web/flow/table-driven-executor

# What - Replaces the *massive* switch/case block for stages with a lookup table. # Why - Because it was a massive switch/case block calling 22 different functions with the *exact same* signatures, and that created both a ton of duplication in the code as well as introduced last-line risks.
Merge branch 'main' into web/flow/table-driven-executor
2026-05-12 01:47:06 +02:00 · 2024-11-21 14:25:02 -08:00 · 2024-11-21 13:57:01 -08:00 · 2024-11-21 09:59:52 -08:00 · 2024-11-20 10:23:54 -08:00 · 2024-11-15 12:47:17 -08:00
2613 changed files with 123091 additions and 298414 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -0,0 +1,32 @@
 [bumpversion]
 current_version = 2024.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
 serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 [bumpversion:part:rc_t]
 values = 
 	rc
 	final
 optional_value = final
 [bumpversion:file:pyproject.toml]
 [bumpversion:file:package.json]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
 [bumpversion:file:blueprints/schema.json]
 [bumpversion:file:authentik/__init__.py]
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,15 +1,12 @@
 htmlcov
 *.env.yml
 node_modules
 **/node_modules
 dist/**
 build/**
 build_docs/**
 *Dockerfile
 **/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
 .venv
--- a/.editorconfig
+++ b/.editorconfig
@@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 [*.toml]
 indent_size = 2
 [*.html]
 indent_size = 2
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-<!--
+-   authentik version: [e.g. 2021.8.5]
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@@ -1,22 +0,0 @@
 ---
 name: Documentation issue
 about: Suggest an improvement or report a problem
 title: ""
 labels: documentation
 assignees: ""
 ---
 **Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
 A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
 **Provide the URL or link to the exact page in the documentation to which you are referring.**
 If there are multiple pages, list them all, and be sure to state the header or section where the content is.
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Additional context**
 Add any other context or screenshots about the documentation issue here.
 **Consider opening a PR!**
 If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-<!--
+-   authentik version: [e.g. 2021.8.5]
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/actions/cherry-pick/action.yml
+++ b/.github/actions/cherry-pick/action.yml
@@ -1,267 +0,0 @@
 name: "Cherry-picker"
 description: "Cherry-pick PRs based on their labels"
 inputs:
  token:
    description: "GitHub Token"
    required: true
  git_user:
    description: "Git user for pushing the cherry-pick PR"
    required: true
  git_user_email:
    description: "Git user email for pushing the cherry-pick PR"
    required: true
 runs:
  using: "composite"
  steps:
    - name: Check if workflow should run
      id: should_run
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        set -e -o pipefail
        # For issues events, check if it's actually a PR
        if [ "${{ github.event_name }}" = "issues" ]; then
          # Check if this issue is actually a PR
          PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} 2>/dev/null || echo "null")
          if [ "$PR_DATA" = "null" ]; then
            echo "should_run=false" >> $GITHUB_OUTPUT
            echo "reason=not_a_pr" >> $GITHUB_OUTPUT
            echo "This is an issue, not a PR. Skipping."
            exit 0
          fi
          # Get PR data
          PR_MERGED=$(echo "$PR_DATA" | jq -r '.merged')
          PR_NUMBER="${{ github.event.issue.number }}"
          MERGE_COMMIT_SHA=$(echo "$PR_DATA" | jq -r '.merge_commit_sha')
          # Check if it's a backport label
          LABEL_NAME="${{ github.event.label.name }}"
          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
            if [ "$PR_MERGED" = "true" ]; then
              echo "should_run=true" >> $GITHUB_OUTPUT
              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
              exit 0
            else
              echo "should_run=false" >> $GITHUB_OUTPUT
              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
              echo "Backport label added to open PR. Will run after PR is merged."
              exit 0
            fi
          else
            echo "should_run=false" >> $GITHUB_OUTPUT
            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
            exit 0
          fi
        fi
        # For pull_request and pull_request_target events
        PR_NUMBER="${{ github.event.pull_request.number }}"
        MERGE_COMMIT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
        # Case 1: PR was just merged (closed + merged = true)
        if [ "${{ github.event.action }}" = "closed" ] && [ "${{ github.event.pull_request.merged }}" = "true" ]; then
          echo "should_run=true" >> $GITHUB_OUTPUT
          echo "reason=pr_merged" >> $GITHUB_OUTPUT
          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
          echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
          exit 0
        fi
        # Case 2: Label was added
        if [ "${{ github.event.action }}" = "labeled" ]; then
          LABEL_NAME="${{ github.event.label.name }}"
          # Check if it's a backport label
          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
            # Check if PR is already merged
            if [ "${{ github.event.pull_request.merged }}" = "true" ]; then
              echo "should_run=true" >> $GITHUB_OUTPUT
              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
              exit 0
            else
              echo "should_run=false" >> $GITHUB_OUTPUT
              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
              echo "Backport label added to open PR. Will run after PR is merged."
              exit 0
            fi
          else
            echo "should_run=false" >> $GITHUB_OUTPUT
            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
            exit 0
          fi
        fi
        echo "should_run=false" >> $GITHUB_OUTPUT
        echo "reason=unknown" >> $GITHUB_OUTPUT
    - name: Configure Git
      if: steps.should_run.outputs.should_run == 'true'
      shell: bash
      env:
        user: ${{ inputs.git_user }}
        email: ${{ inputs.git_user_email }}
      run: |
        git config --global user.name "${user}"
        git config --global user.email "${email}"
    - name: Get PR details and extract backport labels
      if: steps.should_run.outputs.should_run == 'true'
      id: pr_details
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        set -e -o pipefail
        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
        # Get PR details
        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
        # Determine which labels to process
        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
          # Only process the specific label that was just added
          if [ "${{ github.event_name }}" = "issues" ]; then
            LABEL_NAME="${{ github.event.label.name }}"
          else
            LABEL_NAME="${{ github.event.label.name }}"
          fi
          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
            echo "labels=$LABEL_NAME" >> $GITHUB_OUTPUT
          else
            echo "Label $LABEL_NAME does not match backport pattern"
            echo "labels=" >> $GITHUB_OUTPUT
          fi
        else
          # PR was just merged, process all backport labels
          LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | grep '^backport/' | tr '\n' ' ' || true)
          echo "labels=$LABELS" >> $GITHUB_OUTPUT
        fi
    - name: Cherry-pick to target branches
      if: steps.should_run.outputs.should_run == 'true' && steps.pr_details.outputs.labels != ''
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        set -e -o pipefail
        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
        LABELS='${{ steps.pr_details.outputs.labels }}'
        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
        echo "Found backport labels: $LABELS"
        # Process each backport label
        for label in $LABELS; do
          if [[ "$label" =~ ^backport/(.+)$ ]]; then
            TARGET_BRANCH="${BASH_REMATCH[1]}"
            echo "Processing backport to branch: $TARGET_BRANCH"
            # Check if target branch exists
            if ! git ls-remote --heads origin "$TARGET_BRANCH" | grep -q "$TARGET_BRANCH"; then
              echo "❌ Target branch $TARGET_BRANCH does not exist, skipping"
              # Comment on the original PR about the missing branch
              gh pr comment $PR_NUMBER --body "⚠️ Cannot backport to \`$TARGET_BRANCH\`: branch does not exist."
              continue
            fi
            # Create a unique branch name for the cherry-pick
            CHERRY_PICK_BRANCH="cherry-pick-${PR_NUMBER}-to-${TARGET_BRANCH}"
            # Check if a cherry-pick PR already exists
            EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
            if [ -n "$EXISTING_PR" ]; then
              echo "⚠️ Cherry-pick PR already exists: #$EXISTING_PR"
              gh pr comment $PR_NUMBER --body "Cherry-pick to \`$TARGET_BRANCH\` already exists: #$EXISTING_PR"
              continue
            fi
            # Fetch and checkout target branch
            git fetch origin "$TARGET_BRANCH"
            git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
            # Attempt cherry-pick
            if git cherry-pick "$COMMIT_SHA"; then
              echo "✅ Cherry-pick successful for $TARGET_BRANCH"
              # Push the cherry-pick branch
              git push origin "$CHERRY_PICK_BRANCH"
              # Create PR for the cherry-pick
              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER)"
              CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
        **Original PR:** #$PR_NUMBER
        **Original Author:** @$PR_AUTHOR
        **Cherry-picked commit:** $COMMIT_SHA"
              NEW_PR=$(gh pr create \
                --title "$CHERRY_PICK_TITLE" \
                --body "$CHERRY_PICK_BODY" \
                --base "$TARGET_BRANCH" \
                --head "$CHERRY_PICK_BRANCH" \
                --label "cherry-pick")
              echo "✅ Created cherry-pick PR $NEW_PR for $TARGET_BRANCH"
              # Comment on original PR
              gh pr comment $PR_NUMBER --body "🍒 Cherry-pick to \`$TARGET_BRANCH\` created: $NEW_PR"
            else
              echo "⚠️ Cherry-pick failed for $TARGET_BRANCH, creating conflict resolution PR"
              # Add conflicted files and commit
              git add .
              git commit -m "Cherry-pick #$PR_NUMBER to $TARGET_BRANCH (with conflicts)
        This cherry-pick has conflicts that need manual resolution.
        Original PR: #$PR_NUMBER
        Original commit: $COMMIT_SHA"
              # Push the branch with conflicts
              git push origin "$CHERRY_PICK_BRANCH"
              # Create PR with conflict notice
              CONFLICT_TITLE="$PR_TITLE (backport of #$PR_NUMBER)"
              CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
        Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
        **Original PR:** #$PR_NUMBER
        **Original Author:** @$PR_AUTHOR
        **Cherry-picked commit:** $COMMIT_SHA
        **Please resolve the conflicts in this PR before merging.**"
              NEW_PR=$(gh pr create \
                --title "$CONFLICT_TITLE" \
                --body "$CONFLICT_BODY" \
                --base "$TARGET_BRANCH" \
                --head "$CHERRY_PICK_BRANCH" \
                --label "cherry-pick")
              echo "⚠️ Created conflict resolution PR $NEW_PR for $TARGET_BRANCH"
              # Comment on original PR
              gh pr comment $PR_NUMBER --body "⚠️ Cherry-pick to \`$TARGET_BRANCH\` has conflicts: $NEW_PR"
            fi
            # Clean up - go back to main branch
            git checkout main
            git branch -D "$CHERRY_PICK_BRANCH" 2>/dev/null || true
          fi
        done
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@@ -35,6 +35,14 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            For arm64, use these values:
            ```shell
            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@@ -52,6 +60,18 @@ runs:
                    tag: ${{ inputs.tag }}
            ```
            For arm64, use these values:
            ```yaml
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            global:
                image:
                    repository: ghcr.io/goauthentik/dev-server
                    tag: ${{ inputs.tag }}-arm64
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -9,14 +9,11 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
  release:
    required: true
    description: "True if this is a release build, false if this is a dev/PR build"
 outputs:
-  shouldPush:
+  shouldBuild:
-    description: "Whether to push the image or not"
+    description: "Whether to build image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+    value: ${{ steps.ev.outputs.shouldBuild }}
  sha:
    description: "sha"
@@ -32,40 +29,25 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
  imageTagsJSON:
    description: "Docker image tags, as a JSON array"
    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
  cacheTo:
    description: "cache-to value for the docker build step"
    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
  imageBuildArgs:
    description: "Docker image build args"
    value: ${{ steps.ev.outputs.imageBuildArgs }}
 runs:
  using: "composite"
  steps:
    - name: Setup authentik env
      uses: ./.github/actions/setup
      with:
        dependencies: "python"
    - name: Generate config
      id: ev
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        REF: ${{ github.ref }}
      run: |
-        uv run python3 ${{ github.action_path }}/push_vars.py
+        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -1,19 +1,13 @@
 """Helper script to get the actual branch name, docker safe"""
 import configparser
 import os
 from json import dumps
 from time import time
-from authentik import authentik_version
+parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
-# Decide if we should push the image or not
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
    should_push = False
 if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
    # Don't push on the internal repo
    should_push = False
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -29,7 +23,7 @@ is_release = "dev" not in image_names[0]
 sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
 # 2042.1.0 or 2042.1.0-rc1
-version = authentik_version()
+version = parser.get("bumpversion", "current_version")
 # 2042.1
 version_family = ".".join(version.split("-", 1)[0].split(".")[:-1])
 prerelease = "-" in version
@@ -42,11 +36,12 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
    suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@@ -68,31 +63,12 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))
 # Generate `cache-to` param
 cache_to = ""
 if should_push:
    _cache_tag = "buildcache"
    if image_arch:
        _cache_tag += f"-{image_arch}"
    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
 image_build_args = []
 if os.getenv("RELEASE", "false").lower() == "true":
    image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
    image_build_args = [f"GIT_BUILD_HASH={sha}"]
 image_build_args = "\n".join(image_build_args)
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
    print(f"cacheTo={cache_to}", file=_output)
    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 # Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
    GITHUB_REPOSITORY=goauthentik/authentik \
    python $SCRIPT_DIR/push_vars.py
 # Pushing PR/main
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,authentik/server \
    GITHUB_REPOSITORY=goauthentik/authentik \
    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -2,9 +2,6 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 inputs:
  dependencies:
    description: "List of dependencies to setup"
    default: "system,python,node,go,runtime"
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
@@ -12,54 +9,36 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
-        sudo apt-get remove --purge man-db
+        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
+    - name: Setup python and restore poetry
      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: astral-sh/setup-uv@v5
      with:
        enable-cache: true
    - name: Setup python
      if: ${{ contains(inputs.dependencies, 'python') }}
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
+        cache: "poetry"
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
      run: uv sync --all-extras --dev --frozen
    - name: Setup node
      if: ${{ contains(inputs.dependencies, 'node') }}
      uses: actions/setup-node@v4
      with:
        node-version-file: web/package.json
        cache: "npm"
        cache-dependency-path: web/package-lock.json
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
        poetry install
        cd web && npm ci
    - name: Generate config
-      if: ${{ contains(inputs.dependencies, 'python') }}
+      shell: poetry run python {0}
      shell: uv run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@@ -11,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
    ports:
      - 6379:6379
    restart: always
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@@ -0,0 +1,2 @@
 enabled: true
 preservePullRequestTitle: true
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@@ -1,32 +1,7 @@
 akadmin
 asgi
 assertIn
 authentik
 authn
 crate
 docstrings
 entra
 goauthentik
 gunicorn
 hass
 jwe
 jwks
 keypair
 keypairs
-kubernetes
+hass
 oidc
 ontext
 openid
 passwordless
 plex
 saml
 scim
 singed
 slo
 sso
 totp
 traefik
 # https://github.com/codespell-project/codespell/issues/1224
 upToDate
 warmup
-webauthn
+ontext
 singed
 assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,13 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/packages/sfe"
+      - "/web/sfe"
      - "/web/packages/core"
      - "/packages/esbuild-plugin-live-reload"
      - "/packages/prettier-config"
      - "/packages/tsconfig"
      - "/packages/docusaurus-config"
      - "/packages/eslint-config"
    schedule:
      interval: daily
      time: "04:00"
@@ -74,15 +68,6 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
      react:
        patterns:
          - "react"
          - "react-dom"
          - "@types/react"
          - "@types/react-dom"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@@ -97,33 +82,7 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
-      build:
+  - package-ecosystem: pip
        patterns:
          - "@swc/*"
          - "swc-*"
          - "lightningcss*"
          - "@rspack/binding*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
