release: 2024.10.4

providers/oauth2: fix migration (cherry-pick #12138 ) (#12139 )
providers/oauth2: fix migration (#12138) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
2024-11-21 19:21:40 +01:00 · 2024-11-21 18:55:26 +01:00 · 2024-11-21 17:25:33 +01:00 · 2024-11-21 17:25:04 +01:00 · 2024-11-21 17:22:00 +01:00 · 2024-11-21 17:21:39 +01:00
556 changed files with 30200 additions and 55061 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.10.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -30,5 +30,3 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
 [bumpversion:file:website/docs/install-config/install/aws/template.yaml]
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -11,9 +11,9 @@ inputs:
    description: "Docker image arch"
 outputs:
-  shouldPush:
+  shouldBuild:
-    description: "Whether to push the image or not"
+    description: "Whether to build image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+    value: ${{ steps.ev.outputs.shouldBuild }}
  sha:
    description: "sha"
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -7,14 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
-# Decide if we should push the image or not
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
    should_push = False
 if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
    # Don't push on the internal repo
    should_push = False
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@ -71,7 +64,7 @@ def get_attest_image_names(image_with_tags: list[str]):
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry install
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -1,46 +0,0 @@
 name: authentik-ci-aws-cfn
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: |
          npm ci
      - name: Check changes have been applied
        run: |
          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
    needs:
      - check-changes-applied
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -134,13 +134,13 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.11.0
+        uses: helm/kind-action@v1.10.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
@ -209,7 +209,6 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
    if: always()
    needs:
      - lint
      - test-migrations
@ -219,9 +218,7 @@ jobs:
      - test-e2e
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build:
    strategy:
      fail-fast: false
@ -255,7 +252,7 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-server
          image-arch: ${{ matrix.arch }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@ -272,15 +269,15 @@ jobs:
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@ -306,7 +303,7 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: ./.github/actions/comment-pr-instructions
        with:
          tag: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -49,15 +49,12 @@ jobs:
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
    if: always()
    needs:
      - lint-golint
      - test-unittest
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
    timeout-minutes: 120
    needs:
@ -93,7 +90,7 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@ -107,16 +104,16 @@ jobs:
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -61,15 +61,12 @@ jobs:
        working-directory: web/
        run: npm run build
  ci-web-mark:
    if: always()
    needs:
      - build
      - lint
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  test:
    needs:
      - ci-web-mark
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -62,13 +62,10 @@ jobs:
        working-directory: website/
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    if: always()
    needs:
      - lint
      - test
      - build
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -11,7 +11,6 @@ env:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -7,7 +7,6 @@ on:
 jobs:
  clean-ghcr:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -12,7 +12,6 @@ env:
 jobs:
  publish-source-docs:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -11,7 +11,6 @@ permissions:
 jobs:
  update-next:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -55,7 +55,7 @@ jobs:
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@ -119,7 +119,7 @@ jobs:
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@ -169,27 +169,6 @@ jobs:
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
    permissions:
      # Needed for AWS login
      id-token: write
      contents: read
    needs:
      - build-server
      - build-outpost
    env:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@ -1,21 +0,0 @@
 name: "authentik-repo-mirror"
 on: [push, delete]
 jobs:
  to_internal:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
        uses: pixta-dev/repository-mirroring-action@v1
        with:
          target_repo_url:
            git@github.com:goauthentik/authentik-internal.git
          ssh_private_key:
            ${{ secrets.GH_MIRROR_KEY }}
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -11,7 +11,6 @@ permissions:
 jobs:
  stale:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/7
+++ b/7
@ -19,15 +19,10 @@ Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
 CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security
 website/docs/security/          @goauthentik/security @goauthentik/docs
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md
--- a/2
+++ b/2
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
--- a/5
+++ b/5
@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 GEN_API_TS = "gen-ts-api"
@ -252,9 +252,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 aws-cfn:
 	cd website && npm run aws-cfn
 #########################
 ## Docker
 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 ## Independent audits and pentests
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 ## What authentik classifies as a CVE
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.5"
+__version__ = "2024.10.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -65,12 +65,7 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
    AccessToken,
    AuthorizationCode,
    DeviceToken,
    RefreshToken,
 )
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@ -130,7 +125,6 @@ def excluded_models() -> list[type[Model]]:
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
        DeviceToken,
    )
@ -299,11 +293,7 @@ class Importer:
        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if (
+        if not isinstance(model(), BaseMetaModel) and model_instance:
            not isinstance(model(), BaseMetaModel)
            and model_instance
            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
        ):
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -313,12 +303,11 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
            msg = (
                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
                "and object exists already",
            )
            raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                    "and object exists already",
                ),
                entry,
            )
        else:
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -5,9 +5,8 @@ from hashlib import sha512
 from pathlib import Path
 from sys import platform
 import pglock
 from dacite.core import from_dict
-from django.db import DatabaseError, InternalError, ProgrammingError, connection
+from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@ -153,18 +152,6 @@ def blueprints_find() -> list[BlueprintFile]:
@prefill_task
 def blueprints_discovery(self: SystemTask, path: str | None = None):
    """Find blueprints and check if they need to be created in the database"""
    with pglock.advisory(
        lock_id=f"goauthentik.io/{connection.schema_name}/blueprints/discovery",
        timeout=0,
        side_effect=pglock.Return,
    ) as lock_acquired:
        if not lock_acquired:
            LOGGER.debug("Not running blueprint discovery, lock was not acquired")
            self.set_status(
                TaskStatus.SUCCESSFUL,
                _("Blueprint discovery lock could not be acquired. Skipping discovery."),
            )
            return
    count = 0
    for blueprint in blueprints_find():
        if path and blueprint.path != path:
@ -172,7 +159,7 @@ def blueprints_discovery(self: SystemTask, path: str | None = None):
        check_blueprint_v1_file(blueprint)
        count += 1
    self.set_status(
-            TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
    )
@ -210,18 +197,6 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
 def apply_blueprint(self: SystemTask, instance_pk: str):
    """Apply single blueprint"""
    self.save_on_success = False
    with pglock.advisory(
        lock_id=f"goauthentik.io/{connection.schema_name}/blueprints/apply/{instance_pk}",
        timeout=0,
        side_effect=pglock.Return,
    ) as lock_acquired:
        if not lock_acquired:
            LOGGER.debug("Not running blueprint discovery, lock was not acquired")
            self.set_status(
                TaskStatus.SUCCESSFUL,
                _("Blueprint apply lock could not be acquired. Skipping apply."),
            )
            return
    instance: BlueprintInstance | None = None
    try:
        instance: BlueprintInstance = BlueprintInstance.objects.filter(pk=instance_pk).first()
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
    matched_domain = CharField(source="domain")
    branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
+    branding_logo = CharField()
-    branding_favicon = CharField(source="branding_favicon_url")
+    branding_favicon = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -25,7 +25,5 @@ class BrandMiddleware:
            locale = brand.default_locale
            if locale != "":
                locale_to_set = locale
        if locale_to_set:
        with override(locale_to_set):
            return self.get_response(request)
        return self.get_response(request)
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
@ -72,18 +71,6 @@ class Brand(SerializerModel):
    )
    attributes = models.JSONField(default=dict, blank=True)
    def branding_logo_url(self) -> str:
        """Get branding_logo with the correct prefix"""
        if self.branding_logo.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
        return self.branding_logo
    def branding_favicon_url(self) -> str:
        """Get branding_favicon with the correct prefix"""
        if self.branding_favicon.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 from django.apps import apps
 from django.db.models import Model
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 def get_provider_serializer_mapping():
@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""
@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()
    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
    _provider_model: type[Provider] = None
    def validate_provider_model(self, fq_model_name: str) -> str:
@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
        for binding in attrs.get("policy_bindings", []):
            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
            for key, value in binding.items():
                if not isinstance(value, Model):
                    continue
                binding[key] = value.pk
            blueprint.entries.append(
                BlueprintEntry(
                    model="authentik_policies.policybinding",
                    state=BlueprintEntryDesiredState.MUST_CREATED,
                    identifiers=binding,
                )
            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
    permission_classes = [IsAdminUser]
    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
+
-        for entry in blueprint.entries:
+        importer = Importer(data.validated_data, {})
            full_model = entry.get_model(blueprint)
            app, __, model = full_model.partition(".")
