Merge branch 'main' into dev

* main:
  website/docs: add links and tweaks to existing docs on flow executors (#10340)
  sources/saml: fix pickle error, add saml auth tests (#10348)
  web: bump API Client version (#10351)
  core: applications api: add option to only list apps with launch url (#10336)
  website/integrations: minio: configure openid on web (#9874)
  website/docs: integrations: gitea: specify callback url (#10180)
  providers/saml: fix metadata import error handling (#10349)
  core, web: update translations (#10341)
  core: bump twilio from 9.2.2 to 9.2.3 (#10343)
  core: bump google-api-python-client from 2.135.0 to 2.136.0 (#10344)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#10339)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#10338)
  web: bump the storybook group in /web with 7 updates (#10263)
  web: lintpicking (#10212)

authentik/core/api/applications.py

@@ -147,6 +147,13 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
+    def _filter_applications_with_launch_url(self, pagined_apps: Iterator[Application]) -> list[Application]:
+        applications = []
+        for app in pagined_apps:
+            if app.get_launch_url():
+                applications.append(app)
+        return applications
+
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -204,6 +211,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
+            OpenApiParameter(
+                name="only_with_launch_url",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -216,6 +228,8 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
+        only_with_launch_url = str(request.query_params.get("only_with_launch_url", "false")).lower()
+
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -251,6 +265,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
+
+        if only_with_launch_url == "true":
+            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/models.py

@@ -1,6 +1,7 @@
 """authentik core models"""
 
 from datetime import datetime
+from functools import lru_cache
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@@ -475,6 +476,10 @@ class Application(SerializerModel, PolicyBindingModel):
             return self.meta_icon.name
         return self.meta_icon.url
 
+    # maxsize is set as 2 since that is called once to check
+    # if we should return applications with a launch URL
+    # and a second time to actually get the launch_url
+    @lru_cache(maxsize=2)
     def get_launch_url(self, user: Optional["User"] = None) -> str | None:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         url = None

authentik/providers/saml/api/providers.py

@@ -268,7 +268,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
         except ValueError as exc:  # pragma: no cover
             LOGGER.warning(str(exc))
             raise ValidationError(
-                _("Failed to import Metadata: {messages}".format_map({"message": str(exc)})),
+                _("Failed to import Metadata: {messages}".format_map({"messages": str(exc)})),
             ) from None
         return Response(status=204)
 

authentik/sources/saml/processors/response.py

@@ -10,6 +10,7 @@ from django.core.cache import cache
 from django.core.exceptions import SuspiciousOperation
 from django.http import HttpRequest
 from django.utils.timezone import now
+from lxml import etree  # nosec
 from structlog.stdlib import get_logger
 
 from authentik.core.models import (
@@ -240,7 +241,7 @@ class ResponseProcessor:
             name_id.text,
             delete_none_values(self.get_attributes()),
         )
-        flow_manager.policy_context["saml_response"] = self._root
+        flow_manager.policy_context["saml_response"] = etree.tostring(self._root)
         return flow_manager
 
 

authentik/stages/user_write/stage.py

@@ -6,6 +6,7 @@ from django.contrib.auth import update_session_auth_hash
 from django.db import transaction
 from django.db.utils import IntegrityError, InternalError
 from django.http import HttpRequest, HttpResponse
+from django.utils.functional import SimpleLazyObject
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
 
@@ -118,6 +119,14 @@ class UserWriteStageView(StageView):
                 UserWriteStageView.write_attribute(user, key, value)
             # User has this key already
             elif hasattr(user, key):
+                if isinstance(user, SimpleLazyObject):
+                    user._setup()
+                    user = user._wrapped
+                attr = getattr(type(user), key)
+                if isinstance(attr, property):
+                    if not attr.fset:
+                        self.logger.info("discarding key", key=key)
+                        continue
                 setattr(user, key, value)
             # If none of the cases above matched, we have an attribute that the user doesn't have,
             # has no setter for, is not a nested attributes value and as such is invalid

poetry.lock

@@ -1707,13 +1707,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]
 
 [[package]]
 name = "google-api-python-client"
-version = "2.135.0"
+version = "2.136.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google-api-python-client-2.135.0.tar.gz", hash = "sha256:b552a28123ed95493035698db80e8ed78c9106a8b422e63a175150b9b55b704e"},
-    {file = "google_api_python_client-2.135.0-py2.py3-none-any.whl", hash = "sha256:91742fa4c779d48456c0256ef346fa1cc185ba427176d3277e35141fa3268026"},
+    {file = "google-api-python-client-2.136.0.tar.gz", hash = "sha256:161c722c8864e7ed39393e2b7eea76ef4e1c933a6a59f9d7c70409b6635f225d"},
+    {file = "google_api_python_client-2.136.0-py2.py3-none-any.whl", hash = "sha256:5a554c8b5edf0a609b905d89d7ced82e8f6ac31da1e4d8d5684ef63dbc0e49f5"},
 ]
 
 [package.dependencies]
@@ -4532,13 +4532,13 @@ wsproto = ">=0.14"
 
