web: Make viewing the in-page documentation optional

After talking with @GirlBossRush, I realized that my architecture would be simplified by separating the style controller from the renderer. Lit uses Controllers just for that purpose, so: 1. A renderer that either puts down the button or puts down the documentation 2. A controller that monitors the button for its state and, when that state changes, updates the host's CSS to fit within the page correctly when the button is rotated. 3. Some helper styles the container needs to help the button display correctly. Run the thing and click on the button. This changes the look and feel of the application to a small degree. Screenshots may need to be updated. None. \# What \# Why \# How \# Designs \# Test Steps \# Other Notes
Added comments around the unusual styling system.
2025-01-24 08:41:01 -08:00 · 2025-01-22 15:18:57 -08:00 · 2025-01-22 15:09:49 -08:00 · 2025-01-22 10:09:24 -08:00 · 2025-01-22 08:15:22 -08:00 · 2025-01-22 16:06:02 +00:00
543 changed files with 33374 additions and 12846 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.12.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final
@ -31,4 +31,4 @@ optional_value = final

 [bumpversion:file:web/src/common/constants.ts]

-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -35,14 +35,6 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -60,18 +52,6 @@ runs:
                    tag: ${{ inputs.tag }}
            ```

-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -9,6 +9,9 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
+  release:
+    required: true
+    description: "True if this is a release build, false if this is a dev/PR build"

 outputs:
  shouldPush:
@ -29,15 +32,24 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
+  imageTagsJSON:
+    description: "Docker image tags, as a JSON array"
+    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
+  cacheTo:
+    description: "cache-to value for the docker build step"
+    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
+  imageBuildArgs:
+    description: "Docker image build args"
+    value: ${{ steps.ev.outputs.imageBuildArgs }}

 runs:
  using: "composite"
@ -48,6 +60,8 @@ runs:
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
+        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        REF: ${{ github.ref }}
      run: |
        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -2,6 +2,7 @@

 import configparser
 import os
+from json import dumps
 from time import time

 parser = configparser.ConfigParser()
@ -48,7 +49,7 @@ if is_release:
            ]
 else:
    suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@ -70,12 +71,31 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))


+# Generate `cache-to` param
+cache_to = ""
+if should_push:
+    _cache_tag = "buildcache"
+    if image_arch:
+        _cache_tag += f"-{image_arch}"
+    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
+
+
+image_build_args = []
+if os.getenv("RELEASE", "false").lower() == "true":
+    image_build_args = [f"VERSION={os.getenv('REF')}"]
+else:
+    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args = "\n".join(image_build_args)
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
+    print(f"cacheTo={cache_to}", file=_output)
+    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    python $SCRIPT_DIR/push_vars.py
+
+# Pushing PR/main
+GITHUB_OUTPUT=/dev/stdout \
+    GITHUB_REF=ref \
+    GITHUB_SHA=sha \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -82,6 +82,16 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
+  - package-ecosystem: npm
+    directory: "/lifecycle/aws"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "lifecycle/aws:"
+    labels:
+      - dependencies
  - package-ecosystem: pip
    directory: "/"
    schedule:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -0,0 +1,95 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.3.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+          release: ${{ inputs.release }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            ${{ steps.ev.outputs.imageBuildArgs }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -0,0 +1,102 @@
+# Re-usable workflow for a multi-architecture build
+name: Multi-arch container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: true
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs: {}
+
+jobs:
+  build-server-amd64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: amd64
+      runs-on: ubuntu-latest
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  build-server-arm64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: arm64
+      runs-on: ubuntu-22.04-arm
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  get-tags:
+    runs-on: ubuntu-latest
+    needs:
+      - build-server-amd64
+      - build-server-arm64
+    outputs:
+      tags: ${{ steps.ev.outputs.imageTagsJSON }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+  merge-server:
+    runs-on: ubuntu-latest
+    needs:
+      - get-tags
+      - build-server-amd64
+      - build-server-arm64
+    strategy:
+      fail-fast: false
+      matrix:
+        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: int128/docker-manifest-create-action@v2
+        id: build
+        with:
+          tags: ${{ matrix.tag }}
+          sources: |
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -25,10 +25,10 @@ jobs:
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: lifecycle/aws/package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: lifecycle/aws/package-lock.json
+      - working-directory: lifecycle/aws/
        run: |
          npm ci
      - name: Check changes have been applied
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -134,7 +134,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.11.0
+        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
@ -223,68 +223,18 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-          - amd64
-          - arm64
-    needs: ci-core-mark
-    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-server
-          image-arch: ${{ matrix.arch }}
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: generate ts client
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          build-args: |
-            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
-          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    needs: ci-core-mark
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/dev-server
+      release: false
  pr-comment:
    needs:
      - build
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -72,7 +72,7 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,64 +7,15 @@ on:

 jobs:
  build-server:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server,beryju/authentik
-      - name: Docker Login Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
+      release: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -83,7 +34,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -188,8 +139,8 @@ jobs:
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -33,7 +33,8 @@
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar"
+        "!Value scalar",
+        "!AtIndex scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/4
+++ b/4
@ -15,6 +15,7 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
@ -25,6 +26,9 @@ CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
+# Locale
+locale/                         @goauthentik/backend @goauthentik/frontend
+web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
 CODE_OF_CONDUCT.md              @goauthentik/docs
--- a/34
+++ b/34
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -116,15 +116,30 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -140,10 +155,12 @@ WORKDIR /

 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
+    apt-get upgrade -y && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
+    pip3 install --no-cache-dir --upgrade pip && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@ -176,9 +193,8 @@ ENV TMPDIR=/dev/shm/ \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false
-
-ENV GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false \
+    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

--- a/10
+++ b/10
@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

 GEN_API_TS = "gen-ts-api"
@ -78,6 +78,9 @@ migrate: ## Run the Authentik Django server's migrations

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

+aws-cfn:
+	cd lifecycle/aws && npm run aws-cfn
+
 core-i18n-extract:
 	ak makemessages \
 		--add-location file \
@ -149,7 +152,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@ -252,9 +255,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch

-aws-cfn:
-	cd website && npm run aws-cfn
-
 #########################
 ## Docker
 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
+| 2024.12.x | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.10.5"
+__version__ = "2024.12.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


@ -16,5 +16,5 @@ def get_full_version() -> str:
    """Get full version, with build hash appended"""
    version = __version__
    if (build_hash := get_build_hash()) != "":
-        version += "." + build_hash
+        return f"{version}+{build_hash}"
    return version
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -7,7 +7,9 @@ from sys import version as python_version
 from typing import TypedDict

 from cryptography.hazmat.backends.openssl.backend import backend
+from django.conf import settings
 from django.utils.timezone import now
+from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
@ -52,10 +54,16 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
+        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
-            headers[key] = value
+            actual_value = value
+            if raw_session in actual_value:
+                actual_value = actual_value.replace(
+                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
+                )
+            headers[key] = actual_value
        return headers

    def get_http_host(self, request: Request) -> str:
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,12 +1,16 @@
 """authentik administration overview"""

+from socket import gethostname
+
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from rest_framework.fields import IntegerField
+from packaging.version import parse
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

+from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP

@ -16,11 +20,38 @@ class WorkerView(APIView):

    permission_classes = [HasPermission("authentik_rbac.view_system_info")]

-    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
+    @extend_schema(
+        responses=inline_serializer(
+            "Worker",
+            fields={
+                "worker_id": CharField(),
+                "version": CharField(),
+                "version_matching": BooleanField(),
+            },
+            many=True,
+        )
+    )
    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
-        count = len(CELERY_APP.control.ping(timeout=0.5))
+        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+        our_version = parse(get_full_version())
+        response = []
+        for worker in raw:
+            key = list(worker.keys())[0]
+            version = worker[key].get("version")
+            version_matching = False
+            if version:
+                version_matching = parse(version) == our_version
+            response.append(
+                {"worker_id": key, "version": version, "version_matching": version_matching}
+            )
        # In debug we run with `task_always_eager`, so tasks are ran on the main process
        if settings.DEBUG:  # pragma: no cover
-            count += 1
-        return Response({"count": count})
+            response.append(
+                {
+                    "worker_id": f"authentik-debug@{gethostname()}",
+                    "version": get_full_version(),
+                    "version_matching": True,
+                }
+            )
+        return Response(response)
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -1,11 +1,10 @@
 """authentik admin app config"""

-from prometheus_client import Gauge, Info
+from prometheus_client import Info

 from authentik.blueprints.apps import ManagedAppConfig

 PROM_INFO = Info("authentik_version", "Currently running authentik version")
-GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")


 class AuthentikAdminConfig(ManagedAppConfig):
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -1,14 +1,35 @@
 """admin signals"""

 from django.dispatch import receiver
+from packaging.version import parse
+from prometheus_client import Gauge

-from authentik.admin.apps import GAUGE_WORKERS
+from authentik import get_full_version
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set

+GAUGE_WORKERS = Gauge(
+    "authentik_admin_workers",
+    "Currently connected workers, their versions and if they are the same version as authentik",
+    ["version", "version_matched"],
+)
+
+
+_version = parse(get_full_version())
+

@receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
-    count = len(CELERY_APP.control.ping(timeout=0.5))
-    GAUGE_WORKERS.set(count)
+    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+    worker_version_count = {}
+    for worker in raw:
+        key = list(worker.keys())[0]
+        version = worker[key].get("version")
+        version_matching = False
+        if version:
+            version_matching = parse(version) == _version
+        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
+        worker_version_count[version]["count"] += 1
+    for version, stats in worker_version_count.items():
+        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["count"], 0)
+        self.assertEqual(len(body), 0)

    def test_metrics(self):
        """Test metrics API"""
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -1,67 +0,0 @@
-"""API Authorization"""
-
-from django.conf import settings
-from django.db.models import Model
-from django.db.models.query import QuerySet
-from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.authentication import get_authorization_header
-from rest_framework.filters import BaseFilterBackend
-from rest_framework.permissions import BasePermission
-from rest_framework.request import Request
-
-from authentik.api.authentication import validate_auth
-from authentik.rbac.filters import ObjectFilter
-
-
-class OwnerFilter(BaseFilterBackend):
-    """Filter objects by their owner"""
-
-    owner_key = "user"
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        if request.user.is_superuser:
-            return queryset
-        return queryset.filter(**{self.owner_key: request.user})
-
-
-class SecretKeyFilter(DjangoFilterBackend):
-    """Allow access to all objects when authenticated with secret key as token.
-
-    Replaces both DjangoFilterBackend and ObjectFilter"""
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        auth_header = get_authorization_header(request)
-        token = validate_auth(auth_header)
-        if token and token == settings.SECRET_KEY:
-            return queryset
-        queryset = ObjectFilter().filter_queryset(request, queryset, view)
-        return super().filter_queryset(request, queryset, view)
-
-
-class OwnerPermissions(BasePermission):
-    """Authorize requests by an object's owner matching the requesting user"""
-
-    owner_key = "user"
-
-    def has_permission(self, request: Request, view) -> bool:
-        """If the user is authenticated, we allow all requests here. For listing, the
-        object-level permissions are done by the filter backend"""
-        return request.user.is_authenticated
-
-    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
-        """Check if the object's owner matches the currently logged in user"""
-        if not hasattr(obj, self.owner_key):
-            return False
-        owner = getattr(obj, self.owner_key)
-        if owner != request.user:
-            return False
-        return True
-
-
-class OwnerSuperuserPermissions(OwnerPermissions):
-    """Similar to OwnerPermissions, except always allow access for superusers"""
-
-    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
-        if request.user.is_superuser:
-            return True
-        return super().has_object_permission(request, view, obj)
--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@ -0,0 +1,68 @@
+"""Test and debug Blueprints"""
+
+import atexit
+import readline
+from pathlib import Path
+from pprint import pformat
+from sys import exit as sysexit
+from textwrap import indent
+
+from django.core.management.base import BaseCommand, no_translations
+from structlog.stdlib import get_logger
+from yaml import load
+
+from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
+from authentik.core.management.commands.shell import get_banner_text
+from authentik.lib.utils.errors import exception_to_string
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Test and debug Blueprints"""
+
+    lines = []
+
+    def __init__(self, *args, **kwargs) -> None:
+        super().__init__(*args, **kwargs)
+        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
+        histfolder.mkdir(parents=True, exist_ok=True)
+        histfile = histfolder / Path("blueprint_shell_history")
+        readline.parse_and_bind("tab: complete")
+        readline.parse_and_bind("set editing-mode vi")
+
+        try:
+            readline.read_history_file(str(histfile))
+        except FileNotFoundError:
+            pass
+
+        atexit.register(readline.write_history_file, str(histfile))
+
+    @no_translations
+    def handle(self, *args, **options):
+        """Interactively debug blueprint files"""
+        self.stdout.write(get_banner_text("Blueprint shell"))
+        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
+
+        def do_eval():
+            yaml_input = "\n".join([line for line in self.lines if line])
+            data = load(yaml_input, BlueprintLoader)
+            self.stdout.write(pformat(data))
+            self.lines = []
+
+        while True:
+            try:
+                line = input("> ")
+                if line == ".eval":
+                    do_eval()
+                else:
+                    self.lines.append(line)
+            except EntryInvalidError as exc:
+                self.stdout.write("Failed to evaluate expression:")
+                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
+            except EOFError:
+                break
+            except KeyboardInterrupt:
+                self.stdout.write()
+                sysexit(0)
+        self.stdout.write()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -126,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        return {
+        template = {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@ -143,6 +143,11 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
+        # Meta models don't require identifiers, as there's no matching database model to find
+        if issubclass(model, BaseMetaModel):
+            del template["properties"]["identifiers"]
+            template["required"].remove("identifiers")
+        return template

    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -146,6 +146,10 @@ entries:
                  ]
              ]
              nested_context: !Context context2
+              at_index_sequence: !AtIndex [!Context sequence, 0]
+              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
+              at_index_mapping: !AtIndex [!Context mapping, "key2"]
+              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -215,6 +215,10 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
+                    "at_index_sequence": "foo",
+                    "at_index_sequence_default": "non existent",
+                    "at_index_mapping": 2,
+                    "at_index_mapping_default": "non existent",
                }
            ).exists()
        )
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -24,6 +24,10 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel


+class UNSET:
+    """Used to test whether a key has not been set."""
+
+
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
    """Get object's attributes via their serializer, and convert it to a normal dict"""
    serializer: Serializer = obj.serializer(obj)
@ -198,6 +202,9 @@ class Blueprint:
 class YAMLTag:
    """Base class for all YAML Tags"""

+    def __repr__(self) -> str:
+        return str(self.resolve(BlueprintEntry(""), Blueprint()))
+
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        """Implement yaml tag logic"""
        raise NotImplementedError
@ -556,6 +563,53 @@ class Value(EnumeratedItem):
            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc


+class AtIndex(YAMLTag):
+    """Get value at index of a sequence or mapping"""
+
+    obj: YAMLTag | dict | list | tuple
+    attribute: int | str | YAMLTag
+    default: Any | UNSET
+
+    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+        super().__init__()
+        self.obj = loader.construct_object(node.value[0])
+        self.attribute = loader.construct_object(node.value[1])
+        if len(node.value) == 2:  # noqa: PLR2004
+            self.default = UNSET
+        else:
+            self.default = loader.construct_object(node.value[2])
+
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+        if isinstance(self.obj, YAMLTag):
+            obj = self.obj.resolve(entry, blueprint)
+        else:
+            obj = self.obj
+        if isinstance(self.attribute, YAMLTag):
+            attribute = self.attribute.resolve(entry, blueprint)
+        else:
+            attribute = self.attribute
+
+        if isinstance(obj, list | tuple):
+            try:
+                return obj[attribute]
+            except TypeError as exc:
+                raise EntryInvalidError.from_entry(
+                    f"Invalid index for list: {attribute}", entry
+                ) from exc
+            except IndexError as exc:
+                if self.default is UNSET:
+                    raise EntryInvalidError.from_entry(
+                        f"Index out of range: {attribute}", entry
+                    ) from exc
+                return self.default
+        if attribute in obj:
+            return obj[attribute]
+        else:
+            if self.default is UNSET:
+                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
+            return self.default
+
+
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""

@ -606,6 +660,7 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
+        self.add_constructor("!AtIndex", AtIndex)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -14,10 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

-from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.utils import get_current_tenant


--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@ -0,0 +1,58 @@
+"""Application Roles API Viewset"""
+
+from django.http import HttpRequest
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.core.models import (
+    Application,
+    ApplicationEntitlement,
+)
+
+
+class ApplicationEntitlementSerializer(ModelSerializer):
+    """ApplicationEntitlement Serializer"""
+
+    def validate_app(self, app: Application) -> Application:
+        """Ensure user has permission to view"""
+        request: HttpRequest = self.context.get("request")
+        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
+            return app
+        user = request.user
+        if user.has_perm("view_application", app) or user.has_perm(
+            "authentik_core.view_application"
+        ):
+            return app
+        raise ValidationError(_("User does not have access to application."), code="invalid")
+
+    class Meta:
+        model = ApplicationEntitlement
+        fields = [
+            "pbm_uuid",
+            "name",
+            "app",
+            "attributes",
+        ]
+
+
+class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
+    """ApplicationEntitlement Viewset"""
+
+    queryset = ApplicationEntitlement.objects.all()
+    serializer_class = ApplicationEntitlementSerializer
+    search_fields = [
+        "pbm_uuid",
+        "name",
+        "app",
+        "attributes",
+    ]
+    filterset_fields = [
+        "pbm_uuid",
+        "name",
+        "app",
+    ]
+    ordering = ["name"]
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -2,16 +2,12 @@

 from typing import TypedDict

-from django_filters.rest_framework import DjangoFilterBackend
-from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

-from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
@ -110,11 +106,4 @@ class AuthenticatedSessionViewSet(
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
-
-    def get_queryset(self):
-        user = self.request.user if self.request else get_anonymous_user()
-        if user.is_superuser:
-            return super().get_queryset()
-        return super().get_queryset().filter(user=user.pk)
+    owner_field = "user"
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -2,19 +2,16 @@

 from collections.abc import Iterable

-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

-from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@ -159,9 +156,9 @@ class SourceViewSet(


 class UserSourceConnectionSerializer(SourceSerializer):
-    """OAuth Source Serializer"""
+    """User source connection"""

-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True, source="source")

    class Meta:
        model = UserSourceConnection
@ -169,10 +166,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "pk",
            "user",
            "source",
+            "source_obj",
            "created",
        ]
        extra_kwargs = {
-            "user": {"read_only": True},
            "created": {"read_only": True},
        }

@ -189,17 +186,16 @@ class UserSourceConnectionViewSet(

    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["user", "source__slug"]
    search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
+    owner_field = "user"


 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection Serializer"""
+    """Group Source Connection"""

-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True)

    class Meta:
        model = GroupSourceConnection
@ -207,12 +203,11 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "pk",
            "group",
            "source",
+            "source_obj",
            "identifier",
            "created",
        ]
        extra_kwargs = {
-            "group": {"read_only": True},
-            "identifier": {"read_only": True},
            "created": {"read_only": True},
        }

@ -229,8 +224,7 @@ class GroupSourceConnectionViewSet(

    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["group", "source__slug"]
    search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
+    owner_field = "user"
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -3,18 +3,15 @@
 from typing import Any

 from django.utils.timezone import now
-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

-from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@ -138,8 +135,8 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        "managed",
    ]
    ordering = ["identifier", "expires"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"
+    rbac_allow_create_without_perm = True

    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -22,7 +22,7 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Provider
+from authentik.core.models import Application, Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer

@ -51,6 +51,13 @@ class TransactionProviderField(DictField):
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""

+    def validate(self, attrs):
+        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
+        # but we don't have a target here as that's set by the blueprint, pass in an empty app
+        # which will have the correct allowed combination of group/user/policy.
+        attrs["target"] = Application()
+        return super().validate(attrs)
+
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]

