ export function SAMLSourceRequestFromJSONTyped(
         encryptionKp: json["encryption_kp"] == null ? undefined : json["encryption_kp"],
         signedAssertion: json["signed_assertion"] == null ? undefined : json["signed_assertion"],
         signedResponse: json["signed_response"] == null ? undefined : json["signed_response"],
+        signAuthnRequest:
+            json["sign_authn_request"] == null ? undefined : json["sign_authn_request"],
+        signLogoutRequest:
+            json["sign_logout_request"] == null ? undefined : json["sign_logout_request"],
     };
 }
 
@@ -334,6 +360,7 @@ export function SAMLSourceRequestToJSONTyped(
         force_authn: value["forceAuthn"],
         name_id_policy: SAMLNameIDPolicyEnumToJSON(value["nameIdPolicy"]),
         binding_type: BindingTypeEnumToJSON(value["bindingType"]),
+        slo_binding: SloBindingEnumToJSON(value["sloBinding"]),
         verification_kp: value["verificationKp"],
         signing_kp: value["signingKp"],
         digest_algorithm: DigestAlgorithmEnumToJSON(value["digestAlgorithm"]),
@@ -342,5 +369,7 @@ export function SAMLSourceRequestToJSONTyped(
         encryption_kp: value["encryptionKp"],
         signed_assertion: value["signedAssertion"],
         signed_response: value["signedResponse"],
+        sign_authn_request: value["signAuthnRequest"],
+        sign_logout_request: value["signLogoutRequest"],
     };
 }

packages/client-ts/src/models/SloBindingEnum.ts

@@ -0,0 +1,57 @@
+/* tslint:disable */
+/* eslint-disable */
+/**
+ * authentik
+ * Making authentication simple.
+ *
+ * The version of the OpenAPI document: 2026.5.0-rc1
+ * Contact: hello@goauthentik.io
+ *
+ * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech).
+ * https://openapi-generator.tech
+ * Do not edit the class manually.
+ */
+
+/**
+ *
+ * @export
+ */
+export const SloBindingEnum = {
+    Redirect: "REDIRECT",
+    Post: "POST",
+    UnknownDefaultOpenApi: "11184809",
+} as const;
+export type SloBindingEnum = (typeof SloBindingEnum)[keyof typeof SloBindingEnum];
+
+export function instanceOfSloBindingEnum(value: any): boolean {
+    for (const key in SloBindingEnum) {
+        if (Object.prototype.hasOwnProperty.call(SloBindingEnum, key)) {
+            if (SloBindingEnum[key as keyof typeof SloBindingEnum] === value) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+export function SloBindingEnumFromJSON(json: any): SloBindingEnum {
+    return SloBindingEnumFromJSONTyped(json, false);
+}
+
+export function SloBindingEnumFromJSONTyped(
+    json: any,
+    ignoreDiscriminator: boolean,
+): SloBindingEnum {
+    return json as SloBindingEnum;
+}
+
+export function SloBindingEnumToJSON(value?: SloBindingEnum | null): any {
+    return value as any;
+}
+
+export function SloBindingEnumToJSONTyped(
+    value: any,
+    ignoreDiscriminator: boolean,
+): SloBindingEnum {
+    return value as SloBindingEnum;
+}

packages/client-ts/src/models/TokenModel.ts

@@ -12,8 +12,8 @@
  * Do not edit the class manually.
  */
 
-import type { Provider } from "./Provider";
-import { ProviderFromJSON, ProviderToJSON } from "./Provider";
+import type { OAuth2Provider } from "./OAuth2Provider";
+import { OAuth2ProviderFromJSON, OAuth2ProviderToJSON } from "./OAuth2Provider";
 import type { User } from "./User";
 import { UserFromJSON, UserToJSON } from "./User";
 
@@ -31,10 +31,10 @@ export interface TokenModel {
     readonly pk: number;
     /**
      *
-     * @type {Provider}
+     * @type {OAuth2Provider}
      * @memberof TokenModel
      */
-    provider: Provider;
+    provider: OAuth2Provider;
     /**
      *
      * @type {User}
@@ -96,7 +96,7 @@ export function TokenModelFromJSONTyped(json: any, ignoreDiscriminator: boolean)
     }
     return {
         pk: json["pk"],
-        provider: ProviderFromJSON(json["provider"]),
+        provider: OAuth2ProviderFromJSON(json["provider"]),
         user: UserFromJSON(json["user"]),
         isExpired: json["is_expired"],
         expires: json["expires"] == null ? undefined : new Date(json["expires"]),
@@ -119,7 +119,7 @@ export function TokenModelToJSONTyped(
     }
 
     return {
-        provider: ProviderToJSON(value["provider"]),
+        provider: OAuth2ProviderToJSON(value["provider"]),
         user: UserToJSON(value["user"]),
         expires: value["expires"] == null ? value["expires"] : value["expires"].toISOString(),
         scope: value["scope"],

packages/client-ts/src/models/index.ts

@@ -771,6 +771,7 @@ export * from "./SettingsRequest";
 export * from "./SeverityEnum";
 export * from "./ShellChallenge";
 export * from "./SignatureAlgorithmEnum";
+export * from "./SloBindingEnum";
 export * from "./Software";
 export * from "./SoftwareRequest";
 export * from "./Source";

packages/logger-js/lib/shared.js

@@ -60,7 +60,7 @@ export const LogLevels = /** @type {Level[]} */ (Object.keys(LogLevelLabel));
 /**
  * @callback LoggerFactory
  * @param {string | null} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  */
 
@@ -207,7 +207,7 @@ export function pinoLight(options) {
  * Creates a logger with the given prefix.
  *
  * @param {string} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  *
  */

packages/logger-js/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/logger-js",
-    "version": "1.1.2",
+    "version": "1.1.1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/logger-js",
-            "version": "1.1.2",
+            "version": "1.1.1",
             "license": "MIT",
             "devDependencies": {
                 "@eslint/js": "^9.39.3",
@@ -68,7 +68,7 @@
         },
         "../tsconfig": {
             "name": "@goauthentik/tsconfig",
-            "version": "1.0.9",
+            "version": "1.0.8",
             "dev": true,
             "license": "MIT",
             "engines": {

packages/logger-js/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/logger-js",
-    "version": "1.1.2",
+    "version": "1.1.1",
     "description": "Pino-based logger for authentik",
     "license": "MIT",
     "repository": {

pyproject.toml

@@ -7,7 +7,7 @@ requires-python = "==3.14.*"
 dependencies = [
   "ak-guardian==3.2.0",
   "argon2-cffi==25.1.0",
-  "cachetools==7.1.1",
+  "cachetools==7.0.6",
   "channels==4.3.2",
   "cryptography==48.0.0",
   "dacite==1.9.2",
@@ -36,7 +36,7 @@ dependencies = [
   "fido2==2.2.0",
   "geoip2==5.2.0",
   "geopy==2.4.1",
-  "google-api-python-client==2.195.0",
+  "google-api-python-client==2.194.0",
   "gssapi==1.11.1",
   "gunicorn==25.3.0",
   "jsonpatch==1.33",
@@ -47,22 +47,22 @@ dependencies = [
   "msgraph-sdk==1.56.0",
   "opencontainers==0.0.15",
   "packaging==26.2",
-  "paramiko==5.0.0",
+  "paramiko==4.0.0",
   "psycopg[c,pool]==3.3.4",
   "pydantic-scim==0.0.8",
-  "pydantic==2.13.4",
+  "pydantic==2.13.3",
   "pyjwt==2.11.0",
   "pyrad==2.5.4",
-  "python-kadmin-rs==0.7.2",
+  "python-kadmin-rs==0.7.0",
   "pyyaml==6.0.3",
   "requests-oauthlib==2.0.0",
   "scim2-filter-parser==0.7.0",
-  "sentry-sdk==2.59.0",
+  "sentry-sdk==2.58.0",
   "service-identity==24.2.0",
   "setproctitle==1.3.7",
   "structlog==25.5.0",
   "swagger-spec-validator==3.0.4",
-  "twilio==9.10.9",
+  "twilio==9.10.5",
   "ua-parser==1.0.2",
   "unidecode==1.4.0",
   "urllib3<3",
@@ -76,7 +76,7 @@ dependencies = [
 
 [dependency-groups]
 dev = [
-  "aws-cdk-lib==2.252.0",
+  "aws-cdk-lib==2.251.0",
   "bandit==1.9.4",
   "black==26.3.1",
   "bpython==0.26",
@@ -107,7 +107,7 @@ dev = [
   "types-docker==7.1.0.20260409",
   "types-jwcrypto==1.5.7.20260409",
   "types-ldap3==2.9.13.20260408",
-  "types-requests==2.33.0.20260503",
+  "types-requests==2.33.0.20260408",
   "types-zxcvbn==4.5.0.20260408",
 ]
 
@@ -192,6 +192,7 @@ ignore_missing_imports = true
 
 [[tool.mypy.overrides]]
 module = [
+  "authentik.common.*",
   "authentik.admin.*",
   "authentik.api.*",
   "authentik.blueprints.*",

schema.yml

@@ -5386,8 +5386,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5432,8 +5430,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5457,8 +5453,6 @@ paths:
           application/json:
             schema:
               $ref: '#/components/schemas/DeviceFactsRequest'
-      security:
-      - {}
       responses:
         '204':
           description: Successfully checked in
@@ -5479,8 +5473,6 @@ paths:
             schema:
               $ref: '#/components/schemas/EnrollRequest'
         required: true
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -24415,6 +24407,14 @@ paths:
           type: string
           format: uuid
       - $ref: '#/components/parameters/QuerySearch'
+      - in: query
+        name: sign_authn_request
+        schema:
+          type: boolean
+      - in: query
+        name: sign_logout_request
+        schema:
+          type: boolean
       - in: query
         name: signature_algorithm
         schema:
@@ -24432,6 +24432,14 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: slo_binding
+        schema:
+          allOf:
+          - $ref: '#/components/schemas/SloBindingEnum'
+          description: |+
+            Binding type for Single Logout requests to the IdP.
+
       - in: query
         name: slo_url
         schema:
@@ -39086,7 +39094,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/Provider'
+          $ref: '#/components/schemas/OAuth2Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:
@@ -50883,6 +50891,10 @@ components:
             no Policy is sent.
         binding_type:
           $ref: '#/components/schemas/BindingTypeEnum'
+        slo_binding:
+          allOf:
+          - $ref: '#/components/schemas/SloBindingEnum'
+          description: Binding type for Single Logout requests to the IdP.
         verification_kp:
           type: string
           format: uuid
@@ -50920,6 +50932,16 @@ components:
           type: boolean
         signed_response:
           type: boolean
+        sign_authn_request:
+          type: boolean
+          title: Sign AuthnRequest
+          description: Whether to sign outgoing AuthnRequests. Requires a Signing
+            Keypair to be set.
+        sign_logout_request:
+          type: boolean
+          title: Sign LogoutRequest
+          description: Whether to sign outgoing LogoutRequests. Requires a Signing
+            Keypair to be set.
     PatchedSCIMMappingRequest:
       type: object
       description: SCIMMapping Serializer
@@ -54666,6 +54688,10 @@ components:
             no Policy is sent.
         binding_type:
           $ref: '#/components/schemas/BindingTypeEnum'
+        slo_binding:
+          allOf:
+          - $ref: '#/components/schemas/SloBindingEnum'
+          description: Binding type for Single Logout requests to the IdP.
         verification_kp:
           type: string
           format: uuid
@@ -54702,6 +54728,16 @@ components:
           type: boolean
         signed_response:
           type: boolean
+        sign_authn_request:
+          type: boolean
+          title: Sign AuthnRequest
+          description: Whether to sign outgoing AuthnRequests. Requires a Signing
+            Keypair to be set.
+        sign_logout_request:
+          type: boolean
+          title: Sign LogoutRequest
+          description: Whether to sign outgoing LogoutRequests. Requires a Signing
+            Keypair to be set.
       required:
       - component
       - icon_themed_urls
@@ -54870,6 +54906,10 @@ components:
             no Policy is sent.
         binding_type:
           $ref: '#/components/schemas/BindingTypeEnum'
+        slo_binding:
+          allOf:
+          - $ref: '#/components/schemas/SloBindingEnum'
+          description: Binding type for Single Logout requests to the IdP.
         verification_kp:
           type: string
           format: uuid
@@ -54907,6 +54947,16 @@ components:
           type: boolean
         signed_response:
           type: boolean
+        sign_authn_request:
+          type: boolean
+          title: Sign AuthnRequest
+          description: Whether to sign outgoing AuthnRequests. Requires a Signing
+            Keypair to be set.
+        sign_logout_request:
+          type: boolean
+          title: Sign LogoutRequest
+          description: Whether to sign outgoing LogoutRequests. Requires a Signing
+            Keypair to be set.
       required:
       - name
       - pre_authentication_flow
@@ -56170,6 +56220,11 @@ components:
       - http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
       - http://www.w3.org/2000/09/xmldsig#dsa-sha1
       type: string
+    SloBindingEnum:
+      enum:
+      - REDIRECT
+      - POST
+      type: string
     Software:
       type: object
       properties:
@@ -57261,7 +57316,7 @@ components:
           readOnly: true
           title: ID
         provider:
-          $ref: '#/components/schemas/Provider'
+          $ref: '#/components/schemas/OAuth2Provider'
         user:
           $ref: '#/components/schemas/User'
         is_expired:

uv.lock

@@ -316,7 +316,7 @@ dev = [
 requires-dist = [
     { name = "ak-guardian", editable = "packages/ak-guardian" },
     { name = "argon2-cffi", specifier = "==25.1.0" },
-    { name = "cachetools", specifier = "==7.1.1" },
+    { name = "cachetools", specifier = "==7.0.6" },
     { name = "channels", specifier = "==4.3.2" },
     { name = "cryptography", specifier = "==48.0.0" },
     { name = "dacite", specifier = "==1.9.2" },
@@ -345,7 +345,7 @@ requires-dist = [
     { name = "fido2", specifier = "==2.2.0" },
     { name = "geoip2", specifier = "==5.2.0" },
     { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.195.0" },
+    { name = "google-api-python-client", specifier = "==2.194.0" },
     { name = "gssapi", specifier = "==1.11.1" },
     { name = "gunicorn", specifier = "==25.3.0" },
     { name = "jsonpatch", specifier = "==1.33" },
@@ -356,22 +356,22 @@ requires-dist = [
     { name = "msgraph-sdk", specifier = "==1.56.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==26.2" },
-    { name = "paramiko", specifier = "==5.0.0" },
+    { name = "paramiko", specifier = "==4.0.0" },
     { name = "psycopg", extras = ["c", "pool"], specifier = "==3.3.4" },
-    { name = "pydantic", specifier = "==2.13.4" },
+    { name = "pydantic", specifier = "==2.13.3" },
     { name = "pydantic-scim", specifier = "==0.0.8" },
     { name = "pyjwt", specifier = "==2.11.0" },
     { name = "pyrad", specifier = "==2.5.4" },
-    { name = "python-kadmin-rs", specifier = "==0.7.2" },
+    { name = "python-kadmin-rs", specifier = "==0.7.0" },
     { name = "pyyaml", specifier = "==6.0.3" },
     { name = "requests-oauthlib", specifier = "==2.0.0" },
     { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.59.0" },
+    { name = "sentry-sdk", specifier = "==2.58.0" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.7" },
     { name = "structlog", specifier = "==25.5.0" },
     { name = "swagger-spec-validator", specifier = "==3.0.4" },
-    { name = "twilio", specifier = "==9.10.9" },
+    { name = "twilio", specifier = "==9.10.5" },
     { name = "ua-parser", specifier = "==1.0.2" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
@@ -385,7 +385,7 @@ requires-dist = [
 