            if not request.user.has_perm(f"{app}.add_{model}"):
                raise PermissionDenied(
                    {
                        entry.id: _(
                            "User lacks permission to create {model}".format_map(
                                {
                                    "model": full_model,
                                }
                            )
                        )
                    }
                )
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=inline_serializer(
+        request=OpenApiTypes.NONE,
            "ImpersonationSerializer",
            {
                "reason": CharField(required=True),
            },
        ),
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
        reason = request.data.get("reason", "")
        # Check both object-level perms and global perms
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
        if not reason and request.tenant.impersonation_require_reason:
            LOGGER.debug(
                "User attempted to impersonate without providing a reason", user=request.user
            )
            return Response(status=401)
        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
        return Response(status=201)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -42,10 +42,8 @@ class ImpersonateMiddleware:
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
        if locale_to_set:
        with override(locale_to_set):
            return self.get_response(request)
        return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -265,7 +265,12 @@ class SourceFlowManager:
        if stages:
            for stage in stages:
                plan.append_stage(stage)
-        return plan.to_redirect(self.request, flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=flow.slug,
        )
    def handle_auth(
        self,
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -9,9 +9,6 @@
        versionFamily: "{{ version_family }}",
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
        {% for message in messages %}
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -9,8 +9,8 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head_before %}
-<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
+<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
+    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@ -50,7 +50,7 @@
    <div class="ak-login-container">
        <main class="pf-c-login__main">
            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
            </div>
            <header class="pf-c-login__main-header">
                <h1 class="pf-c-title pf-m-3xl">
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        response = self.client.get(reverse("authentik_api:user-me"))
@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 403)
@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.user.username)
    def test_impersonate_reason_required(self):
        """test impersonation that user must provide reason"""
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": ""},
        )
        self.assertEqual(response.status_code, 401)
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,13 +1,11 @@
 """Test Transactional API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
-from authentik.core.models import Application, Group
+from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""
    def setUp(self) -> None:
-        self.user = create_test_user()
+        self.user = create_test_admin_user()
        assign_perm("authentik_core.add_application", self.user)
        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
@ -46,66 +42,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
    def test_create_transactional_permission_denied(self):
        """Test transactional Application + provider creation (missing permissions)"""
        self.client.force_login(self.user)
        uid = generate_id()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_saml.samlprovider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "acs_url": "https://goauthentik.io",
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
        )
    def test_create_transactional_bindings(self):
        """Test transactional Application + provider creation"""
        assign_perm("authentik_policies.add_policybinding", self.user)
        self.client.force_login(self.user)
        uid = generate_id()
        group = Group.objects.create(name=generate_id())
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(authorization_flow.pk),
                    "invalidation_flow": str(authorization_flow.pk),
                    "redirect_uris": [],
                },
                "policy_bindings": [{"group": group.pk, "order": 0}],
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
        provider = OAuth2Provider.objects.filter(name=uid).first()
        self.assertIsNotNone(provider)
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
        binding = PolicyBinding.objects.filter(target=app).first()
        self.assertIsNotNone(binding)
        self.assertEqual(binding.target, app)
        self.assertEqual(binding.group, group)
    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
@ -135,32 +71,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                }
            },
        )
    def test_create_transactional_duplicate_name_provider(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        OAuth2Provider.objects.create(
            name=uid,
            authorization_flow=create_test_flow(),
            invalidation_flow=create_test_flow(),
        )
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": {"name": ["State is set to must_created and object exists already"]}},
        )
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -17,8 +17,10 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
    SESSION_KEY_APPLICATION_PRE,
    SESSION_KEY_PLAN,
    ToDefaultFlow,
 )
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
@ -56,7 +58,8 @@ class RedirectToAppLaunch(View):
        except FlowNonApplicableException:
            raise Http404 from None
        plan.insert_stage(in_memory_stage(RedirectToAppStage))
-        return plan.to_redirect(request, flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
 class RedirectToAppStage(ChallengeStageView):
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -16,7 +16,6 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
 from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
@ -52,7 +51,6 @@ class InterfaceView(TemplateView):
        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
        return super().get_context_data(**kwargs)
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@ -85,5 +85,5 @@ def certificate_discovery(self: SystemTask):
        if dirty:
            cert.save()
    self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=discovered))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": discovered})
    )
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,7 +6,6 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -60,9 +59,6 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
        # Always allow making changes to users, even in case the license has ben exceeded
        if request.resolver_match._func_path == class_to_path(UserViewSet):
            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -6,8 +6,8 @@
 <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="icon" href="{{ tenant.branding_favicon }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
 {% include "base/header_js.html" %}
 {% endblock %}
--- a/authentik/enterprise/providers/rac/views.py
+++ b/authentik/enterprise/providers/rac/views.py
@ -18,7 +18,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.engine import PolicyEngine
@ -54,7 +56,12 @@ class RACStartView(EnterprisePolicyAccessView):
                provider=self.provider,
            )
        )
-        return plan.to_redirect(request, self.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            request.GET,
            flow_slug=self.provider.authorization_flow.slug,
        )
 class RACInterface(InterfaceView):
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -4,9 +4,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -28,7 +26,6 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,49 +215,3 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=expiry_valid,
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_external_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.record_usage",
        MagicMock(),
    )
    def test_manage_users(self):
        """Test that managing users is still possible"""
        License.objects.create(key=generate_id())
        usage = LicenseUsage.objects.create(
            internal_user_count=100,
            external_user_count=100,
            status=LicenseUsageStatus.VALID,
        )
        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
        usage.save(update_fields=["record_date"])
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Reading is always allowed
        response = self.client.get(reverse("authentik_api:user-list"))
        self.assertEqual(response.status_code, 200)
        # Writing should also be allowed
        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
        self.assertEqual(response.status_code, 200)
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -40,7 +40,6 @@ class Migration(migrations.Migration):
                    ("require_authenticated", "Require Authenticated"),
                    ("require_unauthenticated", "Require Unauthenticated"),
                    ("require_superuser", "Require Superuser"),
                    ("require_redirect", "Require Redirect"),
                    ("require_outpost", "Require Outpost"),
                ],
                default="none",
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -14,7 +14,6 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
 from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
@ -33,7 +32,6 @@ class FlowAuthenticationRequirement(models.TextChoices):
    REQUIRE_AUTHENTICATED = "require_authenticated"
    REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
    REQUIRE_SUPERUSER = "require_superuser"
    REQUIRE_REDIRECT = "require_redirect"
    REQUIRE_OUTPOST = "require_outpost"
@ -179,13 +177,9 @@ class Flow(SerializerModel, PolicyBindingModel):
        """Get the URL to the background image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.background:
-            return (
+            return "/static/dist/assets/images/flow_background.jpg"
-                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith("/static"):
            )
        if self.background.name.startswith("http"):
            return self.background.name
        if self.background.name.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.background.name
        return self.background.url
    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -1,10 +1,10 @@
 """Flows Planner"""
 from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any
+from typing import Any
 from django.core.cache import cache
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -23,15 +23,10 @@ from authentik.flows.models import (
    in_memory_stage,
 )
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 if TYPE_CHECKING:
    from authentik.flows.stage import StageView
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
 PLAN_CONTEXT_SSO = "is_sso"
@ -42,8 +37,6 @@ PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
 PLAN_CONTEXT_IS_REDIRECTED = "is_redirected"
 PLAN_CONTEXT_REDIRECT_STAGE_TARGET = "redirect_stage_target"
 CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
@ -117,54 +110,6 @@ class FlowPlan:
        """Check if there are any stages left in this plan"""
        return len(self.markers) + len(self.bindings) > 0
    def requires_flow_executor(
        self,
        allowed_silent_types: list["StageView"] | None = None,
    ):
        # Check if we actually need to show the Flow executor, or if we can jump straight to the end
        found_unskippable = True