 [[package]]
 name = "twilio"
-version = "9.2.2"
+version = "9.2.3"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.2.2-py2.py3-none-any.whl", hash = "sha256:3c758cc9383ab3b8d740628e6811301dca450c6e10e128e13687b8605c34024f"},
-    {file = "twilio-9.2.2.tar.gz", hash = "sha256:0849fa11b1a8d3a2c3a783c2fe230d7dd9457a086eddc9d9979fba8bb4702b80"},
+    {file = "twilio-9.2.3-py2.py3-none-any.whl", hash = "sha256:76bfc39aa8d854510907cb7f9465814dfdea9e91ec199bb44f0785f05746f4cc"},
+    {file = "twilio-9.2.3.tar.gz", hash = "sha256:da2255b5f3753cb3bf647fc6c50edbdb367ebc3cde6802806f6f863058a65f75"},
 ]
 
 [package.dependencies]

schema.yml

@@ -2682,6 +2682,10 @@ paths:
         name: name
         schema:
           type: string
+      - in: query
+        name: only_with_launch_url
+        schema:
+          type: boolean
       - name: ordering
         required: false
         in: query

tests/e2e/test-saml-idp/saml20-sp-remote.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
+    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+);
+
+if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('NameIDFormat' => getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')));
+}
+
+if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('simplesaml.nameidattribute' => getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')));
+}
+
+if (null != getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('saml20.sign.assertion' => ('true' == getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION'))));
+}

tests/e2e/test_source_saml.py

@@ -1,5 +1,6 @@
 """test SAML Source"""
 
+from pathlib import Path
 from time import sleep
 from typing import Any
 
@@ -88,8 +89,20 @@ class TestSourceSAML(SeleniumTestCase):
                 interval=5 * 1_000 * 1_000_000,
                 start_period=1 * 1_000 * 1_000_000,
             ),
+            "volumes": {
+                str(
+                    (Path(__file__).parent / Path("test-saml-idp/saml20-sp-remote.php")).absolute()
+                ): {
+                    "bind": "/var/www/simplesamlphp/metadata/saml20-sp-remote.php",
+                    "mode": "ro",
+                }
+            },
             "environment": {
                 "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",
+                "SIMPLESAMLPHP_SP_NAME_ID_FORMAT": (
+                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+                ),
+                "SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE": "email",
                 "SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE": (
                     self.url("authentik_sources_saml:acs", source_slug=self.slug)
                 ),
@@ -318,3 +331,109 @@ class TestSourceSAML(SeleniumTestCase):
             .exclude(pk=self.user.pk)
             .first()
         )
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint(
+        "default/flow-default-source-authentication.yaml",
+        "default/flow-default-source-enrollment.yaml",
+        "default/flow-default-source-pre-authentication.yaml",
+    )
+    def test_idp_post_auto_enroll_auth(self):
+        """test SAML Source With post binding (auto redirect)"""
+        # Bootstrap all needed objects
+        authentication_flow = Flow.objects.get(slug="default-source-authentication")
+        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
+        pre_authentication_flow = Flow.objects.get(slug="default-source-pre-authentication")
+        keypair = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=IDP_CERT,
+            key_data=IDP_KEY,
+        )
+
+        source = SAMLSource.objects.create(
+            name=generate_id(),
+            slug=self.slug,
+            authentication_flow=authentication_flow,
+            enrollment_flow=enrollment_flow,
+            pre_authentication_flow=pre_authentication_flow,
+            issuer="entity-id",
+            sso_url=f"http://{self.host}:8080/simplesaml/saml2/idp/SSOService.php",
+            binding_type=SAMLBindingTypes.POST_AUTO,
+            signing_kp=keypair,
+        )
+        ident_stage = IdentificationStage.objects.first()
+        ident_stage.sources.set([source])
+        ident_stage.save()
+
+        self.driver.get(self.live_server_url)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located(
+                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
+            )
+        )
+        identification_stage.find_element(
+            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
+        ).click()
+
+        # Now we should be at the IDP, wait for the username field
+        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
+        self.driver.find_element(By.ID, "username").send_keys("user1")
+        self.driver.find_element(By.ID, "password").send_keys("user1pass")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait_for_url(self.if_user_url("/library"))
+        self.driver.get(self.if_user_url("/settings"))
+
+        self.assert_user(
+            User.objects.exclude(username="akadmin")
+            .exclude(username__startswith="ak-outpost")
+            .exclude_anonymous()
+            .exclude(pk=self.user.pk)
+            .first()
+        )
+
+        # Clear all cookies and log in again
+        self.driver.delete_all_cookies()
+        self.driver.get(self.live_server_url)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located(
+                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
+            )
+        )
+        identification_stage.find_element(
+            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
+        ).click()
+
+        # Now we should be at the IDP, wait for the username field
+        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
+        self.driver.find_element(By.ID, "username").send_keys("user1")
+        self.driver.find_element(By.ID, "password").send_keys("user1pass")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait_for_url(self.if_user_url("/library"))
+        self.driver.get(self.if_user_url("/settings"))
+
+        # sleep(999999)
+        self.assert_user(
+            User.objects.exclude(username="akadmin")
+            .exclude(username__startswith="ak-outpost")
+            .exclude_anonymous()
+            .exclude(pk=self.user.pk)
+            .first()
+        )