 [package.metadata.requires-dev]
 dev = [
-    { name = "aws-cdk-lib", specifier = "==2.252.0" },
+    { name = "aws-cdk-lib", specifier = "==2.251.0" },
     { name = "bandit", specifier = "==1.9.4" },
     { name = "black", specifier = "==26.3.1" },
     { name = "bpython", specifier = "==0.26" },
@@ -416,7 +416,7 @@ dev = [
     { name = "types-docker", specifier = "==7.1.0.20260409" },
     { name = "types-jwcrypto", specifier = "==1.5.7.20260409" },
     { name = "types-ldap3", specifier = "==2.9.13.20260408" },
-    { name = "types-requests", specifier = "==2.33.0.20260503" },
+    { name = "types-requests", specifier = "==2.33.0.20260408" },
     { name = "types-zxcvbn", specifier = "==4.5.0.20260408" },
 ]
 
@@ -495,7 +495,7 @@ wheels = [
 
 [[package]]
 name = "aws-cdk-lib"
-version = "2.252.0"
+version = "2.251.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aws-cdk-asset-awscli-v1" },
@@ -506,9 +506,9 @@ dependencies = [
     { name = "publication" },
     { name = "typeguard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/0b/2e/468ed756570af782831bc0518b4f187773b036342ce1b6f3d4e13e6127d8/aws_cdk_lib-2.252.0.tar.gz", hash = "sha256:2498d771ab141599c48494bd2564ee9a4fbaade54befa9356811e9454616d0a0", size = 49479070, upload-time = "2026-04-30T12:31:54.452Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b8/6c/d60d96e1848aabf1882e6a1d30a27de4a592affc9437d6918848f0e06497/aws_cdk_lib-2.251.0.tar.gz", hash = "sha256:ed69e7ea6896c62ac2ce01857083601baf541d5d875370bee6d213d641e8921e", size = 49353237, upload-time = "2026-04-24T23:21:04.805Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ae/94/32c21ad93dc21554286955fd5ebc68cb91149cc5f7f3154b07927c3fc693/aws_cdk_lib-2.252.0-py3-none-any.whl", hash = "sha256:c96d02582d344ee81ea2ef8a5e22b6e680789973804720ec9f0e95a050257db1", size = 50157828, upload-time = "2026-04-30T12:31:11.041Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/fb/ab682b518e3ca5d18b23b252832e0fade4e6617a2c0f2b0ae0d8d2e74312/aws_cdk_lib-2.251.0-py3-none-any.whl", hash = "sha256:a684f3461d096443ac688adbf559abe1af2d50dd5c8e0fa7dbf4a5f361702db8", size = 50035969, upload-time = "2026-04-24T23:20:18.952Z" },
 ]
 
 [[package]]
@@ -688,11 +688,11 @@ wheels = [
 
 [[package]]
 name = "cachetools"
-version = "7.1.1"
+version = "7.0.6"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ff/e2/85f227594656000ff4d8adadae91a21f536d4a84c6c716a86bd6685874be/cachetools-7.1.1.tar.gz", hash = "sha256:27bdf856d68fd3c71c26c01b5edc312124ed427524d1ddb31aa2b7746fe20d4b", size = 40202, upload-time = "2026-05-03T20:00:29.391Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/76/7b/1755ed2c6bfabd1d98b37ae73152f8dcf94aa40fee119d163c19ed484704/cachetools-7.0.6.tar.gz", hash = "sha256:e5d524d36d65703a87243a26ff08ad84f73352adbeafb1cde81e207b456aaf24", size = 37526, upload-time = "2026-04-20T19:02:23.289Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/bf/0f/f897abe4ea0a8c408ae65c8c83bffab4936ad65d6032d4fb4cd35bbdc3ee/cachetools-7.1.1-py3-none-any.whl", hash = "sha256:0335cd7a0952d2b22327441fb0628139e234c565559eeb91a8a4ac7551c5353d", size = 16775, upload-time = "2026-05-03T20:00:27.857Z" },
+    { url = "https://files.pythonhosted.org/packages/fe/c4/cf76242a5da1410917107ff14551764aa405a5fd10cd10cf9a5ca8fa77f4/cachetools-7.0.6-py3-none-any.whl", hash = "sha256:4e94956cfdd3086f12042cdd29318f5ced3893014f7d0d059bf3ead3f85b7f8b", size = 13976, upload-time = "2026-04-20T19:02:21.187Z" },
 ]
 
 [[package]]
@@ -1597,7 +1597,7 @@ wheels = [
 
 [[package]]
 name = "google-api-python-client"
-version = "2.195.0"
+version = "2.194.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "google-api-core" },
@@ -1606,9 +1606,9 @@ dependencies = [
     { name = "httplib2" },
     { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/69/07/08d759b9cb10f48af14b25262dd0d6685ca8cda6c1f9e8a8109f57457205/google_api_python_client-2.195.0.tar.gz", hash = "sha256:c72cf2661c3addf01c880ce60541e83e1df354644b874f7f9d8d5ed2070446ae", size = 14584819, upload-time = "2026-04-30T21:51:50.638Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/60/ab/e83af0eb043e4ccc49571ca7a6a49984e9d00f4e9e6e6f1238d60bc84dce/google_api_python_client-2.194.0.tar.gz", hash = "sha256:db92647bd1a90f40b79c9618461553c2b20b6a43ce7395fa6de07132dc14f023", size = 14443469, upload-time = "2026-04-08T23:07:35.757Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/21/b9/2c71095e31fff57668fec7c07ac897df065f15521d070e63229e13689590/google_api_python_client-2.195.0-py3-none-any.whl", hash = "sha256:753e62057f23049a89534bea0162b60fe391b85fb86d80bcdf884d05ec91c5bf", size = 15162418, upload-time = "2026-04-30T21:51:47.444Z" },
+    { url = "https://files.pythonhosted.org/packages/b0/34/5a624e49f179aa5b0cb87b2ce8093960299030ff40423bfbde09360eb908/google_api_python_client-2.194.0-py3-none-any.whl", hash = "sha256:61eaaac3b8fc8fdf11c08af87abc3d1342d1b37319cc1b57405f86ef7697e717", size = 15016514, upload-time = "2026-04-08T23:07:33.093Z" },
 ]
 
 [[package]]
@@ -2589,7 +2589,7 @@ wheels = [
 
 [[package]]
 name = "paramiko"
-version = "5.0.0"
+version = "4.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "bcrypt" },
@@ -2597,9 +2597,9 @@ dependencies = [
     { name = "invoke" },
     { name = "pynacl" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/62/93/dcc25d52f49022ae6175d15e6bd751f1acc99b98bc61fc55e5155a7be2e7/paramiko-5.0.0.tar.gz", hash = "sha256:36763b5b95c2a0dcfdf1abc48e48156ee425b21efe2f0e787c2dd5a95c0e5e79", size = 1548586, upload-time = "2026-05-09T18:28:52.256Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1f/e7/81fdcbc7f190cdb058cffc9431587eb289833bdd633e2002455ca9bb13d4/paramiko-4.0.0.tar.gz", hash = "sha256:6a25f07b380cc9c9a88d2b920ad37167ac4667f8d9886ccebd8f90f654b5d69f", size = 1630743, upload-time = "2025-08-04T01:02:03.711Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/82/5b/eadf6d45de38d30ab603f49393b6cd2cbe7e233af8cf90197e32782b68a9/paramiko-5.0.0-py3-none-any.whl", hash = "sha256:b7044611c30140d9a75261653210e2002977b71a0497ff3ba0d98d7edbf62f7c", size = 208919, upload-time = "2026-05-09T18:28:50.295Z" },
+    { url = "https://files.pythonhosted.org/packages/a9/90/a744336f5af32c433bd09af7854599682a383b37cfd78f7de263de6ad6cb/paramiko-4.0.0-py3-none-any.whl", hash = "sha256:0e20e00ac666503bf0b4eda3b6d833465a2b7aff2e2b3d79a8bba5ef144ee3b9", size = 223932, upload-time = "2025-08-04T01:02:02.029Z" },
 ]
 
 [[package]]
@@ -2813,7 +2813,7 @@ wheels = [
 
 [[package]]
 name = "pydantic"
-version = "2.13.4"
+version = "2.13.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "annotated-types" },
@@ -2821,9 +2821,9 @@ dependencies = [
     { name = "typing-extensions" },
     { name = "typing-inspection" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/18/a5/b60d21ac674192f8ab0ba4e9fd860690f9b4a6e51ca5df118733b487d8d6/pydantic-2.13.4.tar.gz", hash = "sha256:c40756b57adaa8b1efeeced5c196f3f3b7c435f90e84ea7f443901bec8099ef6", size = 844775, upload-time = "2026-05-06T13:43:05.343Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d9/e4/40d09941a2cebcb20609b86a559817d5b9291c49dd6f8c87e5feffbe703a/pydantic-2.13.3.tar.gz", hash = "sha256:af09e9d1d09f4e7fe37145c1f577e1d61ceb9a41924bf0094a36506285d0a84d", size = 844068, upload-time = "2026-04-20T14:46:43.632Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fd/7b/122376b1fd3c62c1ed9dc80c931ace4844b3c55407b6fb2d199377c9736f/pydantic-2.13.4-py3-none-any.whl", hash = "sha256:45a282cde31d808236fd7ea9d919b128653c8b38b393d1c4ab335c62924d9aba", size = 472262, upload-time = "2026-05-06T13:43:02.641Z" },
+    { url = "https://files.pythonhosted.org/packages/f3/0a/fd7d723f8f8153418fb40cf9c940e82004fce7e987026b08a68a36dd3fe7/pydantic-2.13.3-py3-none-any.whl", hash = "sha256:6db14ac8dfc9a1e57f87ea2c0de670c251240f43cb0c30a5130e9720dc612927", size = 471981, upload-time = "2026-04-20T14:46:41.402Z" },
 ]
 