        if allowed_silent_types:
            LOGGER.debug("Checking if we can skip the flow executor...")
            # Policies applied to the flow have already been evaluated, so we're checking for stages
            # allow-listed or bindings that require a policy re-eval
            found_unskippable = False
            for binding, marker in zip(self.bindings, self.markers, strict=True):
                if binding.stage.view not in allowed_silent_types:
                    found_unskippable = True
                if marker and isinstance(marker, ReevaluateMarker):
                    found_unskippable = True
        LOGGER.debug("Required flow executor status", status=found_unskippable)
        return found_unskippable
    def to_redirect(
        self,
        request: HttpRequest,
        flow: Flow,
        allowed_silent_types: list["StageView"] | None = None,
    ) -> HttpResponse:
        """Redirect to the flow executor for this flow plan"""
        from authentik.flows.views.executor import (
            SESSION_KEY_PLAN,
            FlowExecutorView,
        )
        request.session[SESSION_KEY_PLAN] = self
        requires_flow_executor = self.requires_flow_executor(allowed_silent_types)
        if not requires_flow_executor:
            # No unskippable stages found, so we can directly return the response of the last stage
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
            temp_exec.current_stage = self.bindings[-1].stage
            stage = final_stage(request=request, executor=temp_exec)
            return stage.dispatch(request)
        return redirect_with_qs(
            "authentik_core:if-flow",
            request.GET,
            flow_slug=flow.slug,
        )
 class FlowPlanner:
    """Execute all policies to plan out a flat list of all Stages
@ -183,7 +128,7 @@ class FlowPlanner:
        self.flow = flow
        self._logger = get_logger().bind(flow_slug=flow.slug)
-    def _check_authentication(self, request: HttpRequest, context: dict[str, Any]):
+    def _check_authentication(self, request: HttpRequest):
        """Check the flow's authentication level is matched by `request`"""
        if (
            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
@ -200,11 +145,6 @@ class FlowPlanner:
            and not request.user.is_superuser
        ):
            raise FlowNonApplicableException()
        if (
            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_REDIRECT
            and context.get(PLAN_CONTEXT_IS_REDIRECTED) is None
        ):
            raise FlowNonApplicableException()
        outpost_user = ClientIPMiddleware.get_outpost_user(request)
        if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
            if not outpost_user:
@ -236,13 +176,18 @@ class FlowPlanner:
            )
            context = default_context or {}
            # Bit of a workaround here, if there is a pending user set in the default context
-            # we use that user for our cache key to make sure they don't get the generic response
+            # we use that user for our cache key
            # to make sure they don't get the generic response
            if context and PLAN_CONTEXT_PENDING_USER in context:
                user = context[PLAN_CONTEXT_PENDING_USER]
            else:
                user = request.user
-
+                # We only need to check the flow authentication if it's planned without a user
-            context.update(self._check_authentication(request, context))
+                # in the context, as a user in the context can only be set via the explicit code API
                # or if a flow is restarted due to `invalid_response_action` being set to
                # `restart_with_context`, which can only happen if the user was already authorized
                # to use the flow
                context.update(self._check_authentication(request))
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,7 +2,6 @@
 from typing import TYPE_CHECKING
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -93,11 +92,7 @@ class ChallengeStageView(StageView):
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Return a challenge for the frontend to solve"""
        try:
        challenge = self._get_challenge(*args, **kwargs)
        except StageInvalidException as exc:
            self.logger.debug("Got StageInvalidException", exc=exc)
            return self.executor.stage_invalid()
        if not challenge.is_valid():
            self.logger.warning(
                "f(ch): Invalid challenge",
@ -173,7 +168,11 @@ class ChallengeStageView(StageView):
                stage_type=self.__class__.__name__, method="get_challenge"
            ).time(),
        ):
            try:
                challenge = self.get_challenge(*args, **kwargs)
            except StageInvalidException as exc:
                self.logger.debug("Got StageInvalidException", exc=exc)
                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
            name=self.__class__.__name__,
@ -225,14 +224,6 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
            if settings.TEST:
                raise StageInvalidException(
                    (
                        f"Invalid challenge response: \n\t{challenge_response.errors}"
                        f"\n\nValidated data:\n\t {challenge_response.data}"
                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
                    ),
                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -9,8 +9,8 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -5,8 +5,6 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.http import HttpRequest
 from django.shortcuts import redirect
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
@ -16,19 +14,8 @@ from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import (
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
-    FlowAuthenticationRequirement,
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
    FlowDesignation,
    FlowStageBinding,
    in_memory_stage,
 )
 from authentik.flows.planner import (
    PLAN_CONTEXT_IS_REDIRECTED,
    PLAN_CONTEXT_PENDING_USER,
    FlowPlanner,
    cache_key,
 )
 from authentik.flows.stage import StageView
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@ -86,24 +73,6 @@ class TestFlowPlanner(TestCase):
        planner.allow_empty_flows = True
        planner.plan(request)
    def test_authentication_redirect_required(self):
        """Test flow authentication (redirect required)"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.REQUIRE_REDIRECT
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        with self.assertRaises(FlowNonApplicableException):
            planner.plan(request)
        context = {}
        context[PLAN_CONTEXT_IS_REDIRECTED] = create_test_flow()
        planner.plan(request, context)
    @reconcile_app("authentik_outposts")
    def test_authentication_outpost(self):
        """Test flow authentication (outpost)"""
@ -242,99 +211,3 @@ class TestFlowPlanner(TestCase):
            self.assertIsInstance(plan.markers[0], StageMarker)
            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
    def test_to_redirect(self):
        """Test to_redirect and skipping the flow executor"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        self.assertTrue(plan.requires_flow_executor())
        self.assertEqual(
            plan.to_redirect(request, flow).url,
            reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}),
        )
    def test_to_redirect_skip_simple(self):
        """Test to_redirect and skipping the flow executor"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView))
        self.assertFalse(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
        self.assertEqual(
            plan.to_redirect(request, flow, allowed_silent_types=[TStageView]).url,
            "https://authentik.company",
        )
    def test_to_redirect_skip_stage(self):
        """Test to_redirect and skipping the flow executor
        (with a stage bound that cannot be skipped)"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        FlowStageBinding.objects.create(
            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
        )
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView))
        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
    def test_to_redirect_skip_policies(self):
        """Test to_redirect and skipping the flow executor
        (with a marker on the stage view type that can be skipped)
        Note that this is not actually used anywhere in the code, all stages that are dynamically
        added are statically added"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView), ReevaluateMarker(None))
        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -171,7 +171,6 @@ class FlowExecutorView(APIView):
                    # Existing plan is deleted from session and instance
                    self.plan = None
                    self.cancel()
                else:
                self._logger.debug("f(exec): Continuing existing plan")
            # Initial flow request, check if we have an upstream query string passed in
@ -598,4 +597,9 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            raise Http404 from None
-        return plan.to_redirect(request, stage.configure_flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=stage.configure_flow.slug,
        )
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,7 +5,6 @@ import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
 from copy import deepcopy
 from dataclasses import dataclass, field
 from enum import Enum
 from glob import glob
@ -337,58 +336,6 @@ def redis_url(db: int) -> str:
    return _redis_url
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
            "HOST": config.get("postgresql.host"),
            "NAME": config.get("postgresql.name"),
            "USER": config.get("postgresql.user"),
            "PASSWORD": config.get("postgresql.password"),
            "PORT": config.get("postgresql.port"),
            "OPTIONS": {
                "sslmode": config.get("postgresql.sslmode"),
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
        for setting, current_value in db["default"].items():
            if isinstance(current_value, dict):
                continue
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database[setting] = override
        for setting in db["default"]["OPTIONS"].keys():
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database["OPTIONS"][setting] = override
        db[f"replica_{replica}"] = _database
    return db
 if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -135,7 +135,6 @@ web:
  # No default here as it's set dynamically
  # workers: 2
  threads: 4
  path: /
 worker:
  concurrency: 2
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -36,7 +36,6 @@ from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import get_env
 LOGGER = get_logger()
 _root_path = CONFIG.get("web.path", "/")
 class SentryIgnoredException(Exception):
@ -91,7 +90,7 @@ def traces_sampler(sampling_context: dict) -> float:
    path = sampling_context.get("asgi_scope", {}).get("path", "")
    _type = sampling_context.get("asgi_scope", {}).get("type", "")
    # Ignore all healthcheck routes
-    if path.startswith(f"{_root_path}-/health") or path.startswith(f"{_root_path}-/metrics"):
+    if path.startswith("/-/health") or path.startswith("/-/metrics"):
        return 0
    if _type == "websocket":
        return 0
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -82,7 +82,7 @@ class SyncTasks:
                return
            try:
                for page in users_paginator.page_range:
-                    messages.append(_("Syncing page {page} of users".format(page=page)))
+                    messages.append(_("Syncing page %(page)d of users" % {"page": page}))
                    for msg in sync_objects.apply_async(
                        args=(class_to_path(User), page, provider_pk),
                        time_limit=PAGE_TIMEOUT,
@ -90,7 +90,7 @@ class SyncTasks:
                    ).get():
                        messages.append(LogEvent(**msg))
                for page in groups_paginator.page_range:
-                    messages.append(_("Syncing page {page} of groups".format(page=page)))
+                    messages.append(_("Syncing page %(page)d of groups" % {"page": page}))
                    for msg in sync_objects.apply_async(
                        args=(class_to_path(Group), page, provider_pk),
                        time_limit=PAGE_TIMEOUT,
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -9,14 +9,7 @@ from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import (
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
    ENV_PREFIX,
    UNSET,
    Attr,
    AttrEncoder,
    ConfigLoader,
    django_db_config,
 )
 class TestConfig(TestCase):
@ -182,201 +175,3 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo.bar", "baz")
        self.assertEqual(list(config.get_keys("foo")), ["bar"])
    def test_db_default(self):
        """Test default DB Config"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                }
            },
        )
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_pgpool(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        config.set("postgresql.use_pgpool", True)
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        # This isn't supported
        config.set("postgresql.read_replicas.0.use_pgpool", False)
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_diff_ssl(self):
        """Test read replicas (with different SSL Settings)"""
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        config.set("postgresql.read_replicas.0.sslcert", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
--- a/authentik/policies/expiry/models.py
+++ b/authentik/policies/expiry/models.py
@ -43,9 +43,8 @@ class PasswordExpiryPolicy(Policy):
                request.user.set_unusable_password()
                request.user.save()
                message = _(
-                    "Password expired {days} days ago. Please update your password.".format(
+                    "Password expired %(days)d days ago. Please update your password."
-                        days=days_since_expiry
+                    % {"days": days_since_expiry}
                    )
                )
                return PolicyResult(False, message)
            return PolicyResult(False, _("Password has expired."))
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -135,7 +135,7 @@ class PasswordPolicy(Policy):
        LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])
        if final_count > self.hibp_allowed_count:
            LOGGER.debug("password failed", check="hibp", count=final_count)
-            message = _("Password exists on {count} online lists.".format(count=final_count))
+            message = _("Password exists on %(count)d online lists." % {"count": final_count})
            return PolicyResult(False, message)
        return PolicyResult(True)
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -73,8 +73,7 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "sub_mode",
            "property_mappings",
            "issuer_mode",
-            "jwt_federation_sources",
+            "jwks_sources",
            "jwt_federation_providers",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
--- a/authentik/providers/oauth2/migrations/0025_rename_jwks_sources_oauth2provider_jwt_federation_sources_and_more.py
+++ b/authentik/providers/oauth2/migrations/0025_rename_jwks_sources_oauth2provider_jwt_federation_sources_and_more.py
@ -1,25 +0,0 @@
 # Generated by Django 5.0.9 on 2024-11-22 14:25
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0024_remove_oauth2provider_redirect_uris_and_more"),
    ]
    operations = [
        migrations.RenameField(
            model_name="oauth2provider",
            old_name="jwks_sources",
            new_name="jwt_federation_sources",
        ),
        migrations.AddField(
            model_name="oauth2provider",
            name="jwt_federation_providers",
            field=models.ManyToManyField(
                blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
            ),
        ),
    ]
--- a/authentik/providers/oauth2/migrations/0026_alter_accesstoken_session_and_more.py
+++ b/authentik/providers/oauth2/migrations/0026_alter_accesstoken_session_and_more.py
@ -1,38 +0,0 @@
 # Generated by Django 5.0.10 on 2024-12-12 17:16
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0040_provider_invalidation_flow"),
        (
            "authentik_providers_oauth2",
            "0025_rename_jwks_sources_oauth2provider_jwt_federation_sources_and_more",
        ),
    ]
    operations = [
        migrations.AlterField(
            model_name="accesstoken",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.AlterField(
            model_name="authorizationcode",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -244,7 +244,7 @@ class OAuth2Provider(WebfingerProvider, Provider):
        related_name="oauth2provider_encryption_key_set",
    )
-    jwt_federation_sources = models.ManyToManyField(
+    jwks_sources = models.ManyToManyField(
        OAuthSource,
        verbose_name=_(
            "Any JWT signed by the JWK of the selected source can be used to authenticate."
@ -253,7 +253,6 @@ class OAuth2Provider(WebfingerProvider, Provider):
        default=None,
        blank=True,
    )
    jwt_federation_providers = models.ManyToManyField("OAuth2Provider", blank=True, default=None)
    @cached_property
    def jwt_key(self) -> tuple[str | PrivateKeyTypes, str]:
@ -396,7 +395,7 @@ class BaseGrantModel(models.Model):
    _scope = models.TextField(default="", verbose_name=_("Scopes"))
    auth_time = models.DateTimeField(verbose_name="Authentication time")
    session = models.ForeignKey(
-        AuthenticatedSession, null=True, on_delete=models.CASCADE, default=None
+        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
    )
    class Meta:
@ -497,11 +496,6 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
    token = models.TextField(default=generate_client_secret)
    _id_token = models.TextField(verbose_name=_("ID Token"))
    # Shadow the `session` field from `BaseGrantModel` as we want refresh tokens to persist even
    # when the session is terminated.
    session = models.ForeignKey(
        AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None
    )
    class Meta:
        indexes = [
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -311,7 +311,7 @@ class TestAuthorize(OAuthTestCase):
        user = create_test_admin_user()
        self.client.force_login(user)
        # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
@ -320,10 +320,16 @@ class TestAuthorize(OAuthTestCase):
                "redirect_uri": "foo://localhost",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
+        self.assertJSONEqual(
-            response.url,
+            response.content.decode(),
-            f"foo://localhost?code={code.code}&state={state}",
+            {
                "component": "xak-flow-redirect",
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
        self.assertAlmostEqual(
            code.expires.timestamp() - now().timestamp(),
@ -371,7 +377,7 @@ class TestAuthorize(OAuthTestCase):
            ),
        ):
            # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                reverse("authentik_providers_oauth2:authorize"),
                data={
                    "response_type": "id_token",
@ -382,16 +388,22 @@ class TestAuthorize(OAuthTestCase):
                    "nonce": generate_id(),
                },
            )
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
            )
            token: AccessToken = AccessToken.objects.filter(user=user).first()
            expires = timedelta_from_string(provider.access_token_validity).total_seconds()
-            self.assertEqual(
+            self.assertJSONEqual(
-                response.url,
+                response.content.decode(),
-                (
+                {
                    "component": "xak-flow-redirect",
                    "to": (
                        f"http://localhost#access_token={token.token}"
                        f"&id_token={provider.encode(token.id_token.to_dict())}"
                        f"&token_type={TOKEN_TYPE}"
                        f"&expires_in={int(expires)}&state={state}"
                    ),
                },
            )
            jwt = self.validate_jwt(token, provider)
            self.assertEqual(jwt["amr"], ["pwd"])
@ -443,7 +455,7 @@ class TestAuthorize(OAuthTestCase):
            ),
        ):
            # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                reverse("authentik_providers_oauth2:authorize"),
                data={
                    "response_type": "id_token",
@ -454,7 +466,10 @@ class TestAuthorize(OAuthTestCase):
                    "nonce": generate_id(),
                },
            )
-            self.assertEqual(response.status_code, 302)
+            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
            )
            self.assertEqual(response.status_code, 200)
            token: AccessToken = AccessToken.objects.filter(user=user).first()
            expires = timedelta_from_string(provider.access_token_validity).total_seconds()
            jwt = self.validate_jwe(token, provider)
@ -491,7 +506,7 @@ class TestAuthorize(OAuthTestCase):
            ),
        ):
            # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                reverse("authentik_providers_oauth2:authorize"),
                data={
                    "response_type": "code",
@ -503,10 +518,16 @@ class TestAuthorize(OAuthTestCase):
                    "nonce": generate_id(),
                },
            )
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
            )
            code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-            self.assertEqual(
+            self.assertJSONEqual(
-                response.url,
+                response.content.decode(),
-                f"http://localhost#code={code.code}&state={state}",
+                {
                    "component": "xak-flow-redirect",
                    "to": (f"http://localhost#code={code.code}" f"&state={state}"),
                },
            )
            self.assertAlmostEqual(
                code.expires.timestamp() - now().timestamp(),
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py
@ -1,228 +0,0 @@
 """Test token view"""
 from datetime import datetime, timedelta
 from json import loads
 from django.test import RequestFactory
 from django.urls import reverse
 from django.utils.timezone import now
 from jwt import decode
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
 )
 from authentik.providers.oauth2.models import (
    AccessToken,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 class TestTokenClientCredentialsJWTProvider(OAuthTestCase):
    """Test token (client_credentials, with JWT) view"""
    @apply_blueprint("system/providers-oauth2.yaml")
    def setUp(self) -> None:
        super().setUp()
        self.factory = RequestFactory()
        self.other_cert = create_test_cert()
        self.cert = create_test_cert()
        self.other_provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
            signing_key=self.other_cert,
        )
        self.other_provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(
            name=generate_id(), slug=generate_id(), provider=self.other_provider
        )
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=self.cert,
        )
        self.provider.jwt_federation_providers.add(self.other_provider)
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
    def test_invalid_type(self):
        """test invalid type"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "foo",
                "client_assertion": "foo.bar",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_jwt(self):
        """test invalid JWT"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": "foo.bar",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_signature(self):