web/package.json

@@ -43,7 +43,7 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.5.2",
-        "@goauthentik/api": "^2024.6.0-1719577139",
+        "@goauthentik/api": "^2024.6.0-1720022184",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.1",
         "@lit/reactive-element": "^2.0.4",
@@ -86,13 +86,13 @@
         "@lit/localize-tools": "^0.7.2",
         "@rollup/plugin-replace": "^5.0.7",
         "@spotlightjs/spotlight": "^2.0.0",
-        "@storybook/addon-essentials": "^8.1.10",
-        "@storybook/addon-links": "^8.1.10",
+        "@storybook/addon-essentials": "^8.1.11",
+        "@storybook/addon-links": "^8.1.11",
         "@storybook/api": "^7.6.17",
         "@storybook/blocks": "^8.0.8",
-        "@storybook/manager-api": "^8.1.10",
-        "@storybook/web-components": "^8.1.10",
-        "@storybook/web-components-vite": "^8.1.10",
+        "@storybook/manager-api": "^8.1.11",
+        "@storybook/web-components": "^8.1.11",
+        "@storybook/web-components-vite": "^8.1.11",
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
         "@types/chart.js": "^2.9.41",
         "@types/codemirror": "5.60.15",
@@ -127,7 +127,7 @@
         "react-dom": "^18.3.1",
         "rollup-plugin-modify": "^3.0.0",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^8.1.10",
+        "storybook": "^8.1.11",
         "storybook-addon-mock": "^5.0.0",
         "ts-lit-plugin": "^2.0.2",
         "ts-node": "^10.9.2",

web/src/admin/applications/ApplicationViewPage.ts

@@ -2,6 +2,7 @@ import "@goauthentik/admin/applications/ApplicationAuthorizeChart";
 import "@goauthentik/admin/applications/ApplicationCheckAccessForm";
 import "@goauthentik/admin/applications/ApplicationForm";
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PFSize } from "@goauthentik/common/enums.js";
 import "@goauthentik/components/ak-app-icon";
@@ -11,7 +12,6 @@ import "@goauthentik/elements/EmptyState";
 import "@goauthentik/elements/PageHeader";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/blueprints/BlueprintListPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/blueprints/BlueprintForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { getRelativeTime } from "@goauthentik/common/utils";
@@ -7,7 +8,6 @@ import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/brands/BrandListPage.ts

@@ -1,11 +1,11 @@
 import "@goauthentik/admin/brands/BrandForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-status-label";
 import "@goauthentik/components/ak-status-label";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/crypto/CertificateKeyPairListPage.ts

@@ -1,12 +1,12 @@
 import "@goauthentik/admin/crypto/CertificateGenerateForm";
 import "@goauthentik/admin/crypto/CertificateKeyPairForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-status-label";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/enterprise/EnterpriseLicenseListPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/enterprise/EnterpriseLicenseForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { getRelativeTime } from "@goauthentik/common/utils";
 import { PFColor } from "@goauthentik/elements/Label";
@@ -7,7 +8,6 @@ import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/cards/AggregateCard";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/events/RuleListPage.ts

@@ -1,12 +1,11 @@
 import "@goauthentik/admin/events/RuleForm";
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { severityToLabel } from "@goauthentik/common/labels";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/events/TransportListPage.ts

@@ -1,11 +1,10 @@
 import "@goauthentik/admin/events/TransportForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/flows/FlowViewPage.ts

@@ -3,13 +3,13 @@ import "@goauthentik/admin/flows/FlowDiagram";
 import "@goauthentik/admin/flows/FlowForm";
 import { DesignationToLabel } from "@goauthentik/admin/flows/utils";
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { AndNext, DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/events/ObjectChangelog";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/PageHeader";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";

web/src/admin/groups/GroupViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/groups/GroupForm";
 import "@goauthentik/admin/groups/RelatedUserList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/ak-status-label";
@@ -11,7 +12,6 @@ import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg, str } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/outposts/OutpostListPage.ts

@@ -3,13 +3,13 @@ import "@goauthentik/admin/outposts/OutpostDeploymentModal";
 import "@goauthentik/admin/outposts/OutpostForm";
 import "@goauthentik/admin/outposts/OutpostHealth";
 import "@goauthentik/admin/outposts/OutpostHealthSimple";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PFSize } from "@goauthentik/common/enums.js";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/outposts/ServiceConnectionListPage.ts

@@ -2,6 +2,7 @@ import "@goauthentik/admin/outposts/OutpostHealth";
 import "@goauthentik/admin/outposts/ServiceConnectionDockerForm";
 import "@goauthentik/admin/outposts/ServiceConnectionKubernetesForm";
 import "@goauthentik/admin/outposts/ServiceConnectionWizard";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-status-label";
 import { PFColor } from "@goauthentik/elements/Label";
@@ -9,7 +10,6 @@ import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
 import "@goauthentik/elements/forms/ProxyForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/policies/PolicyListPage.ts

@@ -6,13 +6,13 @@ import "@goauthentik/admin/policies/expiry/ExpiryPolicyForm";
 import "@goauthentik/admin/policies/expression/ExpressionPolicyForm";
 import "@goauthentik/admin/policies/password/PasswordPolicyForm";
 import "@goauthentik/admin/policies/reputation/ReputationPolicyForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PFColor } from "@goauthentik/elements/Label";
 import "@goauthentik/elements/forms/ConfirmationForm";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
 import "@goauthentik/elements/forms/ProxyForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/policies/reputation/ReputationListPage.ts

@@ -1,10 +1,10 @@
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { getRelativeTime } from "@goauthentik/common/utils";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/property-mappings/PropertyMappingListPage.ts