--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -427,7 +427,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid"]
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
    filterset_class = UsersFilter

    def get_queryset(self):
@ -585,7 +585,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        """Set password for user"""
        user: User = self.get_object()
        try:
-            user.set_password(request.data.get("password"))
+            user.set_password(request.data.get("password"), request=request)
            user.save()
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -44,13 +44,12 @@ class TokenBackend(InbuiltBackend):
        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
    ) -> User | None:
        try:
-
            user = User._default_manager.get_by_natural_key(username)

        except User.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password)
+            User().set_password(password, request=request)
            return None

        tokens = Token.filter_not_expired(
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -58,6 +58,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
            self._context["user"] = user
        if request:
            req.http_request = request
+            self._context["http_request"] = request
        req.context.update(**kwargs)
        self._context["request"] = req
        self._context.update(**kwargs)
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -17,7 +17,9 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict

-BANNER_TEXT = f"""### authentik shell ({get_full_version()})
+
+def get_banner_text(shell_type="shell") -> str:
+    return f"""### authentik {shell_type} ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """


@ -114,4 +116,4 @@ class Command(BaseCommand):
            readline.parse_and_bind("tab: complete")

        # Run interactive shell
-        code.interact(banner=BANNER_TEXT, local=namespace)
+        code.interact(banner=get_banner_text(), local=namespace)
--- a/authentik/core/migrations/0041_applicationentitlement.py
+++ b/authentik/core/migrations/0041_applicationentitlement.py
@ -0,0 +1,45 @@
+# Generated by Django 5.0.9 on 2024-11-20 15:16
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ApplicationEntitlement",
+            fields=[
+                (
+                    "policybindingmodel_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_policies.policybindingmodel",
+                    ),
+                ),
+                ("attributes", models.JSONField(blank=True, default=dict)),
+                ("name", models.TextField()),
+                (
+                    "app",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Application Entitlement",
+                "verbose_name_plural": "Application Entitlements",
+                "unique_together": {("app", "name")},
+            },
+            bases=("authentik_policies.policybindingmodel", models.Model),
+        ),
+    ]
--- a/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
+++ b/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
@ -0,0 +1,45 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0041_applicationentitlement"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_08251d_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_9cd839_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_195a84_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["session_key"], name="authentik_c_session_d0f005_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_a62b4b_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_a1b838_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_ba04d9_idx"
+            ),
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -314,6 +314,32 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes

+    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
+        """Get all entitlements this user has for `app`."""
+        if not app:
+            return []
+        all_groups = self.all_groups()
+        qs = app.applicationentitlement_set.filter(
+            Q(
+                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
+                bindings__negate=False,
+            )
+            | Q(
+                Q(~Q(bindings__user=self), bindings__user__isnull=False)
+                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
+                bindings__negate=True,
+            ),
+            bindings__enabled=True,
+        ).order_by("name")
+        return qs
+
+    def app_entitlements_attributes(self, app: "Application | None") -> dict:
+        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
+        final_attributes = {}
+        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
+            always_merger.merge(final_attributes, attrs)
+        return final_attributes
+
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.users import UserSerializer
@ -330,13 +356,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore

-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True, sender=None, request=None):
        if self.pk and signal:
            from authentik.core.signals import password_changed

            if not sender:
                sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password)
+            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
        self.password_change_date = now()
        return super().set_password(raw_password)

@ -581,6 +607,31 @@ class Application(SerializerModel, PolicyBindingModel):
        verbose_name_plural = _("Applications")


+class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
+    """Application-scoped entitlement to control authorization in an application"""
+
+    name = models.TextField()
+
+    app = models.ForeignKey(Application, on_delete=models.CASCADE)
+
+    class Meta:
+        verbose_name = _("Application Entitlement")
+        verbose_name_plural = _("Application Entitlements")
+        unique_together = (("app", "name"),)
+
+    def __str__(self):
+        return f"Application Entitlement {self.name} for app {self.app_id}"
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
+
+        return ApplicationEntitlementSerializer
+
+    def supported_policy_binding_targets(self):
+        return ["group", "user"]
+
+
 class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""

@ -795,6 +846,11 @@ class ExpiringModel(models.Model):

    class Meta:
        abstract = True
+        indexes = [
+            models.Index(fields=["expires"]),
+            models.Index(fields=["expiring"]),
+            models.Index(fields=["expiring", "expires"]),
+        ]

    def expire_action(self, *args, **kwargs):
        """Handler which is called when this object is expired. By
@ -850,7 +906,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
    class Meta:
        verbose_name = _("Token")
        verbose_name_plural = _("Tokens")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["identifier"]),
            models.Index(fields=["key"]),
        ]
@ -950,6 +1006,9 @@ class AuthenticatedSession(ExpiringModel):
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["session_key"]),
+        ]

    def __str__(self) -> str:
        return f"Authenticated Session {self.session_key[:10]}"
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -238,13 +238,7 @@ class SourceFlowManager:
                self.request.GET,
                flow_slug=flow_slug,
            )
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
-        if PLAN_CONTEXT_REDIRECT not in flow_context:
-            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
+        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)

        if not flow:
            return bad_request_message(
--- a/authentik/core/tests/test_application_entitlements.py
+++ b/authentik/core/tests/test_application_entitlements.py
@ -0,0 +1,153 @@
+"""Test Application Entitlements API"""
+
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, ApplicationEntitlement, Group
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.policies.dummy.models import DummyPolicy
+from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import OAuth2Provider
+
+
+class TestApplicationEntitlements(APITestCase):
+    """Test application entitlements"""
+
+    def setUp(self) -> None:
+        self.user = create_test_user()
+        self.other_user = create_test_user()
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            authorization_flow=create_test_flow(),
+        )
+        self.app: Application = Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            provider=self.provider,
+        )
+
+    def test_user(self):
+        """Test user-direct assignment"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_group(self):
+        """Test direct group"""
+        group = Group.objects.create(name=generate_id())
+        self.user.ak_groups.add(group)
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=group, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_group_indirect(self):
+        """Test indirect group"""
+        parent = Group.objects.create(name=generate_id())
+        group = Group.objects.create(name=generate_id(), parent=parent)
+        self.user.ak_groups.add(group)
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=parent, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_negate_user(self):
+        """Test with negate flag"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_negate_group(self):
+        """Test with negate flag"""
+        other_group = Group.objects.create(name=generate_id())
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_api_perms_global(self):
+        """Test API creation with global permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_scoped(self):
+        """Test API creation with scoped permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user, self.app)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_missing(self):
+        """Test API creation with no permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
+
+    def test_api_bindings_policy(self):
+        """Test that API doesn't allow policies to be bound to this"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        policy = DummyPolicy.objects.create(name=generate_id())
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+        response = self.client.post(
+            reverse("authentik_api:policybinding-list"),
+            data={
+                "target": ent.pbm_uuid,
+                "policy": policy.pk,
+                "order": 0,
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"non_field_errors": ["One of 'group', 'user' must be set."]},
+        )
+
+    def test_api_bindings_group(self):
+        """Test that API doesn't allow policies to be bound to this"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        group = Group.objects.create(name=generate_id())
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+        response = self.client.post(
+            reverse("authentik_api:policybinding-list"),
+            data={
+                "target": ent.pbm_uuid,
+                "group": group.pk,
+                "order": 0,
+            },
+        )
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,6 +6,7 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path

+from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@ -69,6 +70,7 @@ urlpatterns = [
 api_urlpatterns = [
    ("core/authenticated_sessions", AuthenticatedSessionViewSet),
    ("core/applications", ApplicationViewSet),
+    ("core/application_entitlements", ApplicationEntitlementViewSet),
    path(
        "core/transactional/applications/",
        TransactionalApplicationView.as_view(),
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -28,7 +28,6 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
@ -36,7 +35,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
+from authentik.rbac.filters import ObjectFilter, SecretKeyFilter

 LOGGER = get_logger()

--- a/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
+++ b/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
@ -0,0 +1,27 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_enterprise", "0003_remove_licenseusage_within_limits_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_3f2956_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_11d3d7_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_4d558f_idx"
+            ),
+        ),
+    ]
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -93,3 +93,4 @@ class LicenseUsage(ExpiringModel):
    class Meta:
        verbose_name = _("License Usage")
        verbose_name_plural = _("License Usage Records")
+        indexes = ExpiringModel.Meta.indexes
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -1,11 +1,8 @@
 """RAC Provider API Views"""

-from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet

-from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
@ -34,12 +31,6 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
        ]


-class ConnectionTokenOwnerFilter(OwnerFilter):
-    """Owner filter for connection tokens (checks session's user)"""
-
-    owner_key = "session__user"
-
-
 class ConnectionTokenViewSet(
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
@ -55,10 +46,4 @@ class ConnectionTokenViewSet(
    filterset_fields = ["endpoint", "session__user", "provider"]
    search_fields = ["endpoint__name", "provider__name"]
    ordering = ["endpoint__name", "provider__name"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [
-        ConnectionTokenOwnerFilter,
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
+    owner_field = "session__user"
--- a/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
+++ b/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
@ -0,0 +1,28 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_providers_rac", "0005_alter_racpropertymapping_options"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="connectiontoken",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_91f148_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="connectiontoken",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_59a5a7_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="connectiontoken",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_aed3ca_idx"
+            ),
+        ),
+    ]
--- a/authentik/enterprise/providers/rac/models.py
+++ b/authentik/enterprise/providers/rac/models.py
@ -159,9 +159,9 @@ class ConnectionToken(ExpiringModel):
            default_settings["port"] = str(port)
        else:
            default_settings["hostname"] = self.endpoint.host
-        default_settings["client-name"] = "authentik"
-        # default_settings["enable-drive"] = "true"
-        # default_settings["drive-name"] = "authentik"
+        if self.endpoint.protocol == Protocols.RDP:
+            default_settings["resize-method"] = "display-update"
+        default_settings["client-name"] = f"authentik - {self.session.user}"
        settings = {}
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
@ -211,3 +211,4 @@ class ConnectionToken(ExpiringModel):
    class Meta:
        verbose_name = _("RAC Connection token")
        verbose_name_plural = _("RAC Connection tokens")
+        indexes = ExpiringModel.Meta.indexes
--- a/authentik/enterprise/providers/rac/tests/test_models.py
+++ b/authentik/enterprise/providers/rac/tests/test_models.py
@ -50,9 +50,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
+                "resize-method": "display-update",
            },
        )
        # Set settings in provider
@ -63,10 +64,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "provider",
+                "resize-method": "display-update",
            },
        )
        # Set settings in endpoint
@ -79,10 +81,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "endpoint",
+                "resize-method": "display-update",
            },
        )
        # Set settings in token
@ -95,10 +98,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "token",
+                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (provider)
@ -114,10 +118,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_provider",
+                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (endpoint)
@ -135,11 +140,12 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": "authentik",
+                "client-name": f"authentik - {self.user}",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_endpoint",
                "foo": "true",
                "bar": "6",
+                "resize-method": "display-update",
            },
        )
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -1,14 +1,11 @@
 """AuthenticatorEndpointGDTCStage API Views"""