 [package.optional-dependencies]
@@ -2833,43 +2833,43 @@ email = [
 
 [[package]]
 name = "pydantic-core"
-version = "2.46.4"
+version = "2.46.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9d/56/921726b776ace8d8f5db44c4ef961006580d91dc52b803c489fafd1aa249/pydantic_core-2.46.4.tar.gz", hash = "sha256:62f875393d7f270851f20523dd2e29f082bcc82292d66db2b64ea71f64b6e1c1", size = 471464, upload-time = "2026-05-06T13:37:06.98Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/2a/ef/f7abb56c49382a246fd2ce9c799691e3c3e7175ec74b14d99e798bcddb1a/pydantic_core-2.46.3.tar.gz", hash = "sha256:41c178f65b8c29807239d47e6050262eb6bf84eb695e41101e62e38df4a5bc2c", size = 471412, upload-time = "2026-04-20T14:40:56.672Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/8d/74/228a26ddad29c6672b805d9fd78e8d251cd04004fa7eed0e622096cd0250/pydantic_core-2.46.4-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:428e04521a40150c85216fc8b85e8d39fece235a9cf5e383761238c7fa9b96fb", size = 2102079, upload-time = "2026-05-06T13:38:41.019Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/1f/8970b150a4b4365623ae00fc88603491f763c627311ae8031e3111356d6e/pydantic_core-2.46.4-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:23ace664830ee0bfe014a0c7bc248b1f7f25ed7ad103852c317624a1083af462", size = 1952179, upload-time = "2026-05-06T13:36:59.812Z" },
-    { url = "https://files.pythonhosted.org/packages/95/30/5211a831ae054928054b2f79731661087a2bc5c01e825c672b3a4a8f1b3e/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ce5c1d2a8b27468f433ca974829c44060b8097eedc39933e3c206a90ee49c4a9", size = 1978926, upload-time = "2026-05-06T13:37:39.933Z" },
-    { url = "https://files.pythonhosted.org/packages/57/e9/689668733b1eb67adeef047db3c2e8788fcf65a7fd9c9e2b46b7744fe245/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7283d57845ecf5a163403eb0702dfc220cc4fbdd18919cb5ccea4f95ee1cdab4", size = 2046785, upload-time = "2026-05-06T13:38:01.995Z" },
-    { url = "https://files.pythonhosted.org/packages/60/d9/6715260422ff50a2109878fd24d948a6c3446bb2664f34ee78cd972b3acd/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8daafc69c93ee8a0204506a3b6b30f586ef54028f52aeeeb5c4cfc5184fd5914", size = 2228733, upload-time = "2026-05-06T13:40:50.371Z" },
-    { url = "https://files.pythonhosted.org/packages/18/ae/fdb2f64316afca925640f8e70bb1a564b0ec2721c1389e25b8eb4bf9a299/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd2213145bcc2ba85884d0ac63d222fece9209678f77b9b4d76f054c561adb28", size = 2307534, upload-time = "2026-05-06T13:37:21.531Z" },
-    { url = "https://files.pythonhosted.org/packages/89/1d/8eff589b45bb8190a9d12c49cfad0f176a5cbd1534908a6b5125e2886239/pydantic_core-2.46.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7a5f930472650a82629163023e630d160863fce524c616f4e5186e5de9d9a49b", size = 2099732, upload-time = "2026-05-06T13:39:31.942Z" },
-    { url = "https://files.pythonhosted.org/packages/06/d5/ee5a3366637fee41dee51a1fc91562dcf12ddbc68fda34e6b253da2324bb/pydantic_core-2.46.4-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:c1b3f518abeca3aa13c712fd202306e145abf59a18b094a6bafb2d2bbf59192c", size = 2129627, upload-time = "2026-05-06T13:37:25.033Z" },
-    { url = "https://files.pythonhosted.org/packages/94/33/2414be571d2c6a6c4d08be21f9292b6d3fdb08949a97b6dfe985017821db/pydantic_core-2.46.4-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:1a7dd0b3ee80d90150e3495a3a13ac34dbcbfd4f012996a6a1d8900e91b5c0fb", size = 2179141, upload-time = "2026-05-06T13:37:14.046Z" },
-    { url = "https://files.pythonhosted.org/packages/7b/79/7daa95be995be0eecc4cf75064cb33f9bbbfe3fe0158caf2f0d4a996a5c7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:3fb702cd90b0446a3a1c5e470bfa0dd23c0233b676a9099ddcc964fa6ca13898", size = 2184325, upload-time = "2026-05-06T13:36:53.615Z" },
-    { url = "https://files.pythonhosted.org/packages/9f/cb/d0a382f5c0de8a222dc61c65348e0ce831b1f68e0a018450d31c2cace3a5/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:b8458003118a712e66286df6a707db01c52c0f52f7db8e4a38f0da1d3b94fc4e", size = 2323990, upload-time = "2026-05-06T13:40:29.971Z" },
-    { url = "https://files.pythonhosted.org/packages/05/db/d9ba624cc4a5aced1598e88c04fdbd8310c8a69b9d38b9a3d39ce3a61ed7/pydantic_core-2.46.4-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:372429a130e469c9cd698925ce5fc50940b7a1336b0d82038e63d5bbc4edc519", size = 2369978, upload-time = "2026-05-06T13:37:23.027Z" },
-    { url = "https://files.pythonhosted.org/packages/f2/20/d15df15ba918c423461905802bfd2981c3af0bfa0e40d05e13edbfa48bc3/pydantic_core-2.46.4-cp314-cp314-win32.whl", hash = "sha256:85bb3611ff1802f3ee7fdd7dbff26b56f343fb432d57a4728fdd49b6ef35e2f4", size = 1966354, upload-time = "2026-05-06T13:38:03.499Z" },
-    { url = "https://files.pythonhosted.org/packages/fc/b6/6b8de4c0a7d7ab3004c439c80c5c1e0a3e8d78bbae19379b01960383d9e5/pydantic_core-2.46.4-cp314-cp314-win_amd64.whl", hash = "sha256:811ff8e9c313ab425368bcbb36e5c4ebd7108c2bbf4e4089cfbb0b01eff63fac", size = 2072238, upload-time = "2026-05-06T13:39:40.807Z" },
-    { url = "https://files.pythonhosted.org/packages/32/36/51eb763beec1f4cf59b1db243a7dcc39cbb41230f050a09b9d69faaf0a48/pydantic_core-2.46.4-cp314-cp314-win_arm64.whl", hash = "sha256:bfec22eab3c8cc2ceec0248aec886624116dc079afa027ecc8ad4a7e62010f8a", size = 2018251, upload-time = "2026-05-06T13:37:26.72Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/91/855af51d625b23aa987116a19e231d2aaef9c4a415273ddc189b79a45fee/pydantic_core-2.46.4-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:af8244b2bef6aaad6d92cda81372de7f8c8d36c9f0c3ea36e827c60e7d9467a0", size = 2099593, upload-time = "2026-05-06T13:39:47.682Z" },
-    { url = "https://files.pythonhosted.org/packages/fb/1b/8784a54c65edb5f49f0a14d6977cf1b209bba85a4c77445b255c2de58ab3/pydantic_core-2.46.4-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:5a4330cdbc57162e4b3aa303f588ba752257694c9c9be3e7ebb11b4aca659b5d", size = 1935226, upload-time = "2026-05-06T13:40:40.428Z" },
-    { url = "https://files.pythonhosted.org/packages/e8/e7/1955d28d1afc56dd4b3ad7cc0cf39df1b9852964cf16e5d13912756d6d6b/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:29c61fc04a3d840155ff08e475a04809278972fe6aef51e2720554e96367e34b", size = 1974605, upload-time = "2026-05-06T13:37:32.029Z" },
-    { url = "https://files.pythonhosted.org/packages/93/e2/3fedbf0ba7a22850e6e9fd78117f1c0f10f950182344d8a6c535d468fdd8/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c50f2528cf200c5eed56faf3f4e22fcd5f38c157a8b78576e6ba3168ec35f000", size = 2030777, upload-time = "2026-05-06T13:38:55.239Z" },
-    { url = "https://files.pythonhosted.org/packages/f8/61/46be275fcaaba0b4f5b9669dd852267ce1ff616592dccf7a7845588df091/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0cbe8b01f948de4286c74cdd6c667aceb38f5c1e26f0693b3983d9d74887c65e", size = 2236641, upload-time = "2026-05-06T13:37:08.096Z" },
-    { url = "https://files.pythonhosted.org/packages/60/db/12e93e46a8bac9988be3c016860f83293daea8c716c029c9ace279036f2f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:617d7e2ca7dcb8c5cf6bcb8c59b8832c94b36196bbf1cbd1bfb56ed341905edd", size = 2286404, upload-time = "2026-05-06T13:40:20.221Z" },
-    { url = "https://files.pythonhosted.org/packages/e2/4a/4d8b19008f38d31c53b8219cfedc2e3d5de5fe99d90076b7e767de29274f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7027560ee92211647d0d34e3f7cd6f50da56399d26a9c8ad0da286d3869a53f3", size = 2109219, upload-time = "2026-05-06T13:38:12.153Z" },
-    { url = "https://files.pythonhosted.org/packages/88/70/3cbc40978fefb7bb09c6708d40d4ad1a5d70fd7213c3d17f971de868ec1f/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:f99626688942fb746e545232e7726926f3be91b5975f8b55327665fafda991c7", size = 2110594, upload-time = "2026-05-06T13:40:02.971Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/20/b8d36736216e29491125531685b2f9e61aa5b4b2599893f8268551da3338/pydantic_core-2.46.4-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fc3e9034a63de20e15e8ade85358bc6efc614008cab72898b4b4952bea0509ff", size = 2159542, upload-time = "2026-05-06T13:39:27.506Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/a2/367df868eb584dacf6bf82a389272406d7178e301c4ac82545ab98bc2dd9/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:97e7cf2be5c77b7d1a9713a05605d49460d02c6078d38d8bef3cbe323c548424", size = 2168146, upload-time = "2026-05-06T13:38:31.93Z" },
-    { url = "https://files.pythonhosted.org/packages/c1/b8/4460f77f7e201893f649a29ab355dddd3beee8a97bcb1a320db414f9a06e/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:3bf92c5d0e00fefaab325a4d27828fe6b6e2a21848686b5b60d2d9eeb09d76c6", size = 2306309, upload-time = "2026-05-06T13:37:44.717Z" },
-    { url = "https://files.pythonhosted.org/packages/64/c4/be2639293acd87dc8ddbcec41a73cee9b2ebf996fe6d892a1a74e88ad3f7/pydantic_core-2.46.4-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:3ecbc122d18468d06ca279dc26a8c2e2d5acb10943bb35e36ae92096dc3b5565", size = 2369736, upload-time = "2026-05-06T13:37:05.645Z" },
-    { url = "https://files.pythonhosted.org/packages/30/a6/9f9f380dbb301f67023bf8f707aaa75daadf84f7152d95c410fd7e81d994/pydantic_core-2.46.4-cp314-cp314t-win32.whl", hash = "sha256:e846ae7835bf0703ae43f534ab79a867146dadd59dc9ca5c8b53d5c8f7c9ef02", size = 1955575, upload-time = "2026-05-06T13:38:51.116Z" },
-    { url = "https://files.pythonhosted.org/packages/40/1f/f1eb9eb350e795d1af8586289746f5c5677d16043040d63710e22abc43c9/pydantic_core-2.46.4-cp314-cp314t-win_amd64.whl", hash = "sha256:2108ba5c1c1eca18030634489dc544844144ee36357f2f9f780b93e7ddbb44b5", size = 2051624, upload-time = "2026-05-06T13:38:21.672Z" },
-    { url = "https://files.pythonhosted.org/packages/f6/d2/42dd53d0a85c27606f316d3aa5d2869c4e8470a5ed6dec30e4a1abe19192/pydantic_core-2.46.4-cp314-cp314t-win_arm64.whl", hash = "sha256:4fcbe087dbc2068af7eda3aa87634eba216dbda64d1ae73c8684b621d33f6596", size = 2017325, upload-time = "2026-05-06T13:40:52.723Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/db/a7bcb4940183fda36022cd18ba8dd12f2dff40740ec7b58ce7457befa416/pydantic_core-2.46.3-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:afa3aa644f74e290cdede48a7b0bee37d1c35e71b05105f6b340d484af536d9b", size = 2097614, upload-time = "2026-04-20T14:44:38.374Z" },
+    { url = "https://files.pythonhosted.org/packages/24/35/e4066358a22e3e99519db370494c7528f5a2aa1367370e80e27e20283543/pydantic_core-2.46.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ced3310e51aa425f7f77da8bbbb5212616655bedbe82c70944320bc1dbe5e018", size = 1951896, upload-time = "2026-04-20T14:40:53.996Z" },
+    { url = "https://files.pythonhosted.org/packages/87/92/37cf4049d1636996e4b888c05a501f40a43ff218983a551d57f9d5e14f0d/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e29908922ce9da1a30b4da490bd1d3d82c01dcfdf864d2a74aacee674d0bfa34", size = 1979314, upload-time = "2026-04-20T14:41:49.446Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/36/9ff4d676dfbdfb2d591cf43f3d90ded01e15b1404fd101180ed2d62a2fd3/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0c9ff69140423eea8ed2d5477df3ba037f671f5e897d206d921bc9fdc39613e7", size = 2056133, upload-time = "2026-04-20T14:42:23.574Z" },
+    { url = "https://files.pythonhosted.org/packages/bc/f0/405b442a4d7ba855b06eec8b2bf9c617d43b8432d099dfdc7bf999293495/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b675ab0a0d5b1c8fdb81195dc5bcefea3f3c240871cdd7ff9a2de8aa50772eb2", size = 2228726, upload-time = "2026-04-20T14:44:22.816Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/f8/65cd92dd5a0bd89ba277a98ecbfaf6fc36bbd3300973c7a4b826d6ab1391/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0087084960f209a9a4af50ecd1fb063d9ad3658c07bb81a7a53f452dacbfb2ba", size = 2301214, upload-time = "2026-04-20T14:44:48.792Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/86/ef96a4c6e79e7a2d0410826a68fbc0eccc0fd44aa733be199d5fcac3bb87/pydantic_core-2.46.3-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ed42e6cc8e1b0e2b9b96e2276bad70ae625d10d6d524aed0c93de974ae029f9f", size = 2099927, upload-time = "2026-04-20T14:41:40.196Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/53/269caf30e0096e0a8a8f929d1982a27b3879872cca2d917d17c2f9fdf4fe/pydantic_core-2.46.3-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:f1771ce258afb3e4201e67d154edbbae712a76a6081079fe247c2f53c6322c22", size = 2128789, upload-time = "2026-04-20T14:41:15.868Z" },
+    { url = "https://files.pythonhosted.org/packages/00/b0/1a6d9b6a587e118482910c244a1c5acf4d192604174132efd12bf0ac486f/pydantic_core-2.46.3-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a7610b6a5242a6c736d8ad47fd5fff87fcfe8f833b281b1c409c3d6835d9227f", size = 2173815, upload-time = "2026-04-20T14:44:25.152Z" },
+    { url = "https://files.pythonhosted.org/packages/87/56/e7e00d4041a7e62b5a40815590114db3b535bf3ca0bf4dca9f16cef25246/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:ff5e7783bcc5476e1db448bf268f11cb257b1c276d3e89f00b5727be86dd0127", size = 2181608, upload-time = "2026-04-20T14:41:28.933Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/22/4bd23c3d41f7c185d60808a1de83c76cf5aeabf792f6c636a55c3b1ec7f9/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:9d2e32edcc143bc01e95300671915d9ca052d4f745aa0a49c48d4803f8a85f2c", size = 2326968, upload-time = "2026-04-20T14:42:03.962Z" },
+    { url = "https://files.pythonhosted.org/packages/24/ac/66cd45129e3915e5ade3b292cb3bc7fd537f58f8f8dbdaba6170f7cabb74/pydantic_core-2.46.3-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:6e42d83d1c6b87fa56b521479cff237e626a292f3b31b6345c15a99121b454c1", size = 2369842, upload-time = "2026-04-20T14:41:35.52Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/51/dd4248abb84113615473aa20d5545b7c4cd73c8644003b5259686f93996c/pydantic_core-2.46.3-cp314-cp314-win32.whl", hash = "sha256:07bc6d2a28c3adb4f7c6ae46aa4f2d2929af127f587ed44057af50bf1ce0f505", size = 1959661, upload-time = "2026-04-20T14:41:00.042Z" },
+    { url = "https://files.pythonhosted.org/packages/20/eb/59980e5f1ae54a3b86372bd9f0fa373ea2d402e8cdcd3459334430f91e91/pydantic_core-2.46.3-cp314-cp314-win_amd64.whl", hash = "sha256:8940562319bc621da30714617e6a7eaa6b98c84e8c685bcdc02d7ed5e7c7c44e", size = 2071686, upload-time = "2026-04-20T14:43:16.471Z" },
+    { url = "https://files.pythonhosted.org/packages/8c/db/1cf77e5247047dfee34bc01fa9bca134854f528c8eb053e144298893d370/pydantic_core-2.46.3-cp314-cp314-win_arm64.whl", hash = "sha256:5dcbbcf4d22210ced8f837c96db941bdb078f419543472aca5d9a0bb7cddc7df", size = 2026907, upload-time = "2026-04-20T14:43:31.732Z" },
+    { url = "https://files.pythonhosted.org/packages/57/c0/b3df9f6a543276eadba0a48487b082ca1f201745329d97dbfa287034a230/pydantic_core-2.46.3-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:d0fe3dce1e836e418f912c1ad91c73357d03e556a4d286f441bf34fed2dbeecf", size = 2095047, upload-time = "2026-04-20T14:42:37.982Z" },
+    { url = "https://files.pythonhosted.org/packages/66/57/886a938073b97556c168fd99e1a7305bb363cd30a6d2c76086bf0587b32a/pydantic_core-2.46.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:9ce92e58abc722dac1bf835a6798a60b294e48eb0e625ec9fd994b932ac5feee", size = 1934329, upload-time = "2026-04-20T14:43:49.655Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/7c/b42eaa5c34b13b07ecb51da21761297a9b8eb43044c864a035999998f328/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a03e6467f0f5ab796a486146d1b887b2dc5e5f9b3288898c1b1c3ad974e53e4a", size = 1974847, upload-time = "2026-04-20T14:42:10.737Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/9b/92b42db6543e7de4f99ae977101a2967b63122d4b6cf7773812da2d7d5b5/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:2798b6ba041b9d70acfb9071a2ea13c8456dd1e6a5555798e41ba7b0790e329c", size = 2041742, upload-time = "2026-04-20T14:40:44.262Z" },
+    { url = "https://files.pythonhosted.org/packages/0f/19/46fbe1efabb5aa2834b43b9454e70f9a83ad9c338c1291e48bdc4fecf167/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9be3e221bdc6d69abf294dcf7aff6af19c31a5cdcc8f0aa3b14be29df4bd03b1", size = 2236235, upload-time = "2026-04-20T14:41:27.307Z" },
+    { url = "https://files.pythonhosted.org/packages/77/da/b3f95bc009ad60ec53120f5d16c6faa8cabdbe8a20d83849a1f2b8728148/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f13936129ce841f2a5ddf6f126fea3c43cd128807b5a59588c37cf10178c2e64", size = 2282633, upload-time = "2026-04-20T14:44:33.271Z" },
+    { url = "https://files.pythonhosted.org/packages/cc/6e/401336117722e28f32fb8220df676769d28ebdf08f2f4469646d404c43a3/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:28b5f2ef03416facccb1c6ef744c69793175fd27e44ef15669201601cf423acb", size = 2109679, upload-time = "2026-04-20T14:44:41.065Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/53/b289f9bc8756a32fe718c46f55afaeaf8d489ee18d1a1e7be1db73f42cc4/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:830d1247d77ad23852314f069e9d7ddafeec5f684baf9d7e7065ed46a049c4e6", size = 2108342, upload-time = "2026-04-20T14:42:50.144Z" },
+    { url = "https://files.pythonhosted.org/packages/10/5b/8292fc7c1f9111f1b2b7c1b0dcf1179edcd014fc3ea4517499f50b829d71/pydantic_core-2.46.3-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d0793c90c1a3c74966e7975eaef3ed30ebdff3260a0f815a62a22adc17e4c01c", size = 2157208, upload-time = "2026-04-20T14:42:08.133Z" },
+    { url = "https://files.pythonhosted.org/packages/2b/9e/f80044e9ec07580f057a89fc131f78dda7a58751ddf52bbe05eaf31db50f/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:d2d0aead851b66f5245ec0c4fb2612ef457f8bbafefdf65a2bf9d6bac6140f47", size = 2167237, upload-time = "2026-04-20T14:42:25.412Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/84/6781a1b037f3b96be9227edbd1101f6d3946746056231bf4ac48cdff1a8d/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:2f40e4246676beb31c5ce77c38a55ca4e465c6b38d11ea1bd935420568e0b1ab", size = 2312540, upload-time = "2026-04-20T14:40:40.313Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/db/19c0839feeb728e7df03255581f198dfdf1c2aeb1e174a8420b63c5252e5/pydantic_core-2.46.3-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:cf489cf8986c543939aeee17a09c04d6ffb43bfef8ca16fcbcc5cfdcbed24dba", size = 2369556, upload-time = "2026-04-20T14:41:09.427Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/15/3228774cb7cd45f5f721ddf1b2242747f4eb834d0c491f0c02d606f09fed/pydantic_core-2.46.3-cp314-cp314t-win32.whl", hash = "sha256:ffe0883b56cfc05798bf994164d2b2ff03efe2d22022a2bb080f3b626176dd56", size = 1949756, upload-time = "2026-04-20T14:41:25.717Z" },
+    { url = "https://files.pythonhosted.org/packages/b8/2a/c79cf53fd91e5a87e30d481809f52f9a60dd221e39de66455cf04deaad37/pydantic_core-2.46.3-cp314-cp314t-win_amd64.whl", hash = "sha256:706d9d0ce9cf4593d07270d8e9f53b161f90c57d315aeec4fb4fd7a8b10240d8", size = 2051305, upload-time = "2026-04-20T14:43:18.627Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/db/d8182a7f1d9343a032265aae186eb063fe26ca4c40f256b21e8da4498e89/pydantic_core-2.46.3-cp314-cp314t-win_arm64.whl", hash = "sha256:77706aeb41df6a76568434701e0917da10692da28cb69d5fb6919ce5fdb07374", size = 2026310, upload-time = "2026-04-20T14:41:01.778Z" },
 ]
 