@@ -8,11 +8,11 @@ import "@goauthentik/admin/property-mappings/PropertyMappingSCIMForm";
 import "@goauthentik/admin/property-mappings/PropertyMappingScopeForm";
 import "@goauthentik/admin/property-mappings/PropertyMappingTestForm";
 import "@goauthentik/admin/property-mappings/PropertyMappingWizard";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
 import "@goauthentik/elements/forms/ProxyForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { getURLParam, updateURLParams } from "@goauthentik/elements/router/RouteMatch";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";

web/src/admin/providers/google_workspace/GoogleWorkspaceProviderViewPage.ts

@@ -1,6 +1,7 @@
 import "@goauthentik/admin/providers/google_workspace/GoogleWorkspaceProviderForm";
 import "@goauthentik/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList";
 import "@goauthentik/admin/providers/google_workspace/GoogleWorkspaceProviderUserList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/events/ObjectChangelog";
@@ -10,7 +11,6 @@ import "@goauthentik/elements/SyncStatusCard";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/ModalButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/ldap/LDAPProviderViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/providers/RelatedApplicationButton";
 import "@goauthentik/admin/providers/ldap/LDAPProviderForm";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { me } from "@goauthentik/common/users";
@@ -9,7 +10,6 @@ import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderViewPage.ts

@@ -1,6 +1,7 @@
 import "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormPage";
 import "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList";
 import "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderUserList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/events/ObjectChangelog";
@@ -10,7 +11,6 @@ import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/events/LogViewer";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/proxy/ProxyProviderViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/providers/RelatedApplicationButton";
 import "@goauthentik/admin/providers/proxy/ProxyProviderForm";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { convertToSlug } from "@goauthentik/common/utils";
@@ -21,7 +22,6 @@ import { Replacer } from "@goauthentik/elements/Markdown";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 import { getURLParam } from "@goauthentik/elements/router/RouteMatch";
 
 import { msg } from "@lit/localize";

web/src/admin/providers/rac/EndpointList.ts

@@ -1,10 +1,10 @@
 import "@goauthentik/admin/policies/BoundPoliciesList";
 import "@goauthentik/admin/providers/rac/EndpointForm";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse, Table } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";

web/src/admin/providers/rac/RACProviderViewPage.ts

@@ -3,6 +3,7 @@ import "@goauthentik/admin/providers/rac/ConnectionTokenList";
 import "@goauthentik/admin/providers/rac/EndpointForm";
 import "@goauthentik/admin/providers/rac/EndpointList";
 import "@goauthentik/admin/providers/rac/RACProviderForm";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/ak-status-label";
@@ -12,7 +13,6 @@ import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/radius/RadiusProviderViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/providers/RelatedApplicationButton";
 import "@goauthentik/admin/providers/radius/RadiusProviderForm";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/events/ObjectChangelog";
@@ -8,7 +9,6 @@ import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/saml/SAMLProviderViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/providers/RelatedApplicationButton";
 import "@goauthentik/admin/providers/saml/SAMLProviderForm";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { MessageLevel } from "@goauthentik/common/messages";
@@ -14,7 +15,6 @@ import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import { showMessage } from "@goauthentik/elements/messages/MessageContainer";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/providers/scim/SCIMProviderViewPage.ts

@@ -1,6 +1,7 @@
 import "@goauthentik/admin/providers/scim/SCIMProviderForm";
 import "@goauthentik/admin/providers/scim/SCIMProviderGroupList";
 import "@goauthentik/admin/providers/scim/SCIMProviderUserList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import "@goauthentik/components/events/ObjectChangelog";
@@ -11,7 +12,6 @@ import "@goauthentik/elements/SyncStatusCard";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/ModalButton";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, html } from "lit";

web/src/admin/rbac/ObjectPermissionModal.ts

@@ -1,7 +1,7 @@
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/forms/ModalForm";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/rbac/ObjectPermissionsPage.ts

@@ -1,11 +1,11 @@
+import "@goauthentik/admin/rbac/RoleObjectPermissionTable";
+import "@goauthentik/admin/rbac/UserObjectPermissionTable";
 import "@goauthentik/admin/roles/RoleAssignedGlobalPermissionsTable";
 import "@goauthentik/admin/roles/RoleAssignedObjectPermissionTable";
 import "@goauthentik/admin/users/UserAssignedGlobalPermissionsTable";
 import "@goauthentik/admin/users/UserAssignedObjectPermissionsTable";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/Tabs";
-import "@goauthentik/elements/rbac/RoleObjectPermissionTable";
-import "@goauthentik/elements/rbac/UserObjectPermissionTable";
 
 import { msg } from "@lit/localize";
 import { html, nothing } from "lit";

web/src/admin/rbac/RoleObjectPermissionTable.ts

@@ -1,7 +1,7 @@
+import "@goauthentik/admin/rbac/RoleObjectPermissionForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/RoleObjectPermissionForm";
 import { PaginatedResponse, Table, TableColumn } from "@goauthentik/elements/table/Table";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 

web/src/admin/rbac/UserObjectPermissionTable.ts

@@ -1,7 +1,7 @@
+import "@goauthentik/admin/rbac/UserObjectPermissionForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/UserObjectPermissionForm";
 import { PaginatedResponse, Table, TableColumn } from "@goauthentik/elements/table/Table";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 

web/src/admin/roles/RolePermissionForm.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/PermissionSelectModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/chips/Chip";
@@ -6,7 +7,6 @@ import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
 import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/rbac/PermissionSelectModal";
 
 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
@@ -36,7 +36,7 @@ export class RolePermissionForm extends ModelForm<RolePermissionAssign, number>
         return msg("Successfully assigned permission.");
     }
 