-from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -67,8 +64,7 @@ class EndpointDeviceViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
-    permission_classes = [OwnerPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"


 class EndpointAdminDeviceViewSet(ModelViewSet):
--- a/authentik/events/api/notifications.py
+++ b/authentik/events/api/notifications.py
@ -1,17 +1,15 @@
 """Notification API Views"""

-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
-from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet

-from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
@ -57,8 +55,7 @@ class NotificationViewSet(
        "seen",
        "user",
    ]
-    permission_classes = [OwnerPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"

    @extend_schema(
        request=OpenApiTypes.NONE,
@ -66,7 +63,7 @@ class NotificationViewSet(
            204: OpenApiResponse(description="Marked tasks as read successfully."),
        },
    )
-    @action(detail=False, methods=["post"])
+    @action(detail=False, methods=["post"], permission_classes=[IsAuthenticated])
    def mark_all_seen(self, request: Request) -> Response:
        """Mark all the user's notifications as seen"""
        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
--- a/authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py
+++ b/authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py
@ -0,0 +1,41 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_8c73a8_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_b5cb5e_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_e37180_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_4d3985_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_81d649_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_eb3598_idx"
+            ),
+        ),
+    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -306,7 +306,7 @@ class Event(SerializerModel, ExpiringModel):
    class Meta:
        verbose_name = _("Event")
        verbose_name_plural = _("Events")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["action"]),
            models.Index(fields=["user"]),
            models.Index(fields=["app"]),
@ -694,3 +694,4 @@ class SystemTask(SerializerModel, ExpiringModel):
        permissions = [("run_task", _("Run task"))]
        verbose_name = _("System Task")
        verbose_name_plural = _("System Tasks")
+        indexes = ExpiringModel.Meta.indexes
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -106,9 +106,9 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_


@receiver(password_changed)
-def on_password_changed(sender, user: User, password: str, **_):
+def on_password_changed(sender, user: User, password: str, request: HttpRequest | None, **_):
    """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
+    Event.new(EventAction.PASSWORD_SET).from_http(request, user=user)


@receiver(post_save, sender=Event)
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -138,7 +138,6 @@ def notification_cleanup(self: SystemTask):
    """Cleanup seen notifications and notifications whose event expired."""
    notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
    amount = notifications.count()
-    for notification in notifications:
-        notification.delete()
+    notifications.delete()
    LOGGER.debug("Expired notifications", amount=amount)
    self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -1,5 +1,7 @@
 """Flow Stage API Views"""

+from uuid import uuid4
+
 from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
@ -27,6 +29,11 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
    component = SerializerMethodField()
    flow_set = FlowSetSerializer(many=True, required=False)

+    def to_representation(self, instance: Stage):
+        if isinstance(instance, Stage) and instance.is_in_memory:
+            instance.stage_uuid = uuid4()
+        return super().to_representation(instance)
+
    def get_component(self, obj: Stage) -> str:
        """Get object type so that we know how to edit the object"""
        if obj.__class__ == Stage:
--- a/authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py
+++ b/authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py
@ -88,7 +88,8 @@ class Migration(migrations.Migration):
            model_name="flowstagebinding",
            name="re_evaluate_policies",
            field=models.BooleanField(
-                default=False, help_text="Evaluate policies when the Stage is present to the user."
+                default=False,
+                help_text="Evaluate policies when the Stage is presented to the user.",
            ),
        ),
        migrations.AddField(
--- a/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
+++ b/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
@ -20,7 +20,7 @@ class Migration(migrations.Migration):
            model_name="flowstagebinding",
            name="re_evaluate_policies",
            field=models.BooleanField(
-                default=True, help_text="Evaluate policies when the Stage is present to the user."
+                default=True, help_text="Evaluate policies when the Stage is presented to the user."
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -102,8 +102,12 @@ class Stage(SerializerModel):
        user settings are available, or a challenge."""
        return None

+    @property
+    def is_in_memory(self):
+        return hasattr(self, "__in_memory_type")
+
    def __str__(self):
-        if hasattr(self, "__in_memory_type"):
+        if self.is_in_memory:
            return f"In-memory Stage {getattr(self, '__in_memory_type')}"
        return f"Stage {self.name}"

@ -227,7 +231,7 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
    )
    re_evaluate_policies = models.BooleanField(
        default=True,
-        help_text=_("Evaluate policies when the Stage is present to the user."),
+        help_text=_("Evaluate policies when the Stage is presented to the user."),
    )

    invalid_response_action = models.TextField(
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -159,9 +159,17 @@ class FlowPlan:
            stage = final_stage(request=request, executor=temp_exec)
            return stage.dispatch(request)

+        get_qs = request.GET.copy()
+        if request.user.is_authenticated and (
+            # Object-scoped permission or global permission
+            request.user.has_perm("authentik_flows.inspect_flow", flow)
+            or request.user.has_perm("authentik_flows.inspect_flow")
+        ):
+            get_qs["inspector"] = "available"
+
        return redirect_with_qs(
            "authentik_core:if-flow",
-            request.GET,
+            get_qs,
            flow_slug=flow.slug,
        )

--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -7,8 +7,8 @@ from django.http import HttpRequest, HttpResponse
 from django.test.client import RequestFactory
 from django.urls import reverse

-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.models import Group, User
+from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import (
    FlowDeniedAction,
@ -255,7 +255,11 @@ class TestFlowExecutor(FlowTestCase):
        )

        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=0,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -278,8 +282,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding)
            self.assertEqual(plan.bindings[1], binding2)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
+            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)

            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -301,7 +305,11 @@ class TestFlowExecutor(FlowTestCase):
        )

        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=0,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -310,7 +318,11 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=2,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )

        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -328,9 +340,9 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[1], binding2)
            self.assertEqual(plan.bindings[2], binding3)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertIsInstance(plan.markers[2], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[2].__class__, StageMarker)

            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -341,8 +353,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding2)
            self.assertEqual(plan.bindings[1], binding3)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[1].__class__, StageMarker)

        # third request, this should trigger the re-evaluate
        # We do this request without the patch, so the policy results in false
@ -360,7 +372,11 @@ class TestFlowExecutor(FlowTestCase):
        )

        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=0,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -369,7 +385,11 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=2,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )

        PolicyBinding.objects.create(policy=true_policy, target=binding2, order=0)
@ -387,9 +407,9 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[1], binding2)
            self.assertEqual(plan.bindings[2], binding3)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertIsInstance(plan.markers[2], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[2].__class__, StageMarker)

            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -400,8 +420,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding2)
            self.assertEqual(plan.bindings[1], binding3)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[1].__class__, StageMarker)

            # Third request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -411,7 +431,7 @@ class TestFlowExecutor(FlowTestCase):

            self.assertEqual(plan.bindings[0], binding3)

-            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, StageMarker)

        # third request, this should trigger the re-evaluate
        # We do this request without the patch, so the policy results in false
@ -429,7 +449,11 @@ class TestFlowExecutor(FlowTestCase):
        )

        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=0,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -444,7 +468,11 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding4 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=2,
+            evaluate_on_plan=True,
+            re_evaluate_policies=False,
        )

        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -465,10 +493,10 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[2], binding3)
            self.assertEqual(plan.bindings[3], binding4)

-            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertIsInstance(plan.markers[2], ReevaluateMarker)
-            self.assertIsInstance(plan.markers[3], StageMarker)
+            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[2].__class__, ReevaluateMarker)
+            self.assertEqual(plan.markers[3].__class__, StageMarker)

        # Second request, this passes the first dummy stage
        response = self.client.post(exec_url)
@ -519,9 +547,9 @@ class TestFlowExecutor(FlowTestCase):
        )
        # Stage 0 is a deny stage that is added dynamically
        # when the reputation policy says so
-        deny_stage = DenyStage.objects.create(name="deny")
+        deny_stage = DenyStage.objects.create(name=generate_id())
        reputation_policy = ReputationPolicy.objects.create(
-            name="reputation", threshold=-1, check_ip=False
+            name=generate_id(), threshold=-1, check_ip=False
        )
        deny_binding = FlowStageBinding.objects.create(
            target=flow,
@ -534,7 +562,7 @@ class TestFlowExecutor(FlowTestCase):