 [[package]]
@@ -3083,18 +3083,18 @@ wheels = [
 
 [[package]]
 name = "python-kadmin-rs"
-version = "0.7.2"
+version = "0.7.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ab/96/f5ed764f06621d1c06b469ec2a24c2da64a0fdb9f13d1c7005c70fd7804d/python_kadmin_rs-0.7.2.tar.gz", hash = "sha256:1f57ab7b61540c420eb684154e56638d42e4bafe2ac66362c2d667cda7d0ce8c", size = 119177, upload-time = "2026-05-11T13:31:19.071Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c6/18/2773570703e5ab13fc0390797685cb6c09b8002d96438c57a8e887cc3234/python_kadmin_rs-0.7.0.tar.gz", hash = "sha256:e8a539fda1a1006fe5f0868c0e59a36b3b90d451da9c0c2bc3a9bfc7173efbdc", size = 112469, upload-time = "2026-01-15T17:49:10.467Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/63/f2/e86b79e1cc8d43c8865f65b5b9c7b06fbfb56e56b812bd279c38faa100cd/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:2c77b425805669831e2c4eb316304b9f4690ac27a74cb34e2b92dc0979ab0d3c", size = 512988, upload-time = "2026-05-11T13:31:01.655Z" },
-    { url = "https://files.pythonhosted.org/packages/17/d6/200dd8ca05bbdf48d77050a0a75c183fca740f2d33e59c8083832514d300/python_kadmin_rs-0.7.2-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:403c04a395f42d87cbfa46d60f9145841a8b5c6d8ac1f2dab0f457e3e3b7049c", size = 527527, upload-time = "2026-05-11T13:31:03.528Z" },
-    { url = "https://files.pythonhosted.org/packages/54/03/e9ebb35c7c1441722ced8097c19c1737b1db28c18d9a0c219fe12fe94257/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:5f1560747e1a936cc9509c87d45180e351096b3be47c8af81a6f3dd4516ca34b", size = 564813, upload-time = "2026-05-11T13:31:05.464Z" },
-    { url = "https://files.pythonhosted.org/packages/f9/d8/c2706859bec76cc629d7665effd6fd540d31b10631d800796269806c86cc/python_kadmin_rs-0.7.2-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:cb51f980597383c4f4adb308e3e4c0c796e5dba560f68b17e4b3cd269c043ae2", size = 562188, upload-time = "2026-05-11T13:31:06.875Z" },
-    { url = "https://files.pythonhosted.org/packages/00/ad/808be9b2b5a52ff0244e323a4d2ec00b66c21c98e49088399a744da15085/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:08fea0f139d5cfdcda24446355578071b8ac02223bb9433077b895df6655cb9e", size = 511783, upload-time = "2026-05-11T13:31:08.291Z" },
-    { url = "https://files.pythonhosted.org/packages/0c/9a/73ab8930b37eafa3a41341c245df6066d38a5b8076cae4f39d7f59eab7bb/python_kadmin_rs-0.7.2-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:ff124a363e6c8707d738191969e22c08d2cef73b3d6fc0ce86f1dcd81715e170", size = 526356, upload-time = "2026-05-11T13:31:10.137Z" },
-    { url = "https://files.pythonhosted.org/packages/b8/26/acddc2766900537b94e923ecd12c9f4d5ee6a0f551ffe7998826055c8193/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:5124b7f27b67d034c6c13ebfbb65c036e197e30bc47c457853489e08d535cb3c", size = 561923, upload-time = "2026-05-11T13:31:11.843Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/4e/42b317789b5e204995431762b7dcede1544581ee5caacebac36d8991f478/python_kadmin_rs-0.7.2-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:0741de2fd55338b356a424899c2cc400314dd57ae2031ed879a2765edfc2f0a1", size = 562006, upload-time = "2026-05-11T13:31:13.206Z" },
+    { url = "https://files.pythonhosted.org/packages/71/05/94e7575a69ea5d3fc23d4df4a8e4d5acb6f6d3633f23b0a8b6b6360da775/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_arm64.whl", hash = "sha256:d1418825ba6c161d504b7905a99ef475d5ec1fdf15e6f5b72e4641f350fbc261", size = 510261, upload-time = "2026-01-15T17:48:52.002Z" },
+    { url = "https://files.pythonhosted.org/packages/d7/16/58671c341caef38a492e327cf3e0b24aba2842419da15566f8e3d42c9382/python_kadmin_rs-0.7.0-cp314-cp314-macosx_14_0_x86_64.whl", hash = "sha256:b247bc5f5a075107088cdcec22c67125aa6706fdcd2e264a99a478f1bedecd7d", size = 527751, upload-time = "2026-01-15T17:48:53.504Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/d1/505e34ce204601aae0fcecaf56c66e808803426199948d3a26a6c16a9e5b/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_aarch64.whl", hash = "sha256:8e6d8ea17a02bb0527219abadac08a63a47f97351f41c79fade77dd11a380795", size = 552634, upload-time = "2026-01-15T17:48:54.96Z" },
+    { url = "https://files.pythonhosted.org/packages/0b/51/391a3d8ee99aeb2466efe499e52ef6a7479d7ac426635d92cd050a5fe3f9/python_kadmin_rs-0.7.0-cp314-cp314-manylinux_2_28_x86_64.whl", hash = "sha256:82107ee5ea3dc1a3b716323687febc64ed2fa462ebd986565fba7394add04792", size = 554659, upload-time = "2026-01-15T17:48:56.408Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/77/6a2fe8a9bef6e3d94f842492db7216c4d0a47c5a67a8a7265c126ed5be58/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_arm64.whl", hash = "sha256:ed58ec35dd89a381408fa92f0404d6321f2e6687c58c974f820f113a7052f39f", size = 512638, upload-time = "2026-01-15T17:48:58.519Z" },
+    { url = "https://files.pythonhosted.org/packages/ef/e4/ddd909d4b5ff00a3ed277699f3e2204785367a52088dcb41465b8e01f733/python_kadmin_rs-0.7.0-cp314-cp314t-macosx_14_0_x86_64.whl", hash = "sha256:6a6b63680e10a450e553a84a15216f61af838d86d623caec1fb1c2977907d1ef", size = 530752, upload-time = "2026-01-15T17:49:00.108Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/b2/7d4ea81b768a4ea6be57d9bc70f1841828483a092598b60243a7ad8c798c/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:e48cdf80bdece9fdcc70d9ef9237821ae9366cf7944742cd412ac2ebd07a40cc", size = 553270, upload-time = "2026-01-15T17:49:01.682Z" },
+    { url = "https://files.pythonhosted.org/packages/26/b7/87851916c895f31e67a9fe827dabfe3a2f09cf8ecf090cb4ac513f100157/python_kadmin_rs-0.7.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:e63aec5daa1a8469f5b617aa8a5b5a689e2b18241026c7e666ca0f8b5e8688c8", size = 556308, upload-time = "2026-01-15T17:49:03.199Z" },
 ]
 
 [[package]]
@@ -3332,15 +3332,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.59.0"
+version = "2.58.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/65/e0/9bf5e5fc7442b10880f3ec0eff0ef4208b84a099606f343ec4f5445227fb/sentry_sdk-2.59.0.tar.gz", hash = "sha256:cd265808ef8bf3f3edf69b527c0a0b2b6b1322762679e55b8987db2e9584aec1", size = 447331, upload-time = "2026-05-04T12:19:06.538Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/26/b3/fb8291170d0e844173164709fc0fa0c221ed75a5da740c8746f2a83b4eb1/sentry_sdk-2.58.0.tar.gz", hash = "sha256:c1144d947352d54e5b7daa63596d9f848adf684989c06c4f5a659f0c85a18f6f", size = 438764, upload-time = "2026-04-13T17:23:26.265Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/bf/00/b8cc413748fb6383d1582e7cda51314f99743351c462a92dc690d5b5853b/sentry_sdk-2.59.0-py2.py3-none-any.whl", hash = "sha256:abcf65ee9a9d9cdebf9ad369782408ecca9c1c792686ef06ba34f5ab233527fe", size = 468432, upload-time = "2026-05-04T12:19:04.741Z" },
+    { url = "https://files.pythonhosted.org/packages/fa/eb/d875669993b762556ae8b2efd86219943b4c0864d22204d622a9aee3052b/sentry_sdk-2.58.0-py2.py3-none-any.whl", hash = "sha256:688d1c704ddecf382ea3326f21a67453d4caa95592d722b7c780a36a9d23109e", size = 460919, upload-time = "2026-04-13T17:23:24.675Z" },
 ]
 