-    async send(data: RolePermissionAssign): Promise<unknown> {
+    async send(data: RolePermissionAssign) {
         await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByRolesAssignCreate({
             uuid: this.roleUuid || "",
             permissionAssignRequest: {
@@ -44,7 +44,6 @@ export class RolePermissionForm extends ModelForm<RolePermissionAssign, number>
             },
         });
         this.permissionsToAdd = [];
-        return;
     }
 
     renderForm(): TemplateResult {

web/src/admin/roles/RoleViewPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/groups/RelatedGroupList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/roles/RoleForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
@@ -9,7 +10,6 @@ import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/PageHeader";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg, str } from "@lit/localize";
 import { css, html, nothing } from "lit";

web/src/admin/sources/ldap/LDAPSourceViewPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/sources/ldap/LDAPSourceConnectivity";
 import "@goauthentik/admin/sources/ldap/LDAPSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@@ -10,7 +11,6 @@ import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/sources/oauth/OAuthSourceViewPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/sources/oauth/OAuthSourceDiagram";
 import "@goauthentik/admin/sources/oauth/OAuthSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@@ -9,7 +10,6 @@ import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/sources/plex/PlexSourceViewPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/sources/plex/PlexSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
@@ -8,7 +9,6 @@ import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/sources/saml/SAMLSourceViewPage.ts

@@ -1,4 +1,5 @@
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/sources/saml/SAMLSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
@@ -9,7 +10,6 @@ import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/sources/scim/SCIMSourceViewPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/sources/scim/SCIMSourceForm";
 import "@goauthentik/admin/sources/scim/SCIMSourceGroups";
 import "@goauthentik/admin/sources/scim/SCIMSourceUsers";
@@ -10,7 +11,6 @@ import "@goauthentik/elements/buttons/ActionButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/buttons/TokenCopyButton";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";

web/src/admin/stages/StageListPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/stages/StageWizard";
 import "@goauthentik/admin/stages/authenticator_duo/AuthenticatorDuoStageForm";
 import "@goauthentik/admin/stages/authenticator_duo/DuoDeviceImportForm";
@@ -24,14 +25,13 @@ import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
 import "@goauthentik/elements/forms/ProxyForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
 import { msg, str } from "@lit/localize";
-import { TemplateResult, html } from "lit";
+import { TemplateResult, html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -94,26 +94,23 @@ export class StageListPage extends TablePage<Stage> {
         </ak-forms-delete-bulk>`;
     }
 
-    renderStageActions(stage: Stage): TemplateResult {
-        switch (stage.component) {
-            case "ak-stage-authenticator-duo-form":
-                return html`<ak-forms-modal>
-                    <span slot="submit">${msg("Import")}</span>
-                    <span slot="header">${msg("Import Duo device")}</span>
-                    <ak-stage-authenticator-duo-device-import-form
-                        slot="form"
-                        .instancePk=${stage.pk}
-                    >
-                    </ak-stage-authenticator-duo-device-import-form>
-                    <button slot="trigger" class="pf-c-button pf-m-plain">
-                        <pf-tooltip position="top" content=${msg("Import devices")}>
-                            <i class="fas fa-file-import" aria-hidden="true"></i>
-                        </pf-tooltip>
-                    </button>
-                </ak-forms-modal>`;
-            default:
-                return html``;
-        }
+    renderStageActions(stage: Stage) {
+        return stage.component === "ak-stage-authenticator-duo-form"
+            ? html`<ak-forms-modal>
+                  <span slot="submit">${msg("Import")}</span>
+                  <span slot="header">${msg("Import Duo device")}</span>
+                  <ak-stage-authenticator-duo-device-import-form
+                      slot="form"
+                      .instancePk=${stage.pk}
+                  >
+                  </ak-stage-authenticator-duo-device-import-form>
+                  <button slot="trigger" class="pf-c-button pf-m-plain">
+                      <pf-tooltip position="top" content=${msg("Import devices")}>
+                          <i class="fas fa-file-import" aria-hidden="true"></i>
+                      </pf-tooltip>
+                  </button>
+              </ak-forms-modal>`
+            : nothing;
     }
 
     row(item: Stage): TemplateResult[] {

web/src/admin/stages/invitation/InvitationListPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/stages/invitation/InvitationForm";
 import "@goauthentik/admin/stages/invitation/InvitationListLink";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
@@ -6,7 +7,6 @@ import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/stages/prompt/PromptListPage.ts

@@ -1,10 +1,10 @@
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/stages/prompt/PromptForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/tokens/TokenListPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/tokens/TokenForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { intentToLabel } from "@goauthentik/common/labels";
@@ -7,7 +8,6 @@ import "@goauthentik/elements/buttons/Dropdown";
 import "@goauthentik/elements/buttons/TokenCopyButton";
 import "@goauthentik/elements/forms/DeleteBulkForm";
 import "@goauthentik/elements/forms/ModalForm";
-import "@goauthentik/elements/rbac/ObjectPermissionModal";
 import { PaginatedResponse } from "@goauthentik/elements/table/Table";
 import { TableColumn } from "@goauthentik/elements/table/Table";
 import { TablePage } from "@goauthentik/elements/table/TablePage";

web/src/admin/users/UserPermissionForm.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/rbac/PermissionSelectModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/chips/Chip";
@@ -6,7 +7,6 @@ import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
 import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/rbac/PermissionSelectModal";
 
 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
@@ -36,7 +36,7 @@ export class UserPermissionForm extends ModelForm<UserPermissionAssign, number>
         return msg("Successfully assigned permission.");
     }
 