        """test invalid JWT"""
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token + "foo",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_expired(self):
        """test invalid JWT"""
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() - timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_no_app(self):
        """test invalid JWT"""
        self.app.provider = None
        self.app.save()
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_access_denied(self):
        """test invalid JWT"""
        group = Group.objects.create(name="foo")
        PolicyBinding.objects.create(
            group=group,
            target=self.app,
            order=0,
        )
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_successful(self):
        """test successful"""
        user = create_test_user()
        token = self.other_provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        AccessToken.objects.create(
            provider=self.other_provider,
            token=token,
            user=user,
            auth_time=now(),
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        _, alg = self.provider.jwt_key
        jwt = decode(
            body["access_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(jwt["given_name"], user.name)
        self.assertEqual(jwt["preferred_username"], user.username)
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
@ -37,16 +37,9 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
    def setUp(self) -> None:
        super().setUp()
        self.factory = RequestFactory()
        self.other_cert = create_test_cert()
        # Provider used as a helper to sign JWTs with the same key as the OAuth source has
        self.helper_provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
            signing_key=self.other_cert,
        )
        self.cert = create_test_cert()
-        jwk = JWKSView().get_jwk_for_key(self.other_cert, "sig")
+        jwk = JWKSView().get_jwk_for_key(self.cert, "sig")
        self.source: OAuthSource = OAuthSource.objects.create(
            name=generate_id(),
            slug=generate_id(),
@ -69,7 +62,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=self.cert,
        )
-        self.provider.jwt_federation_sources.add(self.source)
+        self.provider.jwks_sources.add(self.source)
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -107,7 +100,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
    def test_invalid_signature(self):
        """test invalid JWT"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
@ -129,7 +122,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
    def test_invalid_expired(self):
        """test invalid JWT"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() - timedelta(hours=2),
@ -153,7 +146,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
        """test invalid JWT"""
        self.app.provider = None
        self.app.save()
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
@ -181,7 +174,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
            target=self.app,
            order=0,
        )
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
@ -203,7 +196,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
    def test_successful(self):
        """test successful"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@ -45,7 +45,7 @@ class TestTokenPKCE(OAuthTestCase):
        challenge = generate_id()
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
@ -56,10 +56,16 @@ class TestTokenPKCE(OAuthTestCase):
                "code_challenge_method": "S256",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
+        self.assertJSONEqual(
-            response.url,
+            response.content.decode(),
-            f"foo://localhost?code={code.code}&state={state}",
+            {
                "component": "xak-flow-redirect",
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
@ -101,7 +107,7 @@ class TestTokenPKCE(OAuthTestCase):
        self.client.force_login(user)
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
@ -112,10 +118,16 @@ class TestTokenPKCE(OAuthTestCase):
                # "code_challenge_method": "S256",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
+        self.assertJSONEqual(
-            response.url,
+            response.content.decode(),
-            f"foo://localhost?code={code.code}&state={state}",
+            {
                "component": "xak-flow-redirect",
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
@ -162,7 +174,7 @@ class TestTokenPKCE(OAuthTestCase):
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
@ -173,10 +185,16 @@ class TestTokenPKCE(OAuthTestCase):
                "code_challenge_method": "S256",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
+        self.assertJSONEqual(
-            response.url,
+            response.content.decode(),
-            f"foo://localhost?code={code.code}&state={state}",
+            {
                "component": "xak-flow-redirect",
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
@ -207,7 +225,7 @@ class TestTokenPKCE(OAuthTestCase):
        verifier = generate_id()
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
@ -217,10 +235,16 @@ class TestTokenPKCE(OAuthTestCase):
                "code_challenge": verifier,
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
+        self.assertJSONEqual(
-            response.url,
+            response.content.decode(),
-            f"foo://localhost?code={code.code}&state={state}",
+            {
                "component": "xak-flow-redirect",
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -27,7 +27,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
 from authentik.policies.views import PolicyAccessView, RequestValidationError
@ -452,16 +454,11 @@ class AuthorizationFlowInitView(PolicyAccessView):
        plan.append_stage(in_memory_stage(OAuthFulfillmentStage))
-        return plan.to_redirect(
+        self.request.session[SESSION_KEY_PLAN] = plan
-            self.request,
+        return redirect_with_qs(
-            self.provider.authorization_flow,
+            "authentik_core:if-flow",
-            # We can only skip the flow executor and directly go to the final redirect URL if
+            self.request.GET,
-            #  we can submit the data to the RP via URL
+            flow_slug=self.provider.authorization_flow.slug,
            allowed_silent_types=(
                [OAuthFulfillmentStage]
                if self.params.response_mode in [ResponseMode.QUERY, ResponseMode.FRAGMENT]
                else []
            ),
        )
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -16,6 +16,7 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.oauth2.models import DeviceToken
 from authentik.providers.oauth2.views.device_finish import (
@ -72,7 +73,12 @@ class CodeValidatorView(PolicyAccessView):
            LOGGER.warning("Flow not applicable to user")
            return None
        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
-        return plan.to_redirect(self.request, self.token.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            request.GET,
            flow_slug=self.token.provider.authorization_flow.slug,
        )
 class DeviceEntryView(PolicyAccessView):
@ -103,7 +109,11 @@ class DeviceEntryView(PolicyAccessView):
        plan.append_stage(in_memory_stage(OAuthDeviceCodeStage))
        self.request.session[SESSION_KEY_PLAN] = plan
-        return plan.to_redirect(self.request, device_flow)
+        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=device_flow.slug,
        )
 class OAuthDeviceCodeChallenge(Challenge):
@ -127,7 +137,7 @@ class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
 class OAuthDeviceCodeStage(ChallengeStageView):
-    """Flow challenge for users to enter device code"""
+    """Flow challenge for users to enter device codes"""
    response_class = OAuthDeviceCodeChallengeResponse
--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@ -7,6 +7,8 @@ from authentik.core.models import Application
 from authentik.flows.models import Flow, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.views import PolicyAccessView
@ -35,4 +37,9 @@ class EndSessionView(PolicyAccessView):
            },
        )
        plan.insert_stage(in_memory_stage(SessionEndStage))
-        return plan.to_redirect(self.request, self.flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=self.flow.slug,
        )
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -362,9 +362,23 @@ class TokenParams:
            },
        ).from_http(request, user=user)
-    def __validate_jwt_from_source(
+    def __post_init_client_credentials_jwt(self, request: HttpRequest):
-        self, assertion: str
+        assertion_type = request.POST.get(CLIENT_ASSERTION_TYPE, "")
-    ) -> tuple[dict, OAuthSource] | tuple[None, None]:
+        if assertion_type != CLIENT_ASSERTION_TYPE_JWT:
            LOGGER.warning("Invalid assertion type", assertion_type=assertion_type)
            raise TokenError("invalid_grant")
        client_secret = request.POST.get("client_secret", None)
        assertion = request.POST.get(CLIENT_ASSERTION, client_secret)
        if not assertion:
            LOGGER.warning("Missing client assertion")
            raise TokenError("invalid_grant")
        token = None
        source: OAuthSource | None = None
        parsed_key: PyJWK | None = None
        # Fully decode the JWT without verifying the signature, so we can get access to
        # the header.
        # Get the Key ID from the header, and use that to optimise our source query to only find
@ -379,23 +393,19 @@ class TokenParams:
            LOGGER.warning("failed to parse JWT for kid lookup", exc=exc)
            raise TokenError("invalid_grant") from None
        expected_kid = decode_unvalidated["header"]["kid"]
-        fallback_alg = decode_unvalidated["header"]["alg"]
+        for source in self.provider.jwks_sources.filter(
        token = source = None
        for source in self.provider.jwt_federation_sources.filter(
            oidc_jwks__keys__contains=[{"kid": expected_kid}]
        ):
            LOGGER.debug("verifying JWT with source", source=source.slug)
            keys = source.oidc_jwks.get("keys", [])
            for key in keys:
                if key.get("kid") and key.get("kid") != expected_kid:
                    continue
                LOGGER.debug("verifying JWT with key", source=source.slug, key=key.get("kid"))
                try:
-                    parsed_key = PyJWK.from_dict(key).key
+                    parsed_key = PyJWK.from_dict(key)
                    token = decode(
                        assertion,
-                        parsed_key,
+                        parsed_key.key,
-                        algorithms=[key.get("alg")] if "alg" in key else [fallback_alg],
+                        algorithms=[key.get("alg")],
                        options={
                            "verify_aud": False,
                        },
@ -404,61 +414,13 @@ class TokenParams:
                # and not a public key
                except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
                    LOGGER.warning("failed to verify JWT", exc=exc, source=source.slug)
        if token:
            LOGGER.info("successfully verified JWT with source", source=source.slug)
        return token, source
    def __validate_jwt_from_provider(
        self, assertion: str
    ) -> tuple[dict, OAuth2Provider] | tuple[None, None]:
        token = provider = _key = None
        federated_token = AccessToken.objects.filter(
            token=assertion, provider__in=self.provider.jwt_federation_providers.all()
        ).first()
        if federated_token:
            _key, _alg = federated_token.provider.jwt_key
            try:
                token = decode(
                    assertion,
                    _key.public_key(),
                    algorithms=[_alg],
                    options={
                        "verify_aud": False,