 [[package]]
@@ -3524,7 +3524,7 @@ wheels = [
 
 [[package]]
 name = "twilio"
-version = "9.10.9"
+version = "9.10.5"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aiohttp" },
@@ -3532,9 +3532,9 @@ dependencies = [
     { name = "pyjwt" },
     { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/30/af/275130be4783c6e2b2122d3b278b63da0007611d1dc073d6414adcc6be03/twilio-9.10.9.tar.gz", hash = "sha256:eb74fc026c85a89372836414f57e262119efaa160b9419cf4d05b59056b8e89d", size = 1762839, upload-time = "2026-05-07T17:34:38.162Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b5/97/c439bc2c058f8a24edd732f5cc82adedd8794bcc2da0836c2eff1e2dbe91/twilio-9.10.5.tar.gz", hash = "sha256:d9f93b9280349ee7b52e7f17a0600fd7bfd0f7ff88eb00c40270164bc058743f", size = 1641690, upload-time = "2026-04-14T09:52:09.392Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ed/6b/df08b499d01ba6b9f7f42f9dd51b82aab1eb26c93602f3b89179a520494f/twilio-9.10.9-py2.py3-none-any.whl", hash = "sha256:1c50bfb394b5dbc044bacab24b2e3b550bee0c08da51c4a1fa4816293303e66c", size = 2452983, upload-time = "2026-05-07T17:34:36.459Z" },
+    { url = "https://files.pythonhosted.org/packages/4a/97/4fdde5e54fcbb789aa1a70c371f2f33d7eb1e58e8a6131fdbd8a98490976/twilio-9.10.5-py2.py3-none-any.whl", hash = "sha256:7972db54496fbf501b238f34d1f717f80ff22720313dc706632787aad5934997", size = 2284944, upload-time = "2026-04-14T09:52:07.333Z" },
 ]
 
 [[package]]
@@ -3663,14 +3663,14 @@ wheels = [
 
 [[package]]
 name = "types-requests"
-version = "2.33.0.20260503"
+version = "2.33.0.20260408"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a1/b8/57e94268c0d82ac3eaa2fc35aa8ca7bbc2542f726b67dcf90b0b00a3b14d/types_requests-2.33.0.20260503.tar.gz", hash = "sha256:9721b2d9dbee7131f2fb39f20f0ebb1999c18cef4b512c9a7932f3722de7c5f4", size = 23931, upload-time = "2026-05-03T05:20:08.882Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/69/6a/749dc53a54a3f35842c1f8197b3ca6b54af6d7458a1bfc75f6629b6da666/types_requests-2.33.0.20260408.tar.gz", hash = "sha256:95b9a86376807a216b2fb412b47617b202091c3ea7c078f47cc358d5528ccb7b", size = 23882, upload-time = "2026-04-08T04:34:49.33Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c3/82/959113a6351f3ca046cd0a8cd2cee071d7ea47473560557a01eeae9a6fe2/types_requests-2.33.0.20260503-py3-none-any.whl", hash = "sha256:02aaa7e3577a13471715bb1bddb693cc985ea514f754b503bf033e6a09a3e528", size = 20736, upload-time = "2026-05-03T05:20:07.858Z" },
+    { url = "https://files.pythonhosted.org/packages/90/b8/78fd6c037de4788c040fdd323b3369804400351b7827473920f6c1d03c10/types_requests-2.33.0.20260408-py3-none-any.whl", hash = "sha256:81f31d5ea4acb39f03be7bc8bed569ba6d5a9c5d97e89f45ac43d819b68ca50f", size = 20739, upload-time = "2026-04-08T04:34:48.325Z" },
 ]
 
 [[package]]
@@ -3791,11 +3791,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.7.0"
+version = "2.6.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" },
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
 
 [package.optional-dependencies]

web/icons/brand.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="d" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3064.87 487.37"><defs><symbol id="a" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="2865.3" height="437.72" transform="translate(99.78 24.83)" xlink:href="#a"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 144.29"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M106,41.08h25.39v101.2H106v-10.7a50,50,0,0,1-14.92,10.19,41.84,41.84,0,0,1-16.21,3.11q-19.61,0-33.91-15.21T26.64,91.86q0-23.43,13.85-38.41t33.63-15a42.78,42.78,0,0,1,17.09,3.44A46.82,46.82,0,0,1,106,52.24ZM79.29,61.91a25.65,25.65,0,0,0-19.56,8.33q-7.78,8.33-7.79,21.34t7.93,21.58a25.66,25.66,0,0,0,19.51,8.47,26.15,26.15,0,0,0,19.84-8.33q7.88-8.33,7.88-21.81,0-13.2-7.88-21.39T79.29,61.91Z"/><path class="cls-1" d="M168.39,41.08h25.67V89.82q0,14.22,2,19.76a17.24,17.24,0,0,0,6.29,8.61A18.06,18.06,0,0,0,213,121.26a18.6,18.6,0,0,0,10.77-3,17.7,17.7,0,0,0,6.57-8.88q1.59-4.36,1.59-18.7V41.08h25.39V84q0,26.51-4.18,36.27a39.6,39.6,0,0,1-15.07,18.28q-10,6.38-25.3,6.37-16.65,0-26.93-7.44T171.36,116.7q-3-9.21-3-33.49Z"/><path class="cls-1" d="M297.3,3.78h25.39v37.3h15.07V62.93H322.69v79.35H297.3V62.93h-13V41.08h13Z"/><path class="cls-1" d="M362.86,2h25.21v49.3a57.74,57.74,0,0,1,15-9.63,38.56,38.56,0,0,1,15.25-3.21,34.36,34.36,0,0,1,25.39,10.42q8.83,9,8.84,26.51v66.88h-25V97.91q0-17.58-1.68-23.81t-5.71-9.3a16.07,16.07,0,0,0-10-3.07,18.85,18.85,0,0,0-13.26,5.11q-5.53,5.11-7.67,14-1.12,4.56-1.12,20.84v40.65H362.86Z"/><path class="cls-1" d="M589.91,99H508.33q1.77,10.78,9.44,17.16t19.58,6.37a33.86,33.86,0,0,0,24.46-10l21.4,10a50.54,50.54,0,0,1-19.16,16.79q-11.16,5.44-26.51,5.44-23.82,0-38.79-15t-15-37.63q0-23.16,14.93-38.46t37.44-15.3q23.91,0,38.88,15.3t15,40.42Zm-25.4-20a25.48,25.48,0,0,0-9.92-13.77A28.81,28.81,0,0,0,537.4,60a30.42,30.42,0,0,0-18.64,5.95q-5,3.72-9.31,13.12Z"/><path class="cls-1" d="M621.89,41.08h25.39V51.45q8.64-7.29,15.65-10.13a37.82,37.82,0,0,1,14.35-2.85A34.77,34.77,0,0,1,702.83,49q8.82,8.94,8.82,26.42v66.88H686.54V98q0-18.12-1.63-24.06a16.44,16.44,0,0,0-5.66-9.06,15.8,15.8,0,0,0-10-3.11,18.73,18.73,0,0,0-13.23,5.15Q650.53,72,648.4,81.14q-1.12,4.74-1.12,20.54v40.6H621.89Z"/><path class="cls-1" d="M750.71,3.78H776.1v37.3h15.07V62.93H776.1v79.35H750.71V62.93h-13V41.08h13Z"/><path class="cls-1" d="M826.09-.6a15.55,15.55,0,0,1,11.45,4.84A16.08,16.08,0,0,1,842.31,16a15.87,15.87,0,0,1-4.72,11.58,15.34,15.34,0,0,1-11.32,4.79,15.6,15.6,0,0,1-11.55-4.88A16.35,16.35,0,0,1,810,15.59a15.57,15.57,0,0,1,4.73-11.44A15.53,15.53,0,0,1,826.09-.6Z"/><rect class="cls-1" x="813.39" y="41.08" width="25.39" height="101.2"/><path class="cls-1" d="M873.47,2h25.39V82.8l37.39-41.72h31.89l-43.59,48.5,48.81,52.7H941.83l-43-46.64v46.64H873.47Z"/></svg>

web/icons/icon.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="c" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1000 1000"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(1 117.03)" xlink:href="#a"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 1000"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><rect class="cls-1" x="546.66" y="275.34" width="34.99" height="99.97"/><rect class="cls-1" x="637.66" y="271.13" width="34.99" height="78.19"/><path class="cls-1" d="M127.64,385.31a127.57,127.57,0,0,0-112.13,66.9H74.82c26.27-22.67,64.42-29.28,92,0h62.8C205.11,419.06,168.36,385.31,127.64,385.31Z"/><path class="cls-1" d="M212.39,512.53C130.55,683.65-12.89,537.81,74.82,452.21H15.51C-31,533.33,33.3,642.73,127.64,640.24c73,0,133.2-108.3,133.2-127.46,0-8.47-11.78-34.33-31.2-60.57h-62.8C187.65,471.08,205.81,498.56,212.39,512.53Zm2.17-5h0Z"/><path class="cls-1" d="M999.94,274.11V725.89c0,86.58-70.42,157.06-157.05,157.06H776.22V729.12H457.88V883H391.22c-86.64,0-157.06-70.48-157.06-157.06V583.81H738.87V312.11H495.24V464.76H234.16V274.11a151.29,151.29,0,0,1,1.06-18,154.4,154.4,0,0,1,3.88-21.15c.58-2.23,1.23-4.46,1.88-6.64a13.66,13.66,0,0,1,.52-1.64c.36-1.12.71-2.17,1.06-3.23s.76-2.17,1.18-3.23c.47-1.23.88-2.41,1.35-3.58s1-2.35,1.47-3.53a159,159,0,0,1,14.27-26.49c.06-.06.12-.17.17-.23,1.41-2.06,2.88-4.11,4.41-6.17,1.29-1.7,2.58-3.35,3.88-5,1.52-1.82,3.11-3.7,4.69-5.46s3.12-3.47,4.76-5.11l.18-.18a36.53,36.53,0,0,1,2.64-2.64,159.75,159.75,0,0,1,18.68-15.63c1.76-1.29,3.64-2.52,5.52-3.76,2.11-1.35,4.23-2.64,6.4-3.93,4.11-2.41,8.28-4.64,12.63-6.64,1.35-.64,2.76-1.29,4.11-1.88a152.81,152.81,0,0,1,18.38-6.63c2.41-.71,4.82-1.35,7.29-1.94,1.17-.3,2.35-.59,3.58-.82a158.5,158.5,0,0,1,21.26-3.12l3.12-.17c.52,0,1-.06,1.52-.06,2.35-.12,4.76-.18,7.17-.18H842.89c2.4,0,4.81.06,7.16.18.53,0,1,.06,1.53.06l3.11.17A158.26,158.26,0,0,1,876,120.58c1.24.23,2.41.52,3.59.82,2.46.59,4.87,1.23,7.28,1.94A152.81,152.81,0,0,1,905.2,130c1.35.59,2.76,1.24,4.11,1.88,4.35,2,8.52,4.23,12.63,6.64,2.18,1.29,4.29,2.58,6.4,3.93,1.88,1.24,3.76,2.47,5.52,3.76a157.53,157.53,0,0,1,21.5,18.45c1.65,1.64,3.23,3.34,4.76,5.11s3.17,3.64,4.7,5.46c1.29,1.64,2.58,3.29,3.87,5,1.53,2.06,3,4.11,4.41,6.17.06.06.12.17.18.23a159.71,159.71,0,0,1,14.27,26.49c.47,1.18,1,2.35,1.47,3.53s.88,2.35,1.35,3.58c.41,1.06.82,2.11,1.17,3.23s.71,2.11,1.06,3.23a15.74,15.74,0,0,1,.53,1.64c.64,2.18,1.29,4.41,1.88,6.64a155.92,155.92,0,0,1,3.87,21.15A151.29,151.29,0,0,1,999.94,274.11Z"/><path class="cls-1" d="M973.27,186.59H260.84A157.05,157.05,0,0,1,391.2,117.07H842.9A157.08,157.08,0,0,1,973.27,186.59Z"/><path class="cls-1" d="M998.94,256.1H235.16a155.35,155.35,0,0,1,25.68-69.51H973.27A155.34,155.34,0,0,1,998.94,256.1Z"/><path class="cls-1" d="M1000,274.11v51.51H738.87V312.11H495.24v13.51H234.1V274.11a153.41,153.41,0,0,1,1.06-18H998.94A151.29,151.29,0,0,1,1000,274.11Z"/><rect class="cls-1" x="234.1" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="738.87" y="325.62" width="261.13" height="69.54"/><rect class="cls-1" x="234.1" y="395.16" width="261.13" height="69.48"/><rect class="cls-1" x="738.87" y="395.16" width="261.13" height="69.48"/></svg>