      eslint:
        patterns:
          - "@eslint/*"
          - "@typescript-eslint/*"
          - "eslint-*"
          - "eslint"
          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
  - package-ecosystem: uv
    directory: "/"
    schedule:
      interval: daily
@@ -143,15 +102,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
  - package-ecosystem: docker-compose
    directories:
      # - /scripts # Maybe
      - /tests/e2e
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
    labels:
      - dependencies
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -31,4 +31,4 @@ If changes to the frontend have been made
 If applicable
 -   [ ] The documentation has been updated
-   [ ] The documentation has been formatted (`make docs`)
+-   [ ] The documentation has been formatted (`make website`)
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -1,99 +0,0 @@
 ---
 # Re-usable workflow for a single-architecture build
 name: Reusable - Single-arch Container build
 on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      image_arch:
        required: true
        type: string
      runs-on:
        required: true
        type: string
      registry_dockerhub:
        default: false
        type: boolean
      registry_ghcr:
        default: false
        type: boolean
      release:
        default: false
        type: boolean
    outputs:
      image-digest:
        value: ${{ jobs.build.outputs.image-digest }}
 jobs:
  build:
    name: Build ${{ inputs.image_arch }}
    runs-on: ${{ inputs.runs-on }}
    outputs:
      image-digest: ${{ steps.push.outputs.digest }}
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
      # Needed for checkout
      contents: read
    steps:
      - uses: actions/checkout@v5
      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
          image-arch: ${{ inputs.image_arch }}
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: make empty clients
        if: ${{ inputs.release }}
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: generate ts client
        if: ${{ !inputs.release }}
        run: make gen-client-ts
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            ${{ steps.ev.outputs.imageBuildArgs }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
      - uses: actions/attest-build-provenance@v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -1,105 +0,0 @@
 ---
 # Re-usable workflow for a multi-architecture build
 name: Reusable - Multi-arch container build
 on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      registry_dockerhub:
        default: false
        type: boolean
      registry_ghcr:
        default: true
        type: boolean
      release:
        default: false
        type: boolean
    outputs: {}
 jobs:
  build-server-amd64:
    uses: ./.github/workflows/_reusable-docker-build-single.yml
    secrets: inherit
    with:
      image_name: ${{ inputs.image_name }}
      image_arch: amd64
      runs-on: ubuntu-latest
      registry_dockerhub: ${{ inputs.registry_dockerhub }}
      registry_ghcr: ${{ inputs.registry_ghcr }}
      release: ${{ inputs.release }}
  build-server-arm64:
    uses: ./.github/workflows/_reusable-docker-build-single.yml
    secrets: inherit
    with:
      image_name: ${{ inputs.image_name }}
      image_arch: arm64
      runs-on: ubuntu-22.04-arm
      registry_dockerhub: ${{ inputs.registry_dockerhub }}
      registry_ghcr: ${{ inputs.registry_ghcr }}
      release: ${{ inputs.release }}
  get-tags:
    runs-on: ubuntu-latest
    needs:
      - build-server-amd64
      - build-server-arm64
    outputs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
      - uses: actions/checkout@v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
  merge-server:
    runs-on: ubuntu-latest
    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
    needs:
      - get-tags
      - build-server-amd64
      - build-server-arm64
    strategy:
      fail-fast: false
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
      - uses: actions/checkout@v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: int128/docker-manifest-create-action@v2
        id: build
        with:
          tags: ${{ matrix.tag }}
          sources: |
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
      - uses: actions/attest-build-provenance@v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@@ -0,0 +1,65 @@
 name: authentik-api-py-publish
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Install poetry & deps
        shell: bash
        run: |
          pipx install poetry || true
          sudo apt-get update
          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
      - name: Setup python and restore poetry
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
        working-directory: gen-py-api/
        run: |
          poetry build
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: gen-py-api/dist/
      # We can't easily upgrade the API client being used due to poetry being poetry
      # so we'll have to rely on dependabot
      # - name: Upgrade /
      #   run: |
      #     export VERSION=$(cd gen-py-api && poetry version -s)
      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
      # - uses: peter-evans/create-pull-request@v6
      #   id: cpr
      #   with:
      #     token: ${{ steps.generate_token.outputs.token }}
      #     branch: update-root-api-client
      #     commit-message: "root: bump API Client version"
      #     title: "root: bump API Client version"
      #     body: "root: bump API Client version"
      #     delete-branch: true
      #     signoff: true
      #     # ID from https://api.github.com/users/authentik-automation[bot]
      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
      # - uses: peter-evans/enable-pull-request-automerge@v3
      #   with:
      #     token: ${{ steps.generate_token.outputs.token }}
      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
      #     merge-method: squash
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -1,16 +1,12 @@
---
+name: authentik-api-ts-publish
 name: API - Publish Typescript client
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@@ -18,10 +14,10 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          registry-url: "https://registry.npmjs.org"
@@ -30,8 +26,8 @@ jobs:
      - name: Publish package
        working-directory: gen-ts-api/
        run: |
-          npm i
+          npm ci
-          npm publish --tag generated
+          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
@@ -56,7 +52,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -1,95 +0,0 @@
 ---
 name: CI - API Docs
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - prettier-check
    steps:
      - uses: actions/checkout@v5
      - name: Install Dependencies
        working-directory: website/
        run: npm ci
      - name: Lint
        working-directory: website/
        run: npm run ${{ matrix.command }}
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
      - uses: actions/cache@v4
        with:
          path: |
            ${{ github.workspace }}/website/api/.docusaurus
            ${{ github.workspace }}/website/api/**/.cache
          key: |
            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
          restore-keys: |
            ${{ runner.os }}-docusaurus-${{ hashFiles('**/package-lock.json') }}
      - name: Build API Docs via Docusaurus
        working-directory: website
        env:
          NODE_ENV: production
        run: npm run build -w api
      - uses: actions/upload-artifact@v4
        with:
          name: api-docs
          path: website/api/build
          retention-days: 7
  deploy:
    runs-on: ubuntu-latest
    needs:
      - lint
      - build
    steps:
      - uses: actions/checkout@v5
      - uses: actions/download-artifact@v5
        with:
          name: api-docs
          path: website/api/build
      - uses: actions/setup-node@v5
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - name: Deploy Netlify (Production)
        working-directory: website/api
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        env:
          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
        run: npx netlify deploy --no-build --prod
      - name: Deploy Netlify (Preview)
        if: github.event_name == 'pull_request' || github.ref != 'refs/heads/main'
        working-directory: website/api
        env:
          NETLIFY_SITE_ID: authentik-api-docs.netlify.app
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
        run: |
          if [ -n "${VAR}" ]; then
            npx netlify deploy --no-build --alias=deploy-preview-${{ github.event.number }}
          fi
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -1,47 +0,0 @@
 ---
 name: CI - AWS cfn
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v5
        with:
          node-version-file: lifecycle/aws/package.json
          cache: "npm"
          cache-dependency-path: lifecycle/aws/package-lock.json
      - working-directory: lifecycle/aws/
        run: |
          npm ci
      - name: Check changes have been applied
        run: |
          uv run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
    needs:
      - check-changes-applied
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -1,124 +0,0 @@
 ---
 name: CI - Docs
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - prettier-check
    steps:
      - uses: actions/checkout@v5
      - name: Install dependencies
        working-directory: website/
        run: npm ci
      - name: Lint
        working-directory: website/
        run: npm run ${{ matrix.command }}
  build-docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
      - name: Build Documentation via Docusaurus
        working-directory: website/
        run: npm run build
  build-integrations:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
      - name: Build Integrations via Docusaurus
        working-directory: website/
        run: npm run build -w integrations
  build-container:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
      - uses: actions/attest-build-provenance@v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  ci-website-mark:
    if: always()
    needs:
      - lint
      - build-docs
      - build-integrations
      - build-container
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -1,29 +0,0 @@
 ---
 name: CI - Main daily
 on:
  workflow_dispatch:
  schedule:
    # Every night at 3am
    - cron: "0 3 * * *"
 jobs:
  test-container:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        version:
          - docs
          - version-2025-4
          - version-2025-2
    steps:
      - uses: actions/checkout@v5
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
          mkdir -p $dir
          cd $dir
          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Main
+name: authentik-ci-main
 on:
  push:
@@ -17,12 +17,6 @@ env:
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 permissions:
  # Needed for checkout
  contents: read
  # Needed for codecov OIDC token
  id-token: write
 jobs:
  lint:
    strategy:
@@ -36,46 +30,36 @@ jobs:
          - ruff
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
      - id: seed
        run: |
          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
    outputs:
      seed: ${{ steps.seed.outputs.seed }}
  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: checkout stable
        run: |
          # Delete all poetry envs
          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
@@ -88,7 +72,7 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@@ -96,83 +80,76 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
          # Delete previous poetry env
          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make test
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run unittest
        env:
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
          flags: unit
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: unit
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@v1.10.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
+          poetry run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
          flags: integration
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: integration
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
@@ -198,7 +175,7 @@ jobs:
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
@@ -208,7 +185,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@@ -216,24 +193,22 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
          flags: e2e
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: e2e
          file: unittest.xml
-          use_oidc: true
+          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
    if: always()
    needs:
      - lint
      - test-migrations
@@ -243,24 +218,70 @@ jobs:
      - test-e2e
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build:
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
    needs: ci-core-mark
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-      # Needed for checkout
+    timeout-minutes: 120
-      contents: read
+    steps:
-    needs: ci-core-mark
+      - uses: actions/checkout@v4
-    uses: ./.github/workflows/_reusable-docker-build.yml
+        with:
-    secrets: inherit
+          ref: ${{ github.event.pull_request.head.sha }}
-    with:
+      - name: Set up QEMU
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+        uses: docker/setup-qemu-action@v3.2.0
-      release: false
+      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-server
          image-arch: ${{ matrix.arch }}
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: generate ts client
        run: make gen-client-ts
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: ${{ steps.ev.outputs.imageTags }}
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
          platforms: linux/${{ matrix.arch }}
      - uses: actions/attest-build-provenance@v1
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  pr-comment:
    needs:
      - build
@@ -271,18 +292,18 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: ./.github/actions/comment-pr-instructions
        with:
          tag: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -1,5 +1,5 @@
 ---
-name: CI - Outpost
+name: authentik-ci-outpost
 on:
  push:
@@ -16,8 +16,8 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
@@ -37,8 +37,8 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
@@ -49,17 +49,13 @@ jobs:
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
    if: always()
    needs:
      - lint-golint
      - test-unittest
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@@ -73,28 +69,28 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -108,16 +104,16 @@ jobs:
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@@ -138,13 +134,13 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -1,5 +1,4 @@
---
+name: authentik-ci-web
 name: CI - Web
 on:
  push:
@@ -31,8 +30,8 @@ jobs:
          - command: lit-analyse
            project: web
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: ${{ matrix.project }}/package.json
          cache: "npm"
@@ -48,8 +47,8 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -62,22 +61,19 @@ jobs:
        working-directory: web/
        run: npm run build
  ci-web-mark:
    if: always()
    needs:
      - build
      - lint
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  test:
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@@ -0,0 +1,71 @@
 name: authentik-ci-website
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 jobs:
  lint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - lint:lockfile
          - prettier-check
    steps:
      - uses: actions/checkout@v4
      - working-directory: website/
        run: npm ci
      - name: Lint
        working-directory: website/
        run: npm run ${{ matrix.command }}
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
      - name: test
        working-directory: website/
        run: npm test
  build:
    runs-on: ubuntu-latest
    name: ${{ matrix.job }}
    strategy:
      fail-fast: false
      matrix:
        job:
          - build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
      - name: build
        working-directory: website/
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    needs:
      - lint
      - test
      - build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,9 +1,8 @@
---
+name: "CodeQL"
 name: QA - CodeQL
 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
@@ -24,7 +23,7 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -1,10 +1,8 @@
---
+name: authentik-gen-update-webauthn-mds
 name: Gen - Webauthn MDS
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'
 env:
  POSTGRES_DB: authentik
@@ -13,7 +11,6 @@ env:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@@ -21,12 +18,12 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
@@ -39,7 +36,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -1,36 +0,0 @@
 name: GH - Cherry-pick
 on:
  pull_request_target:
    types: [closed, labeled]
 jobs:
  cherry-pick:
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        name: Generate app token
        uses: actions/create-github-app-token@v2
        if: ${{ env.GH_APP_ID != '' }}
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
        env:
          GH_APP_ID: ${{ secrets.GH_APP_ID }}
      - uses: actions/checkout@v5
        if: ${{ steps.app-token.outcome != 'skipped' }}
        with:
          fetch-depth: 0
          token: "${{ steps.app-token.outputs.token }}"
      - id: get-user-id
        if: ${{ steps.app-token.outcome != 'skipped' }}
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
      - uses: ./.github/actions/cherry-pick
        if: ${{ steps.app-token.outcome != 'skipped' }}
        with:
          token: ${{ steps.app-token.outputs.token }}
          git_user: ${{ steps.app-token.outputs.app-slug }}[bot]
          git_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -1,7 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: GH - Cleanup actions cache after PR is closed
+name: Cleanup cache after PR is closed
 on:
  pull_request:
    types:
@@ -16,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Cleanup
        run: |
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -1,5 +1,4 @@
---
+name: ghcr-retention
 name: GH - GHCR retention
 on:
  # schedule:
@@ -8,7 +7,6 @@ on:
 jobs:
  clean-ghcr:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -1,5 +1,5 @@
 ---
-name: Gen - Compress images
+name: authentik-compress-images
 on:
  push:
@@ -33,7 +33,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
@@ -53,7 +53,6 @@ jobs:
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -1,50 +0,0 @@
 ---
 name: Packages - Publish NPM packages
 on:
  push:
    branches: [main]
    paths:
      - packages/docusaurus-config/**
      - packages/eslint-config/**
      - packages/prettier-config/**
      - packages/tsconfig/**
      - packages/esbuild-plugin-live-reload/**
  workflow_dispatch:
 jobs:
  publish:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        package:
          - packages/docusaurus-config
          - packages/eslint-config
          - packages/prettier-config
          - packages/tsconfig
          - packages/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v5
        with:
          node-version-file: ${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            ${{ matrix.package }}/package.json
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ${{ matrix.package }}
        run: |
          npm ci
          npm run build
          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@@ -1,5 +1,4 @@
---
+name: authentik-publish-source-docs
 name: CI - Source code docs
 on:
  push:
@@ -13,17 +12,16 @@ env:
 jobs:
  publish-source-docs:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
+          poetry run make migrate
-          uv run ak build_source_docs
+          poetry run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -1,30 +0,0 @@
 ---
 name: QA - Semgrep
 on:
  workflow_dispatch: {}
  pull_request: {}
  push:
    branches:
      - main
      - master
    paths:
      - .github/workflows/qa-semgrep.yml
  schedule:
    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
    - cron: '12 15 * * *'
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v5
      - run: semgrep ci
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -1,86 +0,0 @@
 ---
 name: Release - Branch-off
 on:
  workflow_dispatch:
    inputs:
      next_version:
        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
        required: true
        type: string
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  check-inputs:
    name: Check inputs validity
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "${{ inputs.next_version }}" | grep -E "^[0-9]{4}\.[0-9]{1,2}$"
  branch-off:
    name: Branch-off
    needs:
      - check-inputs
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        name: Generate app token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
        uses: actions/checkout@v5
        with:
          ref: main
          token: "${{ steps.app-token.outputs.token }}"
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
          dependencies: python
      - name: Create version branch
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
        run: |
          current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
          git checkout -b "version-${current_major_version}"
          git push origin "version-${current_major_version}"
          gh label create "backport/version-${current_major_version}" --description "Add this label to PRs to backport changes to version-${current_major_version}" --color "fbca04"
  bump-version-pr:
    name: Open version bump PR
    needs:
      - branch-off
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
        uses: actions/checkout@v5
        with:
          ref: main
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: release-bump-${{ inputs.next_version }}
          commit-message: "root: bump version to ${{ inputs.next_version }}.0-rc1"
          title: "root: bump version to ${{ inputs.next_version }}.0-rc1"
          body: "root: bump version to ${{ inputs.next_version }}.0-rc1"
          delete-branch: true
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -1,5 +1,4 @@
---
+name: authentik-on-release-next-branch
 name: Release - Update next branch
 on:
  schedule:
@@ -12,11 +11,10 @@ permissions:
 jobs:
  update-next:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -1,5 +1,5 @@
 ---
-name: Release - On publish
+name: authentik-on-release
 on:
  release:
@@ -7,60 +7,56 @@ on:
 jobs:
  build-server:
    uses: ./.github/workflows/_reusable-docker-build.yml
    secrets: inherit
    permissions:
      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    with:
      image_name: ghcr.io/goauthentik/server,authentik/server
      release: true
      registry_dockerhub: true
      registry_ghcr: true
  build-docs:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
+      # Needed to upload contianer images to ghcr.io
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          image-name: ghcr.io/goauthentik/docs
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
      - name: Docker Login Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: make empty clients
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        id: push
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@v3
+          push: true
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/amd64,linux/arm64
      - uses: actions/attest-build-provenance@v1
        id: attest
        if: true
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@@ -68,8 +64,7 @@ jobs:
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      contents: read
+      # Needed to upload contianer images to ghcr.io
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@@ -83,21 +78,21 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
-          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
+          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
      - name: make empty clients
        run: |
          mkdir -p ./gen-ts-api
@@ -105,8 +100,8 @@ jobs:
      - name: Docker Login Registry
        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
+          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
@@ -124,7 +119,7 @@ jobs:
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@v3
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,11 +141,11 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -174,27 +169,6 @@ jobs:
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
    permissions:
      # Needed for AWS login
      id-token: write
      contents: read
    needs:
      - build-server
      - build-outpost
    env:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
@@ -202,7 +176,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,12 +192,12 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/server
      - name: Get static files from docker image
@@ -232,13 +206,13 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -1,195 +1,48 @@
 ---
-name: Release - Tag new version
+name: authentik-on-tag
 on:
-  workflow_dispatch:
+  push:
-    inputs:
+    tags:
-      version:
+      - "version/*"
        description: Version
        required: true
        type: string
      release_reason:
        description: Release reason
        required: true
        type: choice
        options:
          - bugfix
          - feature
          - security
          - other
          - prerelease
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
-  check-inputs:
+  build:
-    name: Check inputs validity
+    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - id: check
+      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "${{ inputs.version }}" | grep -E '^[0-9]{4}\.(0?[1-9]|1[0-2])\.[0-9]+(-rc[0-9]+)?$'
+          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-      - id: changelog-url
+          docker buildx install
-        run: |
+          mkdir -p ./gen-ts-api
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+          docker build -t testing:latest .
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          echo "AUTHENTIK_IMAGE=testing" >> .env
-          else
+          echo "AUTHENTIK_TAG=latest" >> .env
-            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
+          docker compose up --no-start
-          fi
+          docker compose start postgresql redis
-          echo "changelog_url=${changelog_url}" >> "$GITHUB_OUTPUT"
+          docker compose run -u root server test-all
-    outputs:
+      - id: generate_token
-      major_version: "${{ steps.check.outputs.major_version }}"
+        uses: tibdex/github-app-token@v2
      changelog_url: "${{ steps.changelog-url.outputs.changelog_url }}"
  test:
    name: Pre-release test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - run: make test-docker
  bump-authentik:
    name: Bump authentik version
    needs:
      - check-inputs
      - test
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        name: Generate app token
        uses: actions/create-github-app-token@v2
        with:
-          app-id: ${{ secrets.GH_APP_ID }}
+          app_id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - id: get-user-id
+      - name: prepare variables
-        name: Get GitHub app user ID
+        uses: ./.github/actions/docker-push-variables
-        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        id: ev
        env:
-          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      - uses: actions/checkout@v5
        with:
-          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
+          image-name: ghcr.io/goauthentik/server
          token: "${{ steps.app-token.outputs.token }}"
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.version }}"
      - name: Commit and push
        run: |
          # ID from https://api.github.com/users/authentik-automation[bot]
          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
          git commit -a -m "release: ${{ inputs.version }}" --allow-empty
          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
          git push --follow-tags
      - name: Create Release
-        uses: softprops/action-gh-release@v2
+        id: create_release
        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        with:
-          token: "${{ steps.app-token.outputs.token }}"
+          tag_name: ${{ github.ref }}
-          tag_name: "version/${{ inputs.version }}"
+          release_name: Release ${{ steps.ev.outputs.version }}
          name: Release ${{ inputs.version }}
          draft: true
-          prerelease: ${{ inputs.release_reason == 'prerelease' }}
+          prerelease: ${{ steps.ev.outputs.prerelease == 'true' }}
          generate_release_notes: true
          body: |
            See ${{ needs.check-inputs.outputs.changelog_url }}
  bump-helm:
    name: Bump Helm version
    if: ${{ inputs.release_reason != 'prerelease' }}
    needs:
      - bump-authentik
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        name: Generate app token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          repositories: helm
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
      - uses: actions/checkout@v5
        with:
          repository: "${{ github.repository_owner }}/helm"
          token: "${{ steps.app-token.outputs.token }}"
      - name: Bump version
        run: |
          sed -i 's/^version: .*/version: ${{ inputs.version }}/' charts/authentik/Chart.yaml
          sed -i 's/^appVersion: .*/appVersion: ${{ inputs.version }}/' charts/authentik/Chart.yaml
          sed -i 's/upgrade to authentik .*/upgrade to authentik ${{ inputs.version }}/' charts/authentik/Chart.yaml
          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
          ./scripts/helm-docs.sh
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
          commit-message: "charts/authentik: bump to ${{ inputs.version }}"
          title: "charts/authentik: bump to ${{ inputs.version }}"
          body: "charts/authentik: bump to ${{ inputs.version }}"
          delete-branch: true
          signoff: true
          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
  bump-version:
    name: Bump version repository
    if: ${{ inputs.release_reason != 'prerelease' }}
    needs:
      - check-inputs
      - bump-authentik
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        name: Generate app token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          repositories: version
      - id: get-user-id
        name: Get GitHub app user ID
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
      - uses: actions/checkout@v5
        with:
          repository: "${{ github.repository_owner }}/version"
          token: "${{ steps.app-token.outputs.token }}"
      - name: Bump version
        if: "${{ inputs.release_reason == 'feature' }}"
        run: |
          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}"
          jq \
            --arg version "${{ inputs.version }}" \
            --arg changelog "See ${changelog_url}" \
            --arg changelog_url "${changelog_url}" \
            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
          mv version.new.json version.json
      - name: Bump version
        if: "${{ inputs.release_reason != 'feature' }}"
        run: |
          changelog_url="https://docs.goauthentik.io/docs/releases/${{ needs.check-inputs.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version}} | sed 's/\.//g')"
          jq \
            --arg version "${{ inputs.version }}" \
            --arg changelog "See ${changelog_url}" \
            --arg changelog_url "${changelog_url}" \
            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
          mv version.new.json version.json
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
          commit-message: "version: bump to ${{ inputs.version }}"
          title: "version: bump to ${{ inputs.version }}"
          body: "version: bump to ${{ inputs.version }}"
          delete-branch: true
          signoff: true
          author: "${{ steps.app-token.outputs.app-slug }}[bot] <${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com>"
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@@ -1,22 +0,0 @@
 ---
 name: Repo - Cleanup internal mirror
 on:
  workflow_dispatch:
 jobs:
  to_internal:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
        with:
          target_repo_url: git@github.com:goauthentik/authentik-internal.git
          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
          args: --tags --force --prune
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@@ -1,21 +0,0 @@
 ---
 name: Repo - Mirror to internal
 on: [push, delete]
 jobs:
  to_internal:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
        with:
          target_repo_url: git@github.com:goauthentik/authentik-internal.git
          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
          args: --tags --force
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -1,9 +1,8 @@
---
+name: 'authentik-repo-stale'
 name: Repo - Mark and close stale issues
 on:
  schedule:
-    - cron: "30 1 * * *"
+    - cron: '30 1 * * *'
  workflow_dispatch:
 permissions:
@@ -12,7 +11,6 @@ permissions:
 jobs:
  stale:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@@ -20,13 +18,13 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v10
+      - uses: actions/stale@v9
        with:
          repo-token: ${{ steps.generate_token.outputs.token }}
          days-before-stale: 60
          days-before-close: 7
          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: status/stale
+          stale-issue-label: wontfix
          stale-issue-message: >
            This issue has been automatically marked as stale because it has not had
            recent activity. It will be closed if no further activity occurs. Thank you
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@@ -1,5 +1,4 @@
---
+name: authentik-translation-advice
 name: Translation - Post advice
 on:
  pull_request:
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -1,14 +1,9 @@
 ---
-name: Translation - Extract and compile
+name: authentik-backend-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
@@ -17,34 +12,26 @@ env:
 jobs:
  compile:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/checkout@v5
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Generate API
        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
@@ -54,6 +41,3 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
          labels: dependencies
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -1,7 +1,6 @@
 ---
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
+name: authentik-translation-transifex-rename
 on:
  pull_request:
@@ -16,7 +15,6 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
      - uses: actions/checkout@v5
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
@@ -27,13 +25,23 @@ jobs:
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
            -X PATCH \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.gitignore
+++ b/.gitignore
@@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media
 # Node
 node_modules
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
 out/
 sdist/
 var/
 wheels/
@@ -100,6 +95,9 @@ ipython_config.py
 # pyenv
 .python-version
 # celery beat schedule file
 celerybeat-schedule
 # SageMath parsed files
 *.sage.py
@@ -163,6 +161,8 @@ dmypy.json
 # pyenv
 # celery beat schedule file
 # SageMath parsed files
 # Environments
@@ -209,6 +209,3 @@ source_docs/
 ### Golang ###
 /vendor/
 ### Docker ###
 docker-compose.override.yml
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,48 +0,0 @@
 # Prettier Ignorefile
 ## Static Files
 **/LICENSE
 authentik/stages/**/*
 ## Build asset directories
 coverage
 dist
 out
 .docusaurus
 # TODO Replace after moving website to docs
 website/api/reference
 ## Environment
 *.env
 ## Secrets
 *.secrets
 ## Yarn
 .yarn/**/*
 ## Node
 node_modules
 coverage
 ## Configs
 *.log
 *.yaml
 *.yml
 # Templates
 # TODO: Rename affected files to *.template.* or similar.
 *.html
 *.mdx
 *.md
 ## Import order matters
 poly.ts
 src/locale-codes.ts
 src/locales/
 # Storybook
 storybook-static/
 .storybook/css-import-maps*
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -2,7 +2,6 @@
    "recommendations": [
        "bashmish.es6-string-css",
        "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
        "charliermarsh.ruff",
        "dbaeumer.vscode-eslint",
        "EditorConfig.EditorConfig",
        "esbenp.prettier-vscode",
@@ -11,12 +10,12 @@
        "Gruntfuggly.todo-tree",
        "mechatroner.rainbow-csv",
        "ms-python.black-formatter",
-        "ms-python.black-formatter",
+        "charliermarsh.ruff",
        "ms-python.debugpy",
        "ms-python.python",
        "ms-python.vscode-pylance",
        "ms-python.black-formatter",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -2,76 +2,26 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Debug: Attach Server Core",
+            "name": "Python: PDB attach Server",
-            "type": "debugpy",
+            "type": "python",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 9901
+                "port": 6800
            },
-            "pathMappings": [
+            "justMyCode": true,
                {
                    "localRoot": "${workspaceFolder}",
                    "remoteRoot": "."
                }
            ],
            "django": true
        },
        {
-            "name": "Debug: Attach Worker",
+            "name": "Python: PDB attach Worker",
-            "type": "debugpy",
+            "type": "python",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 9901
+                "port": 6900
            },
-            "pathMappings": [
+            "justMyCode": true,
                {
                    "localRoot": "${workspaceFolder}",
                    "remoteRoot": "."