-    async send(data: UserPermissionAssign): Promise<unknown> {
+    async send(data: UserPermissionAssign) {
         await new RbacApi(DEFAULT_CONFIG).rbacPermissionsAssignedByUsersAssignCreate({
             id: this.userId || 0,
             permissionAssignRequest: {
@@ -44,7 +44,6 @@ export class UserPermissionForm extends ModelForm<UserPermissionAssign, number>
             },
         });
         this.permissionsToAdd = [];
-        return;
     }
 
     renderForm(): TemplateResult {

web/src/admin/users/UserViewPage.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/groups/RelatedGroupList";
 import "@goauthentik/admin/providers/rac/ConnectionTokenList";
+import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import "@goauthentik/admin/users/UserActiveForm";
 import "@goauthentik/admin/users/UserApplicationTable";
 import "@goauthentik/admin/users/UserChart";
@@ -33,7 +34,6 @@ import "@goauthentik/elements/buttons/SpinnerButton";
 import "@goauthentik/elements/forms/ModalForm";
 import "@goauthentik/elements/oauth/UserAccessTokenList";
 import "@goauthentik/elements/oauth/UserRefreshTokenList";
-import "@goauthentik/elements/rbac/ObjectPermissionsPage";
 import "@goauthentik/elements/user/SessionList";
 import "@goauthentik/elements/user/UserConsentList";
 import "@goauthentik/elements/user/UserReputationList";

web/src/user/LibraryPage/ak-library.ts

@@ -70,6 +70,7 @@ export class LibraryPage extends AKElement {
             ordering: "name",
             page,
             pageSize: 100,
+            onlyWithLaunchUrl: true,
         });
 
         const applicationListFetch = await coreApi().coreApplicationsList(applicationListParams(1));

web/xliff/de.xlf

@@ -6697,6 +6697,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -6963,6 +6963,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -6614,6 +6614,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="fr" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>L'URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot; n'a pas été trouvée.</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>L'URL "
+        <x id="0" equiv-text="${this.url}"/>" n'a pas été trouvée.</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1040,8 +1040,8 @@
         
       </trans-unit>
       <trans-unit id="sa8384c9c26731f83">
-        <source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-        <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur &quot;.*&quot;. Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
+        <source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
+        <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur ".*". Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
         
       </trans-unit>
       <trans-unit id="s55787f4dfcdce52b">
@@ -1598,7 +1598,7 @@
       </trans-unit>
       <trans-unit id="s33ed903c210a6209">
         <source>Token to authenticate with. Currently only bearer authentication is supported.</source>
-        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification &quot;bearer authentication&quot; est prise en charge.</target>
+        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification "bearer authentication" est prise en charge.</target>
         
       </trans-unit>
       <trans-unit id="sfc8bb104e2c05af8">
@@ -1766,8 +1766,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome &quot;fa-test&quot;.</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome "fa-test".</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -2855,7 +2855,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s33683c3b1dbaf264">
         <source>To use SSL instead, use 'ldaps://' and disable this option.</source>
-        <target>Pour utiliser SSL à la base, utilisez &quot;ldaps://&quot; et désactviez cette option.</target>
+        <target>Pour utiliser SSL à la base, utilisez "ldaps://" et désactviez cette option.</target>
         
       </trans-unit>
       <trans-unit id="s2221fef80f4753a2">
@@ -2944,8 +2944,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ &quot;memberUid&quot;, la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ "memberUid", la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3240,7 +3240,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s3198c384c2f68b08">
         <source>Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.</source>
-        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID &quot;transient&quot; et que l'utilisateur ne se déconnecte pas manuellement.</target>
+        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID "transient" et que l'utilisateur ne se déconnecte pas manuellement.</target>
         
       </trans-unit>
       <trans-unit id="sb32e9c1faa0b8673">
@@ -3392,7 +3392,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s9f8aac89fe318acc">
         <source>Optionally set the 'FriendlyName' value of the Assertion attribute.</source>
-        <target>Indiquer la valeur &quot;FriendlyName&quot; de l'attribut d'assertion (optionnel)</target>
+        <target>Indiquer la valeur "FriendlyName" de l'attribut d'assertion (optionnel)</target>
         
       </trans-unit>
       <trans-unit id="s851c108679653d2a">
@@ -3706,8 +3706,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
-        <target>En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à &quot;minutes=5&quot;.</target>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
+        <target>En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à "minutes=5".</target>
         
       </trans-unit>
       <trans-unit id="s44536d20bb5c8257">
@@ -3883,10 +3883,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
         <target>Êtes-vous sûr de vouloir mettre à jour
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot;?</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>"?</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4962,8 +4962,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-        <target>Un authentificateur &quot;itinérant&quot;, comme une YubiKey</target>
+        <source>A "roaming" authenticator, like a YubiKey</source>
+        <target>Un authentificateur "itinérant", comme une YubiKey</target>
         
       </trans-unit>
       <trans-unit id="sfffba7b23d8fb40c">
@@ -5288,7 +5288,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s5170f9ef331949c0">
         <source>Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.</source>
-        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable &quot;prompt_data&quot;.</target>
+        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable "prompt_data".</target>
         
       </trans-unit>
       <trans-unit id="s36cb242ac90353bc">
@@ -5297,10 +5297,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s2d5f69929bb7221d">
-        <source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
+        <source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
         <target>
-        <x id="0" equiv-text="${prompt.name}"/>(&quot;
-        <x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, de type
+        <x id="0" equiv-text="${prompt.name}"/>("
+        <x id="1" equiv-text="${prompt.fieldKey}"/>", de type
         <x id="2" equiv-text="${prompt.type}"/>)</target>
         