web/icons/icon_left_brand.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><svg id="i" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 3767.3 592.89"><defs><symbol id="a" viewBox="0 0 998.94 763.82"><path d="M829.67,0h-425.28c-93.1,0-169.27,76.17-169.27,169.27v425.28c0,93.1,76.17,169.27,169.27,169.27h50.18v-165.68h324.96v165.68h50.14c93.1,0,169.27-76.17,169.27-169.27V169.27C998.94,76.17,922.77,0,829.67,0ZM755.98,463.53H235.4v-114.49h268.96v-158.97h43.68v94.7h25.61v-94.7h30.88v69.64h25.61v-69.64h30.88v116.35h25.61v-116.35h43.68v158.97h25.69v114.49Z" style="fill:#fd4b2d;"/><g id="b"><path d="M237.36,342.19h-.02c-25.34-34.27-63.32-69.15-105.42-69.15-48.4.03-92.89,26.58-115.91,69.15-48.08,83.85,18.39,196.94,115.91,194.36,75.46,0,137.69-111.95,137.69-131.75,0-8.76-12.18-35.49-32.25-62.61ZM77.32,342.19c27.16-23.43,66.59-30.27,95.1,0h.02c21.51,19.51,40.28,47.91,47.08,62.35-84.6,176.88-232.87,26.13-142.2-62.35Z" style="fill:#fd4b2d;"/></g></symbol><symbol id="c" viewBox="0 0 2865.3 437.72"><g style="isolation:isolate;"><path d="M238.73,125.38h76.4v304.5h-76.4v-32.18c-14.91,14.18-29.87,24.4-44.87,30.65-15,6.25-31.26,9.37-48.78,9.37-39.32,0-73.33-15.25-102.04-45.76C14.35,361.45,0,323.53,0,278.19s13.89-85.54,41.65-115.58c27.77-30.04,61.5-45.06,101.19-45.06,18.26,0,35.4,3.45,51.43,10.35,16.03,6.91,30.84,17.26,44.45,31.07v-33.58ZM158.41,188.07c-23.62,0-43.24,8.35-58.86,25.05-15.62,16.7-23.43,38.11-23.43,64.23s7.95,47.96,23.84,64.93c15.9,16.98,35.47,25.47,58.72,25.47s43.89-8.35,59.69-25.05c15.8-16.7,23.71-38.57,23.71-65.63s-7.9-47.95-23.71-64.37c-15.81-16.42-35.8-24.63-59.97-24.63Z" style="fill:#fd4b2d;"/><path d="M403.16,125.38h77.24v146.65c0,28.55,1.96,48.37,5.89,59.47,3.93,11.1,10.24,19.73,18.94,25.89,8.69,6.16,19.4,9.24,32.12,9.24s23.52-3.03,32.4-9.1c8.88-6.06,15.47-14.97,19.78-26.73,3.18-8.77,4.77-27.52,4.77-56.25V125.38h76.41v129.02c0,53.18-4.2,89.56-12.59,109.15-10.26,23.88-25.38,42.22-45.34,54.99-19.97,12.78-45.34,19.17-76.13,19.17-33.4,0-60.41-7.46-81.02-22.39-20.62-14.92-35.13-35.73-43.52-62.41-5.97-18.47-8.96-52.06-8.96-100.75v-126.78Z" style="fill:#fd4b2d;"/><path d="M796.76,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M999.76,7.84h75.85v148.33c14.93-12.88,29.95-22.53,45.06-28.97,15.11-6.44,30.41-9.65,45.9-9.65,30.23,0,55.7,10.45,76.41,31.34,17.73,18.1,26.59,44.69,26.59,79.76v201.23h-75.29v-133.5c0-35.27-1.68-59.15-5.04-71.65-3.36-12.5-9.09-21.83-17.21-27.99-8.12-6.15-18.15-9.23-30.09-9.23-15.49,0-28.78,5.13-39.88,15.39-11.11,10.26-18.8,24.26-23.09,41.98-2.24,9.14-3.36,30.04-3.36,62.69v122.3h-75.85V7.84Z" style="fill:#fd4b2d;"/><path d="M1688.63,299.74h-245.45c3.54,21.65,13.01,38.86,28.41,51.64,15.39,12.78,35.03,19.17,58.91,19.17,28.55,0,53.08-9.98,73.6-29.95l64.37,30.23c-16.05,22.77-35.26,39.6-57.65,50.52-22.39,10.91-48.98,16.37-79.76,16.37-47.77,0-86.67-15.06-116.71-45.2-30.04-30.13-45.06-67.87-45.06-113.21s14.97-85.03,44.92-115.73c29.95-30.69,67.49-46.04,112.65-46.04,47.95,0,86.95,15.35,116.99,46.04,30.04,30.69,45.06,71.23,45.06,121.61l-.28,14.55ZM1612.22,239.57c-5.05-16.98-15-30.79-29.86-41.42-14.86-10.63-32.1-15.95-51.72-15.95-21.3,0-40,5.98-56.07,17.91-10.09,7.47-19.44,20.62-28.03,39.46h165.68Z" style="fill:#fd4b2d;"/><path d="M1790.6,125.38h76.41v31.21c17.33-14.61,33.02-24.77,47.09-30.48,14.06-5.71,28.46-8.57,43.18-8.57,30.18,0,55.8,10.54,76.85,31.62,17.7,17.91,26.55,44.41,26.55,79.48v201.23h-75.57v-133.35c0-36.34-1.63-60.47-4.89-72.4-3.26-11.93-8.93-21.01-17.03-27.26-8.1-6.24-18.1-9.36-30.01-9.36-15.45,0-28.71,5.17-39.78,15.51-11.08,10.35-18.76,24.65-23.04,42.91-2.24,9.5-3.35,30.1-3.35,61.78v122.16h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2183.92,13.15h76.41v112.23h45.34v65.77h-45.34v238.73h-76.41v-238.73h-39.18v-65.77h39.18V13.15Z" style="fill:#fd4b2d;"/><path d="M2416.46,0c13.39,0,24.88,4.85,34.46,14.55,9.58,9.7,14.38,21.46,14.38,35.27s-4.75,25.24-14.24,34.84c-9.49,9.61-20.84,14.41-34.04,14.41s-25.16-4.9-34.75-14.69c-9.58-9.79-14.37-21.69-14.37-35.68s4.74-24.91,14.23-34.43c9.49-9.51,20.93-14.27,34.33-14.27ZM2378.26,125.38h76.41v304.5h-76.41V125.38Z" style="fill:#fd4b2d;"/><path d="M2564.75,7.84h76.41v243.09l112.51-125.54h95.96l-131.17,145.94,146.86,158.56h-94.85l-129.3-140.34v140.34h-76.41V7.84Z" style="fill:#fd4b2d;"/></g></symbol></defs><use width="998.94" height="763.82" transform="translate(28.54 36.14) scale(.68)" xlink:href="#a"/><use width="2865.3" height="437.72" transform="translate(802.22 67.81)" xlink:href="#c"/></svg>
+<svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 994.71 151.65"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M284.72,50.4H305.5v82.84H284.72v-8.76a40.79,40.79,0,0,1-12.21,8.34,34.14,34.14,0,0,1-13.27,2.55q-16.05,0-27.76-12.45T219.77,92q0-19.18,11.33-31.45t27.53-12.26a34.94,34.94,0,0,1,14,2.82,38.32,38.32,0,0,1,12.1,8.45ZM262.87,67.45a21,21,0,0,0-16,6.82q-6.37,6.81-6.38,17.47T247,109.4a21,21,0,0,0,16,6.93,21.42,21.42,0,0,0,16.24-6.81q6.45-6.81,6.45-17.86,0-10.8-6.45-17.51A21.71,21.71,0,0,0,262.87,67.45Z"/><path class="cls-1" d="M335.8,50.4h21V90.29q0,11.65,1.6,16.18a14.16,14.16,0,0,0,5.16,7,14.76,14.76,0,0,0,8.74,2.51,15.25,15.25,0,0,0,8.81-2.48,14.49,14.49,0,0,0,5.38-7.27q1.31-3.57,1.3-15.3V50.4h20.79V85.5q0,21.69-3.43,29.69a32.32,32.32,0,0,1-12.33,15q-8.16,5.22-20.71,5.22-13.64,0-22.05-6.09a32.2,32.2,0,0,1-11.84-17q-2.43-7.55-2.43-27.41Z"/><path class="cls-1" d="M441.32,19.86H462.1V50.4h12.34V68.29H462.1v65H441.32V68.29H430.66V50.4h10.66Z"/><path class="cls-1" d="M495,18.42h20.63V58.77a47.41,47.41,0,0,1,12.26-7.88,31.62,31.62,0,0,1,12.49-2.63,28.13,28.13,0,0,1,20.78,8.53q7.23,7.4,7.24,21.7v54.75H547.9V96.92q0-14.4-1.37-19.49a13.6,13.6,0,0,0-4.68-7.62,13.19,13.19,0,0,0-8.18-2.51,15.43,15.43,0,0,0-10.85,4.19,22.14,22.14,0,0,0-6.28,11.42q-.91,3.72-.92,17v33.28H495Z"/><path class="cls-1" d="M680.84,97.83H614.06a22.25,22.25,0,0,0,7.73,14q6.29,5.22,16,5.21a27.7,27.7,0,0,0,20-8.14l17.51,8.22a41.31,41.31,0,0,1-15.68,13.74q-9.13,4.46-21.7,4.46-19.5,0-31.75-12.3T594,92.27q0-19,12.22-31.48t30.65-12.53q19.56,0,31.82,12.53t12.26,33.08ZM660.05,81.46a20.87,20.87,0,0,0-8.12-11.27,23.61,23.61,0,0,0-14.08-4.34,24.88,24.88,0,0,0-15.25,4.88q-4.11,3-7.62,10.73Z"/><path class="cls-1" d="M707,50.4H727.8v8.49a50.15,50.15,0,0,1,12.81-8.3,31.08,31.08,0,0,1,11.75-2.33,28.44,28.44,0,0,1,20.91,8.61q7.22,7.31,7.22,21.62v54.75H759.93V97q0-14.83-1.33-19.7A13.48,13.48,0,0,0,754,69.85a13,13,0,0,0-8.16-2.55A15.32,15.32,0,0,0,735,71.52a22.6,22.6,0,0,0-6.27,11.67q-.9,3.89-.91,16.81v33.24H707Z"/><path class="cls-1" d="M812.46,19.86h20.79V50.4h12.33V68.29H833.25v65H812.46V68.29H801.8V50.4h10.66Z"/><path class="cls-1" d="M874.16,16.29a12.74,12.74,0,0,1,9.38,3.95,13.18,13.18,0,0,1,3.91,9.6,13,13,0,0,1-3.87,9.48,12.6,12.6,0,0,1-9.27,3.92,12.73,12.73,0,0,1-9.45-4A13.39,13.39,0,0,1,861,29.53a12.78,12.78,0,0,1,3.87-9.36A12.71,12.71,0,0,1,874.16,16.29Z"/><rect class="cls-1" x="863.77" y="50.4" width="20.79" height="82.84"/><path class="cls-1" d="M913,18.42h20.78V84.55L964.34,50.4h26.11L954.76,90.1l40,43.14h-25.8L933.73,95.06v38.18H913Z"/><rect class="cls-1" x="107.1" y="34.93" width="6.37" height="18.2"/><rect class="cls-1" x="123.67" y="34.16" width="6.37" height="14.23"/><path class="cls-1" d="M30.83,55A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,78.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/><path class="cls-1" d="M189.62,34.71V117A28.62,28.62,0,0,1,161,145.54H148.89v-28H90.94v28H78.81A28.62,28.62,0,0,1,50.22,117V91.08h91.87V41.62H97.74V69.41H50.22V34.71a27.43,27.43,0,0,1,.19-3.29,27.09,27.09,0,0,1,.71-3.84c.1-.41.22-.82.34-1.21a2.13,2.13,0,0,1,.09-.3c.07-.21.13-.4.2-.59s.14-.4.21-.59.16-.44.25-.65.18-.43.26-.64a29.35,29.35,0,0,1,2.6-4.82l0-.05c.26-.37.53-.75.81-1.12s.47-.61.7-.91.57-.67.86-1,.56-.63.86-.93l0,0a4.53,4.53,0,0,1,.49-.49,29.23,29.23,0,0,1,3.4-2.84c.32-.24.66-.46,1-.68s.77-.49,1.17-.72a23.78,23.78,0,0,1,2.29-1.21l.75-.34a27.84,27.84,0,0,1,3.35-1.21c.44-.13.88-.24,1.33-.35a6.19,6.19,0,0,1,.65-.15,28.86,28.86,0,0,1,3.87-.57l.56,0h.28c.43,0,.87,0,1.31,0H161c.43,0,.87,0,1.3,0h.28l.56,0a29.25,29.25,0,0,1,3.88.57c.22,0,.43.09.65.15.45.11.88.22,1.32.35a27.23,27.23,0,0,1,3.35,1.21l.75.34a25.19,25.19,0,0,1,2.3,1.21c.39.23.78.47,1.16.72s.69.44,1,.68a29.23,29.23,0,0,1,3.91,3.36q.45.45.87.93c.29.32.57.66.85,1l.71.91c.28.37.54.75.8,1.12l0,.05a28.61,28.61,0,0,1,2.6,4.82l.27.64.24.65c.08.19.15.39.22.59l.19.59c0,.09.06.19.1.3.11.39.23.8.34,1.21a28.56,28.56,0,0,1,.7,3.84A27.42,27.42,0,0,1,189.62,34.71Z"/><path class="cls-1" d="M184.76,18.78H55.07A28.59,28.59,0,0,1,78.8,6.12H161A28.59,28.59,0,0,1,184.76,18.78Z"/><path class="cls-1" d="M189.43,31.43H50.4a28.29,28.29,0,0,1,4.67-12.65H184.76A28.17,28.17,0,0,1,189.43,31.43Z"/><path class="cls-1" d="M189.63,34.71v9.37H142.09V41.62H97.74v2.46H50.21V34.71a27.43,27.43,0,0,1,.19-3.29h139A27.42,27.42,0,0,1,189.63,34.71Z"/><rect class="cls-1" x="50.21" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="142.09" y="44.08" width="47.54" height="12.66"/><rect class="cls-1" x="50.21" y="56.74" width="47.54" height="12.65"/><rect class="cls-1" x="142.09" y="56.74" width="47.54" height="12.65"/></svg>

web/logger/browser.js

@@ -63,7 +63,7 @@ const LogLevelColors = /** @type {const} */ ({
  * Creates a logger with the given prefix.
  *
  * @param {string} [prefix]
- * @param {...string[]} args
+ * @param {...string} args
  * @returns {Logger}
  *
  */