                }
            ],
            "django": true
        },
        {
            "name": "Debug: Start Server Router",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/server",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start LDAP Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/ldap",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start Proxy Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/proxy",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start RAC Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/rac",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start Radius Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/radius",
            "cwd": "${workspaceFolder}"
        }
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,26 @@
 {
    "cSpell.words": [
        "akadmin",
        "asgi",
        "authentik",
        "authn",
        "entra",
        "goauthentik",
        "jwe",
        "jwks",
        "kubernetes",
        "oidc",
        "openid",
        "passwordless",
        "plex",
        "saml",
        "scim",
        "slo",
        "sso",
        "totp",
        "traefik",
        "webauthn"
    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
@@ -6,22 +28,16 @@
        "!Context scalar",
        "!Enumerate sequence",
        "!Env scalar",
        "!Env sequence",
        "!File scalar",
        "!File sequence",
        "!Find sequence",
        "!FindObject sequence",
        "!Format sequence",
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar",
+        "!Value scalar"
        "!AtIndex scalar",
        "!ParseJSON scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -34,9 +50,7 @@
            "ignoreCase": false
        }
    ],
-    "go.testFlags": [
+    "go.testFlags": ["-count=1"],
        "-count=1"
    ],
    "github-actions.workflows.pinned.workflows": [
        ".github/workflows/ci-main.yml"
    ]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -3,7 +3,7 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
@@ -12,7 +12,7 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
@@ -43,15 +43,15 @@
            "group": "build"
        },
        {
-            "label": "authentik/docs: make",
+            "label": "authentik/website: make",
            "command": "make",
-            "args": ["docs"],
+            "args": ["website"],
            "group": "build"
        },
        {
-            "label": "authentik/docs: watch",
+            "label": "authentik/website: watch",
            "command": "make",
-            "args": ["docs-watch"],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@@ -60,7 +60,7 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
+            "command": "poetry",
            "args": ["run", "make", "gen"],
            "group": "build"
        }
--- a/62
+++ b/62
@@ -1,44 +1,28 @@
 # Fallback
-*                                       @goauthentik/backend @goauthentik/frontend
+*                               @goauthentik/backend @goauthentik/frontend
 # Backend
-authentik/                              @goauthentik/backend
+authentik/                      @goauthentik/backend
-blueprints/                             @goauthentik/backend
+blueprints/                     @goauthentik/backend
-cmd/                                    @goauthentik/backend
+cmd/                            @goauthentik/backend
-internal/                               @goauthentik/backend
+internal/                       @goauthentik/backend
-lifecycle/                              @goauthentik/backend
+lifecycle/                      @goauthentik/backend
-schemas/                                @goauthentik/backend
+schemas/                        @goauthentik/backend
-scripts/                                @goauthentik/backend
+scripts/                        @goauthentik/backend
-tests/                                  @goauthentik/backend
+tests/                          @goauthentik/backend
-pyproject.toml                          @goauthentik/backend
+pyproject.toml                  @goauthentik/backend
-uv.lock                                 @goauthentik/backend
+poetry.lock                     @goauthentik/backend
-go.mod                                  @goauthentik/backend
+go.mod                          @goauthentik/backend
-go.sum                                  @goauthentik/backend
+go.sum                          @goauthentik/backend
 # Infrastructure
-.github/                                @goauthentik/infrastructure
+.github/                        @goauthentik/infrastructure
-lifecycle/aws/                          @goauthentik/infrastructure
+Dockerfile                      @goauthentik/infrastructure
-Dockerfile                              @goauthentik/infrastructure
+*Dockerfile                     @goauthentik/infrastructure
-*Dockerfile                             @goauthentik/infrastructure
+.dockerignore                   @goauthentik/infrastructure
-.dockerignore                           @goauthentik/infrastructure
+docker-compose.yml              @goauthentik/infrastructure
 docker-compose.yml                      @goauthentik/infrastructure
 Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
-web/                                    @goauthentik/frontend
+web/                            @goauthentik/frontend
-# Locale
+tests/wdio/                     @goauthentik/frontend
-locale/                                 @goauthentik/backend @goauthentik/frontend
+# Docs & Website
-web/xliff/                              @goauthentik/backend @goauthentik/frontend
+website/                        @goauthentik/docs
 # Docs
 website/                                @goauthentik/docs
 CODE_OF_CONDUCT.md                      @goauthentik/docs
 # Security
-SECURITY.md                             @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security
 website/security/                       @goauthentik/security @goauthentik/docs
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +0,0 @@
 # Contributing to authentik
 Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1 @@
 website/developer-docs/index.md
--- a/148
+++ b/148
@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
-# Stage 1: Build webui
+# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 ENV NODE_ENV=production
 WORKDIR /work/website
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
 COPY ./schema.yml /work/
 COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,20 +32,18 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci
+    npm ci --include=dev
 COPY ./package.json /work
 COPY ./web /work/web/
 # TODO: Update this after moving website to docs
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build && \
+RUN npm run build
    npm run build:sfe
-# Stage 2: Build go proxy
+# Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
 ARG TARGETOS
 ARG TARGETARCH
@@ -50,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -59,102 +76,74 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server
-# Stage 3: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
-# Stage 4: Download uv
+# Stage 5: Python dependencies
-FROM ghcr.io/astral-sh/uv:0.8.15 AS uv
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-trixie-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
    UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy \
    UV_NATIVE_TLS=1 \
    UV_PYTHON_DOWNLOADS=0
 WORKDIR /ak-root/
 COPY --from=uv /uv /uvx /bin/
 # Stage 6: Python dependencies
 FROM python-base AS python-deps
 ARG TARGETARCH
 ARG TARGETVARIANT
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry
-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false \
    PATH="/ak-root/venv/bin:$PATH"
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends \
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
    # Build essentials
    build-essential pkg-config libffi-dev git \
    # cryptography
    curl \
    # libxml
    libxslt-dev zlib1g-dev \
    # postgresql
    libpq-dev \
    # python-kadmin-rs
    clang libkrb5-dev sccache \
    # xmlsec
    libltdl-dev && \
    curl https://sh.rustup.rs -sSf | sh -s -- -y
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
    pip3 install --upgrade pip && \
    pip3 install poetry && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
    pip install --force-reinstall /wheels/*"
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
+# Stage 6: Run
-    --mount=type=bind,target=uv.lock,src=uv.lock \
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
    --mount=type=bind,target=packages,src=packages \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev
 # Stage 7: Run
 FROM python-base AS final-image
 ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
-LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+LABEL org.opencontainers.image.url=https://goauthentik.io
-    org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
+LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
-    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
+LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
+LABEL org.opencontainers.image.version=${VERSION}
-    org.opencontainers.image.revision=${GIT_BUILD_HASH} \
+LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
    org.opencontainers.image.title="authentik server image" \
    org.opencontainers.image.url="https://goauthentik.io" \
    org.opencontainers.image.vendor="Authentik Security Inc." \
    org.opencontainers.image.version=${VERSION}
 WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    apt-get upgrade -y && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    pip3 install --no-cache-dir --upgrade pip && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@@ -165,7 +154,7 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@@ -174,11 +163,10 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY ./packages/ /ak-root/packages
+COPY --from=python-deps /ak-root/venv /ak-root/venv
-RUN  ln -s /ak-root/packages /packages
+COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=node-builder /work/web/authentik/ /web/authentik/
 COPY --from=geoip /usr/share/GeoIP /geoip
 USER 1000
@@ -186,7 +174,11 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
-    GOFIPS=1
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false
 ENV GOFIPS=1
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/245
+++ b/245
@@ -1,41 +1,36 @@
-.PHONY: gen dev-reset all clean test web docs
+.PHONY: gen dev-reset all clean test web website
-SHELL := /usr/bin/env bash
+.SHELLFLAGS += ${SHELLFLAGS} -e
 .SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik packages tests scripts lifecycle .github
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
-GEN_API_TS = gen-ts-api
+GEN_API_TS = "gen-ts-api"
-GEN_API_PY = gen-py-api
+GEN_API_PY = "gen-py-api"
-GEN_API_GO = gen-go-api
+GEN_API_GO = "gen-go-api"
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
-UNAME := $(shell uname)
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
 		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
 		website/docs \
 		website/integrations \
 		website/src
-# For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
+all: lint-fix lint test gen web  ## Lint, build, and test everything
 # to prevent SAML-related tests from failing and ensure correct pip dependency compilation
 ifeq ($(UNAME), Darwin)
 # Only add for brew users who installed libxmlsec1
 	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
 	ifdef BREW_EXISTS
 		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
 		ifdef LIBXML2_EXISTS
 			BREW_LDFLAGS := -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
 			BREW_CPPFLAGS := -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
 			BREW_PKG_CONFIG_PATH := $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
 		endif
 	endif
 endif
 all: lint-fix lint gen web test  ## Lint, build, and test everything
 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
 	cut -d':' -f1 | awk '{printf "%d\n", length}' | sort -rn | head -1)
@@ -50,48 +45,41 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...
 test-docker:  ## Run all tests in a docker-compose
 	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
 	docker compose run -u root server test-all
 	rm -f .env
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
+	coverage run manage.py test --keepdb authentik
-	uv run coverage html
+	coverage html
-	uv run coverage report
+	coverage report
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
+	black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)
 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	codespell -w $(CODESPELL_ARGS)
 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v
 core-install:
-ifdef LIBXML2_EXISTS
+	poetry install
 # Clear cache to ensure fresh compilation
 	uv cache clean
 # Force compilation from source for lxml and xmlsec with correct environment
 	LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
 else
 	uv sync --frozen
 endif
 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	python -m lifecycle.migrate
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 aws-cfn:
 	cd lifecycle/aws && npm i && uv run npm run aws-cfn
 run-server:  ## Run the main authentik server process
 	uv run ak server
 run-worker:  ## Run the main authentik worker process
 	uv run ak worker
 core-i18n-extract:
-	uv run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -101,34 +89,19 @@ core-i18n-extract:
 		--ignore website \
 		-l en
-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
 dev-drop-db:
-	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
+	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall
+	redis-cli -n 0 flushall
 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
 	$(error Usage: make bump version=20xx.xx.xx )
 endif
 	sed -i 's/^version = ".*"/version = "$(version)"/' pyproject.toml
 	sed -i 's/^VERSION = ".*"/VERSION = "$(version)"/' authentik/__init__.py
 	$(MAKE) gen-build gen-compose aws-cfn
 	npm version --no-git-tag-version --allow-same-version $(version)
 	cd ${PWD}/web && npm version --no-git-tag-version --allow-same-version $(version)
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
 #########################
 ## API Schema
 #########################
@@ -137,14 +110,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		ak spectacular --file schema.yml
 gen-compose:
 	uv run scripts/generate_docker_compose.py
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -163,20 +133,15 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	sed -i 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md
-gen-clean-ts:  ## Remove generated API client for TypeScript
+gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ./${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+	rm -rf ./web/node_modules/@goauthentik/api/
 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/
 ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	make -C ${PWD}/${GEN_API_GO} clean
 else
 	rm -rf ${PWD}/${GEN_API_GO}
 endif
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
@@ -184,7 +149,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@@ -192,15 +157,15 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
+	mkdir -p web/node_modules/@goauthentik/api
-	cd ${PWD}/${GEN_API_TS} && npm link
+	cd ./${GEN_API_TS} && npm i
-	cd ${PWD}/web && npm link @goauthentik/api
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.15.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@@ -208,40 +173,42 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	pip install ./${GEN_API_PY}
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-else
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
-	cd ${PWD}/${GEN_API_GO} && git pull
+	cp schema.yml ./${GEN_API_GO}/
-endif
+	docker run \
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
-	make -C ${PWD}/${GEN_API_GO} build
+		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	python -m scripts.generate_config
 gen: gen-build gen-client-ts
 #########################
 ## Node.js
 #########################
 node-install:  ## Install the necessary libraries to build Node.js packages
 	npm ci
 	npm ci --prefix web
 #########################
 ## Web
 #########################
-web-build: node-install  ## Build the Authentik UI
+web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 web-test: ## Run tests for the Authentik UI
 	cd web && npm run test
@@ -268,40 +235,22 @@ web-i18n-extract:
 	cd web && npm run extract-locales
 #########################
-## Docs
+## Website
 #########################
-docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
+website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
-docs-install:
+website-install:
-	npm ci --prefix website
+	cd website && npm ci
-docs-lint-fix: lint-codespell
+website-lint-fix: lint-codespell
-	npm run prettier --prefix website
+	cd website && npm run prettier
-docs-build:
+website-build:
-	npm run build --prefix website
+	cd website && npm run build
-docs-watch:  ## Build and watch the topics documentation
+website-watch:  ## Build and watch the documentation website, updating automatically
-	npm run start --prefix website
+	cd website && npm run watch
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 integrations-build:
 	npm run build --prefix website -w integrations
 integrations-watch:  ## Build and watch the Integrations documentation
 	npm run start --prefix website -w integrations
 docs-api-build:
 	npm run build --prefix website -w api
 docs-api-watch:  ## Build and watch the API documentation
 	npm run build:api --prefix website -w api
 	npm run start --prefix website -w api
 docs-api-clean: ## Clean generated API documentation
 	npm run build:api:clean --prefix website -w api
 #########################
 ## Docker
@@ -311,9 +260,6 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 test-docker:
 	BUILD=true ${PWD}/scripts/test_docker.sh
 #########################
 ## CI
 #########################
@@ -325,21 +271,16 @@ ci--meta-debug:
 	node --version
 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)
 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)
 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	codespell $(CODESPELL_ARGS) -s
 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)
 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	ak makemigrations --check
 ci-test: ci--meta-debug
 	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
 	uv run coverage report
 	uv run coverage xml
--- a/README.md
+++ b/README.md
@@ -9,22 +9,21 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Docker pulls](https://img.shields.io/docker/pulls/authentik/server.svg?style=for-the-badge)
+![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
-![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
+![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
 ## What is authentik?
-authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
-Our [enterprise offering](https://goauthentik.io/pricing) is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.
+Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
 ## Installation
- Docker Compose: recommended for small/test setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/docker-compose/).
+For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
- Kubernetes (Helm Chart): recommended for larger setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/kubernetes/) and the Helm chart [repository](https://github.com/goauthentik/helm).
+
- AWS CloudFormation: deploy on AWS using our official templates. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/aws/).
+For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).
 - DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the [app listing](https://marketplace.digitalocean.com/apps/authentik).
 ## Screenshots
@@ -33,20 +32,14 @@ Our [enterprise offering](https://goauthentik.io/pricing) is available for organ
 | ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
 | ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
-## Development and contributions
+## Development
-See the [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/) for information about setting up local build environments, testing your contributions, and our contribution process.
+See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
 ## Security
-Please see [SECURITY.md](SECURITY.md).
+See [SECURITY.md](SECURITY.md)
-## Adoption
+## Adoption and Contributions
-Using authentik? We'd love to hear your story and feature your logo. Email us at [hello@goauthentik.io](mailto:hello@goauthentik.io) or open a GitHub Issue/PR!
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
 ## License
 [![MIT License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
 [![CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey?style=for-the-badge)](website/LICENSE)
 [![authentik EE License](https://img.shields.io/badge/License-EE-orange?style=for-the-badge)](authentik/enterprise/LICENSE)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 ## Independent audits and pentests
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 ## What authentik classifies as a CVE
@@ -20,33 +20,12 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
-| 2025.6.x  | ✅        |
+| 2024.8.x  | ✅        |
-| 2025.8.x  | ✅        |
+| 2024.10.x | ✅        |
 ## Reporting a Vulnerability
-If you discover a potential vulnerability, please report it responsibly through one of the following channels:
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the issue.