                    },
                )
                provider = federated_token.provider
                self.user = federated_token.user
            except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
                LOGGER.warning(
                    "failed to verify JWT", exc=exc, provider=federated_token.provider.name
                )
        if token:
            LOGGER.info("successfully verified JWT with provider", provider=provider.name)
        return token, provider
    def __post_init_client_credentials_jwt(self, request: HttpRequest):
        assertion_type = request.POST.get(CLIENT_ASSERTION_TYPE, "")
        if assertion_type != CLIENT_ASSERTION_TYPE_JWT:
            LOGGER.warning("Invalid assertion type", assertion_type=assertion_type)
            raise TokenError("invalid_grant")
        client_secret = request.POST.get("client_secret", None)
        assertion = request.POST.get(CLIENT_ASSERTION, client_secret)
        if not assertion:
            LOGGER.warning("Missing client assertion")
            raise TokenError("invalid_grant")
        source = provider = None
        token, source = self.__validate_jwt_from_source(assertion)
        if not token:
            token, provider = self.__validate_jwt_from_provider(assertion)
        if not token:
            LOGGER.warning("No token could be verified")
            raise TokenError("invalid_grant")
        LOGGER.info("successfully verified JWT with source", source=source.slug)
        if "exp" in token:
            exp = datetime.fromtimestamp(token["exp"])
            # Non-timezone aware check since we assume `exp` is in UTC
@ -472,7 +434,6 @@ class TokenParams:
            raise TokenError("invalid_grant")
        self.__check_policy_access(app, request, oauth_jwt=token)
        if not provider:
        self.__create_user_from_jwt(token, app, source)
        method_args = {
@ -480,8 +441,8 @@ class TokenParams:
        }
        if source:
            method_args["source"] = source
-        if provider:
+        if parsed_key:
-            method_args["provider"] = provider
+            method_args["jwk_id"] = parsed_key.key_id
        Event.new(
            action=EventAction.LOGIN,
            **{
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -94,8 +94,7 @@ class ProxyProviderSerializer(ProviderSerializer):
            "intercept_header_auth",
            "redirect_uris",
            "cookie_domain",
-            "jwt_federation_sources",
+            "jwks_sources",
            "jwt_federation_providers",
            "access_token_validity",
            "refresh_token_validity",
            "outpost_set",
--- a/authentik/providers/saml/views/slo.py
+++ b/authentik/providers/saml/views/slo.py
@ -13,6 +13,8 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
@ -62,7 +64,12 @@ class SAMLSLOView(PolicyAccessView):
            },
        )
        plan.insert_stage(in_memory_stage(SessionEndStage))
-        return plan.to_redirect(self.request, self.flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=self.flow.slug,
        )
    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
        """GET and POST use the same handler, but we can't
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -13,11 +13,12 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
-from authentik.flows.views.executor import SESSION_KEY_POST
+from authentik.flows.views.executor import SESSION_KEY_PLAN, SESSION_KEY_POST
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLBindings, SAMLProvider
+from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
    REQUEST_KEY_RELAY_STATE,
@ -73,12 +74,11 @@ class SAMLSSOView(PolicyAccessView):
        except FlowNonApplicableException:
            raise Http404 from None
        plan.append_stage(in_memory_stage(SAMLFlowFinalView))
-        return plan.to_redirect(
+        request.session[SESSION_KEY_PLAN] = plan
-            request,
+        return redirect_with_qs(
-            self.provider.authorization_flow,
+            "authentik_core:if-flow",
-            allowed_silent_types=(
+            request.GET,
-                [SAMLFlowFinalView] if self.provider.sp_binding in [SAMLBindings.REDIRECT] else []
+            flow_slug=self.provider.authorization_flow.slug,
            ),
        )
    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -12,7 +12,7 @@ from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace
 from authentik import __version__
-from authentik.lib.config import CONFIG, django_db_config, redis_url
+from authentik.lib.config import CONFIG, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
@ -32,14 +32,13 @@ LOGIN_URL = "authentik_flows:default-authentication"
 # Custom user model
 AUTH_USER_MODEL = "authentik_core.User"
 CSRF_COOKIE_PATH = LANGUAGE_COOKIE_PATH = SESSION_COOKIE_PATH = CONFIG.get("web.path", "/")
 CSRF_COOKIE_NAME = "authentik_csrf"
 CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
 LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
 X_FRAME_OPTIONS = "SAMEORIGIN"
 AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
@ -114,7 +113,6 @@ TENANT_APPS = [
    "authentik.stages.invitation",
    "authentik.stages.password",
    "authentik.stages.prompt",
    "authentik.stages.redirect",
    "authentik.stages.user_delete",
    "authentik.stages.user_login",
    "authentik.stages.user_logout",
@ -298,7 +296,45 @@ CHANNEL_LAYERS = {
 # https://docs.djangoproject.com/en/2.1/ref/settings/#databases
 ORIGINAL_BACKEND = "django_prometheus.db.backends.postgresql"
-DATABASES = django_db_config()
+DATABASES = {
    "default": {
        "ENGINE": "authentik.root.db",
        "HOST": CONFIG.get("postgresql.host"),
        "NAME": CONFIG.get("postgresql.name"),
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
        "PORT": CONFIG.get("postgresql.port"),
        "SSLMODE": CONFIG.get("postgresql.sslmode"),
        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
        "SSLCERT": CONFIG.get("postgresql.sslcert"),
        "SSLKEY": CONFIG.get("postgresql.sslkey"),
        "TEST": {
            "NAME": CONFIG.get("postgresql.test.name"),
        },
    }
 }
 if CONFIG.get_bool("postgresql.use_pgpool", False):
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
 if CONFIG.get_bool("postgresql.use_pgbouncer", False):
    # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
    DATABASES["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
    DATABASES["default"]["CONN_MAX_AGE"] = None  # persistent
 for replica in CONFIG.get_keys("postgresql.read_replicas"):
    _database = DATABASES["default"].copy()
    for setting in DATABASES["default"].keys():
        default = object()
        if setting in ("TEST",):
            continue
        override = CONFIG.get(
            f"postgresql.read_replicas.{replica}.{setting.lower()}", default=default
        )
        if override is not default:
            _database[setting] = override
    DATABASES[f"replica_{replica}"] = _database
 DATABASE_ROUTERS = (
    "authentik.tenants.db.FailoverRouter",
@ -389,7 +425,7 @@ if _ERROR_REPORTING:
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 STATICFILES_DIRS = [BASE_DIR / Path("web")]
-STATIC_URL = CONFIG.get("web.path", "/") + "static/"
+STATIC_URL = "/static/"
 STORAGES = {
    "staticfiles": {
--- a/authentik/root/urls.py
+++ b/authentik/root/urls.py
@ -4,7 +4,6 @@ from django.urls import include, path
 from structlog.stdlib import get_logger
 from authentik.core.views import error
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 from authentik.root.monitoring import LiveView, MetricsView, ReadyView
@ -15,7 +14,7 @@ handler403 = error.ForbiddenView.as_view()
 handler404 = error.NotFoundView.as_view()
 handler500 = error.ServerErrorView.as_view()
-_urlpatterns = []
+urlpatterns = []
 for _authentik_app in get_apps():
    mountpoints = None
@ -36,7 +35,7 @@ for _authentik_app in get_apps():
                namespace=namespace,
            ),
        )
-        _urlpatterns.append(_path)
+        urlpatterns.append(_path)
        LOGGER.debug(
            "Mounted URLs",
            app_name=_authentik_app.name,
@ -44,10 +43,8 @@ for _authentik_app in get_apps():
            namespace=namespace,
        )
-_urlpatterns += [
+urlpatterns += [
    path("-/metrics/", MetricsView.as_view(), name="metrics"),
    path("-/health/live/", LiveView.as_view(), name="health-live"),
    path("-/health/ready/", ReadyView.as_view(), name="health-ready"),
 ]
 urlpatterns = [path(CONFIG.get("web.path", "/")[1:], include(_urlpatterns))]
--- a/authentik/root/websocket.py
+++ b/authentik/root/websocket.py
@ -2,16 +2,13 @@
 from importlib import import_module
 from channels.routing import URLRouter
 from django.urls import path
 from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 LOGGER = get_logger()
-_websocket_urlpatterns = []
+websocket_urlpatterns = []
 for _authentik_app in get_apps():
    try:
        api_urls = import_module(f"{_authentik_app.name}.urls")
@ -20,15 +17,8 @@ for _authentik_app in get_apps():
    if not hasattr(api_urls, "websocket_urlpatterns"):
        continue
    urls: list = api_urls.websocket_urlpatterns
-    _websocket_urlpatterns.extend(urls)
+    websocket_urlpatterns.extend(urls)
    LOGGER.debug(
        "Mounted Websocket URLs",
        app_name=_authentik_app.name,
    )
 websocket_urlpatterns = [
    path(
        CONFIG.get("web.path", "/")[1:],
        URLRouter(_websocket_urlpatterns),
    ),
 ]
--- a/authentik/sources/kerberos/api/source.py
+++ b/authentik/sources/kerberos/api/source.py
@ -32,7 +32,6 @@ class KerberosSourceSerializer(SourceSerializer):
            "group_matching_mode",
            "realm",
            "krb5_conf",
            "kadmin_type",
            "sync_users",
            "sync_users_password",
            "sync_principal",
@ -70,7 +69,6 @@ class KerberosSourceViewSet(UsedByMixin, ModelViewSet):
        "slug",
        "enabled",
        "realm",
        "kadmin_type",
        "sync_users",
        "sync_users_password",
        "sync_principal",
--- a/authentik/sources/kerberos/migrations/0002_kerberossource_kadmin_type.py
+++ b/authentik/sources/kerberos/migrations/0002_kerberossource_kadmin_type.py
@ -1,22 +0,0 @@
 # Generated by Django 5.0.10 on 2024-12-06 19:24
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_sources_kerberos", "0001_initial"),
    ]
    operations = [
        migrations.AddField(
            model_name="kerberossource",
            name="kadmin_type",
            field=models.TextField(
                choices=[("MIT", "Mit"), ("Heimdal", "Heimdal"), ("other", "Other")],
                default="other",
                help_text="KAdmin server type",
            ),
        ),
    ]
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -6,6 +6,7 @@ from tempfile import gettempdir
 from typing import Any
 import gssapi
 import kadmin
 import pglock
 from django.db import connection, models
 from django.db.models.fields import b64decode
@ -13,8 +14,6 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from kadmin import KAdmin, KAdminApiVersion
 from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@ -31,17 +30,12 @@ from authentik.flows.challenge import RedirectChallenge
 LOGGER = get_logger()
-# Creating kadmin connections is expensive. As such, this global is used to reuse
+# python-kadmin leaks file descriptors. As such, this global is used to reuse
-# existing kadmin connections instead of creating new ones
+# existing kadmin connections instead of creating new ones, which results in less to no file
 # descriptors leaks
 _kadmin_connections: dict[str, Any] = {}
 class KAdminType(models.TextChoices):
    MIT = "MIT"
    HEIMDAL = "Heimdal"
    OTHER = "other"
 class KerberosSource(Source):
    """Federate Kerberos realm with authentik"""
@ -50,9 +44,6 @@ class KerberosSource(Source):
        blank=True,
        help_text=_("Custom krb5.conf to use. Uses the system one by default"),
    )
    kadmin_type = models.TextField(
        choices=KAdminType.choices, default=KAdminType.OTHER, help_text=_("KAdmin server type")
    )
    sync_users = models.BooleanField(