       </trans-unit>
@@ -5349,8 +5349,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
-        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de &quot;rester connecté&quot;, ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de "rester connecté", ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
         
       </trans-unit>
       <trans-unit id="s542a71bb8f41e057">
@@ -6129,7 +6129,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
       </trans-unit>
       <trans-unit id="sa7fcf026bd25f231">
         <source>Can be in the format of 'unix://' when connecting to a local docker daemon, using 'ssh://' to connect via SSH, or 'https://:2376' when connecting to a remote system.</source>
-        <target>Peut être au format &quot;unix://&quot; pour une connexion à un service docker local, &quot;ssh://&quot; pour une connexion via SSH, ou &quot;https://:2376&quot; pour une connexion à un système distant.</target>
+        <target>Peut être au format "unix://" pour une connexion à un service docker local, "ssh://" pour une connexion via SSH, ou "https://:2376" pour une connexion à un système distant.</target>
         
       </trans-unit>
       <trans-unit id="saf1d289e3137c2ea">
@@ -7386,7 +7386,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
   <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Utilisez ce fournisseur avec l'option &quot;auth_request&quot; de Nginx ou &quot;forwardAuth&quot; de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, &quot;/outpost.goauthentik.io&quot; doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
+  <target>Utilisez ce fournisseur avec l'option "auth_request" de Nginx ou "forwardAuth" de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, "/outpost.goauthentik.io" doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
   <source>Default relay state</source>
@@ -7788,7 +7788,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <target>Utilisateur créé et ajouté au groupe <x id="0" equiv-text="${this.group.name}"/> avec succès</target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
   <target>Cet utilisateur sera ajouté au groupe &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;.</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8816,7 +8816,40 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
   <target>Voir la documentation</target>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

web/xliff/ko.xlf

@@ -8542,6 +8542,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -8386,6 +8386,39 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -8812,6 +8812,39 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -6607,6 +6607,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -5530,6 +5530,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
 </trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -8809,12 +8809,48 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s11ec812e25ceef8a">
   <source>No messages found</source>
+  <target>未找到消息</target>
 </trans-unit>
 <trans-unit id="s23446284b56ca0cc">
   <source>Reputation score(s)</source>
+  <target>信誉分数</target>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+  <target>查看文档</target>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -6655,6 +6655,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -6852,11 +6852,6 @@ Bindings to groups/users are checked against the user of the event.</source>
         <source>Powered by authentik</source>
         <target>由 authentik 强力驱动</target>
         
-      </trans-unit>
-      <trans-unit id="sdf34a5599d66f85c">
-        <source>Background image</source>
-        <target>背景图片</target>
-        
       </trans-unit>
       <trans-unit id="s7fa4e5e409d43573">
         <source>Error creating credential: <x id="0" equiv-text="${err}"/></source>
@@ -8819,6 +8814,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s23446284b56ca0cc">
   <source>Reputation score(s)</source>
   <target>信誉分数</target>
+</trans-unit>
+<trans-unit id="s7a64ac07061f85b2">
+  <source>See documentation</source>
+  <target>查看文档</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -8503,6 +8503,39 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s7a64ac07061f85b2">
   <source>See documentation</source>
+</trans-unit>
+<trans-unit id="se166e95fe447ebcd">
+  <source>Close dialog</source>
+</trans-unit>
+<trans-unit id="s3dc14a4b8129f989">
+  <source>Pagination</source>
+</trans-unit>
+<trans-unit id="s6d46b842e227be57">
+  <source>Application Details</source>
+</trans-unit>
+<trans-unit id="s76415a60e548cafe">
+  <source>Provider Configuration</source>
+</trans-unit>
+<trans-unit id="sde59c64619570b57">
+  <source>Submit Application</source>
+</trans-unit>
+<trans-unit id="sf2da0e95c78f2cb7">
+  <source>Restore Application Wizard Hint</source>
+</trans-unit>
+<trans-unit id="s76dc6d0d1a7db8e2">
+  <source>Your authentik password</source>
+</trans-unit>
+<trans-unit id="se3a34af2a05c5c98">
+  <source>Internal Service account</source>
+</trans-unit>
+<trans-unit id="s681c086b8f7afcae">
+  <source>Global</source>
+</trans-unit>
+<trans-unit id="s1b85e6ac2978a2c0">
+  <source>Outpost integrations</source>
+</trans-unit>
+<trans-unit id="sec55a3a7f18615ec">
+  <source>Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts.</source>
 </trans-unit>
     </body>
   </file>

website/developer-docs/api/flow-executor.md

@@ -1,18 +1,18 @@
 ---
-title: Flow executor
+title: Flow executor (backend)
 ---
 
-A big focus of authentik is the flows system, which allows you to combine and build complex conditional processes using stages and policies. Normally, these flows are executed in the browser using the authentik inbuilt flow executor (/if/flows).
+A big focus of authentik is the flows system, which allows you to combine and build complex conditional processes using stages and policies. Normally, these flows are automatically executed in the browser using authentik's [standard browser-based flow executor (/if/flows)](/docs/flow/executors/if-flow).
 
-However, any flow can be executed via an API from anywhere, in fact that is what the Web flow executor does. This means, you can, with a few requests, execute flows from anywhere, and integrate authentik even better.
+However, any flow can be executed via an API from anywhere, in fact that is what the backend flow executor does. With a few requests you can execute flows from anywhere, and integrate authentik even better.
 