 - **Email**: [security@goauthentik.io](mailto:security@goauthentik.io)
 - **GitHub**: Submit a private security advisory via our [repository’s advisory portal](https://github.com/goauthentik/authentik/security/advisories/new)
 When submitting a report, please include as much detail as possible, such as:
 - **Affected version(s)**: The version of authentik where the issue was identified.
 - **Steps to reproduce**: A clear description or proof of concept to help us verify the issue.
 - **Impact assessment**: How the vulnerability could be exploited and its potential effect.
 - **Additional information**: Logs, configuration details (if relevant), or any suggested mitigations.
 We kindly ask that you do not disclose the vulnerability publicly until we have confirmed and addressed the issue.
 Our team will:
 - Acknowledge receipt of your report as quickly as possible.
 - Keep you updated on the investigation and resolution progress.
 ## Researcher Recognition
 We value contributions from the security community. For each valid report, we will publish a dedicated entry on our Security Advisory page that optionally includes the reporter’s name (or preferred alias). Please note that while we do not currently offer monetary bounties, we are committed to giving researchers appropriate credit for their efforts in keeping authentik secure.
 ## Severity levels
--- a/authentik/init.py
+++ b/authentik/init.py
@@ -1,28 +1,20 @@
 """authentik root module"""
 from functools import lru_cache
 from os import environ
-VERSION = "2025.10.0-rc1"
+__version__ = "2024.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
-@lru_cache
+def get_build_hash(fallback: str | None = None) -> str:
 def authentik_version() -> str:
    return VERSION
@lru_cache
 def authentik_build_hash(fallback: str | None = None) -> str:
    """Get build hash"""
    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
    return fallback if build_hash == "" and fallback else build_hash
-@lru_cache
+def get_full_version() -> str:
 def authentik_full_version() -> str:
    """Get full version, with build hash appended"""
-    version = authentik_version()
+    version = __version__
-    if (build_hash := authentik_build_hash()) != "":
+    if (build_hash := get_build_hash()) != "":
-        return f"{version}+{build_hash}"
+        version += "." + build_hash
    return version
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@@ -0,0 +1,79 @@
 """authentik administration metrics"""
 from datetime import timedelta
 from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import EventAction
 class CoordinateSerializer(PassiveSerializer):
    """Coordinates for diagrams"""
    x_cord = IntegerField(read_only=True)
    y_cord = IntegerField(read_only=True)
 class LoginMetricsSerializer(PassiveSerializer):
    """Login Metrics per 1h"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get successful authorizations per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""
    permission_classes = [IsAuthenticated]
    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        serializer.context["user"] = request.user
        return Response(serializer.data)
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@@ -7,16 +7,14 @@ from sys import version as python_version
 from typing import TypedDict
 from cryptography.hazmat.backends.openssl.backend import backend
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
-from authentik import authentik_full_version
+from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
@@ -54,16 +52,10 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
-            actual_value = value
+            headers[key] = value
            if raw_session is not None and raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
            headers[key] = actual_value
        return headers
    def get_http_host(self, request: Request) -> str:
@@ -78,7 +70,7 @@ class SystemInfoSerializer(PassiveSerializer):
        """Get versions"""
        return {
            "architecture": platform.machine(),
-            "authentik_version": authentik_full_version(),
+            "authentik_version": get_full_version(),
            "environment": get_env(),
            "openssl_fips_enabled": (
                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@@ -1,7 +1,6 @@
 """authentik administration overview"""
 from django.core.cache import cache
 from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -10,11 +9,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
 from authentik.tenants.utils import get_current_tenant
 class VersionSerializer(PassiveSerializer):
@@ -29,20 +27,18 @@ class VersionSerializer(PassiveSerializer):
    def get_build_hash(self, _) -> str:
        """Get build hash, if version is not latest or released"""
-        return authentik_build_hash()
+        return get_build_hash()
    def get_version_current(self, _) -> str:
        """Get current version"""
-        return authentik_version()
+        return __version__
    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
        if get_current_tenant().schema_name == get_public_schema_name():
            return authentik_version()
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
-            update_latest_version.send()
+            update_latest_version.delay()
-            return authentik_version()
+            return __version__
        return version_in_cache
    def get_version_latest_valid(self, _) -> bool:
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@@ -0,0 +1,26 @@
 """authentik administration overview"""
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.fields import IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 class WorkerView(APIView):
    """Get currently connected worker count."""
    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
        count = len(CELERY_APP.control.ping(timeout=0.5))
        # In debug we run with `task_always_eager`, so tasks are ran on the main process
        if settings.DEBUG:  # pragma: no cover
            count += 1
        return Response({"count": count})
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@@ -1,13 +1,11 @@
 """authentik admin app config"""
-from prometheus_client import Info
+from prometheus_client import Gauge, Info
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 class AuthentikAdminConfig(ManagedAppConfig):
@@ -17,31 +15,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
    @ManagedAppConfig.reconcile_global
    def clear_update_notifications(self):
        """Clear update notifications on startup if the notification was for the version
        we're running now."""
        from packaging.version import parse
        from authentik.admin.tasks import LOCAL_VERSION
        from authentik.events.models import EventAction, Notification
        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
            if "new_version" not in notification.event.context:
                continue
            notification_version = notification.event.context["new_version"]
            if LOCAL_VERSION >= parse(notification_version):
                notification.delete()
    @property
    def global_schedule_specs(self) -> list[ScheduleSpec]:
        from authentik.admin.tasks import update_latest_version
        return [
            ScheduleSpec(
                actor=update_latest_version,
                crontab=f"{fqdn_rand('admin_latest_version')} * * * *",
                paused=CONFIG.get_bool("disable_update_check"),
            ),
        ]
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@@ -0,0 +1,13 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@@ -0,0 +1,14 @@
 """admin signals"""
 from django.dispatch import receiver
 from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
@receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
    count = len(CELERY_APP.control.ping(timeout=0.5))
    GAUGE_WORKERS.set(count)
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@@ -1,44 +1,59 @@
 """authentik admin tasks"""
 from django.core.cache import cache
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from django_dramatiq_postgres.middleware import CurrentTask
 from dramatiq import actor
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
-from authentik import authentik_build_hash, authentik_version
+from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.models import Task
+from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-LOCAL_VERSION = parse(authentik_version())
+LOCAL_VERSION = parse(__version__)
 def _set_prom_info():
    """Set prometheus info for version"""
    PROM_INFO.info(
        {
-            "version": authentik_version(),
+            "version": __version__,
            "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": authentik_build_hash(),
+            "build_hash": get_build_hash(),
        }
    )
-@actor(description=_("Update latest version info."))
+@CELERY_APP.task(
-def update_latest_version():
+    throws=(DatabaseError, ProgrammingError, InternalError),
-    self: Task = CurrentTask.get_task()
+)
 def clear_update_notifications():
    """Clear update notifications on startup if the notification was for the version
    we're running now."""
    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
        if "new_version" not in notification.event.context:
            continue
        notification_version = notification.event.context["new_version"]
        if LOCAL_VERSION >= parse(notification_version):
            notification.delete()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def update_latest_version(self: SystemTask):
    """Update latest version info"""
    if CONFIG.get_bool("disable_update_check"):
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        self.info("Version check disabled.")
+        self.set_status(TaskStatus.WARNING, "Version check disabled.")
        return
    try:
        response = get_http_session().get(
@@ -48,7 +63,7 @@ def update_latest_version():
        data = response.json()
        upstream_version = data.get("stable", {}).get("version")
        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
-        self.info("Successfully updated latest Version")
+        self.set_status(TaskStatus.SUCCESSFUL, "Successfully updated latest Version")
        _set_prom_info()
        # Check if upstream version is newer than what we're running,
        # and if no event exists yet, create one.
@@ -71,7 +86,7 @@ def update_latest_version():
            ).save()
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
-        raise exc
+        self.set_error(exc)
 _set_prom_info()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@@ -5,7 +5,7 @@ from json import loads
 from django.test import TestCase
 from django.urls import reverse
-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
 from authentik.lib.generators import generate_id
@@ -27,7 +27,19 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_version"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["version_current"], authentik_version())
+        self.assertEqual(body["version_current"], __version__)
    def test_workers(self):
        """Test Workers API"""
        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["count"], 0)
    def test_metrics(self):
        """Test metrics API"""
        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)
    def test_apps(self):
        """Test apps API"""
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@@ -1,12 +1,12 @@
 """test admin tasks"""
 from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -30,7 +30,7 @@ class TestAdminTasks(TestCase):
        """Test Update checker with valid response"""
        with Mocker() as mocker, CONFIG.patch("disable_update_check", False):
            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
            self.assertTrue(
                Event.objects.filter(
@@ -40,7 +40,7 @@ class TestAdminTasks(TestCase):
                ).exists()
            )
            # test that a consecutive check doesn't create a duplicate event
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(
                len(
                    Event.objects.filter(
@@ -56,7 +56,7 @@ class TestAdminTasks(TestCase):
        """Test Update checker with invalid response"""
        with Mocker() as mocker:
            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
            self.assertFalse(
                Event.objects.filter(
@@ -67,19 +67,17 @@ class TestAdminTasks(TestCase):
    def test_version_disabled(self):
        """Test Update checker while its disabled"""
        with CONFIG.patch("disable_update_check", True):
-            update_latest_version.send()
+            update_latest_version.delay().get()
            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
-            action=EventAction.UPDATE_AVAILABLE,
+            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
            context={"new_version": "99999999.9999999.9999999"},
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@@ -3,14 +3,22 @@
 from django.urls import path
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
    path(
        "admin/metrics/",
        AdministrationMetricsViewSet.as_view(),
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@@ -1,13 +1,12 @@
 """authentik API AppConfig"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
    """authentik API Config"""
    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
    default = True
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -1,12 +1,9 @@
 """API Authentication"""
 from hmac import compare_digest
 from pathlib import Path
 from tempfile import gettempdir
 from typing import Any
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger
 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 LOGGER = get_logger()
 _tmp = Path(gettempdir())
 try:
    with open(_tmp / "authentik-core-ipc.key") as _f:
        ipc_key = _f.read()
 except OSError:
    ipc_key = None
 def validate_auth(header: bytes) -> str | None:
@@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
    # then try to auth via secret key (for embedded outpost/etc)
    user = token_ipc(auth_credentials)
    if user:
        CTX_AUTH_VIA.set("ipc")
        return user
    raise AuthenticationFailed("Token invalid/expired")
@@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user
 class IPCUser(AnonymousUser):
    """'Virtual' user for IPC communication between authentik core and the authentik router"""
    username = "authentik:system"
    is_active = True
    is_superuser = True
    @property
    def type(self):
        return UserTypes.INTERNAL_SERVICE_ACCOUNT
    def has_perm(self, perm, obj=None):
        return True
    def has_perms(self, perm_list, obj=None):
        return True
    def has_module_perms(self, module):
        return True
    @property
    def is_anonymous(self):
        return False
    @property
    def is_authenticated(self):
        return True
 def token_ipc(value: str) -> User | None:
    """Check if the token is the secret key
    and return the service account for the managed outpost"""
    if not ipc_key or not compare_digest(value, ipc_key):
        return None
    return IPCUser()
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@@ -0,0 +1,67 @@
 """API Authorization"""
 from django.conf import settings
 from django.db.models import Model
 from django.db.models.query import QuerySet
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 from authentik.api.authentication import validate_auth
 from authentik.rbac.filters import ObjectFilter
 class OwnerFilter(BaseFilterBackend):
    """Filter objects by their owner"""
    owner_key = "user"
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        if request.user.is_superuser:
            return queryset
        return queryset.filter(**{self.owner_key: request.user})
 class SecretKeyFilter(DjangoFilterBackend):
    """Allow access to all objects when authenticated with secret key as token.