web/package.json

@@ -97,7 +97,7 @@
         "@codemirror/theme-one-dark": "^6.1.3",
         "@eslint/js": "^9.39.3",
         "@floating-ui/dom": "^1.7.6",
-        "@formatjs/intl-listformat": "^8.3.5",
+        "@formatjs/intl-listformat": "^8.3.4",
         "@fortawesome/fontawesome-free": "^7.2.0",
         "@goauthentik/api": "0.0.0",
         "@goauthentik/core": "^1.0.0",
@@ -127,15 +127,14 @@
         "@types/codemirror": "^5.60.17",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "^1.5.5",
-        "@types/node": "^25.6.2",
+        "@types/node": "^25.6.0",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
         "@typescript-eslint/eslint-plugin": "^8.57.2",
         "@typescript-eslint/parser": "^8.57.2",
         "@typescript-eslint/utils": "^8.57.2",
-        "@typescript/native-preview": "^7.0.0-dev.20260421.2",
-        "@vitest/browser": "^4.1.6",
-        "@vitest/browser-playwright": "^4.1.6",
+        "@vitest/browser": "^4.1.5",
+        "@vitest/browser-playwright": "^4.0.15",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "change-case": "^5.4.4",
@@ -152,28 +151,28 @@
         "eslint-plugin-lit": "^2.2.1",
         "eslint-plugin-wc": "^3.1.0",
         "fuse.js": "^7.3.0",
-        "globals": "^17.6.0",
+        "globals": "^17.5.0",
         "guacamole-common-js": "^1.5.0",
         "hastscript": "^9.0.1",
-        "knip": "^6.11.0",
+        "knip": "^6.9.0",
         "lex": "^2025.11.0",
         "lit": "^3.3.2",
         "lit-analyzer": "^2.0.3",
         "lit-element": "^4.2.2",
         "lit-html": "^3.3.2",
         "md-front-matter": "^1.0.4",
-        "mermaid": "^11.15.0",
+        "mermaid": "^11.14.0",
         "node-domexception": "^2025.11.0",
         "npm-run-all": "^4.1.5",
         "pino": "^10.3.1",
         "pino-pretty": "^13.1.2",
-        "playwright": "^1.60.0",
+        "playwright": "^1.58.2",
         "prettier": "^3.8.3",
         "prettier-plugin-packagejson": "^3.0.2",
         "pseudolocale": "^2.2.0",
         "rapidoc": "^9.3.8",
-        "react": "^19.2.6",
-        "react-dom": "^19.2.6",
+        "react": "^19.2.5",
+        "react-dom": "^19.2.5",
         "rehype-highlight": "^7.0.2",
         "rehype-mermaid": "^3.0.0",
         "rehype-parse": "^9.0.1",
@@ -184,7 +183,6 @@
         "remark-mdx-frontmatter": "^5.2.0",
         "storybook": "^10.2.1",
         "style-mod": "^4.1.3",
-        "stylelint": "^17.11.0",
         "trusted-types": "^2.0.0",
         "ts-pattern": "^5.9.0",
         "turnstile-types": "^1.2.3",
@@ -192,8 +190,8 @@
         "typescript": "^6.0.3",
         "typescript-eslint": "^8.57.2",
         "unist-util-visit": "^5.1.0",
-        "vite": "^8.0.12",
-        "vitest": "^4.1.6",
+        "vite": "^8.0.10",
+        "vitest": "^4.1.1",
         "webcomponent-qr-code": "^1.3.0",
         "wireit": "^0.14.12",
         "yaml": "^2.8.4"
@@ -204,7 +202,8 @@
         "@esbuild/linux-x64": "^0.28.0",
         "@rollup/rollup-darwin-arm64": "^4.57.1",
         "@rollup/rollup-linux-arm64-gnu": "^4.57.1",
-        "@rollup/rollup-linux-x64-gnu": "^4.57.1"
+        "@rollup/rollup-linux-x64-gnu": "^4.57.1",
+        "chromedriver": "^147.0.4"
     },
     "workspaces": [
         "./packages/*"
@@ -261,7 +260,10 @@
             "command": "lit-analyzer src"
         },
         "lint:types": {
-            "command": "tsgo -p .",
+            "command": "tsc -p .",
+            "env": {
+                "NODE_OPTIONS": "--max_old_space_size=8192"
+            },
             "dependencies": [
                 "build-locales"
             ]
@@ -290,7 +292,10 @@
             }
         },
         "tsc": {
-            "command": "tsgo -p .",
+            "command": "tsc -p .",
+            "env": {
+                "NODE_OPTIONS": "--max_old_space_size=8192"
+            },
             "dependencies": [
                 "build-locales"
             ]
@@ -327,8 +332,7 @@
             "typescript": "$typescript"
         },
         "@mrmarble/djangoql-completion": {
-            "lex": "$lex",
-            "lodash": "^4.18.1"
+            "lex": "$lex"
         },
         "@typescript-eslint/eslint-plugin": {
             "typescript": "$typescript"
@@ -336,9 +340,6 @@
         "@typescript-eslint/parser": {
             "typescript": "$typescript"
         },
-        "@typescript-eslint/typescript-estree": {
-            "typescript": "$typescript"
-        },
         "@typescript-eslint/utils": {
             "typescript": "$typescript"
         },
@@ -353,9 +354,6 @@
         },
         "typescript-eslint": {
             "typescript": "$typescript"
-        },
-        "wireit": {
-            "brace-expansion": "^1.1.14"
         }
     }
 }

web/packages/core/package.json

@@ -45,7 +45,7 @@
     },
     "dependencies": {
         "@goauthentik/tsconfig": "^1.0.9",
-        "@types/node": "^25.6.2",
+        "@types/node": "^25.6.0",
         "@types/semver": "^7.7.1",
         "semver": "^7.7.4",
         "typescript": "^6.0.3"

web/packages/lex/index.js

@@ -25,7 +25,7 @@
  *
  * @callback LexerAction
  * @this {Lexer}
- * @param {...string[]} match
+ * @param {...string} match
  * @returns {Token | Token[] | null | void}
  */
 

web/src/admin/sources/saml/SAMLSourceForm.ts

@@ -28,6 +28,7 @@ import {
     SAMLNameIDPolicyEnum,
     SAMLSource,
     SignatureAlgorithmEnum,
+    SloBindingEnum,
     SourcesApi,
     UsageEnum,
     UserMatchingModeEnum,
@@ -226,6 +227,32 @@ export class SAMLSourceForm extends BaseSourceForm<SAMLSource> {
                             ${msg("Optional URL if the IDP supports Single-Logout.")}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("SLO Binding")}
+                        required
+                        name="sloBinding"
+                    >
+                        <ak-radio
+                            .options=${[
+                                {
+                                    label: msg("Redirect binding"),
+                                    value: SloBindingEnum.Redirect,
+                                    default: true,
+                                },
+                                {
+                                    label: msg("Post binding"),
+                                    value: SloBindingEnum.Post,
+                                },
+                            ]}
+                            .value=${this.instance?.sloBinding}
+                        >
+                        </ak-radio>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "Binding type used for sending Single Logout requests to the IdP.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal label=${msg("Issuer")} name="issuer">
                         <input
                             type="text"
@@ -274,6 +301,22 @@ export class SAMLSourceForm extends BaseSourceForm<SAMLSource> {
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-switch-input
+                        name="signAuthnRequest"
+                        label=${msg("Sign AuthnRequest")}
+                        ?checked=${this.instance?.signAuthnRequest ?? false}
+                        help=${msg(
+                            "Whether to sign outgoing AuthnRequests. Requires a Signing Keypair to be set.",
+                        )}
+                    ></ak-switch-input>
+                    <ak-switch-input
+                        name="signLogoutRequest"
+                        label=${msg("Sign LogoutRequest")}
+                        ?checked=${this.instance?.signLogoutRequest ?? false}
+                        help=${msg(
+                            "Whether to sign outgoing LogoutRequests. Requires a Signing Keypair to be set.",
+                        )}
+                    ></ak-switch-input>
                     <ak-form-element-horizontal
                         label=${msg("Verification Certificate")}
                         name="verificationKp"

web/src/admin/users/UserViewPage.ts

@@ -54,7 +54,7 @@ import { ToggleUserActivationButton } from "#admin/users/UserActiveForm";
 import { UserForm } from "#admin/users/UserForm";
 import { UserImpersonateForm } from "#admin/users/UserImpersonateForm";
 
-import { CapabilitiesEnum, CoreApi, ModelEnum, User, UserTypeEnum } from "@goauthentik/api";
+import { CapabilitiesEnum, CoreApi, ModelEnum, User } from "@goauthentik/api";
 
 import { msg, str } from "@lit/localize";
 import { css, html, PropertyValues, TemplateResult } from "lit";
@@ -192,10 +192,7 @@ export class UserViewPage extends WithLicenseSummary(
     protected renderActionButtons(user: User) {
         const showImpersonate =
             this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
-        const showLockdown =
-            this.hasEnterpriseLicense &&
-            user.pk !== this.currentUser?.pk &&
-            user.type !== UserTypeEnum.InternalServiceAccount;
+        const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
 
         const displayName = formatUserDisplayName(user);
 

web/src/admin/users/ak-user-wizard.ts

@@ -78,7 +78,7 @@ export class ServiceAccountResultPage extends WizardPage<UserWizardState> {
     };
 
     public formatNextLabel(): SlottedTemplateResult | null {
-        return ButtonKindLabelRecord.close();
+        return ButtonKindLabelRecord.close;
     }
 
     public override nextCallback = async (): Promise<boolean> => true;

web/src/elements/ak-drawer/ak-drawer.component.ts

@@ -1,73 +1,32 @@
-import AKDrawer from "./ak-drawer.styles";
-import { DrawerResizeController } from "./drawerResizeController";
+import Style from "./ak-drawer.css";
 
-import { html, LitElement, nothing, PropertyValues } from "lit";
+import { AKElement } from "#elements/Base";
+import { classList } from "#elements/directives/class-list";
+
+import { html } from "lit";
 import { property } from "lit/decorators.js";
 
-export class DrawerExpandRequest extends Event {
-    static readonly eventName = "ak-drawer-expand-request";
-    expanded: boolean | null = null;
+import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
 
-    constructor(expanded: boolean | null = null) {
-        super(DrawerExpandRequest.eventName, { bubbles: true, composed: true });
-        this.expanded = expanded;
-    }
-}
-
-export class AkDrawer extends LitElement {
-    static readonly styles = [AKDrawer];
-
-    @property({ type: Boolean })
-    public resizable = false;
+export class Drawer extends AKElement {
+    static readonly styles = [PFDrawer, Style];
 
     @property({ type: Boolean, reflect: true })
-    public expanded = false;
+    public open = false;
 
-    @property({ type: Boolean, reflect: true })
-    public resizing = false;
+    render() {
+        const open = [(this.open && "pf-m-expanded") || "pf-m-collapsed"];
 
-    @property({ type: String, reflect: true })
-    public width = "33";
-
-    private resize = new DrawerResizeController(this);
-
-    onDrawerRequest = (ev: DrawerExpandRequest) => {
-        ev.stopPropagation();
-        this.expanded = ev.expanded === null ? !this.expanded : ev.expanded;
-    };
-
-    constructor() {
-        super();
-        this.addEventListener(DrawerExpandRequest.eventName, this.onDrawerRequest);
-    }
-
-    public override render() {
         return html`
-            <div class="ak-v2-c-drawer" part="drawer">
-                <div class="ak-v2-c-drawer__main" part="drawer-main">
-                    <div class="ak-v2-c-drawer__content" part="drawer-content">
-                        <div class="ak-v2-c-drawer__body" part="drawer-body">
-                            <slot></slot>
+            <div class="pf-c-page__drawer">
+                <div class="pf-c-drawer ${classList(open)}" id="flow-drawer">
+                    <div class="pf-c-drawer__main">
+                        <div class="pf-c-drawer__content">
+                            <div class="pf-c-drawer__body">
+                                <slot></slot>
+                            </div>
                         </div>
-                    </div>
-                    <div class="ak-v2-c-drawer__panel" part="drawer-panel">
-                        ${this.resizable
-                            ? html` <div
-                                  class="ak-v2-c-drawer__splitter"
-                                  part="drawer-splitter"
-                                  @mousedown=${this.resize.handleMouseDown}
-                                  @keydown=${this.resize.handleKeyDown}
-                                  @touchstart=${this.resize.handleTouchStart}
-                                  role="separator"
-                                  tabindex="0"
-                              >
-                                  <div
-                                      class="ak-v2-c-drawer__splitter-handle"
-                                      aria-hidden="true"
-                                  ></div>
-                              </div>`
-                            : nothing}
-                        <div class="ak-v2-c-drawer__panel-main" part="drawer-panel-main">
+                        <div class="pf-c-drawer__panel pf-m-width-33">
                             <slot name="panel"></slot>
                         </div>
                     </div>
@@ -75,26 +34,4 @@ export class AkDrawer extends LitElement {
             </div>
         `;
     }
-
-    public override updated(changed: PropertyValues<this>) {
-        super.updated(changed);
-
-        // Simulate the behavior of summary/details, another disclosure pattern.
-        const expanded = changed.get("expanded");
-        if (expanded !== undefined) {
-            const expandedMsg = (i: boolean) => (i ? "open" : "closed");
-            this.dispatchEvent(
-                new ToggleEvent("toggle", {
-                    newState: expandedMsg(this.expanded),
-                    oldState: expandedMsg(expanded),
-                }),
-            );
-        }
-    }
-}
-
-declare global {
-    interface GlobalEventHandlersEventMap {
-        [DrawerExpandRequest.eventName]: DrawerExpandRequest;
-    }
 }