        default=False, help_text=_("Sync users from Kerberos into authentik"), db_index=True
@ -207,24 +198,15 @@ class KerberosSource(Source):
        conf_path.write_text(self.krb5_conf)
        return str(conf_path)
-    def _kadmin_init(self) -> KAdmin | None:
+    def _kadmin_init(self) -> "kadmin.KAdmin | None":
        api_version = None
        match self.kadmin_type:
            case KAdminType.MIT:
                api_version = KAdminApiVersion.Version4
            case KAdminType.HEIMDAL:
                api_version = KAdminApiVersion.Version2
            case KAdminType.OTHER:
                api_version = KAdminApiVersion.Version2
        # kadmin doesn't use a ccache for its connection
        # as such, we don't need to create a separate ccache for each source
        if not self.sync_principal:
            return None
        if self.sync_password:
-            return KAdmin.with_password(
+            return kadmin.init_with_password(
                self.sync_principal,
                self.sync_password,
                api_version=api_version,
            )
        if self.sync_keytab:
            keytab = self.sync_keytab
@ -233,20 +215,18 @@ class KerberosSource(Source):
                keytab_path.touch(mode=0o600)
                keytab_path.write_bytes(b64decode(self.sync_keytab))
                keytab = f"FILE:{keytab_path}"
-            return KAdmin.with_keytab(
+            return kadmin.init_with_keytab(
                self.sync_principal,
                keytab,
                api_version=api_version,
            )
        if self.sync_ccache:
-            return KAdmin.with_ccache(
+            return kadmin.init_with_ccache(
                self.sync_principal,
                self.sync_ccache,
                api_version=api_version,
            )
        return None
-    def connection(self) -> KAdmin | None:
+    def connection(self) -> "kadmin.KAdmin | None":
        """Get kadmin connection"""
        if str(self.pk) not in _kadmin_connections:
            kadm = self._kadmin_init()
@ -266,7 +246,7 @@ class KerberosSource(Source):
                    status["status"] = "no connection"
                    return status
                status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                status["status"] = str(exc)
        return status
--- a/authentik/sources/kerberos/signals.py
+++ b/authentik/sources/kerberos/signals.py
@ -1,8 +1,8 @@
 """authentik kerberos source signals"""
 import kadmin
 from django.db.models.signals import post_save
 from django.dispatch import receiver
 from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
@ -45,12 +45,10 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
            continue
        with Krb5ConfContext(source):
            try:
-                kadm = source.connection()
+                source.connection().getprinc(user_source_connection.identifier).change_password(
-                kadm.get_principal(user_source_connection.identifier).change_password(
+                    password
                    kadm,
                    password,
                )
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
--- a/authentik/sources/kerberos/sync.py
+++ b/authentik/sources/kerberos/sync.py
@ -2,9 +2,9 @@
 from typing import Any
 import kadmin
 from django.core.exceptions import FieldError
 from django.db import IntegrityError, transaction
 from kadmin import KAdmin
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.expression.exceptions import (
@ -30,7 +30,7 @@ class KerberosSync:
    _source: KerberosSource
    _logger: BoundLogger
-    _connection: KAdmin
+    _connection: "kadmin.KAdmin"
    mapper: SourceMapper
    user_manager: PropertyMappingManager
    group_manager: PropertyMappingManager
@ -43,10 +43,8 @@ class KerberosSync:
        self._messages = []
        self._logger = get_logger().bind(source=self._source, syncer=self.__class__.__name__)
        self.mapper = SourceMapper(self._source)
-        self.user_manager = self.mapper.get_manager(User, ["principal", "principal_obj"])
+        self.user_manager = self.mapper.get_manager(User, ["principal"])
-        self.group_manager = self.mapper.get_manager(
+        self.group_manager = self.mapper.get_manager(Group, ["group_id", "principal"])
            Group, ["group_id", "principal", "principal_obj"]
        )
        self.matcher = SourceMatcher(
            self._source, UserKerberosSourceConnection, GroupKerberosSourceConnection
        )
@ -69,16 +67,12 @@ class KerberosSync:
    def _handle_principal(self, principal: str) -> bool:
        try:
            # TODO: handle permission error
            principal_obj = self._connection.get_principal(principal)
            defaults = self.mapper.build_object_properties(
                object_type=User,
                manager=self.user_manager,
                user=None,
                request=None,
                principal=principal,
                principal_obj=principal_obj,
            )
            self._logger.debug("Writing user with attributes", **defaults)
            if "username" not in defaults:
@ -97,7 +91,6 @@ class KerberosSync:
                    request=None,
                    group_id=group_id,
                    principal=principal,
                    principal_obj=principal_obj,
                )
                for group_id in defaults.pop("groups", [])
            }
@ -168,7 +161,7 @@ class KerberosSync:
        user_count = 0
        with Krb5ConfContext(self._source):
-            for principal in self._connection.list_principals(None):
+            for principal in self._connection.principals():
                if self._handle_principal(principal):
                    user_count += 1
        return user_count
--- a/authentik/sources/kerberos/tests/test_auth.py
+++ b/authentik/sources/kerberos/tests/test_auth.py
@ -23,7 +23,6 @@ class TestKerberosAuth(KerberosTestCase):
        )
        self.user = User.objects.create(username=generate_id())
        self.user.set_unusable_password()
        self.user.save()
        UserKerberosSourceConnection.objects.create(
            source=self.source, user=self.user, identifier=self.realm.user_princ
        )
--- a/authentik/sources/kerberos/tests/test_spnego.py
+++ b/authentik/sources/kerberos/tests/test_spnego.py
@ -2,8 +2,6 @@
 from base64 import b64decode, b64encode
 from pathlib import Path
 from sys import platform
 from unittest import skipUnless
 import gssapi
 from django.urls import reverse
@ -38,7 +36,6 @@ class TestSPNEGOSource(KerberosTestCase):
        )
        self.assertEqual(response.status_code, 200)
    @skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
    def test_source_login(self):
        """test login view"""
        response = self.client.get(
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -31,7 +31,8 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@ -88,7 +89,12 @@ class InitiateView(View):
            raise Http404 from None
        for stage in stages_to_append:
            plan.append_stage(stage)
-        return plan.to_redirect(self.request, source.pre_authentication_flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=source.pre_authentication_flow.slug,
        )
    def get(self, request: HttpRequest, source_slug: str) -> HttpResponse:
        """Replies with an XHTML SSO Request."""
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            serializer = SelectableStageSerializer(
                data={
                    "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
+                    "name": getattr(stage, "friendly_name", stage.name),
                    "verbose_name": str(stage._meta.verbose_name)
                    .replace("Setup Stage", "")
                    .strip(),
--- a/authentik/stages/authenticator_validate/tests/test_stage.py
+++ b/authentik/stages/authenticator_validate/tests/test_stage.py
@ -4,7 +4,6 @@ from unittest.mock import MagicMock, patch
 from django.test.client import RequestFactory
 from django.urls.base import reverse
 from django.utils.timezone import now
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@ -14,7 +13,6 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@ -78,8 +76,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        conf_stage = AuthenticatorStaticStage.objects.create(
            name=generate_id(),
        )
-        conf_stage2 = AuthenticatorTOTPStage.objects.create(
+        conf_stage2 = AuthenticatorStaticStage.objects.create(
-            name=generate_id(), digits=TOTPDigits.SIX
+            name=generate_id(),
        )
        stage = AuthenticatorValidateStage.objects.create(
            name=generate_id(),
@ -155,14 +153,10 @@ class AuthenticatorValidateStageTests(FlowTestCase):
            {
                "device_class": "static",
                "device_uid": "1",
                "challenge": {},
                "last_used": now(),
            },
            {
                "device_class": "totp",
                "device_uid": "2",
                "challenge": {},
                "last_used": now(),
            },
        ]
        session[SESSION_KEY_PLAN] = plan
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
@ -141,10 +141,5 @@
    "name": "Devolutions",
    "icon_dark": "data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iNzJweCIgaGVpZ2h0PSI3MnB4IiB2aWV3Qm94PSIwIDAgNzIgNzIiPgk8ZGVmcz4KICAgICAgICA8ZmlsdGVyIGlkPSJhIiB3aWR0aD0iMjAwJSIgaGVpZ2h0PSIyMDAlIj4KICAgICAgICAgICAgPGZlT2Zmc2V0IHJlc3VsdD0ib2ZmT3V0IiBpbj0iU291cmNlQWxwaGEiIGR5PSIyLjIiLz4KICAgICAgICAgICAgPGZlR2F1c3NpYW5CbHVyIHJlc3VsdD0iYmx1ck91dCIgaW49Im9mZk91dCIgc3RkRGV2aWF0aW9uPSIxLjUiLz4KICAgICAgICAgICAgPGZlQ29sb3JNYXRyaXggdmFsdWVzPSIwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwLjQgMCIvPgogICAgICAgICAgICA8ZmVNZXJnZT4KICAgICAgICAgICAgICAgIDxmZU1lcmdlTm9kZS8+CiAgICAgICAgICAgICAgICA8ZmVNZXJnZU5vZGUgaW49IlNvdXJjZUdyYXBoaWMiLz4KICAgICAgICAgICAgPC9mZU1lcmdlPgogICAgICAgIDwvZmlsdGVyPgogICAgPC9kZWZzPgo8cGF0aCBmaWxsPSIjZmZmZmZmIiBmaWx0ZXI9InVybCgjYSkiIGQ9Ik0zMS4wNTksNS4zOTVjMTYuODktMi43MjcsMzIuODE3LDguNzcyLDM1LjU0NSwyNS42NjJjMi43MjcsMTYuODktOC43NzIsMzIuODE3LTI1LjY2MiwzNS41NDUKCUMyNC4wNTEsNjkuMzI5LDguMTI0LDU3LjgzLDUuMzk3LDQwLjk0QzIuNjcsMjQuMDQ5LDE0LjE2OSw4LjEyMiwzMS4wNTksNS4zOTV6Ii8+CjxwYXRoIGZpbGw9IiMwMDY4YzMiIGQ9Ik01NS4zNjQsMTcuMjAyYy01LjA0Ny01LjE5Ny0xMS44MDItOC4xMDktMTkuMDItOC4yYy03LjE5MS0wLjA5LTEzLjk4NSwyLjY2OS0xOS4xNDksNy43NjgKCUMxMS45MSwyMS45ODksOSwyOC45NTUsOSwzNi4zOTJsMC4wNDQsMS4yNmMwLDEuMTgxLDAuOTYxLDIuMTQyLDIuMTQyLDIuMTQyczIuMTQxLTAuOTYsMi4xNDItMi4xNGwwLjAxLTAuOTEzCgljMC05Ljk0NSw4LjQ1My0yMC41OTMsMjEuMDM1LTIwLjU5M2MxMy4xMzIsMCwyMS4yNjEsMTAuNzEyLDIxLjI2MSwyMC42MzdjMCw1LjE3My0yLjA2Myw5LjkxOS01LjgwOCwxMy4zNjMKCUM0Ni4xNyw1My41MDksNDEuMjYsNTUuMzYsMzYsNTUuMzZjLTMuMTMsMC02LjIxOS0wLjc1NS04Ljk1OC0yLjE4NmwxOC44Ny04LjY4NmMxLjI2Ny0wLjU4MywyLjExNS0xLjgxLDIuMjEzLTMuMjAxCglzLTAuNTY5LTIuNzI1LTEuNzU0LTMuNDg3bC0xNS43MDYtOC40MTVjLTAuNTU0LTAuMzU3LTEuMjEzLTAuNDc3LTEuODU4LTAuMzM3Yy0wLjY0NCwwLjEzOS0xLjE5NSwwLjUyMS0xLjU1MiwxLjA3NQoJYy0wLjczNywxLjE0NC0wLjQwNiwyLjY3MywwLjcyMSwzLjM5N2w4LjQ1NCw2LjkyM2wtMTguNDE5LDguNDc4Yy0xLjQyNywwLjY1Ny0yLjI5OCwyLjEtMi4yMTgsMy42NzUKCWMwLjA0OCwwLjk0OSwwLjQ5MywxLjg4NCwxLjI1MywyLjYzNEMyMi4xNTgsNjAuMjY5LDI4Ljg0LDYzLDM1Ljk4NSw2M2MwLjQ0NSwwLDAuODkyLTAuMDExLDEuMzQxLTAuMDMyCgljMTQuMTU2LTAuNjczLDI1LjQzMi0xMi4zMTUsMjUuNjcxLTI2LjUwNUM2My4xMTgsMjkuMjM2LDYwLjQwNywyMi4zOTYsNTUuMzY0LDE3LjIwMnoiLz4KPC9zdmc+Cg==",