    Replaces both DjangoFilterBackend and ObjectFilter"""
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        auth_header = get_authorization_header(request)
        token = validate_auth(auth_header)
        if token and token == settings.SECRET_KEY:
            return queryset
        queryset = ObjectFilter().filter_queryset(request, queryset, view)
        return super().filter_queryset(request, queryset, view)
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""
    owner_key = "user"
    def has_permission(self, request: Request, view) -> bool:
        """If the user is authenticated, we allow all requests here. For listing, the
        object-level permissions are done by the filter backend"""
        return request.user.is_authenticated
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        """Check if the object's owner matches the currently logged in user"""
        if not hasattr(obj, self.owner_key):
            return False
        owner = getattr(obj, self.owner_key)
        if owner != request.user:
            return False
        return True
 class OwnerSuperuserPermissions(OwnerPermissions):
    """Similar to OwnerPermissions, except always allow access for superusers"""
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        if request.user.is_superuser:
            return True
        return super().has_object_permission(request, view, obj)
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@@ -8,6 +8,8 @@ API Browser - {{ brand.branding_title }}
 {% block head %}
 <script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
 {% block body %}
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.blueprints.models import BlueprintInstance
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required
@@ -39,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -115,7 +115,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
+        files: list[dict] = blueprints_find_dict.delay().get()
        return Response(files)
    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -129,5 +129,5 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    def apply(self, request: Request, *args, **kwargs) -> Response:
        """Apply a blueprint"""
        blueprint = self.get_object()
-        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
+        apply_blueprint.delay(str(blueprint.pk)).get()
        return self.retrieve(request, *args, **kwargs)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@@ -6,12 +6,9 @@ from inspect import ismethod
 from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
 from dramatiq.broker import get_broker
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.lib.utils.time import fqdn_rand
 from authentik.root.signals import startup
 from authentik.tasks.schedules.common import ScheduleSpec
 class ManagedAppConfig(AppConfig):
@@ -37,7 +34,7 @@ class ManagedAppConfig(AppConfig):
    def import_related(self):
        """Automatically import related modules which rely on just being imported
-        to register themselves (mainly django signals and tasks)"""
+        to register themselves (mainly django signals and celery tasks)"""
        def import_relative(rel_module: str):
            try:
@@ -83,16 +80,6 @@ class ManagedAppConfig(AppConfig):
        func._authentik_managed_reconcile = ManagedAppConfig.RECONCILE_GLOBAL_CATEGORY
        return func
    @property
    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
        """Get a list of schedule specs that must exist in each tenant"""
        return []
    @property
    def global_schedule_specs(self) -> list[ScheduleSpec]:
        """Get a list of schedule specs that must exist in the default tenant"""
        return []
    def _reconcile_tenant(self) -> None:
        """reconcile ourselves for tenanted methods"""
        from authentik.tenants.models import Tenant
@@ -113,12 +100,8 @@ class ManagedAppConfig(AppConfig):
        """
        from django_tenants.utils import get_public_schema_name, schema_context
-        try:
+        with schema_context(get_public_schema_name()):
-            with schema_context(get_public_schema_name()):
+            self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
                self._reconcile(self.RECONCILE_GLOBAL_CATEGORY)
        except (DatabaseError, ProgrammingError, InternalError) as exc:
            self.logger.debug("Failed to access database to run reconcile", exc=exc)
            return
 class AuthentikBlueprintsConfig(ManagedAppConfig):
@@ -129,29 +112,19 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
    verbose_name = "authentik Blueprints"
    default = True
    @ManagedAppConfig.reconcile_global
    def load_blueprints_v1_tasks(self):
        """Load v1 tasks"""
        self.import_module("authentik.blueprints.v1.tasks")
    @ManagedAppConfig.reconcile_tenant
    def blueprints_discovery(self):
        """Run blueprint discovery"""
        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
        blueprints_discovery.delay()
        clear_failed_blueprints.delay()
    def import_models(self):
        super().import_models()
        self.import_module("authentik.blueprints.v1.meta.apply_blueprint")
    @ManagedAppConfig.reconcile_global
    def tasks_middlewares(self):
        from authentik.blueprints.v1.tasks import BlueprintWatcherMiddleware
        get_broker().add_middleware(BlueprintWatcherMiddleware())
    @property
    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
        return [
            ScheduleSpec(
                actor=blueprints_discovery,
                crontab=f"{fqdn_rand('blueprints_v1_discover')} * * * *",
                send_on_startup=True,
            ),
            ScheduleSpec(
                actor=clear_failed_blueprints,
                crontab=f"{fqdn_rand('blueprints_v1_cleanup')} * * * *",
                send_on_startup=True,
            ),
        ]
--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@@ -1,68 +0,0 @@
 """Test and debug Blueprints"""
 import atexit
 import readline
 from pathlib import Path
 from pprint import pformat
 from sys import exit as sysexit
 from textwrap import indent
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 from yaml import load
 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
 from authentik.core.management.commands.shell import get_banner_text
 from authentik.lib.utils.errors import exception_to_string
 LOGGER = get_logger()
 class Command(BaseCommand):
    """Test and debug Blueprints"""
    lines = []
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
        histfolder.mkdir(parents=True, exist_ok=True)
        histfile = histfolder / Path("blueprint_shell_history")
        readline.parse_and_bind("tab: complete")
        readline.parse_and_bind("set editing-mode vi")
        try:
            readline.read_history_file(str(histfile))
        except FileNotFoundError:
            pass
        atexit.register(readline.write_history_file, str(histfile))
    @no_translations
    def handle(self, *args, **options):
        """Interactively debug blueprint files"""
        self.stdout.write(get_banner_text("Blueprint shell"))
        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
        def do_eval():
            yaml_input = "\n".join([line for line in self.lines if line])
            data = load(yaml_input, BlueprintLoader)
            self.stdout.write(pformat(data))
            self.lines = []
        while True:
            try:
                line = input("> ")
                if line == ".eval":
                    do_eval()
                else:
                    self.lines.append(line)
            except EntryInvalidError as exc:
                self.stdout.write("Failed to evaluate expression:")
                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
            except EOFError:
                break
            except KeyboardInterrupt:
                self.stdout.write()
                sysexit(0)
        self.stdout.write()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -11,7 +11,7 @@ from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
-from authentik import authentik_version
+from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -48,7 +48,7 @@ class Command(BaseCommand):
            "$schema": "http://json-schema.org/draft-07/schema",
            "$id": "https://goauthentik.io/blueprints/schema.json",
            "type": "object",
-            "title": f"authentik {authentik_version()} Blueprint schema",
+            "title": f"authentik {__version__} Blueprint schema",
            "required": ["version", "entries"],
            "properties": {
                "version": {
@@ -72,33 +72,20 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "anyOf": [
+                    "type": "array",
-                        {
+                    "items": {
-                            "type": "array",
+                        "oneOf": [],
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
+                    },
                        },
                        {
                            "type": "object",
                            "additionalProperties": {
                                "type": "array",
                                "items": {"$ref": "#/$defs/blueprint_entry"},
                            },
                        },
                    ],
                },
            },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
        }
    def add_arguments(self, parser):
        parser.add_argument("--file", type=str)
    @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        with open(file, "w") as _schema:
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
    @staticmethod
    def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )
@@ -139,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@@ -147,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -156,11 +143,6 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
        # Meta models don't require identifiers, as there's no matching database model to find
        if issubclass(model, BaseMetaModel):
            del template["properties"]["identifiers"]
            template["required"].remove("identifiers")
        return template
    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
@@ -218,7 +200,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@@ -3,7 +3,6 @@
 from pathlib import Path
 from uuid import uuid4
 from django.contrib.contenttypes.fields import GenericRelation
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -72,13 +71,6 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):
    enabled = models.BooleanField(default=True)
    managed_models = ArrayField(models.TextField(), default=list)
    # Manual link to tasks instead of using TasksModel because of loop imports
    tasks = GenericRelation(
        "authentik_tasks.Task",
        content_type_field="rel_obj_content_type",
        object_id_field="rel_obj_id",
    )
    class Meta:
        verbose_name = _("Blueprint Instance")
        verbose_name_plural = _("Blueprint Instances")
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@@ -0,0 +1,18 @@
 """blueprint Settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "blueprints_v1_discover": {
        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
    "blueprints_v1_cleanup": {
        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/blueprints/tasks.py
+++ b/authentik/blueprints/tasks.py
@@ -1,2 +0,0 @@
 # Import all v1 tasks for auto task discovery
 from authentik.blueprints.v1.tasks import *  # noqa: F403
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
+    - identifiers:
-      - identifiers:
+          name: "%(id)s"
-            name: "%(id)s"
+          slug: "%(id)s"
-            slug: "%(id)s"
+      model: authentik_flows.flow
-        model: authentik_flows.flow
+      state: present
-        state: present
+      attrs:
-        attrs:
+          designation: stage_configuration
-            designation: stage_configuration
+          title: foo
            title: foo
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@@ -12,8 +12,8 @@ context:
    context1: context-nested-value
    context2: !Context context1
 entries:
-    - model: !Format ["%%s", authentik_sources_oauth.oauthsource]
+    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%%s", present]
+      state: !Format ["%s", present]
      identifiers:
          slug: test
      attrs:
@@ -27,23 +27,19 @@ entries:
                  [slug, default-source-authentication],
              ]
          enrollment_flow:
-              !Find [!Format  ["%%s", authentik_flows.Flow], [slug, default-source-enrollment]]
+              !Find [!Format  ["%s", authentik_flows.Flow], [slug, default-source-enrollment]]
    - attrs:
          expression: return True
      identifiers:
-          name: !Format [foo-%%s-%%s-%%s, !Context foo, !Context bar, qux]
+          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
      id: policy
      model: authentik_policies_expression.expressionpolicy
    - attrs:
          attributes:
              env_null: !Env [bar-baz, null]
              file_content: !File '%(file_name)s'
              file_default: !File ['%(file_default_name)s', 'default']
              file_non_existent: !File '/does-not-exist'
              json_parse: !ParseJSON '{"foo": "bar"}'
              policy_pk1:
                  !Format [
-                      "%%s-%%s",
+                      "%s-%s",
                      !Find [
                          authentik_policies_expression.expressionpolicy,
                          [
@@ -54,29 +50,29 @@ entries:
                      ],
                      suffix,
                  ]
-              policy_pk2: !Format ["%%s-%%s", !KeyOf policy, suffix]
+              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
              boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
              boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
              boolOr:
                  !Condition [
                      OR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolNor:
                  !Condition [
                      NOR,
                      !Context foo,
-                      !Format ["%%s", "a_string"],
+                      !Format ["%s", "a_string"],
                      null,
                  ]
              boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%%s", "a_string"], 1]
+                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
              boolComplex:
                  !Condition [
                      XNOR,
@@ -92,7 +88,7 @@ entries:
                              {
                                  with: { keys: "and_values" },
                                  and_nested_custom_tags:
-                                      !Format ["foo-%%s", !Context foo],
+                                      !Format ["foo-%s", !Context foo],
                              },
                      },
                      null,
@@ -101,7 +97,7 @@ entries:
                  !If [
                      !Condition [AND, false],
                      null,
-                      [list, with, items, !Format ["foo-%%s", !Context foo]],
+                      [list, with, items, !Format ["foo-%s", !Context foo]],
                  ]
              if_true_simple: !If [!Context foo, true, text]
              if_short: !If [!Context foo]
@@ -109,22 +105,22 @@ entries:
              enumerate_mapping_to_mapping: !Enumerate [
                  !Context mapping,
                  MAP,
-                  [!Format ["prefix-%%s", !Index 0], !Format ["other-prefix-%%s", !Value 0]]
+                  [!Format ["prefix-%s", !Index 0], !Format ["other-prefix-%s", !Value 0]]
              ]
              enumerate_mapping_to_sequence: !Enumerate [
                  !Context mapping,
                  SEQ,
-                  !Format ["prefixed-pair-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-pair-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_sequence: !Enumerate [
                  !Context sequence,
                  SEQ,
-                  !Format ["prefixed-items-%%s-%%s", !Index 0, !Value 0]
+                  !Format ["prefixed-items-%s-%s", !Index 0, !Value 0]
              ]
              enumerate_sequence_to_mapping: !Enumerate [
                  !Context sequence,
                  MAP,
-                  [!Format ["index: %%d", !Index 0], !Value 0]
+                  [!Format ["index: %d", !Index 0], !Value 0]
              ]
              nested_complex_enumeration: !Enumerate [
                  !Context sequence,
@@ -135,9 +131,9 @@ entries:
                          !Context mapping,
                          MAP,
                          [
-                              !Format ["%%s", !Index 0],
+                              !Format ["%s", !Index 0],
                              [
-                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%%s", !Value 0]],
+                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%s", !Value 0]],
                                  {
                                    outer_value: !Value 1,
                                    outer_index: !Index 1,
@@ -150,11 +146,6 @@ entries:
                  ]
              ]
              nested_context: !Context context2
              at_index_sequence: !AtIndex [!Context sequence, 0]
              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
              at_index_mapping: !AtIndex [!Context mapping, "key2"]
              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
              find_object: !AtIndex [!FindObject [authentik_providers_oauth2.scopemapping, [scope_name, openid]], managed]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@@ -1,14 +0,0 @@
 from django.test import TestCase
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import get_apps
 class TestManagedAppConfig(TestCase):
    def test_apps_use_managed_app_config(self):
        for app in get_apps():
            if app.name.startswith("authentik.enterprise"):
                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
            else:
                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
        continue
    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
--- a/authentik/blueprints/tests/test_serializer_models.py
+++ b/authentik/blueprints/tests/test_serializer_models.py
@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase
 from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
@@ -21,13 +22,10 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
        # Models that have subclasses don't have to have a serializer
        if len(test_model.__subclasses__()) > 0:
            return
        self.assertIsNotNone(model_class.serializer)
        if model_class.serializer.Meta().model == RefreshToken:
            return
-        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
+        self.assertEqual(model_class.serializer.Meta().model, test_model)
    return tester
@@ -36,6 +34,6 @@ for app in apps.get_app_configs():
    if not app.label.startswith("authentik"):
        continue
    for model in app.get_models():
-        if not issubclass(model, SerializerModel):
+        if not is_model_allowed(model):
            continue
        setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@@ -1,11 +1,9 @@
 """Test blueprints v1"""
-from os import chmod, environ, unlink, write
+from os import environ
 from tempfile import mkstemp
 from django.test import TransactionTestCase
 from authentik.blueprints.tests import apply_blueprint
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
@@ -128,119 +126,97 @@ class TestBlueprintsV1(TransactionTestCase):
        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
    @apply_blueprint("system/providers-oauth2.yaml")
    def test_import_yaml_tags(self):
        """Test some yaml tags"""
        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
        Group.objects.filter(name="test").delete()
        environ["foo"] = generate_id()
-        file, file_name = mkstemp()
+        importer = Importer.from_string(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        write(file, b"foo")
        _, file_default_name = mkstemp()
        chmod(file_default_name, 0o000)  # Remove all permissions so we can't read the file
        importer = Importer.from_string(
            load_fixture(
                "fixtures/tags.yaml",
                file_name=file_name,
                file_default_name=file_default_name,
            ),
            {"bar": "baz"},
        )
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
        self.assertTrue(policy)
-        group = Group.objects.filter(name="test").first()
+        self.assertTrue(
-        self.assertIsNotNone(group)
+            Group.objects.filter(
-        self.assertEqual(
+                attributes={
-            group.attributes,
+                    "policy_pk1": str(policy.pk) + "-suffix",
-            {
+                    "policy_pk2": str(policy.pk) + "-suffix",
-                "policy_pk1": str(policy.pk) + "-suffix",
+                    "boolAnd": True,
-                "policy_pk2": str(policy.pk) + "-suffix",
+                    "boolNand": False,
-                "boolAnd": True,
+                    "boolOr": True,
-                "boolNand": False,
+                    "boolNor": False,
-                "boolOr": True,
+                    "boolXor": True,
-                "boolNor": False,
+                    "boolXnor": False,
-                "boolXor": True,
+                    "boolComplex": True,
-                "boolXnor": False,
+                    "if_true_complex": {
-                "boolComplex": True,
+                        "dictionary": {
-                "if_true_complex": {
+                            "with": {"keys": "and_values"},
-                    "dictionary": {
+                            "and_nested_custom_tags": "foo-bar",
-                        "with": {"keys": "and_values"},
+                        }
                        "and_nested_custom_tags": "foo-bar",
                    }
                },
                "if_false_complex": ["list", "with", "items", "foo-bar"],
                "if_true_simple": True,
                "if_short": True,
                "if_false_simple": 2,
                "enumerate_mapping_to_mapping": {
                    "prefix-key1": "other-prefix-value",
                    "prefix-key2": "other-prefix-2",
                },
                "enumerate_mapping_to_sequence": [
                    "prefixed-pair-key1-value",
                    "prefixed-pair-key2-2",
                ],
                "enumerate_sequence_to_sequence": [
                    "prefixed-items-0-foo",
                    "prefixed-items-1-bar",
                ],
                "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
                "nested_complex_enumeration": {
                    "0": {
                        "key1": [
                            ["prefixed-f", "prefixed-o", "prefixed-o"],
                            {
                                "outer_value": "foo",
                                "outer_index": 0,
                                "middle_value": "value",
                                "middle_index": "key1",
                            },
                        ],
                        "key2": [
                            ["prefixed-f", "prefixed-o", "prefixed-o"],
                            {
                                "outer_value": "foo",
                                "outer_index": 0,
                                "middle_value": 2,
                                "middle_index": "key2",
                            },
                        ],
                    },
-                    "1": {
+                    "if_false_complex": ["list", "with", "items", "foo-bar"],
-                        "key1": [
+                    "if_true_simple": True,
-                            ["prefixed-b", "prefixed-a", "prefixed-r"],
+                    "if_short": True,
-                            {
+                    "if_false_simple": 2,
-                                "outer_value": "bar",
+                    "enumerate_mapping_to_mapping": {
-                                "outer_index": 1,
+                        "prefix-key1": "other-prefix-value",
-                                "middle_value": "value",
+                        "prefix-key2": "other-prefix-2",
                                "middle_index": "key1",
                            },
                        ],
                        "key2": [
                            ["prefixed-b", "prefixed-a", "prefixed-r"],
                            {
                                "outer_value": "bar",
                                "outer_index": 1,
                                "middle_value": 2,
                                "middle_index": "key2",
                            },
                        ],
                    },
-                },
+                    "enumerate_mapping_to_sequence": [
-                "nested_context": "context-nested-value",
+                        "prefixed-pair-key1-value",
-                "env_null": None,
+                        "prefixed-pair-key2-2",
-                "file_content": "foo",
+                    ],
-                "file_default": "default",
+                    "enumerate_sequence_to_sequence": [
-                "file_non_existent": None,
+                        "prefixed-items-0-foo",
-                "json_parse": {"foo": "bar"},
+                        "prefixed-items-1-bar",
-                "at_index_sequence": "foo",
+                    ],
-                "at_index_sequence_default": "non existent",
+                    "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
-                "at_index_mapping": 2,
+                    "nested_complex_enumeration": {
-                "at_index_mapping_default": "non existent",
+                        "0": {
-                "find_object": "goauthentik.io/providers/oauth2/scope-openid",
+                            "key1": [
-            },
+                                ["prefixed-f", "prefixed-o", "prefixed-o"],
                                {
                                    "outer_value": "foo",
                                    "outer_index": 0,
                                    "middle_value": "value",
                                    "middle_index": "key1",
                                },
                            ],
                            "key2": [
                                ["prefixed-f", "prefixed-o", "prefixed-o"],
                                {
                                    "outer_value": "foo",
                                    "outer_index": 0,
                                    "middle_value": 2,
                                    "middle_index": "key2",
                                },
                            ],
                        },
                        "1": {
                            "key1": [
                                ["prefixed-b", "prefixed-a", "prefixed-r"],
                                {
                                    "outer_value": "bar",
                                    "outer_index": 1,
                                    "middle_value": "value",
                                    "middle_index": "key1",
                                },
                            ],
                            "key2": [
                                ["prefixed-b", "prefixed-a", "prefixed-r"],
                                {
                                    "outer_value": "bar",
                                    "outer_index": 1,
                                    "middle_value": 2,
                                    "middle_index": "key2",
                                },
                            ],
                        },
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
                }
            ).exists()
        )
        self.assertTrue(
            OAuthSource.objects.filter(
@@ -248,8 +224,6 @@ class TestBlueprintsV1(TransactionTestCase):
                consumer_key=environ["foo"],
            )
        )
        unlink(file_name)
        unlink(file_default_name)
    def test_export_validate_import_policies(self):
        """Test export and validate it"""
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@@ -54,7 +54,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
            file.seek(0)
            file_hash = sha512(file.read().encode()).hexdigest()
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
            self.assertEqual(instance.last_applied_hash, file_hash)
            self.assertEqual(
@@ -82,7 +82,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
                blueprint.last_applied_hash,
@@ -107,7 +107,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery.send()
+            blueprints_discovery()
            blueprint.refresh_from_db()
            self.assertEqual(
                blueprint.last_applied_hash,
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@@ -6,7 +6,6 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
 from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@@ -18,19 +17,12 @@ from django.db.models import Model, Q
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 LOGGER = get_logger()
 class UNSET:
    """Used to test whether a key has not been set."""