web/src/elements/ak-drawer/ak-drawer.css

@@ -0,0 +1,40 @@
+slot {
+    display: content;
+}
+
+[data-theme="dark"] {
+    --pf-c-drawer__panel--BackgroundColor: var(--ak-dark-background);
+}
+
+.pf-c-drawer {
+    /* TODO: Revisit this after native <dialog> modals are implemented. */
+    --pf-c-drawer__content--ZIndex: auto;
+}
+
+.pf-c-drawer__body {
+    display: flex;
+    flex-flow: column;
+}
+
+.pf-c-drawer__content {
+    --pf-c-drawer__content--BackgroundColor: transparent;
+}
+
+.pf-c-drawer {
+    .pf-c-drawer__panel {
+        background-color: var(--pf-c-drawer__panel--BackgroundColor);
+
+        transition-behavior: allow-discrete;
+
+        gap: var(--pf-global--spacer--sm);
+
+        @media (width > 768px) {
+            flex-flow: row;
+
+            .pf-c-drawer__panel_content {
+                flex: 1 1 auto;
+                max-width: 33dvw;
+            }
+        }
+    }
+}

web/src/elements/ak-drawer/ak-drawer.root.css

@@ -1,141 +0,0 @@
-/* ----------- CSS Custom Properties for DRAWER  --------------------------- */
-
-:root {
-    --ak-v2-c-drawer__content--FlexBasis: 100%;
-    --ak-v2-c-drawer__content--BackgroundColor: var(--ak-v2-global--ContentSurface);
-    --ak-v2-c-drawer__content--ZIndex: var(--ak-v2-global--ZIndex--xs, auto);
-    --ak-v2-c-drawer__panel--MinWidth: 50%;
-    --ak-v2-c-drawer__panel--MaxHeight: auto;
-    --ak-v2-c-drawer__panel--ZIndex: var(--ak-v2-global--ZIndex--sm);
-    --ak-v2-c-drawer__panel--BackgroundColor: var(--ak-v2-global--ContentSurface);
-    --ak-v2-c-drawer__panel--TransitionDuration: var(--ak-v2-global--TransitionDuration);
-    --ak-v2-c-drawer__panel--TransitionProperty: margin, transform, box-shadow, flex-basis;
-    --ak-v2-c-drawer__panel--FlexBasis: 100%;
-    --ak-v2-c-drawer__panel--md--FlexBasis--min: 1.5rem;
-    --ak-v2-c-drawer__panel--md--FlexBasis: 50%;
-    --ak-v2-c-drawer__panel--md--FlexBasis--max: 100%;
-    --ak-v2-c-drawer__panel--xl--MinWidth: 28.125rem;
-    --ak-v2-c-drawer__panel--xl--FlexBasis: 28.125rem;
-    --ak-v2-c-drawer--m-panel-bottom__panel--md--MinHeight: 50%;
-    --ak-v2-c-drawer--m-panel-bottom__panel--xl--MinHeight: 18.75rem;
-    --ak-v2-c-drawer--m-panel-bottom__panel--xl--FlexBasis: 18.75rem;
-    --ak-v2-c-drawer__panel--m-resizable--FlexDirection: row;
-    --ak-v2-c-drawer__panel--m-resizable--md--FlexBasis--min: var(
-        --ak-v2-c-drawer__splitter--m-vertical--Width
-    );
-    --ak-v2-c-drawer__panel--m-resizable--MinWidth: 1.5rem;
-    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--FlexDirection: column;
-    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--md--FlexBasis--min: 1.5rem;
-    --ak-v2-c-drawer--m-panel-bottom__panel--m-resizable--MinHeight: 1.5rem;
-    --ak-v2-c-drawer__splitter--Height: 0.5625rem;
-    --ak-v2-c-drawer__splitter--Width: 100%;
-    --ak-v2-c-drawer__splitter--BackgroundColor: var(--ak-v2-global--ContentSurface);
-    --ak-v2-c-drawer__splitter--Cursor: row-resize;
-    --ak-v2-c-drawer__splitter--m-vertical--Height: 100%;
-    --ak-v2-c-drawer__splitter--m-vertical--Width: 0.5625rem;
-    --ak-v2-c-drawer__splitter--m-vertical--Cursor: col-resize;
-    --ak-v2-c-drawer--m-inline__splitter--focus--OutlineOffset: -0.0625rem;
-    --ak-v2-c-drawer__splitter--after--BorderColor: var(--ak-v2-global--BorderColor--100);
-    --ak-v2-c-drawer__splitter--after--border-width--base: var(--ak-v2-global--BorderWidth--sm);
-    --ak-v2-c-drawer__splitter--after--BorderTopWidth: 0;
-    --ak-v2-c-drawer__splitter--after--BorderRightWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer__splitter--after--BorderBottomWidth: 0;
-    --ak-v2-c-drawer__splitter--after--BorderLeftWidth: 0;
-    --ak-v2-c-drawer--m-panel-left__splitter--after--BorderLeftWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer--m-panel-bottom__splitter--after--BorderBottomWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer--m-inline__splitter--m-vertical--Width: 0.625rem;
-    --ak-v2-c-drawer--m-inline__splitter-handle--Left: 50%;
-    --ak-v2-c-drawer--m-inline__splitter--after--BorderRightWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer--m-inline__splitter--after--BorderLeftWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--Height: 0.625rem;
-    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter-handle--Top: 50%;
-    --ak-v2-c-drawer--m-inline--m-panel-bottom__splitter--after--BorderTopWidth: var(
-        --ak-v2-c-drawer__splitter--after--border-width--base
-    );
-    --ak-v2-c-drawer__splitter-handle--Top: 50%;
-    --ak-v2-c-drawer__splitter-handle--Left: calc(
-        50% - var(--ak-v2-c-drawer__splitter--after--border-width--base)
-    );
-    --ak-v2-c-drawer--m-panel-left__splitter-handle--Left: 50%;
-    --ak-v2-c-drawer--m-panel-bottom__splitter-handle--Top: calc(
-        50% - var(--ak-v2-c-drawer__splitter--after--border-width--base)
-    );
-    --ak-v2-c-drawer__splitter-handle--after--BorderColor: var(--ak-v2-global--Color--200);
-    --ak-v2-c-drawer__splitter-handle--after--BorderTopWidth: var(--ak-v2-global--BorderWidth--sm);
-    --ak-v2-c-drawer__splitter-handle--after--BorderRightWidth: 0;
-    --ak-v2-c-drawer__splitter-handle--after--BorderBottomWidth: var(
-        --ak-v2-global--BorderWidth--sm
-    );
-    --ak-v2-c-drawer__splitter-handle--after--BorderLeftWidth: 0;
-    --ak-v2-c-drawer__splitter--hover__splitter-handle--after--BorderColor: var(
-        --ak-v2-global--Color--100
-    );
-    --ak-v2-c-drawer__splitter--focus__splitter-handle--after--BorderColor: var(
-        --ak-v2-global--Color--100
-    );
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderTopWidth: 0;
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderRightWidth: var(
-        --ak-v2-global--BorderWidth--sm
-    );
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderBottomWidth: 0;
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--BorderLeftWidth: var(
-        --ak-v2-global--BorderWidth--sm
-    );
-    --ak-v2-c-drawer__splitter-handle--after--Width: 0.75rem;
-    --ak-v2-c-drawer__splitter-handle--after--Height: 0.25rem;
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Width: 0.25rem;
-    --ak-v2-c-drawer__splitter--m-vertical__splitter-handle--after--Height: 0.75rem;
-}
-
-@media screen and (min-width: 1200px) {
-    :root {
-        --ak-v2-c-drawer__panel--MinWidth: var(--ak-v2-c-drawer__panel--xl--MinWidth);
-    }
-}
-
-:root {
-    --ak-v2-c-drawer__panel--BoxShadow: none;
-    --ak-v2-c-drawer--m-expanded--m-panel-bottom__panel--BoxShadow: var(
-        --ak-v2-global--BoxShadow--lg-top
-    );
-    --ak-v2-c-drawer--m-expanded__panel--BoxShadow: var(--ak-v2-global--BoxShadow--lg-left);
-}
-
-:root {
-    --ak-v2-c-drawer--m-expanded--m-panel-left__panel--BoxShadow: var(
-        --ak-v2-global--BoxShadow--lg-right
-    );
-}
-
-:root {
-    --ak-v2-c-drawer__panel--after--Width: var(--ak-v2-global--BorderWidth--sm);
-    --ak-v2-c-drawer--m-panel-bottom__panel--after--Height: var(--ak-v2-global--BorderWidth--sm);
-    --ak-v2-c-drawer__panel--after--BackgroundColor: transparent;
-    --ak-v2-c-drawer--m-inline--m-expanded__panel--after--BackgroundColor: var(
-        --ak-v2-global--BorderColor--100
-    );
-    --ak-v2-c-drawer--m-inline__panel--PaddingLeft: var(--ak-v2-c-drawer__panel--after--Width);
-    --ak-v2-c-drawer--m-panel-left--m-inline__panel--PaddingRight: var(
-        --ak-v2-c-drawer__panel--after--Width
-    );
-    --ak-v2-c-drawer--m-panel-bottom--m-inline__panel--PaddingTop: var(
-        --ak-v2-c-drawer__panel--after--Width
-    );
-}
-
-html[data-theme="dark"],
-.ak-t-dark,
-.pf-t-dark {
-    --ak-v2-c-drawer__panel--BackgroundColor: var(--ak-v2-global--ContentSurface);
-    --ak-v2-c-drawer__splitter--BackgroundColor: transparent;
-}

web/src/elements/ak-drawer/ak-drawer.stories.ts

@@ -1,151 +0,0 @@
-import "./ak-drawer";
-
-import { DrawerExpandRequest } from "./ak-drawer.component";
-
-import type { Meta, StoryObj } from "@storybook/web-components-vite";
-
-import { html, TemplateResult } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-const toggle = (e: Event) => {
-    const button = e.target as HTMLButtonElement;
-    button.dispatchEvent(new DrawerExpandRequest());
-};
-
-const contentBlock = html`
-    <div style="padding: 1rem;">
-        <h2>Main Content</h2>
-        <p><button @click=${toggle}>Toggle Drawer</button></p>
-        <p>
-            This is the drawer's main: fill it by inserting slotted content without a slot name.
-            This is the part that stays visible most of the time.
-        </p>
-        <p>
-            Macaroon lollipop croissant sweet biscuit croissant chocolate cake. Cake cake pastry
-            soufflé pudding. Tiramisu lollipop chocolate cake toffee oat cake muffin topping tootsie
-            roll. Carrot cake bonbon chupa chups sugar plum fruitcake. Brownie sweet halvah oat cake
-            cheesecake topping chocolate. Wafer macaroon topping lollipop powder cupcake sugar plum
-            donut. Muffin wafer icing danish jelly-o bonbon. Powder shortbread brownie caramels
-            tootsie roll dragée liquorice. Cake lemon drops powder danish toffee.
-        </p>
-    </div>
-`;
-
-const panelBlock = html`
-    <style>
-        [slot="panel"] {
-            padding: 1rem;
-            background-color: var(--pf-v5-global--BackgroundColor--200, #f0f0f0);
-        }
-    </style>
-    <div slot="panel">
-        <h3>Panel Content</h3>
-        <p>This is the side panel. This is where you put the secondary information.</p>
-        <ul>
-            <li>
-                Seasonal, steamed, con panna and rich ut aged cup decaffeinated single origin con
-                panna bar
-            </li>
-            <li>Skinny mazagran whipped, black iced beans carajillo eu cream</li>
-            <li>Americano pumpkin spice milk ristretto caffeine single shot</li>
-        </ul>
-        <p><button @click=${toggle}>Toggle Drawer</button></p>
-    </div>
-`;
-
-interface DrawerProps {
-    expanded?: boolean;
-    inline?: boolean;
-    static?: boolean;
-    resizable?: boolean;
-    width?: string;
-    position?: string;
-    content?: TemplateResult;
-    panel?: TemplateResult;
-}
-
-const meta = {
-    title: "Components/Drawer",
-    component: "ak-drawer",
-    tags: ["autodocs"],
-    decorators: [
-        (story) =>
-            html`<div style="min-height: 400px; border: 1px solid #d2d2d2; overflow: hidden;">
-                ${story()}
-            </div>`,
-    ],
-    argTypes: {
-        expanded: { control: "boolean" },
-        position: {
-            control: { type: "select" },
-            options: ["right", "left", "bottom"],
-        },
-        inline: { control: "boolean" },
-        static: { control: "boolean" },
-        resizable: { control: "boolean" },
-        width: {
-            control: { type: "select" },
-            options: ["25", "33", "50", "66", "75", "100"],
-        },
-    },
-} satisfies Meta;
-
-export default meta;
-type Story = StoryObj;
-
-const Template: Story = {
-    args: {
-        expanded: false,
-        inline: false,
-        static: false,
-        resizable: false,
-        width: undefined,
-        position: undefined,
-        content: contentBlock,
-        panel: panelBlock,
-    },
-    render: (args) => {
-        return html` <ak-drawer
-            ?expanded=${args.expanded}
-            ?inline=${args.inline}
-            ?resizable=${args.resizable}
-            position=${ifDefined(args.position)}
-            width=${ifDefined(args.width)}
-        >
-            ${args.content} ${args.panel}
-        </ak-drawer>`;
-    },
-};
-
-export const Default: Story = {
-    render: () => html` <ak-drawer> ${contentBlock} ${panelBlock} </ak-drawer> `,
-};
-
-export const story = (args: DrawerProps = {}, name?: string): Story => ({
-    ...Template,
-    ...(name ? { name } : {}),
-    args: {
-        ...Template.args,
-        ...args,
-    },
-});
-
-export const Expanded: Story = story({ expanded: true });
-
-export const PanelLeft: Story = story({ expanded: true, position: "left" });
-
-export const PanelBottom = story({ expanded: true, position: "bottom" });
-
-export const Inline = story({ expanded: true, inline: true });
-
-export const Static = story({ expanded: true, static: true });
-
-export const Resizable = story({ expanded: true, resizable: true });
-
-export const ResizableLeft = story({ expanded: true, resizable: true, position: "left" });
-
-export const ResizableBottom = story({ expanded: true, resizable: true, position: "bottom" });
-
-export const CustomWidth = story({ expanded: true, width: "33" });
-
-export const ResponsiveWidth = story({ expanded: true, width: "75-on-xl" });