        # Stage 1 is an identification stage
        ident_stage = IdentificationStage.objects.create(
-            name="ident",
+            name=generate_id(),
            user_fields=[UserFields.E_MAIL],
            pretend_user_exists=False,
        )
@ -559,3 +587,64 @@ class TestFlowExecutor(FlowTestCase):
        )
        response = self.client.post(exec_url, {"uid_field": "invalid-string"}, follow=True)
        self.assertStageResponse(response, flow, component="ak-stage-access-denied")
+
+    def test_re_evaluate_group_binding(self):
+        """Test re-evaluate stage binding that has a policy binding to a group"""
+        flow = create_test_flow()
+
+        user_group_membership = create_test_user()
+        user_direct_binding = create_test_user()
+        user_other = create_test_user()
+
+        group_a = Group.objects.create(name=generate_id())
+        user_group_membership.ak_groups.add(group_a)
+
+        # Stage 0 is an identification stage
+        ident_stage = IdentificationStage.objects.create(
+            name=generate_id(),
+            user_fields=[UserFields.USERNAME],
+            pretend_user_exists=False,
+        )
+        FlowStageBinding.objects.create(
+            target=flow,
+            stage=ident_stage,
+            order=0,
+        )
+
+        # Stage 1 is a dummy stage that is only shown for users in group_a
+        dummy_stage = DummyStage.objects.create(name=generate_id())
+        dummy_binding = FlowStageBinding.objects.create(target=flow, stage=dummy_stage, order=1)
+        PolicyBinding.objects.create(group=group_a, target=dummy_binding, order=0)
+        PolicyBinding.objects.create(user=user_direct_binding, target=dummy_binding, order=0)
+
+        # Stage 2 is a deny stage that (in this case) only user_b will see
+        deny_stage = DenyStage.objects.create(name=generate_id())
+        FlowStageBinding.objects.create(target=flow, stage=deny_stage, order=2)
+
+        exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
+
+        with self.subTest(f"Test user access through group: {user_group_membership}"):
+            self.client.logout()
+            # First request, run the planner
+            response = self.client.get(exec_url)
+            self.assertStageResponse(response, flow, component="ak-stage-identification")
+            response = self.client.post(
+                exec_url, {"uid_field": user_group_membership.username}, follow=True
+            )
+            self.assertStageResponse(response, flow, component="ak-stage-dummy")
+        with self.subTest(f"Test user access through user: {user_direct_binding}"):
+            self.client.logout()
+            # First request, run the planner
+            response = self.client.get(exec_url)
+            self.assertStageResponse(response, flow, component="ak-stage-identification")
+            response = self.client.post(
+                exec_url, {"uid_field": user_direct_binding.username}, follow=True
+            )
+            self.assertStageResponse(response, flow, component="ak-stage-dummy")
+        with self.subTest(f"Test user has no access: {user_other}"):
+            self.client.logout()
+            # First request, run the planner
+            response = self.client.get(exec_url)
+            self.assertStageResponse(response, flow, component="ak-stage-identification")
+            response = self.client.post(exec_url, {"uid_field": user_other.username}, follow=True)
+            self.assertStageResponse(response, flow, component="ak-stage-access-denied")
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -8,6 +8,7 @@ from rest_framework.test import APITestCase

 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, InvalidResponseAction
+from authentik.lib.generators import generate_id
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields

@ -26,7 +27,7 @@ class TestFlowInspector(APITestCase):

        # Stage 1 is an identification stage
        ident_stage = IdentificationStage.objects.create(
-            name="ident",
+            name=generate_id(),
            user_fields=[UserFields.USERNAME],
        )
        FlowStageBinding.objects.create(
@ -35,9 +36,8 @@ class TestFlowInspector(APITestCase):
            order=1,
            invalid_response_action=InvalidResponseAction.RESTART_WITH_CONTEXT,
        )
-        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy2"), order=1
-        )
+        dummy_stage = DummyStage.objects.create(name=generate_id())
+        FlowStageBinding.objects.create(target=flow, stage=dummy_stage, order=1)

        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
@ -68,9 +68,11 @@ class TestFlowInspector(APITestCase):
        )
        content = loads(ins.content)
        self.assertEqual(content["is_completed"], False)
-        self.assertEqual(content["current_plan"]["current_stage"]["stage_obj"]["name"], "ident")
        self.assertEqual(
-            content["current_plan"]["next_planned_stage"]["stage_obj"]["name"], "dummy2"
+            content["current_plan"]["current_stage"]["stage_obj"]["name"], ident_stage.name
+        )
+        self.assertEqual(
+            content["current_plan"]["next_planned_stage"]["stage_obj"]["name"], dummy_stage.name
        )

        self.client.post(
@ -84,8 +86,12 @@ class TestFlowInspector(APITestCase):
        )
        content = loads(ins.content)
        self.assertEqual(content["is_completed"], False)
-        self.assertEqual(content["plans"][0]["current_stage"]["stage_obj"]["name"], "ident")
-        self.assertEqual(content["current_plan"]["current_stage"]["stage_obj"]["name"], "dummy2")
+        self.assertEqual(
+            content["plans"][0]["current_stage"]["stage_obj"]["name"], ident_stage.name
+        )
+        self.assertEqual(
+            content["current_plan"]["current_stage"]["stage_obj"]["name"], dummy_stage.name
+        )
        self.assertEqual(
            content["current_plan"]["plan_context"]["pending_user"]["username"], self.admin.username
        )
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -29,6 +29,7 @@ from authentik.flows.planner import (
    cache_key,
 )
 from authentik.flows.stage import StageView
+from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@ -153,7 +154,7 @@ class TestFlowPlanner(TestCase):
        """Test planner cache"""
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
@ -172,7 +173,7 @@ class TestFlowPlanner(TestCase):
        """Test planner with default_context"""
        flow = create_test_flow()
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )

        user = User.objects.create(username="test-user")
@ -191,7 +192,7 @@ class TestFlowPlanner(TestCase):

        FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy1"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            re_evaluate_policies=True,
        )
@ -204,7 +205,7 @@ class TestFlowPlanner(TestCase):
        planner = FlowPlanner(flow)
        plan = planner.plan(request)

-        self.assertIsInstance(plan.markers[0], ReevaluateMarker)
+        self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)

    def test_planner_reevaluate_actual(self):
        """Test planner with re-evaluate"""
@ -212,11 +213,14 @@ class TestFlowPlanner(TestCase):
        false_policy = DummyPolicy.objects.create(result=False, wait_min=1, wait_max=2)

        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow,
+            stage=DummyStage.objects.create(name=generate_id()),
+            order=0,
+            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy2"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=1,
            re_evaluate_policies=True,
        )
@ -240,6 +244,8 @@ class TestFlowPlanner(TestCase):
            self.assertEqual(plan.bindings[0], binding)
            self.assertEqual(plan.bindings[1], binding2)

+            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
            self.assertIsInstance(plan.markers[0], StageMarker)
            self.assertIsInstance(plan.markers[1], ReevaluateMarker)

--- a/authentik/flows/views/inspector.py
+++ b/authentik/flows/views/inspector.py
@ -78,7 +78,9 @@ class FlowInspectorView(APIView):
        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        if settings.DEBUG:
            return
-        if request.user.has_perm("authentik_flow.inspect_flow", self.flow):
+        if request.user.has_perm(
+            "authentik_flows.inspect_flow", self.flow
+        ) or request.user.has_perm("authentik_flows.inspect_flow"):
            return
        raise Http404

@ -94,6 +96,9 @@ class FlowInspectorView(APIView):
        """Get current flow state and record it"""
        plans = []
        for plan in request.session.get(SESSION_KEY_HISTORY, []):
+            plan: FlowPlan
+            if plan.flow_pk != self.flow.pk.hex:
+                continue
            plan_serializer = FlowInspectorPlanSerializer(
                instance=plan, context={"request": request}
            )
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -280,9 +280,24 @@ class ConfigLoader:
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default

+    def get_optional_int(self, path: str, default=None) -> int | None:
+        """Wrapper for get that converts value into int or None if set"""
+        value = self.get(path, default)
+
+        try:
+            return int(value)
+        except (ValueError, TypeError) as exc:
+            if value is None or (isinstance(value, str) and value.lower() == "null"):
+                return None
+            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
+            return default
+
    def get_bool(self, path: str, default=False) -> bool:
        """Wrapper for get that converts value into boolean"""
-        return str(self.get(path, default)).lower() == "true"
+        value = self.get(path, UNSET)
+        if value is UNSET:
+            return default
+        return str(self.get(path)).lower() == "true"

    def get_keys(self, path: str, sep=".") -> list[str]:
        """List attribute keys by using yaml path"""
@ -354,20 +369,33 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
+            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
+                "postgresql.disable_server_side_cursors", False
+            ),
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }

+    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors

    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
+        if conn_max_age is not UNSET:
+            db["default"]["CONN_MAX_AGE"] = conn_max_age

    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -6,8 +6,6 @@ postgresql:
  user: authentik
  port: 5432
  password: "env://POSTGRES_PASSWORD"
-  use_pgbouncer: false
-  use_pgpool: false
  test:
    name: test_authentik
  read_replicas: {}
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -9,20 +9,25 @@ from typing import Any

 from cachetools import TLRUCache, cached
 from django.core.exceptions import FieldError
+from django.http import HttpRequest
 from django.utils.text import slugify
+from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 from authentik.stages.authenticator import devices_for_user

 LOGGER = get_logger()
@ -56,6 +61,7 @@ class BaseEvaluator:
            "ak_logger": get_logger(self._filename).bind(),
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
+            "ak_create_jwt": self.expr_create_jwt,
            "ip_address": ip_address,
            "ip_network": ip_network,
            "list_flatten": BaseEvaluator.expr_flatten,
@ -182,6 +188,36 @@ class BaseEvaluator:
        proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
        return proc.profiling_wrapper()