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
    """Get object's attributes via their serializer, and convert it to a normal dict"""
@@ -168,7 +160,9 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))
-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
        self, blueprint: "Blueprint"
    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
@@ -195,25 +189,15 @@ class Blueprint:
    """Dataclass used for a full export"""
    version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
    context: dict = field(default_factory=dict)
    metadata: BlueprintMetadata | None = field(default=None)
    def iter_entries(self) -> Iterable[BlueprintEntry]:
        if isinstance(self.entries, dict):
            for _section, entries in self.entries.items():
                yield from entries
        else:
            yield from self.entries
 class YAMLTag:
    """Base class for all YAML Tags"""
    def __repr__(self) -> str:
        return str(self.resolve(BlueprintEntry(""), Blueprint()))
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        """Implement yaml tag logic"""
        raise NotImplementedError
@@ -237,7 +221,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
@@ -271,34 +255,6 @@ class Env(YAMLTag):
        return getenv(self.key) or self.default
 class File(YAMLTag):
    """Lookup file with optional default"""
    path: str
    default: Any | None
    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
        super().__init__()
        self.default = None
        if isinstance(node, ScalarNode):
            self.path = node.value
        if isinstance(node, SequenceNode):
            self.path = loader.construct_object(node.value[0])
            self.default = loader.construct_object(node.value[1])
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        try:
            with open(self.path, encoding="utf8") as _file:
                return _file.read().strip()
        except OSError as exc:
            LOGGER.warning(
                "Failed to read file. Falling back to default value",
                path=self.path,
                exc=exc,
            )
            return self.default
 class Context(YAMLTag):
    """Lookup key from instance context"""
@@ -323,22 +279,6 @@ class Context(YAMLTag):
        return value
 class ParseJSON(YAMLTag):
    """Parse JSON from context/env/etc value"""
    raw: str
    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
        super().__init__()
        self.raw = node.value
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        try:
            return loads(self.raw)
        except JSONDecodeError as exc:
            raise EntryInvalidError.from_entry(exc, entry) from exc
 class Format(YAMLTag):
    """Format a string"""
@@ -367,7 +307,7 @@ class Format(YAMLTag):
 class Find(YAMLTag):
-    """Find any object primary key"""
+    """Find any object"""
    model_name: str | YAMLTag
    conditions: list[list]
@@ -382,7 +322,7 @@ class Find(YAMLTag):
                values.append(loader.construct_object(node_values))
            self.conditions.append(values)
-    def _get_instance(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.model_name, YAMLTag):
            model_name = self.model_name.resolve(entry, blueprint)
        else:
@@ -404,29 +344,12 @@ class Find(YAMLTag):
            else:
                query_value = cond[1]
            query &= Q(**{query_key: query_value})
-        return model_class.objects.filter(query).first()
+        instance = model_class.objects.filter(query).first()
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        instance = self._get_instance(entry, blueprint)
        if instance:
            return instance.pk
        return None
 class FindObject(Find):
    """Find any object"""
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        instance = self._get_instance(entry, blueprint)
        if not instance:
            return None
        if not isinstance(instance, SerializerModel):
            raise EntryInvalidError.from_entry(
                f"Model {self.model_name} is not resolvable through FindObject", entry
            )
        return instance.serializer(instance=instance).data
 class Condition(YAMLTag):
    """Convert all values to a single boolean"""
@@ -633,53 +556,6 @@ class Value(EnumeratedItem):
            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 class AtIndex(YAMLTag):
    """Get value at index of a sequence or mapping"""
    obj: YAMLTag | dict | list | tuple
    attribute: int | str | YAMLTag
    default: Any | UNSET
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.obj = loader.construct_object(node.value[0])
        self.attribute = loader.construct_object(node.value[1])
        if len(node.value) == 2:  # noqa: PLR2004
            self.default = UNSET
        else:
            self.default = loader.construct_object(node.value[2])
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.obj, YAMLTag):
            obj = self.obj.resolve(entry, blueprint)
        else:
            obj = self.obj
        if isinstance(self.attribute, YAMLTag):
            attribute = self.attribute.resolve(entry, blueprint)
        else:
            attribute = self.attribute
        if isinstance(obj, list | tuple):
            try:
                return obj[attribute]
            except TypeError as exc:
                raise EntryInvalidError.from_entry(
                    f"Invalid index for list: {attribute}", entry
                ) from exc
            except IndexError as exc:
                if self.default is UNSET:
                    raise EntryInvalidError.from_entry(
                        f"Index out of range: {attribute}", entry
                    ) from exc
                return self.default
        if attribute in obj:
            return obj[attribute]
        else:
            if self.default is UNSET:
                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
            return self.default
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""
@@ -722,18 +598,14 @@ class BlueprintLoader(SafeLoader):
        super().__init__(*args, **kwargs)
        self.add_constructor("!KeyOf", KeyOf)
        self.add_constructor("!Find", Find)
        self.add_constructor("!FindObject", FindObject)
        self.add_constructor("!Context", Context)
        self.add_constructor("!Format", Format)
        self.add_constructor("!Condition", Condition)
        self.add_constructor("!If", If)
        self.add_constructor("!Env", Env)
        self.add_constructor("!File", File)
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
        self.add_constructor("!AtIndex", AtIndex)
        self.add_constructor("!ParseJSON", ParseJSON)
 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -36,7 +36,6 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
    Session,
    Source,
    User,
    UserSourceConnection,
@@ -51,12 +50,13 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderGroup,
    MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.ssf.models import StreamEvent
+from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
    EndpointDeviceConnection,
 )
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
@@ -65,18 +65,11 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
    AccessToken,
    AuthorizationCode,
    DeviceToken,
    RefreshToken,
 )
 from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tasks.models import Task
 from authentik.tenants.models import Tenant
 # Context set when the serializer is created in a blueprint context
@@ -109,7 +102,6 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
@@ -118,7 +110,7 @@ def excluded_models() -> list[type[Model]]:
        SCIMProviderGroup,
        SCIMProviderUser,
        Tenant,
-        Task,
+        SystemTask,
        ConnectionToken,
        AuthorizationCode,
        AccessToken,
@@ -133,8 +125,6 @@ def excluded_models() -> list[type[Model]]:
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
        DeviceToken,
        StreamEvent,
    )
@@ -384,7 +374,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/blueprints/v1/meta/apply_blueprint.py
+++ b/authentik/blueprints/v1/meta/apply_blueprint.py
@@ -44,7 +44,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
            return MetaResult()
        LOGGER.debug("Applying blueprint from meta model", blueprint=self.blueprint_instance)
-        apply_blueprint(self.blueprint_instance.pk)
+        apply_blueprint(str(self.blueprint_instance.pk))
        return MetaResult()
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models
    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@@ -4,17 +4,12 @@ from dataclasses import asdict, dataclass, field
 from hashlib import sha512
 from pathlib import Path
 from sys import platform
 from uuid import UUID
 from dacite.core import from_dict
 from django.conf import settings
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_dramatiq_postgres.middleware import CurrentTask, CurrentTaskNotFound
 from dramatiq.actor import actor
 from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
 from watchdog.events import (
    FileCreatedEvent,
@@ -36,14 +31,15 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
 from authentik.lib.config import CONFIG
-from authentik.tasks.apps import PRIORITY_HIGH
+from authentik.root.celery import CELERY_APP
 from authentik.tasks.models import Task
 from authentik.tasks.schedules.models import Schedule
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
 _file_watcher_started = False
@dataclass
@@ -57,21 +53,22 @@ class BlueprintFile:
    meta: BlueprintMetadata | None = field(default=None)
-class BlueprintWatcherMiddleware(Middleware):
+def start_blueprint_watcher():
-    def start_blueprint_watcher(self):
+    """Start blueprint watcher, if it's not running already."""
-        """Start blueprint watcher"""
+    # This function might be called twice since it's called on celery startup
        observer = Observer()
        kwargs = {}
        if platform.startswith("linux"):
            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
        observer.schedule(
            BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
        )
        observer.start()
-    def after_worker_boot(self, broker, worker):
+    global _file_watcher_started  # noqa: PLW0603
-        if not settings.TEST:
+    if _file_watcher_started:
-            self.start_blueprint_watcher()
+        return
    observer = Observer()
    kwargs = {}
    if platform.startswith("linux"):
        kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
    observer.schedule(
        BlueprintEventHandler(), CONFIG.get("blueprints_dir"), recursive=True, **kwargs
    )
    observer.start()
    _file_watcher_started = True
 class BlueprintEventHandler(FileSystemEventHandler):
@@ -95,7 +92,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
        LOGGER.debug("new blueprint file created, starting discovery")
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
-                Schedule.dispatch_by_actor(blueprints_discovery)
+                blueprints_discovery.delay()
    def on_modified(self, event: FileSystemEvent):
        """Process file modification"""
@@ -106,15 +103,14 @@ class BlueprintEventHandler(FileSystemEventHandler):
            with tenant:
                for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                    LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                    apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+                    apply_blueprint.delay(instance.pk.hex)
-@actor(
+@CELERY_APP.task(
    description=_("Find blueprints as `blueprints_find` does, but return a safe dict."),
    throws=(DatabaseError, ProgrammingError, InternalError),
    priority=PRIORITY_HIGH,
 )
 def blueprints_find_dict():
    """Find blueprints as `blueprints_find` does, but return a safe dict"""
    blueprints = []
    for blueprint in blueprints_find():
        blueprints.append(sanitize_dict(asdict(blueprint)))
@@ -150,19 +146,21 @@ def blueprints_find() -> list[BlueprintFile]:
    return blueprints
-@actor(
+@CELERY_APP.task(
-    description=_("Find blueprints and check if they need to be created in the database."),
+    throws=(DatabaseError, ProgrammingError, InternalError), base=SystemTask, bind=True
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
-def blueprints_discovery(path: str | None = None):
+@prefill_task
-    self: Task = CurrentTask.get_task()
+def blueprints_discovery(self: SystemTask, path: str | None = None):
    """Find blueprints and check if they need to be created in the database"""
    count = 0
    for blueprint in blueprints_find():
        if path and blueprint.path != path:
            continue
        check_blueprint_v1_file(blueprint)
        count += 1
-    self.info(f"Successfully imported {count} files.")
+    self.set_status(
        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
    )
 def check_blueprint_v1_file(blueprint: BlueprintFile):
@@ -189,26 +187,22 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
        )
    if instance.last_applied_hash != blueprint.hash:
        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
-        apply_blueprint.send_with_options(args=(instance.pk,), rel_obj=instance)
+        apply_blueprint.delay(str(instance.pk))
-@actor(description=_("Apply single blueprint."))