 :::info
-Because the flow executor stores its state in the HTTP Session, so you need to ensure cookies between flow executor requests are persisted.
+Because the flow executor stores its state in the HTTP Session, so you need to ensure that cookies between flow executor requests are persisted.
 :::
 
 The main endpoint for flow execution is `/api/v3/flows/executor/:slug`.
 
-This endpoint accepts a query parameter called `query`, in which the flow executor sends the full Query-string.
+This endpoint accepts a query parameter called `query`, in which the flow executor sends the full query-string.
 
 To initiate a new flow, execute a GET request.
 

website/docs/core/brands.md

@@ -9,7 +9,7 @@ The main settings that brands influence are flows and branding.
 
 ## Flows
 
-authentik picks a default flow by picking the flow that is selected in the current brand, otherwise any flow that
+authentik picks a default flow by selecting the flow that is configured in the current brand, otherwise any flow that:
 
     - matches the required designation
     - comes first sorted by slug
@@ -19,4 +19,4 @@ This means that if you want to select a default flow based on policy, you can le
 
 ## Branding
 
-The brand configuration controls the branding title (shown in website document title and several other places), and the sidebar/header logo that appears in the upper left of the product interface.
+The brand configuration controls the branding title (shown in website document title and several other places), the sidebar/header logo that appears in the upper left of the product interface, and the favicon on a browser tab.

website/docs/flow/executors/headless.md

@@ -2,7 +2,7 @@
 title: Headless
 ---
 
-The headless flow executor is used by clients which don't have access to the web interface. It is currently used by the LDAP outpost to authenticate users.
+The headless flow executor is used by clients that don't have access to the web interface. It is currently used by the LDAP and Radius outposts to authenticate users.
 
 The following stages are supported:
 

website/docs/flow/executors/user-settings.md

@@ -6,9 +6,8 @@ title: User settings
 Requires authentik 2022.3
 :::
 
-The user interface (`/if/user/`) embeds a downsized flow executor to allow the user to configure their profile using custom stages and prompts.
+The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor.
 
-This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
-Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
+Because the stages in a flow can change during its execution, be awre that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.
 
-To configure which flow is used for this, configure it in the brand settings.
+An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../core/brands.md) on the same authentik instance.

website/integrations/services/gitea/index.md

@@ -29,6 +29,10 @@ In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_
 Only settings that have been modified from default have been listed.
 :::
 
+**General Settings**
+
+-   Redirect URIs: `https://gitea.company/user/oauth2/authentik/callback`
+
 **Protocol Settings**
 
 -   Name: Gitea

website/integrations/services/minio/index.md

@@ -21,7 +21,7 @@ The following placeholders will be used:
 
 The primary way to manage access in MinIO is via [policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#minio-policy). We need to configure authentik to return a list of which MinIO policies should be applied to a user.
 
-Under _Customization_ -> _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-minio". Set the scope name to `minio` and the expression to the following
+Create a Scope Mapping: in the authentik Admin interface, navigate to **Customization -> Property Mappings**, click **Create**, and then select **Scope Mapping**. Give the property mapping a name like "OIDC-Scope-minio". Set the scope name to `minio` and the **Expression** to the following:
 
 ```python
 return {
@@ -29,7 +29,7 @@ return {
 }
 ```
 
-This mapping will result in the default MinIO `readwrite` policy being applied to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this
+This mapping applies the default MinIO `readwrite` policy to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this:
 
 ```python
 if ak_is_group_member(request.user, name="Minio admins"):
@@ -47,22 +47,45 @@ Note that you can assign multiple policies to a user by returning a list, and re
 
 ### Creating application and provider
 
-Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
+Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
 
 -   Client Type: `Confidential`
--   Scopes: OpenID, Email, Profile and the scope you created above
+-   Scopes: OpenID, Email, Profile, and the scope you created above
 -   Signing Key: Select any available key
 -   Redirect URIs: `https://minio.company/oauth_callback`
 
+Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**.
+
 Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
 
-## MinIO
+## MinIO configuration
+
+You can set up OpenID in two different ways: via the web interface or the command line.
+
+### Web Interface
+
+From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows:
+
+-   Name: MinIO
+-   Config URL: `https://minio.company/application/o/<minio slug>/.well-known/openid-configuration`
+-   Client ID: Your client ID from the previous step
+-   Client Secret: Your client secret from the previous step
+-   Scopes: `openid, email, profile, minio`
+-   Redirect URI: `https://minio.company/oauth_callback`
+
+Finally, click **Save** and follow the instructions in the popup to restart your instance.
+
+### Command Line
+
+You must install the MinIO binaries from [here](https://min.io/docs/minio/linux/reference/minio-mc.html). You then need to create an alias for your instance using: `mc alias set myminio https://minio.company <access key> <secret key>`. You can follow [this StackOverflow answer](https://stackoverflow.com/a/77645374) to create a secret key and access key.
+
+After that is done, run the following command to configure the OpenID provider:
 
 ```
 ~ mc admin config set myminio identity_openid \
-  config_url="https://authentik.company/application/o/<applicaiton-slug>/.well-known/openid-configuration" \
-  client_id="<client id from above>" \
-  client_secret="<client secret from above>" \
+  config_url="https://authentik.company/application/o/<minio slug>/.well-known/openid-configuration" \
+  client_id="<client id>" \
+  client_secret="<client secret>" \
   scopes="openid,profile,email,minio"
 ```