+    def expr_create_jwt(
+        self,
+        user: User,
+        provider: OAuth2Provider | str,
+        scopes: list[str],
+        validity: str = "seconds=60",
+    ) -> str | None:
+        """Issue a JWT for a given provider"""
+        request: HttpRequest = self._context.get("http_request")
+        if not request:
+            return None
+        if not isinstance(provider, OAuth2Provider):
+            provider = OAuth2Provider.objects.get(name=provider)
+        session = None
+        if hasattr(request, "session") and request.session.session_key:
+            session = AuthenticatedSession.objects.filter(
+                session_key=request.session.session_key
+            ).first()
+        access_token = AccessToken(
+            provider=provider,
+            user=user,
+            expires=now() + timedelta_from_string(validity),
+            scope=scopes,
+            auth_time=now(),
+            session=session,
+        )
+        access_token.id_token = IDToken.new(provider, access_token, request)
+        access_token.save()
+        return access_token.token
+
    def wrap_expression(self, expression: str) -> str:
        """Wrap expression in a function, call it, and save the result as `result`"""
        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -214,6 +214,9 @@ class TestConfig(TestCase):
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                }
            },
        )
@ -251,6 +254,9 @@ class TestConfig(TestCase):
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
@ -266,6 +272,72 @@ class TestConfig(TestCase):
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                },
+            },
+        )
+
+    def test_db_read_replicas_pgbouncer(self):
+        """Test read replicas"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.sslmode", "foo")
+        config.set("postgresql.sslrootcert", "foo")
+        config.set("postgresql.sslcert", "foo")
+        config.set("postgresql.sslkey", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pgbouncer", True)
+        # Read replica
+        config.set("postgresql.read_replicas.0.host", "bar")
+        # Override conn_max_age
+        config.set("postgresql.read_replicas.0.conn_max_age", 10)
+        # This isn't supported
+        config.set("postgresql.read_replicas.0.use_pgbouncer", False)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": None,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                },
+                "replica_0": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 10,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "bar",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
                },
            },
        )
@ -294,6 +366,8 @@ class TestConfig(TestCase):
            {
                "default": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
@ -310,6 +384,8 @@ class TestConfig(TestCase):
                },
                "replica_0": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
@ -362,6 +438,9 @@ class TestConfig(TestCase):
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
@ -377,6 +456,9 @@ class TestConfig(TestCase):
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                },
            },
        )
--- a/authentik/lib/tests/test_evaluator.py
+++ b/authentik/lib/tests/test_evaluator.py
@ -1,11 +1,15 @@
 """Test Evaluator base functions"""

-from django.test import TestCase
+from django.test import RequestFactory, TestCase
+from django.urls import reverse
+from jwt import decode

-from authentik.core.tests.utils import create_test_admin_user
+from authentik.blueprints.tests import apply_blueprint
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
 from authentik.events.models import Event
 from authentik.lib.expression.evaluator import BaseEvaluator
 from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping


 class TestEvaluator(TestCase):
@ -41,3 +45,35 @@ class TestEvaluator(TestCase):
        event = Event.objects.filter(action="custom_foo").first()
        self.assertIsNotNone(event)
        self.assertEqual(event.context, {"bar": "baz", "foo": "bar"})
+
+    @apply_blueprint("system/providers-oauth2.yaml")
+    def test_expr_create_jwt(self):
+        """Test expr_create_jwt"""
+        rf = RequestFactory()
+        user = create_test_user()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                managed__in=[
+                    "goauthentik.io/providers/oauth2/scope-openid",
+                    "goauthentik.io/providers/oauth2/scope-email",
+                    "goauthentik.io/providers/oauth2/scope-profile",
+                ]
+            )
+        )
+        evaluator = BaseEvaluator(generate_id())
+        evaluator._context = {
+            "http_request": rf.get(reverse("authentik_core:root-redirect")),
+            "user": user,
+            "provider": provider.name,
+        }
+        jwt = evaluator.evaluate(
+            "return ak_create_jwt(user, provider, ['openid', 'email', 'profile'])"
+        )
+        decoded = decode(
+            jwt, provider.client_secret, algorithms=["HS256"], audience=provider.client_id
+        )
+        self.assertEqual(decoded["preferred_username"], user.username)
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -207,7 +207,7 @@ class KubernetesObjectReconciler(Generic[T]):
                "app.kubernetes.io/instance": slugify(self.controller.outpost.name),
                "app.kubernetes.io/managed-by": "goauthentik.io",
                "app.kubernetes.io/name": f"authentik-{self.controller.outpost.type.lower()}",
-                "app.kubernetes.io/version": get_version(),
+                "app.kubernetes.io/version": get_version().replace("+", "-"),
                "goauthentik.io/outpost-name": slugify(self.controller.outpost.name),
                "goauthentik.io/outpost-type": str(self.controller.outpost.type),
                "goauthentik.io/outpost-uuid": self.controller.outpost.uuid.hex,
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@ -94,7 +94,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
        meta = self.get_object_meta(name=self.name)
        image_name = self.controller.get_container_image()
        image_pull_secrets = self.outpost.config.kubernetes_image_pull_secrets
-        version = get_full_version()
+        version = get_full_version().replace("+", "-")
        return V1Deployment(
            metadata=meta,
            spec=V1DeploymentSpec(
--- a/authentik/outposts/controllers/k8s/service_monitor.py
+++ b/authentik/outposts/controllers/k8s/service_monitor.py
@ -13,7 +13,7 @@ if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController


-@dataclass
+@dataclass(slots=True)
 class PrometheusServiceMonitorSpecEndpoint:
    """Prometheus ServiceMonitor endpoint spec"""

@ -21,14 +21,14 @@ class PrometheusServiceMonitorSpecEndpoint:
    path: str = field(default="/metrics")


-@dataclass
+@dataclass(slots=True)
 class PrometheusServiceMonitorSpecSelector:
    """Prometheus ServiceMonitor selector spec"""

    matchLabels: dict


-@dataclass
+@dataclass(slots=True)
 class PrometheusServiceMonitorSpec:
    """Prometheus ServiceMonitor spec"""

@ -37,7 +37,7 @@ class PrometheusServiceMonitorSpec:
    selector: PrometheusServiceMonitorSpecSelector


-@dataclass
+@dataclass(slots=True)
 class PrometheusServiceMonitorMetadata:
    """Prometheus ServiceMonitor metadata"""

@ -46,7 +46,7 @@ class PrometheusServiceMonitorMetadata:
    labels: dict = field(default_factory=dict)


-@dataclass
+@dataclass(slots=True)
 class PrometheusServiceMonitor:
    """Prometheus ServiceMonitor"""

--- a/authentik/policies/api/bindings.py
+++ b/authentik/policies/api/bindings.py
@ -84,19 +84,17 @@ class PolicyBindingSerializer(ModelSerializer):

    def validate(self, attrs: OrderedDict) -> OrderedDict:
        """Check that either policy, group or user is set."""
-        count = sum(
-            [
-                bool(attrs.get("policy", None)),
-                bool(attrs.get("group", None)),
-                bool(attrs.get("user", None)),
-            ]
-        )
+        target: PolicyBindingModel = attrs.get("target")
+        supported = target.supported_policy_binding_targets()
+        supported.sort()
+        count = sum([bool(attrs.get(x, None)) for x in supported])
        invalid = count > 1
        empty = count < 1
+        warning = ", ".join(f"'{x}'" for x in supported)
        if invalid:
-            raise ValidationError("Only one of 'policy', 'group' or 'user' can be set.")
+            raise ValidationError(f"Only one of {warning} can be set.")
        if empty:
-            raise ValidationError("One of 'policy', 'group' or 'user' must be set.")
+            raise ValidationError(f"One of {warning} must be set.")
        return attrs


--- a/authentik/policies/migrations/0011_policybinding_failure_result_and_more.py
+++ b/authentik/policies/migrations/0011_policybinding_failure_result_and_more.py
@ -1,4 +1,6 @@
 # Generated by Django 4.2.5 on 2023-09-13 18:07
+import authentik.lib.models
+import django.db.models.deletion

 from django.db import migrations, models

@ -23,4 +25,13 @@ class Migration(migrations.Migration):
                default=30, help_text="Timeout after which Policy execution is terminated."
            ),
        ),
+        migrations.AlterField(
+            model_name="policybinding",
+            name="target",
+            field=authentik.lib.models.InheritanceForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="bindings",
+                to="authentik_policies.policybindingmodel",
+            ),
+        ),
    ]
--- a/authentik/policies/models.py
+++ b/authentik/policies/models.py
@ -47,6 +47,10 @@ class PolicyBindingModel(models.Model):
    def __str__(self) -> str:
        return f"PolicyBindingModel {self.pbm_uuid}"

+    def supported_policy_binding_targets(self):
+        """Return the list of objects that can be bound to this object."""
+        return ["policy", "user", "group"]
+

 class PolicyBinding(SerializerModel):
    """Relationship between a Policy and a PolicyBindingModel."""
@ -81,7 +85,9 @@ class PolicyBinding(SerializerModel):
        blank=True,
    )

-    target = InheritanceForeignKey(PolicyBindingModel, on_delete=models.CASCADE, related_name="+")
+    target = InheritanceForeignKey(
+        PolicyBindingModel, on_delete=models.CASCADE, related_name="bindings"
+    )
    negate = models.BooleanField(
        default=False,
        help_text=_("Negates the outcome of the policy. Messages are unaffected."),
--- a/authentik/policies/reputation/migrations/0008_reputation_authentik_p_expires_da493f_idx_and_more.py
+++ b/authentik/policies/reputation/migrations/0008_reputation_authentik_p_expires_da493f_idx_and_more.py
@ -0,0 +1,30 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_policies_reputation",
+            "0007_reputation_authentik_p_identif_9434d7_idx_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="reputation",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_da493f_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="reputation",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_2ab34f_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="reputation",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_2a8ec7_idx"
+            ),
+        ),
+    ]
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@ -96,7 +96,7 @@ class Reputation(ExpiringModel, SerializerModel):
        verbose_name = _("Reputation Score")
        verbose_name_plural = _("Reputation Scores")
        unique_together = ("identifier", "ip")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["identifier"]),
            models.Index(fields=["ip"]),
            models.Index(fields=["ip", "identifier"]),
--- a/authentik/policies/tests/test_bindings_api.py
+++ b/authentik/policies/tests/test_bindings_api.py
@ -38,7 +38,7 @@ class TestBindingsAPI(APITestCase):
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {"non_field_errors": ["Only one of 'policy', 'group' or 'user' can be set."]},
+            {"non_field_errors": ["Only one of 'group', 'policy', 'user' can be set."]},
        )