+@CELERY_APP.task(
-def apply_blueprint(instance_pk: UUID):
+    bind=True,
-    try:
+    base=SystemTask,
-        self: Task = CurrentTask.get_task()
+)
-    except CurrentTaskNotFound:
+def apply_blueprint(self: SystemTask, instance_pk: str):
-        self = Task()
+    """Apply single blueprint"""
-    self.set_uid(str(instance_pk))
+    self.save_on_success = False
    instance: BlueprintInstance | None = None
    try:
        instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
-        if not instance:
+        if not instance or not instance.enabled:
            self.warning(f"Could not find blueprint {instance_pk}, skipping")
            return
        self.set_uid(slugify(instance.name))
        if not instance.enabled:
            self.info(f"Blueprint {instance.name} is disabled, skipping")
            return
        blueprint_content = instance.retrieve()
        file_hash = sha512(blueprint_content.encode()).hexdigest()
        importer = Importer.from_string(blueprint_content, instance.context)
@@ -218,18 +212,19 @@ def apply_blueprint(instance_pk: UUID):
        if not valid:
            instance.status = BlueprintInstanceStatus.ERROR
            instance.save()
-            self.logs(logs)
+            self.set_status(TaskStatus.ERROR, *logs)
            return
        with capture_logs() as logs:
            applied = importer.apply()
            if not applied:
                instance.status = BlueprintInstanceStatus.ERROR
                instance.save()
-                self.logs(logs)
+                self.set_status(TaskStatus.ERROR, *logs)
                return
        instance.status = BlueprintInstanceStatus.SUCCESSFUL
        instance.last_applied_hash = file_hash
        instance.last_applied = now()
        self.set_status(TaskStatus.SUCCESSFUL)
    except (
        OSError,
        DatabaseError,
@@ -240,14 +235,15 @@ def apply_blueprint(instance_pk: UUID):
    ) as exc:
        if instance:
            instance.status = BlueprintInstanceStatus.ERROR
-        self.error(exc)
+        self.set_error(exc)
    finally:
        if instance:
            instance.save()
-@actor(description=_("Remove blueprints which couldn't be fetched."))
+@CELERY_APP.task()
 def clear_failed_blueprints():
    """Remove blueprints which couldn't be fetched"""
    # Exclude OCI blueprints as those might be temporarily unavailable
    for blueprint in BlueprintInstance.objects.exclude(path__startswith=OCI_PREFIX):
        try:
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -3,10 +3,10 @@
 from typing import Any
 from django.db import models
-from drf_spectacular.utils import extend_schema, extend_schema_field
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.fields import CharField, ChoiceField, ListField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
@@ -14,12 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.api.settings import FlagJSONField
 from authentik.tenants.flags import Flag
 from authentik.tenants.utils import get_current_tenant
@@ -51,8 +49,6 @@ class BrandSerializer(ModelSerializer):
            "branding_title",
            "branding_logo",
            "branding_favicon",
            "branding_custom_css",
            "branding_default_flow_background",
            "flow_authentication",
            "flow_invalidation",
            "flow_recovery",
@@ -61,7 +57,6 @@ class BrandSerializer(ModelSerializer):
            "flow_device_code",
            "default_application",
            "web_certificate",
            "client_certificates",
            "attributes",
        ]
        extra_kwargs = {
@@ -89,9 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
    matched_domain = CharField(source="domain")
    branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
+    branding_logo = CharField()
-    branding_favicon = CharField(source="branding_favicon_url")
+    branding_favicon = CharField()
    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
@@ -112,16 +106,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    flow_device_code = CharField(source="flow_device_code.slug", required=False)
    default_locale = CharField(read_only=True)
    flags = SerializerMethodField()
    @extend_schema_field(field=FlagJSONField)
    def get_flags(self, _):
        values = {}
        for flag in Flag.available():
            _flag = flag()
            if _flag.visibility == "public":
                values[_flag.key] = _flag.get()
        return values
 class BrandViewSet(UsedByMixin, ModelViewSet):
@@ -133,7 +117,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "domain",
        "branding_title",
        "web_certificate__name",
        "client_certificates__name",
    ]
    filterset_fields = [
        "brand_uuid",
@@ -142,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "branding_title",
        "branding_logo",
        "branding_favicon",
        "branding_default_flow_background",
        "flow_authentication",
        "flow_invalidation",
        "flow_recovery",
@@ -150,7 +132,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_user_settings",
        "flow_device_code",
        "web_certificate",
        "client_certificates",
    ]
    ordering = ["domain"]
--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@@ -1,16 +1,14 @@
 """authentik brands app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
    """authentik Brand app"""
    name = "authentik.brands"
    label = "authentik_brands"
    verbose_name = "authentik Brands"
    default = True
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
    default = True
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ken Sternberg	1a340eb437	web/flow/table-driven-executor # What - Replaces the massive switch/case block for stages with a lookup table. # Why - Because it was a massive switch/case block calling 22 different functions with the exact same signatures, and that created both a ton of duplication in the code as well as introduced last-line risks.	2024-11-21 14:25:02 -08:00
Ken Sternberg	8982798c95	Merge branch 'main' into web/flow/table-driven-executor * main: (23 commits) website/docs: update info about footer links to match new UI (#12120) website/docs: prepare release notes (#12142) providers/oauth2: fix migration (#12138) providers/oauth2: fix migration dependencies (#12123) web: bump API Client version (#12129) providers/oauth2: fix redirect uri input (#12122) providers/proxy: fix redirect_uri (#12121) website/docs: prepare release notes (#12119) web: bump API Client version (#12118) security: fix CVE 2024 52289 (#12113) security: fix CVE 2024 52307 (#12115) security: fix CVE 2024 52287 (#12114) website/docs: add CSP to hardening (#11970) core: bump uvicorn from 0.32.0 to 0.32.1 (#12103) core: bump google-api-python-client from 2.153.0 to 2.154.0 (#12104) core: bump pydantic from 2.9.2 to 2.10.0 (#12105) translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#12110) internal: add CSP header to files in `/media` (#12092) core, web: update translations (#12101) web: fix bug that prevented error reporting in current wizard. (#12033) ...	2024-11-21 13:57:01 -08:00
Ken Sternberg	c3b33fdb07	web/legible/disambiguate-footer-links # What - Replaces the "brand links" box at the bottom of FlowExecutor with a component for showing brand links. # Why - Confusion arose about what "footer links" mean in any given context, and breaking this out, labeling it "brand-links," reduces that confusion. It also isolates and reduces the testable surface area of the Executor.	2024-11-21 09:59:52 -08:00
Ken Sternberg	9809b94030	Merge branch 'main' into dev * main: (28 commits) providers/scim: accept string and int for SCIM IDs (#12093) website: bump the docusaurus group in /website with 9 updates (#12086) core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080) translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#12079) scripts: remove read_replicas from generated dev config (#12078) core: bump geoip2 from 4.8.0 to 4.8.1 (#12071) core: bump goauthentik.io/api/v3 from 3.2024100.2 to 3.2024102.2 (#12072) core: bump maxmind/geoipupdate from v7.0.1 to v7.1.0 (#12073) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12074) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12075) translate: Updates for file web/xliff/en.xlf in zh-Hans (#12076) translate: Updates for file web/xliff/en.xlf in zh_CN (#12077) web/admin: auto-prefill user path for new users based on selected path (#12070) core: bump aiohttp from 3.10.2 to 3.10.11 (#12069) web/admin: fix brand title not respected in application list (#12068) core: bump pyjwt from 2.9.0 to 2.10.0 (#12063) web: add italian locale (#11958) web/admin: better footer links (#12004) core, web: update translations (#12052) core: bump twilio from 9.3.6 to 9.3.7 (#12061) ...	2024-11-20 10:23:54 -08:00
Ken Sternberg	e7527c551b	Merge branch 'main' into dev * main: translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12045) translate: Updates for file web/xliff/en.xlf in zh_CN (#12047) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12044) translate: Updates for file web/xliff/en.xlf in zh-Hans (#12046) web/flows: fix invisible captcha call (#12048) rbac: fix incorrect object_description for object-level permissions (#12029) stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#12036) core: bump coverage from 7.6.4 to 7.6.5 (#12037) ci: bump codecov/codecov-action from 4 to 5 (#12038) release: 2024.10.2 (#12031)	2024-11-15 12:47:17 -08:00
Ken Sternberg	36b10b434a	:wqge branch 'main' into dev * main: providers/ldap: fix global search_full_directory permission not being sufficient (#12028) website/docs: 2024.10.2 release notes (#12025) lifecycle: fix ak exit status not being passed (#12024) core: use versioned_script for path only (#12003) core, web: update translations (#12020) core: bump google-api-python-client from 2.152.0 to 2.153.0 (#12021) providers/oauth2: fix manual device code entry (#12017) crypto: validate that generated certificate's name is unique (#12015) core, web: update translations (#12006) core: bump google-api-python-client from 2.151.0 to 2.152.0 (#12007) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12011) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12010) translate: Updates for file web/xliff/en.xlf in zh-Hans (#12012) translate: Updates for file web/xliff/en.xlf in zh_CN (#12013) providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968) website/docs: move S3 ad GeoIP to System Management/Operations (#11998) website/integrations: nextcloud: add SSE warning (#11976)	2024-11-14 11:29:13 -08:00
Ken Sternberg	831797b871	Merge branch 'main' into dev * main: (21 commits) web: bump API Client version (#11997) sources/kerberos: use new python-kadmin implementation (#11932) core: add ability to provide reason for impersonation (#11951) website/integrations: update vcenter integration docs (#11768) core, web: update translations (#11995) website: bump postcss from 8.4.48 to 8.4.49 in /website (#11996) web: bump API Client version (#11992) blueprints: add default Password policy (#11793) stages/captcha: Run interactive captcha in Frame (#11857) core, web: update translations (#11979) core: bump packaging from 24.1 to 24.2 (#11985) core: bump ruff from 0.7.2 to 0.7.3 (#11986) core: bump msgraph-sdk from 1.11.0 to 1.12.0 (#11987) website: bump the docusaurus group in /website with 9 updates (#11988) website: bump postcss from 8.4.47 to 8.4.48 in /website (#11989) stages/password: use recovery flow from brand (#11953) core: bump golang.org/x/sync from 0.8.0 to 0.9.0 (#11962) web: bump cookie, swagger-client and express in /web (#11966) core, web: update translations (#11959) core: bump debugpy from 1.8.7 to 1.8.8 (#11961) ...	2024-11-12 10:08:48 -08:00
Ken Sternberg	5cc2c0f45f	Merge branch 'main' into dev * main: ci: fix dockerfile warning (#11956)	2024-11-07 12:58:15 -08:00
Ken Sternberg	32442766f4	Merge branch 'main' into dev * main: website/docs: fix slug matching redirect URI causing broken refresh (#11950) website/integrations: jellyfin: update plugin catalog location (#11948) translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11942) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11946) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11947) website/docs: clarify traefik ingress setup (#11938) core: bump importlib-metadata from 8.4.0 to 8.5.0 (#11934) web: bump API Client version (#11930) root: backport version bump `2024.10.1` (#11929) website/docs: `2024.10.1` Release Notes (#11926) website: bump path-to-regexp from 1.8.0 to 1.9.0 in /website (#11924) core: bump sentry-sdk from 2.17.0 to 2.18.0 (#11918) website: bump the docusaurus group in /website with 9 updates (#11917) core: bump goauthentik.io/api/v3 from 3.2024100.1 to 3.2024100.2 (#11915) core, web: update translations (#11914)	2024-11-07 08:08:46 -08:00
Ken Sternberg	75790909a8	Merge branch 'main' into dev * main: web: bump API Client version (#11909) enterprise/rac: fix API Schema for invalidation_flow (#11907)	2024-11-04 13:20:15 -08:00
Ken Sternberg	e0d5df89ca	Merge branch 'main' into dev * main: core: add `None` check to a device's `extra_description` (#11904) providers/oauth2: fix size limited index for tokens (#11879) web: fix missing status code on failed build (#11903) website: bump docusaurus-theme-openapi-docs from 4.1.0 to 4.2.0 in /website (#11897) translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11891) stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#11884) translate: Updates for file web/xliff/en.xlf in tr (#11878) translate: Updates for file locale/en/LC_MESSAGES/django.po in tr (#11866) core: bump google-api-python-client from 2.149.0 to 2.151.0 (#11885) core: bump selenium from 4.26.0 to 4.26.1 (#11886) core, web: update translations (#11896) website: bump docusaurus-plugin-openapi-docs from 4.1.0 to 4.2.0 in /website (#11898) core: bump watchdog from 5.0.3 to 6.0.0 (#11899) core: bump ruff from 0.7.1 to 0.7.2 (#11900) core: bump django-pglock from 1.6.2 to 1.7.0 (#11901) website/docs: fix release notes to say Federation (#11889)	2024-11-04 10:25:52 -08:00
Ken Sternberg	f25a9c624e	Merge branch 'main' into dev * main: website: bump elliptic from 6.5.7 to 6.6.0 in /website (#11869) core: bump selenium from 4.25.0 to 4.26.0 (#11875) core: bump goauthentik.io/api/v3 from 3.2024083.14 to 3.2024100.1 (#11876) website/docs: add info about invalidation flow, default flows in general (#11800) website: fix docs redirect (#11873) website: remove RC disclaimer for version 2024.10 (#11871) website: update supported versions (#11841) web: bump API Client version (#11870) root: backport version bump 2024.10.0 (#11868) website/docs: 2024.8.4 release notes (#11862) web/admin: provide default invalidation flows for LDAP and Radius (#11861)	2024-11-04 10:25:45 -08:00
Ken Sternberg	914993a788	Merge branch 'main' into dev * main: (43 commits) core, web: update translations (#11858) web/admin: fix code-based MFA toggle not working in wizard (#11854) sources/kerberos: add kiprop to ignored system principals (#11852) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11846) translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#11845) translate: Updates for file web/xliff/en.xlf in zh_CN (#11847) translate: Updates for file web/xliff/en.xlf in zh-Hans (#11848) translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11849) translate: Updates for file web/xliff/en.xlf in it (#11850) website: 2024.10 Release Notes (#11839) translate: Updates for file web/xliff/en.xlf in zh-Hans (#11814) core, web: update translations (#11821) core: bump goauthentik.io/api/v3 from 3.2024083.13 to 3.2024083.14 (#11830) core: bump service-identity from 24.1.0 to 24.2.0 (#11831) core: bump twilio from 9.3.5 to 9.3.6 (#11832) core: bump pytest-randomly from 3.15.0 to 3.16.0 (#11833) website/docs: Update social-logins github (#11822) website/docs: remove � (#11823) lifecycle: fix kdc5-config missing (#11826) website/docs: update preview status of different features (#11817) ...	2024-10-30 10:04:59 -07:00
Ken Sternberg	89dad07a66	web: Add InvalidationFlow to Radius Provider dialogues ## What - Bugfix: adds the InvalidationFlow to the Radius Provider dialogues - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was not propagated to the Notification. - Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/` ## Note Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the Property Mappings to the wizard, and yes, I know I'm going to have pain with the new version of the wizard. But this is a serious bug; you can't make Radius servers with either of the current dialogues at the moment.	2024-10-23 14:17:30 -07:00
		`@@ -0,0 +1,2 @@`
							`enabled: true`
							`preservePullRequestTitle: true`
		`@@ -1,4 +0,0 @@`
			`# Contributing to authentik`

			`Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.`
		`@@ -1,2 +0,0 @@`
			`# Import all v1 tasks for auto task discovery`
			`from authentik.blueprints.v1.tasks import * # noqa: F403`