    def test_invalid_too_little(self):
@ -49,5 +49,5 @@ class TestBindingsAPI(APITestCase):
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {"non_field_errors": ["One of 'policy', 'group' or 'user' must be set."]},
+            {"non_field_errors": ["One of 'group', 'policy', 'user' must be set."]},
        )
--- a/authentik/providers/oauth2/migrations/0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more.py
@ -0,0 +1,72 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_providers_oauth2", "0026_alter_accesstoken_session_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_9f24a5_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_2d9205_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_c74005_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="authorizationcode",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_f594b2_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authorizationcode",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_6a5e2c_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authorizationcode",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_c0f353_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="devicetoken",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_961437_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="devicetoken",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_4fd278_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="devicetoken",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_cd6b1c_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["expires"], name="authentik_p_expires_c479a7_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(fields=["expiring"], name="authentik_p_expirin_d4d17f_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_p_expirin_acb4a5_idx"
+            ),
+        ),
+    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -425,6 +425,7 @@ class AuthorizationCode(SerializerModel, ExpiringModel, BaseGrantModel):
    class Meta:
        verbose_name = _("Authorization Code")
        verbose_name_plural = _("Authorization Codes")
+        indexes = ExpiringModel.Meta.indexes

    def __str__(self):
        return f"Authorization code for {self.provider_id} for user {self.user_id}"
@ -453,7 +454,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
    _id_token = models.TextField()

    class Meta:
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Access Token")
@ -504,7 +505,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
    )

    class Meta:
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Refresh Token")
@ -556,6 +557,7 @@ class DeviceToken(ExpiringModel):
    class Meta:
        verbose_name = _("Device Token")
        verbose_name_plural = _("Device Tokens")
+        indexes = ExpiringModel.Meta.indexes

    def __str__(self):
        return f"Device Token for {self.provider_id}"
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -49,7 +49,9 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
-            ),
+            )
+            + "?"
+            + urlencode({"inspector": "available"}),
        )

    def test_device_init_post(self):
@ -63,7 +65,9 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                kwargs={
                    "flow_slug": self.device_flow.slug,
                },
-            ),
+            )
+            + "?"
+            + urlencode({"inspector": "available"}),
        )
        res = self.api_client.get(
            reverse(
@ -118,7 +122,9 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                    kwargs={
                        "flow_slug": provider.authorization_flow.slug,
                    },
-                ),
+                )
+                + "?"
+                + urlencode({"inspector": "available"}),
            },
        )

@ -150,7 +156,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                },
            )
            + "?"
-            + urlencode({QS_KEY_CODE: token.user_code}),
+            + urlencode({QS_KEY_CODE: token.user_code, "inspector": "available"}),
        )

    def test_device_init_denied(self):
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -12,6 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_cert,
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
    AccessToken,
+    ClientTypes,
    IDToken,
    OAuth2Provider,
    RedirectURI,
@ -108,3 +109,29 @@ class TesOAuth2Revoke(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 401)
+
+    def test_revoke_public(self):
+        """Test revoke public client"""
+        self.provider.client_type = ClientTypes.PUBLIC
+        self.provider.save()
+        token: AccessToken = AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        auth_public = b64encode(f"{self.provider.client_id}:{generate_id()}".encode()).decode()
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-revoke"),
+            HTTP_AUTHORIZATION=f"Basic {auth_public}",
+            data={
+                "token": token.token,
+            },
+        )
+        self.assertEqual(res.status_code, 200)
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -178,12 +178,18 @@ def protected_resource_view(scopes: list[str]):
    return wrapper


-def authenticate_provider(request: HttpRequest) -> OAuth2Provider | None:
-    """Attempt to authenticate via Basic auth of client_id:client_secret"""
+def provider_from_request(request: HttpRequest) -> tuple[OAuth2Provider | None, str, str]:
+    """Get provider from Basic auth of client_id:client_secret. Does not perform authentication"""
    client_id, client_secret = extract_client_auth(request)
    if client_id == client_secret == "":
-        return None
+        return None, "", ""
    provider: OAuth2Provider | None = OAuth2Provider.objects.filter(client_id=client_id).first()
+    return provider, client_id, client_secret
+
+
+def authenticate_provider(request: HttpRequest) -> OAuth2Provider | None:
+    """Attempt to authenticate via Basic auth of client_id:client_secret"""
+    provider, client_id, client_secret = provider_from_request(request)
    if not provider:
        return None
    if client_id != provider.client_id or client_secret != provider.client_secret:
--- a/authentik/providers/oauth2/views/token_revoke.py
+++ b/authentik/providers/oauth2/views/token_revoke.py
@ -9,8 +9,12 @@ from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger

 from authentik.providers.oauth2.errors import TokenRevocationError
-from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, RefreshToken
-from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
+from authentik.providers.oauth2.models import AccessToken, ClientTypes, OAuth2Provider, RefreshToken
+from authentik.providers.oauth2.utils import (
+    TokenResponse,
+    authenticate_provider,
+    provider_from_request,
+)

 LOGGER = get_logger()

@ -27,7 +31,9 @@ class TokenRevocationParams:
        """Extract required Parameters from HTTP Request"""
        raw_token = request.POST.get("token")

-        provider = authenticate_provider(request)
+        provider, _, _ = provider_from_request(request)
+        if provider and provider.client_type == ClientTypes.CONFIDENTIAL:
+            provider = authenticate_provider(request)
        if not provider:
            raise TokenRevocationError("invalid_client")

--- a/authentik/providers/proxy/controllers/k8s/traefik_3.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik_3.py
@ -15,7 +15,7 @@ if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController


-@dataclass
+@dataclass(slots=True)
 class TraefikMiddlewareSpecForwardAuth:
    """traefik middleware forwardAuth spec"""

@ -28,14 +28,14 @@ class TraefikMiddlewareSpecForwardAuth:
    trustForwardHeader: bool = field(default=True)


-@dataclass
+@dataclass(slots=True)
 class TraefikMiddlewareSpec:
    """Traefik middleware spec"""

    forwardAuth: TraefikMiddlewareSpecForwardAuth


-@dataclass
+@dataclass(slots=True)
 class TraefikMiddlewareMetadata:
    """Traefik Middleware metadata"""

@ -44,7 +44,7 @@ class TraefikMiddlewareMetadata:
    labels: dict = field(default_factory=dict)


-@dataclass
+@dataclass(slots=True)
 class TraefikMiddleware:
    """Traefik Middleware"""

@ -127,6 +127,7 @@ class Traefik3MiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware]
                    authResponseHeaders=[
                        "X-authentik-username",
                        "X-authentik-groups",
+                        "X-authentik-entitlements",
                        "X-authentik-email",
                        "X-authentik-name",
                        "X-authentik-uid",
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -147,6 +147,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
                "goauthentik.io/providers/oauth2/scope-openid",
                "goauthentik.io/providers/oauth2/scope-profile",
                "goauthentik.io/providers/oauth2/scope-email",
+                "goauthentik.io/providers/oauth2/scope-entitlements",
                "goauthentik.io/providers/proxy/scope-proxy",
            ]
        )
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -16,6 +16,7 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, FileField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.permissions import AllowAny
+from rest_framework.renderers import BaseRenderer, JSONRenderer
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import PrimaryKeyRelatedField, ValidationError
@ -38,6 +39,16 @@ from authentik.sources.saml.processors.constants import SAML_BINDING_POST, SAML_
 LOGGER = get_logger()


+class RawXMLDataRenderer(BaseRenderer):
+    """Renderer to allow application/xml as value for 'Accept' in the metadata endpoint."""
+
+    media_type = "application/xml"
+    format = "xml"
+
+    def render(self, data, accepted_media_type=None, renderer_context=None):
+        return data
+
+
 class SAMLProviderSerializer(ProviderSerializer):
    """SAMLProvider Serializer"""

@ -54,9 +65,23 @@ class SAMLProviderSerializer(ProviderSerializer):
        if "request" not in self._context:
            return ""
        request: HttpRequest = self._context["request"]._request
-        return request.build_absolute_uri(
-            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": instance.pk}) + "?download"
-        )
+        try:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:metadata-download",
+                    kwargs={"application_slug": instance.application.slug},
+                )
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_api:samlprovider-metadata",
+                    kwargs={
+                        "pk": instance.pk,
+                    },
+                )
+                + "?download"
+            )

    def get_url_sso_post(self, instance: SAMLProvider) -> str:
        """Get SSO Post URL"""
@ -224,9 +249,21 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                ],
                description="Optionally force the metadata to only include one binding.",
            ),
+            # Explicitly excluded, because otherwise spectacular automatically
+            # add it when using multiple renderer_classes
+            OpenApiParameter(
+                name="format",
+                exclude=True,
+                required=False,
+            ),
        ],
    )
-    @action(methods=["GET"], detail=True, permission_classes=[AllowAny])
+    @action(
+        methods=["GET"],
+        detail=True,
+        permission_classes=[AllowAny],
+        renderer_classes=[JSONRenderer, RawXMLDataRenderer],
+    )
    def metadata(self, request: Request, pk: int) -> Response:
        """Return metadata as XML string"""
        # We don't use self.get_object() on purpose as this view is un-authenticated
@ -244,9 +281,9 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
                    f'attachment; filename="{provider.name}_authentik_meta.xml"'
                )
                return response
-            return Response({"metadata": metadata})
+            return Response({"metadata": metadata}, content_type="application/json")
        except Provider.application.RelatedObjectDoesNotExist:
-            return Response({"metadata": ""})
+            return Response({"metadata": ""}, content_type="application/json")

    @permission_required(
        None,
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -256,7 +256,7 @@ class AssertionProcessor:
        assertion.attrib["IssueInstant"] = self._issue_instant
        assertion.append(self.get_issuer())

-        if self.provider.signing_kp:
+        if self.provider.signing_kp and self.provider.sign_assertion:
            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
            )
@ -295,6 +295,18 @@ class AssertionProcessor:

        response.append(self.get_issuer())

+        if self.provider.signing_kp and self.provider.sign_response:
+            sign_algorithm_transform = SIGN_ALGORITHM_TRANSFORM_MAP.get(
+                self.provider.signature_algorithm, xmlsec.constants.TransformRsaSha1
+            )
+            signature = xmlsec.template.create(
+                response,
+                xmlsec.constants.TransformExclC14N,
+                sign_algorithm_transform,
+                ns=xmlsec.constants.DSigNs,
+            )
+            response.append(signature)
+
        status = SubElement(response, f"{{{NS_SAML_PROTOCOL}}}Status")
        status_code = SubElement(status, f"{{{NS_SAML_PROTOCOL}}}StatusCode")
        status_code.attrib["Value"] = "urn:oasis:names:tc:SAML:2.0:status:Success"
--- a/authentik/providers/saml/tests/test_api.py
+++ b/authentik/providers/saml/tests/test_api.py
@ -104,6 +104,22 @@ class TestSAMLProviderAPI(APITestCase):
        )
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
+        # Test download with Accept: application/xml
+        response = self.client.get(
+            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk})
+            + "?download",
+            HTTP_ACCEPT="application/xml",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)
+
+        response = self.client.get(
+            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk})
+            + "?download",
+            HTTP_ACCEPT="application/xml;charset=UTF-8",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)

    def test_metadata_invalid(self):
        """Test metadata export (invalid)"""
@ -121,6 +137,11 @@ class TestSAMLProviderAPI(APITestCase):
            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": "abc"}),
        )
        self.assertEqual(404, response.status_code)
+        response = self.client.get(
+            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": provider.pk}),
+            HTTP_ACCEPT="application/invalid-mime-type",
+        )
+        self.assertEqual(406, response.status_code)

    def test_import_success(self):
        """Test metadata import (success case)"""
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -2,8 +2,10 @@

 from base64 import b64encode

+from defusedxml.lxml import fromstring
 from django.http.request import QueryDict
 from django.test import TestCase
+from lxml import etree  # nosec

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@ -11,12 +13,14 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
+from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.constants import (
+    NS_MAP,
    SAML_BINDING_REDIRECT,
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
@ -185,6 +189,19 @@ class TestAuthNRequest(TestCase):
        self.assertEqual(response.count(response_proc._assertion_id), 2)
        self.assertEqual(response.count(response_proc._response_id), 2)

+        schema = etree.XMLSchema(
+            etree.parse("schemas/saml-schema-protocol-2.0.xsd", parser=etree.XMLParser())  # nosec
+        )
+        self.assertTrue(schema.validate(lxml_from_string(response)))
+
+        response_xml = fromstring(response)
+        self.assertEqual(
+            len(response_xml.xpath("//saml:Assertion/ds:Signature", namespaces=NS_MAP)), 1
+        )
+        self.assertEqual(
+            len(response_xml.xpath("//samlp:Response/ds:Signature", namespaces=NS_MAP)), 1
+        )
+
        # Now parse the response (source)
        http_request.POST = QueryDict(mutable=True)
        http_request.POST["SAMLResponse"] = b64encode(response.encode()).decode()
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -5,6 +5,7 @@ from django.contrib.auth.models import Permission
 from django.db.models import QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
+from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
    CharField,
@ -13,6 +14,8 @@ from rest_framework.fields import (
    ReadOnlyField,
    SerializerMethodField,
 )
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet

 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@ -92,7 +95,9 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    queryset = Permission.objects.none()
    serializer_class = PermissionSerializer
    ordering = ["name"]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    filterset_class = PermissionFilter
+    permission_classes = [IsAuthenticated]
    search_fields = [
        "codename",
        "content_type__model",
--- a/authentik/rbac/filters.py
+++ b/authentik/rbac/filters.py
@ -1,10 +1,15 @@
 """RBAC API Filter"""

+from django.conf import settings
 from django.db.models import QuerySet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.authentication import get_authorization_header
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
+from rest_framework.views import APIView
 from rest_framework_guardian.filters import ObjectPermissionsFilter

+from authentik.api.authentication import validate_auth
 from authentik.core.models import UserTypes


@ -12,7 +17,7 @@ class ObjectFilter(ObjectPermissionsFilter):
    """Object permission filter that grants global permission higher priority than
    per-object permissions"""

-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView) -> QuerySet:
        permission = self.perm_format % {
            "app_label": queryset.model._meta.app_label,
            "model_name": queryset.model._meta.model_name,
@ -21,6 +26,9 @@ class ObjectFilter(ObjectPermissionsFilter):
        # per-object permissions
        if request.user.has_perm(permission):
            return queryset
+        # User does not have permissions, but we have an owner field defined, so filter by that
+        if owner_field := getattr(view, "owner_field", None):
+            return queryset.filter(**{owner_field: request.user})
        queryset = super().filter_queryset(request, queryset, view)
        # Outposts (which are the only objects using internal service accounts)
        # except requests to return an empty list when they have no objects
@ -32,3 +40,17 @@ class ObjectFilter(ObjectPermissionsFilter):
            # and also no object permissions assigned (directly or via role)
            raise PermissionDenied()
        return queryset
+
+
+class SecretKeyFilter(DjangoFilterBackend):
+    """Allow access to all objects when authenticated with secret key as token.
+
+    Replaces both DjangoFilterBackend and ObjectFilter"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        auth_header = get_authorization_header(request)
+        token = validate_auth(auth_header)
+        if token and token == settings.SECRET_KEY:
+            return queryset
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
+        return super().filter_queryset(request, queryset, view)
--- a/authentik/rbac/permissions.py
+++ b/authentik/rbac/permissions.py
@ -15,6 +15,17 @@ class ObjectPermissions(DjangoObjectPermissions):
        lookup = getattr(view, "lookup_url_kwarg", None) or getattr(view, "lookup_field", None)
        if lookup and lookup in view.kwargs:
            return True
+        # Legacy behaviour:
+        # Allow creation of objects even without explicit permission
+        queryset = self._queryset(view)
+        required_perms = self.get_required_permissions(request.method, queryset.model)
+        if (
+            len(required_perms) == 1
+            and f"{queryset.model._meta.app_label}.add_{queryset.model._meta.model_name}"
+            in required_perms
+            and getattr(view, "rbac_allow_create_without_perm", False)
+        ):
+            return True
        return super().has_permission(request, view)

    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
@ -24,6 +35,10 @@ class ObjectPermissions(DjangoObjectPermissions):
        # Rank global permissions higher than per-object permissions
        if request.user.has_perms(perms):
            return True
+        # Allow access for owners if configured
+        if owner_field := getattr(view, "owner_field", None):
+            if getattr(obj, owner_field) == request.user:
+                return True
        return super().has_object_permission(request, view, obj)


--- a/authentik/root/celery.py
+++ b/authentik/root/celery.py
@ -18,6 +18,7 @@ from celery.signals import (
    task_prerun,
    worker_ready,
 )
+from celery.worker.control import inspect_command
 from django.conf import settings
 from django.db import ProgrammingError
 from django_tenants.utils import get_public_schema_name
@ -25,6 +26,7 @@ from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 from structlog.stdlib import get_logger
 from tenant_schemas_celery.app import CeleryApp as TenantAwareCeleryApp

+from authentik import get_full_version
 from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string

@ -159,6 +161,12 @@ class LivenessProbe(bootsteps.StartStopStep):
        HEARTBEAT_FILE.touch()


+@inspect_command(default_timeout=0.2)
+def ping(state, **kwargs):
+    """Ping worker(s)."""
+    return {"ok": "pong", "version": get_full_version()}
+
+
 CELERY_APP.config_from_object(settings.CELERY)

 # Load task modules from all registered Django app configs.
--- a/authentik/sources/kerberos/api/source_connection.py
+++ b/authentik/sources/kerberos/api/source_connection.py
@ -1,10 +1,7 @@
 """Kerberos Source Serializer"""

-from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import ModelViewSet

-from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.sources import (
    GroupSourceConnectionSerializer,
    GroupSourceConnectionViewSet,
@ -32,9 +29,8 @@ class UserKerberosSourceConnectionViewSet(UsedByMixin, ModelViewSet):
    serializer_class = UserKerberosSourceConnectionSerializer
    filterset_fields = ["source__slug"]
    search_fields = ["source__slug"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug"]
+    owner_field = "user"


 class GroupKerberosSourceConnectionSerializer(GroupSourceConnectionSerializer):
--- a/authentik/sources/kerberos/auth.py
+++ b/authentik/sources/kerberos/auth.py
@ -28,17 +28,19 @@ class KerberosBackend(InbuiltBackend):
        if "@" in username:
            username, realm = username.rsplit("@", 1)

-        user, source = self.auth_user(username, realm, **kwargs)
+        user, source = self.auth_user(request, username, realm, **kwargs)
        if user:
            self.set_method("kerberos", request, source=source)
            return user
        return None

    def auth_user(
-        self, username: str, realm: str | None, password: str, **filters
+        self, request: HttpRequest, username: str, realm: str | None, password: str, **filters
    ) -> tuple[User | None, KerberosSource | None]:
        sources = KerberosSource.objects.filter(enabled=True)
-        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()
+        user = User.objects.filter(
+            usersourceconnection__source__in=sources, username=username, **filters
+        ).first()

        if user is not None:
            # User found, let's get its connections for the sources that are available
@ -74,10 +76,10 @@ class KerberosBackend(InbuiltBackend):
                        user=user_source_connection.user,
                    )
                    user_source_connection.user.set_password(
-                        password, sender=user_source_connection.source
+                        password, sender=user_source_connection.source, request=request
                    )
                    user_source_connection.user.save()
-                return user, user_source_connection.source
+                return user_source_connection.user, user_source_connection.source
            # Password doesn't match, onto next source
            LOGGER.debug(
                "failed to kinit, password invalid",
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -12,6 +12,7 @@ from django.db.models.fields import b64decode
 from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from kadmin import KAdmin, KAdminApiVersion
 from kadmin.exceptions import PyKAdminException
@ -173,12 +174,18 @@ class KerberosSource(Source):
    def get_base_user_properties(self, principal: str, **kwargs):
        localpart, _ = principal.rsplit("@", 1)

-        return {
+        properties = {
            "username": localpart,
            "type": UserTypes.INTERNAL,
            "path": self.get_user_path(),
        }

+        if "principal_obj" in kwargs:
+            princ_expiry = kwargs["principal_obj"].expire_time
+            properties["is_active"] = princ_expiry is None or princ_expiry > now()
+
+        return properties
+
    def get_base_group_properties(self, group_id: str, **kwargs):
        return {
            "name": group_id,
--- a/Show More
+++ b/Show More