    "icon_light": "data:image/svg+xml;base64,CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB3aWR0aD0iNzJweCIgaGVpZ2h0PSI3MnB4IiB2aWV3Qm94PSIwIDAgNzIgNzIiPgk8ZGVmcz4KICAgICAgICA8ZmlsdGVyIGlkPSJhIiB3aWR0aD0iMjAwJSIgaGVpZ2h0PSIyMDAlIj4KICAgICAgICAgICAgPGZlT2Zmc2V0IHJlc3VsdD0ib2ZmT3V0IiBpbj0iU291cmNlQWxwaGEiIGR5PSIyLjIiLz4KICAgICAgICAgICAgPGZlR2F1c3NpYW5CbHVyIHJlc3VsdD0iYmx1ck91dCIgaW49Im9mZk91dCIgc3RkRGV2aWF0aW9uPSIxLjUiLz4KICAgICAgICAgICAgPGZlQ29sb3JNYXRyaXggdmFsdWVzPSIwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwIDAgMCAwLjQgMCIvPgogICAgICAgICAgICA8ZmVNZXJnZT4KICAgICAgICAgICAgICAgIDxmZU1lcmdlTm9kZS8+CiAgICAgICAgICAgICAgICA8ZmVNZXJnZU5vZGUgaW49IlNvdXJjZUdyYXBoaWMiLz4KICAgICAgICAgICAgPC9mZU1lcmdlPgogICAgICAgIDwvZmlsdGVyPgogICAgPC9kZWZzPgo8cGF0aCBmaWxsPSIjZmZmZmZmIiBmaWx0ZXI9InVybCgjYSkiIGQ9Ik0zMS4wNTksNS4zOTVjMTYuODktMi43MjcsMzIuODE3LDguNzcyLDM1LjU0NSwyNS42NjJjMi43MjcsMTYuODktOC43NzIsMzIuODE3LTI1LjY2MiwzNS41NDUKCUMyNC4wNTEsNjkuMzI5LDguMTI0LDU3LjgzLDUuMzk3LDQwLjk0QzIuNjcsMjQuMDQ5LDE0LjE2OSw4LjEyMiwzMS4wNTksNS4zOTV6Ii8+CjxwYXRoIGZpbGw9IiMwMDY4YzMiIGQ9Ik01NS4zNjQsMTcuMjAyYy01LjA0Ny01LjE5Ny0xMS44MDItOC4xMDktMTkuMDItOC4yYy03LjE5MS0wLjA5LTEzLjk4NSwyLjY2OS0xOS4xNDksNy43NjgKCUMxMS45MSwyMS45ODksOSwyOC45NTUsOSwzNi4zOTJsMC4wNDQsMS4yNmMwLDEuMTgxLDAuOTYxLDIuMTQyLDIuMTQyLDIuMTQyczIuMTQxLTAuOTYsMi4xNDItMi4xNGwwLjAxLTAuOTEzCgljMC05Ljk0NSw4LjQ1My0yMC41OTMsMjEuMDM1LTIwLjU5M2MxMy4xMzIsMCwyMS4yNjEsMTAuNzEyLDIxLjI2MSwyMC42MzdjMCw1LjE3My0yLjA2Myw5LjkxOS01LjgwOCwxMy4zNjMKCUM0Ni4xNyw1My41MDksNDEuMjYsNTUuMzYsMzYsNTUuMzZjLTMuMTMsMC02LjIxOS0wLjc1NS04Ljk1OC0yLjE4NmwxOC44Ny04LjY4NmMxLjI2Ny0wLjU4MywyLjExNS0xLjgxLDIuMjEzLTMuMjAxCglzLTAuNTY5LTIuNzI1LTEuNzU0LTMuNDg3bC0xNS43MDYtOC40MTVjLTAuNTU0LTAuMzU3LTEuMjEzLTAuNDc3LTEuODU4LTAuMzM3Yy0wLjY0NCwwLjEzOS0xLjE5NSwwLjUyMS0xLjU1MiwxLjA3NQoJYy0wLjczNywxLjE0NC0wLjQwNiwyLjY3MywwLjcyMSwzLjM5N2w4LjQ1NCw2LjkyM2wtMTguNDE5LDguNDc4Yy0xLjQyNywwLjY1Ny0yLjI5OCwyLjEtMi4yMTgsMy42NzUKCWMwLjA0OCwwLjk0OSwwLjQ5MywxLjg4NCwxLjI1MywyLjYzNEMyMi4xNTgsNjAuMjY5LDI4Ljg0LDYzLDM1Ljk4NSw2M2MwLjQ0NSwwLDAuODkyLTAuMDExLDEuMzQxLTAuMDMyCgljMTQuMTU2LTAuNjczLDI1LjQzMi0xMi4zMTUsMjUuNjcxLTI2LjUwNUM2My4xMTgsMjkuMjM2LDYwLjQwNywyMi4zOTYsNTUuMzY0LDE3LjIwMnoiLz4KPC9zdmc+Cg=="
    },
    "22248c4c-7a12-46e2-9a41-44291b373a4d": {
 		"name": "LogMeOnce",
 		"icon_dark": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgMjA0OCAyMDQ4IiB3aWR0aD0iMTI4IiBoZWlnaHQ9IjEyOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTSAwIDAgTCAtNSAxIEwgLTE1IDQgTCAtMzggMTEgTCAtNTcgMTggTCAtNzYgMjkgTCAtOTAgMzggTCAtMTA5IDUyIEwgLTExNiA1OSBMIC0xMjcgNjggTCAtMTQwIDgxIEwgLTE0OCA4OCBMIC0xNDkgOTEgTCAtMTUxIDkxIEwgLTE2MSAxMDEgTCAtMTY5IDEwOCBMIC0xNjkgMTEwIEwgLTE3MSAxMTAgTCAtMTgwIDExOSBMIC0xODggMTI2IEwgLTIwMSAxMzcgTCAtMjEyIDE0NiBMIC0yMjYgMTU3IEwgLTIzOSAxNjcgTCAtMjUwIDE3NSBMIC0yNzAgMTg4IEwgLTI5MSAyMDIgTCAtMzA5IDIxMiBMIC0zMzAgMjI0IEwgLTM1MyAyMzUgTCAtMzg2IDI1MCBMIC00MDcgMjU5IEwgLTQ0OSAyNzMgTCAtNDcyIDI4MSBMIC01MDIgMjg5IEwgLTU1MSAyOTggTCAtNjE1IDMwOSBMIC02NDcgMzE2IEwgLTY4MSAzMjQgTCAtNjk4IDMzMCBMIC03MTQgMzM4IEwgLTczNSAzNTEgTCAtNzQ1IDM1OCBMIC03NTYgMzY3IEwgLTc2NCAzNzUgTCAtNzY2IDM3OSBMIC03NjggMzc5IEwgLTc3MyAzODUgTCAtNzgxIDM5NSBMIC03OTEgNDEwIEwgLTgwMSA0MjggTCAtODEwIDQ0NyBMIC04MTYgNDY1IEwgLTgyMiA1MDAgTCAtODI3IDU0NSBMIC04MzAgNTkyIEwgLTgzMiA2NTMgTCAtODMyIDcxMiBMIC04MzEgNzQyIEwgLTgyOCA3OTQgTCAtODIyIDg2NiBMIC04MTYgOTI4IEwgLTgxMiA5NTcgTCAtODAwIDEwMjAgTCAtNzg5IDEwNzIgTCAtNzgzIDEwOTggTCAtNzY1IDExNjIgTCAtNzUxIDEyMDcgTCAtNzQ0IDEyMjUgTCAtNzM0IDEyNTQgTCAtNzIwIDEyOTAgTCAtNzA0IDEzMjggTCAtNjg5IDEzNjEgTCAtNjY4IDE0MDMgTCAtNjUzIDE0MzEgTCAtNjM5IDE0NTYgTCAtNjIwIDE0ODggTCAtNjA3IDE1MDkgTCAtNTk0IDE1MjkgTCAtNTg0IDE1NDQgTCAtNTcxIDE1NjMgTCAtNTU4IDE1ODEgTCAtNTQ0IDE2MDAgTCAtNTMzIDE2MTUgTCAtNTIwIDE2MzIgTCAtNTA3IDE2NDggTCAtNDc5IDE2ODIgTCAtNDcwIDE2OTMgTCAtNDYwIDE3MDQgTCAtNDQ5IDE3MTYgTCAtNDQyIDE3MjQgTCAtNDMyIDE3MzQgTCAtNDI1IDE3NDIgTCAtMzY4IDE3OTkgTCAtMzUxIDE4MTUgTCAtMzM1IDE4MzAgTCAtMzI3IDE4MzcgTCAtMzE0IDE4NDkgTCAtMjg4IDE4NzEgTCAtMjcxIDE4ODUgTCAtMjYxIDE4OTMgTCAtMjQ0IDE5MDcgTCAtMjI4IDE5MTkgTCAtMjE1IDE5MjkgTCAtMTk2IDE5NDMgTCAtMTg0IDE5NTIgTCAtMTY4IDE5NjMgTCAtMTQ4IDE5NzcgTCAtMTMzIDE5ODcgTCAtMTEyIDIwMDAgTCAtODggMjAxMyBMIC03MiAyMDIxIEwgLTUyIDIwMzAgTCAtMzIgMjAzNyBMIDEyIDIwNDggTCA2MCAyMDQ4IEwgNjEgMjA0NyBMIDczIDIwNDQgTCAxMDAgMjAzNyBMIDEyMSAyMDI5IEwgMTQ5IDIwMTUgTCAxNjcgMjAwNSBMIDE4NiAxOTk0IEwgMjEwIDE5NzkgTCAyMzEgMTk2NSBMIDI2NiAxOTQxIEwgMjg0IDE5MjggTCAyOTUgMTkyMCBMIDMwNiAxOTExIEwgMzI0IDE4OTggTCAzMzggMTg4NyBMIDM0OSAxODc3IEwgMzU4IDE4NzAgTCAzNjkgMTg2MCBMIDM4MCAxODUxIEwgMzgwIDE4NDkgTCAzODIgMTg0OSBMIDM4NSAxODQ2IEwgMzk2IDE4MzcgTCA0MDMgMTgzMCBMIDQxMSAxODIzIEwgNDE4IDE4MTYgTCA0MjYgMTgwOSBMIDQ3NSAxNzYwIEwgNDc3IDE3NTYgTCA0NzkgMTc1NiBMIDQ4NyAxNzQ3IEwgNTAzIDE3MzAgTCA1MTAgMTcyMiBMIDUxOSAxNzEyIEwgNTI2IDE3MDQgTCA1MzggMTY5MSBMIDU0NyAxNjgwIEwgNTU4IDE2NjcgTCA1NjYgMTY1NiBMIDU3OSAxNjQwIEwgNTkwIDE2MjYgTCA2MDYgMTYwNSBMIDYyMSAxNTgzIEwgNjMxIDE1NjkgTCA2NDUgMTU0OSBMIDY1NSAxNTMzIEwgNjcwIDE1MTAgTCA2ODUgMTQ4NSBMIDY5NiAxNDY3IEwgNzA2IDE0NDkgTCA3MzAgMTQwNSBMIDc0NSAxMzc0IEwgNzYyIDEzMzggTCA3NzQgMTMxMCBMIDc5MiAxMjY3IEwgODExIDEyMTYgTCA4MjcgMTE2NiBMIDg0MiAxMTE3IEwgODU4IDEwNTEgTCA4NzAgOTk2IEwgODc1IDk2NyBMIDg4MSA5MTcgTCA4ODYgODgyIEwgODkxIDg0NiBMIDg5NCA4MTIgTCA4OTYgNzc0IEwgODk2IDY1NSBMIDg5NSA2MzAgTCA4OTIgNTkzIEwgODg4IDU1OSBMIDg3NyA0NzAgTCA4NzIgNDQ1IEwgODY1IDQyNiBMIDg1NyA0MTEgTCA4NDcgMzk1IEwgODM0IDM3OCBMIDgxNCAzNTggTCA4MDAgMzQ3IEwgNzg1IDMzNyBMIDc2NiAzMjcgTCA3NTAgMzIxIEwgNzI3IDMxNSBMIDY5MyAzMDggTCA2NTAgMzAxIEwgNTk3IDI5MiBMIDU3MCAyODYgTCA1NDggMjgwIEwgNTE1IDI3MCBMIDQ4NyAyNjEgTCA0NTkgMjUwIEwgNDM4IDI0MSBMIDQxNCAyMzAgTCAzODIgMjEzIEwgMzU4IDE5OSBMIDM0NyAxOTIgTCAzMzAgMTgwIEwgMzEyIDE2NyBMIDMwMCAxNTcgTCAyODYgMTQ2IEwgMjcxIDEzMyBMIDI2MyAxMjYgTCAyNTEgMTE1IEwgMjQwIDEwNiBMIDIyOCA5NSBMIDIwMCA3MSBMIDE4OSA2MiBMIDE3NCA1MCBMIDE1OCAzOCBMIDE0MiAyNyBMIDEyNyAxOSBMIDExNSAxNCBMIDk1IDggTCA3MSAwIEwgMCAwIHogTSAzMCA2MjIgTCA1MSA2MjMgTCA3OSA2MjcgTCAxMDAgNjMzIEwgMTIxIDY0MSBMIDE0MSA2NTIgTCAxNTcgNjYzIEwgMTcyIDY3NiBMIDE4NiA2OTAgTCAxODYgNjkyIEwgMTg4IDY5MiBMIDIwNiA3MTYgTCAyMTYgNzM0IEwgMjIxIDc0NSBMIDIyNiA3NTggTCAyMzMgNzg0IEwgMjM2IDc5OCBMIDIzNyA4MDggTCAyMzcgODQwIEwgMjMzIDg2NSBMIDIyNiA4OTEgTCAyMTkgOTA5IEwgMjA5IDkyOCBMIDE5NSA5NDkgTCAxODYgOTU5IEwgMTc5IDk2NyBMIDE2NiA5ODAgTCAxNTUgOTg5IEwgMTQyIDk5OCBMIDEyNiAxMDA3IEwgMTEzIDEwMTIgTCAxMTQgMTAyNCBMIDEyMiAxMDYwIEwgMTM3IDExMjMgTCAxNTYgMTIwOCBMIDE3MCAxMjcxIEwgMTc0IDEyOTYgTCAxNzYgMTMxMCBMIDE3NiAxMzM1IEwgMTczIDEzNDkgTCAxNjYgMTM1OSBMIDE1NyAxMzY3IEwgMTQ2IDEzNzIgTCAxNDAgMTM3NCBMIDExOSAxMzc2IEwgNTEgMTM3NiBMIC0zMiAxMzc3IEwgLTY0IDEzNzcgTCAtNzggMTM3NCBMIC04NSAxMzcwIEwgLTk4IDEzNTkgTCAtMTA2IDEzNDkgTCAtMTEwIDEzNDEgTCAtMTEyIDEzMzMgTCAtMTEyIDEzMTggTCAtMTA3IDEyODggTCAtMTAwIDEyNTYgTCAtODUgMTE5NiBMIC02OSAxMTI0IEwgLTU3IDEwNzIgTCAtNTAgMTAzNiBMIC00NyAxMDExIEwgLTUzIDEwMDkgTCAtNjkgMTAwMSBMIC04MSA5OTQgTCAtOTMgOTg1IEwgLTEwMyA5NzYgTCAtMTExIDk2OSBMIC0xMjAgOTYwIEwgLTEzMSA5NDYgTCAtMTQyIDkyOSBMIC0xNTIgOTEwIEwgLTE2MCA4OTAgTCAtMTY2IDg3MCBMIC0xNjkgODUzIEwgLTE3MCA4NDQgTCAtMTcwIDgxNCBMIC0xNjcgNzk0IEwgLTE2MSA3NjcgTCAtMTU0IDc0NiBMIC0xMzcgNzEzIEwgLTEyNiA2OTggTCAtMTE5IDY5MCBMIC0xMDggNjc4IEwgLTkzIDY2NSBMIC03NyA2NTMgTCAtNTYgNjQxIEwgLTM4IDYzMyBMIC0xNiA2MjcgTCAzIDYyNCBMIDMwIDYyMiB6ICIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoOTkxKSIgc3R5bGU9ImZpbGw6I2ZmZmZmZiIgLz4KPC9zdmc+Cg==",
 		"icon_light": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAyMDQ4IDIwNDgiIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSg5OTEpIiBkPSJtMCAwaDcxbDI0IDggMjAgNiAxMiA1IDE1IDggMTYgMTEgMTYgMTIgMTUgMTIgMTEgOSAyOCAyNCAxMiAxMSAxMSA5IDEyIDExIDggNyAxNSAxMyAxNCAxMSAxMiAxMCAxOCAxMyAxNyAxMiAxMSA3IDI0IDE0IDMyIDE3IDI0IDExIDIxIDkgMjggMTEgMjggOSAzMyAxMCAyMiA2IDI3IDYgNTMgOSA0MyA3IDM0IDcgMjMgNiAxNiA2IDE5IDEwIDE1IDEwIDE0IDExIDIwIDIwIDEzIDE3IDEwIDE2IDggMTUgNyAxOSA1IDI1IDExIDg5IDQgMzQgMyAzNyAxIDI1djExOWwtMiAzOC0zIDM0LTUgMzYtNSAzNS02IDUwLTUgMjktMTIgNTUtMTYgNjYtMTUgNDktMTYgNTAtMTkgNTEtMTggNDMtMTIgMjgtMTcgMzYtMTUgMzEtMjQgNDQtMTAgMTgtMTEgMTgtMTUgMjUtMTUgMjMtMTAgMTYtMTQgMjAtMTAgMTQtMTUgMjItMTYgMjEtMTEgMTQtMTMgMTYtOCAxMS0xMSAxMy05IDExLTEyIDEzLTcgOC05IDEwLTcgOC0xNiAxNy04IDloLTJsLTIgNC00OSA0OS04IDctNyA3LTggNy03IDctMTEgOS0zIDNoLTJ2MmwtMTEgOS0xMSAxMC05IDctMTEgMTAtMTQgMTEtMTggMTMtMTEgOS0xMSA4LTE4IDEzLTM1IDI0LTIxIDE0LTI0IDE1LTE5IDExLTE4IDEwLTI4IDE0LTIxIDgtMjcgNy0xMiAzLTEgMWgtNDhsLTQ0LTExLTIwLTctMjAtOS0xNi04LTI0LTEzLTIxLTEzLTE1LTEwLTIwLTE0LTE2LTExLTEyLTktMTktMTQtMTMtMTAtMTYtMTItMTctMTQtMTAtOC0xNy0xNC0yNi0yMi0xMy0xMi04LTctMTYtMTUtMTctMTYtNTctNTctNy04LTEwLTEwLTctOC0xMS0xMi0xMC0xMS05LTExLTI4LTM0LTEzLTE2LTEzLTE3LTExLTE1LTE0LTE5LTEzLTE4LTEzLTE5LTEwLTE1LTEzLTIwLTEzLTIxLTE5LTMyLTE0LTI1LTE1LTI4LTIxLTQyLTE1LTMzLTE2LTM4LTE0LTM2LTEwLTI5LTctMTgtMTQtNDUtMTgtNjQtNi0yNi0xMS01Mi0xMi02My00LTI5LTYtNjItNi03Mi0zLTUyLTEtMzB2LTU5bDItNjEgMy00NyA1LTQ1IDYtMzUgNi0xOCA5LTE5IDEwLTE4IDEwLTE1IDgtMTAgNS02aDJsMi00IDgtOCAxMS05IDEwLTcgMjEtMTMgMTYtOCAxNy02IDM0LTggMzItNyA2NC0xMSA0OS05IDMwLTggMjMtOCA0Mi0xNCAyMS05IDMzLTE1IDIzLTExIDIxLTEyIDE4LTEwIDIxLTE0IDIwLTEzIDExLTggMTMtMTAgMTQtMTEgMTEtOSAxMy0xMSA4LTcgOS05aDJ2LTJsOC03IDEwLTEwaDJsMS0zIDgtNyAxMy0xMyAxMS05IDctNyAxOS0xNCAxNC05IDE5LTExIDE5LTcgMjMtNyAxMC0zeiIgZmlsbD0iI0YxODQyOSIvPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxMDIxLDYyMikiIGQ9Im0wIDAgMjEgMSAyOCA0IDIxIDYgMjEgOCAyMCAxMSAxNiAxMSAxNSAxMyAxNCAxNHYyaDJsMTggMjQgMTAgMTggNSAxMSA1IDEzIDcgMjYgMyAxNCAxIDEwdjMybC00IDI1LTcgMjYtNyAxOC0xMCAxOS0xNCAyMS05IDEwLTcgOC0xMyAxMy0xMSA5LTEzIDktMTYgOS0xMyA1IDEgMTIgOCAzNiAxNSA2MyAxOSA4NSAxNCA2MyA0IDI1IDIgMTR2MjVsLTMgMTQtNyAxMC05IDgtMTEgNS02IDItMjEgMmgtNjhsLTgzIDFoLTMybC0xNC0zLTctNC0xMy0xMS04LTEwLTQtOC0yLTh2LTE1bDUtMzAgNy0zMiAxNS02MCAxNi03MiAxMi01MiA3LTM2IDMtMjUtNi0yLTE2LTgtMTItNy0xMi05LTEwLTktOC03LTktOS0xMS0xNC0xMS0xNy0xMC0xOS04LTIwLTYtMjAtMy0xNy0xLTl2LTMwbDMtMjAgNi0yNyA3LTIxIDE3LTMzIDExLTE1IDctOCAxMS0xMiAxNS0xMyAxNi0xMiAyMS0xMiAxOC04IDIyLTYgMTktM3oiIGZpbGw9IiNGRUZGRkUiLz4KPC9zdmc+Cg=="
  }
 }
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/email/templates/email/password_reset.html
+++ b/authentik/stages/email/templates/email/password_reset.html
@ -37,7 +37,7 @@
 <tr>
  <td style="padding: 20px; font-size: 12px; color: #212124;" align="center">
    {% blocktrans with expires=expires|naturaltime %}
-    If you did not request a password change, please ignore this email. The link above is valid for {{ expires }}.
+    If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
    {% endblocktrans %}
  </td>
 </tr>
--- a/authentik/stages/email/templates/email/password_reset.txt
+++ b/authentik/stages/email/templates/email/password_reset.txt
@ -5,7 +5,7 @@ You recently requested to change your password for your authentik account. Use t
 {% endblocktrans %}
 {{ url }}
 {% blocktrans with expires=expires|naturaltime %}
-If you did not request a password change, please ignore this email. The link above is valid for {{ expires }}.
+If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
 {% endblocktrans %}
 -- 
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,7 +26,6 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
 from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@ -77,7 +76,7 @@ class IdentificationChallenge(Challenge):
    allow_show_password = BooleanField(default=False)
    application_pre = CharField(required=False)
    flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
+    captcha_stage = CaptchaChallenge(required=False)
    enroll_url = CharField(required=False)
    recovery_url = CharField(required=False)
@ -225,8 +224,6 @@ class IdentificationStageView(ChallengeStageView):
                        "js_url": current_stage.captcha_stage.js_url,
                        "site_key": current_stage.captcha_stage.public_key,
                        "interactive": current_stage.captcha_stage.interactive,
                        "pending_user": "",
                        "pending_user_avatar": DEFAULT_AVATAR,
                    }
                    if current_stage.captcha_stage
                    else None
--- a/authentik/stages/redirect/init.py
+++ b/authentik/stages/redirect/init.py
--- a/authentik/stages/redirect/api.py
+++ b/authentik/stages/redirect/api.py
@ -1,42 +0,0 @@
 """RedirectStage API Views"""
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import ValidationError
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.redirect.models import RedirectMode, RedirectStage
 class RedirectStageSerializer(StageSerializer):
    """RedirectStage Serializer"""
    def validate(self, attrs):
        mode = attrs.get("mode")
        target_static = attrs.get("target_static")
        target_flow = attrs.get("target_flow")
        if mode == RedirectMode.STATIC and not target_static:
            raise ValidationError(_("Target URL should be present when mode is Static."))
        if mode == RedirectMode.FLOW and not target_flow:
            raise ValidationError(_("Target Flow should be present when mode is Flow."))
        return attrs
    class Meta:
        model = RedirectStage
        fields = StageSerializer.Meta.fields + [
            "keep_context",
            "mode",
            "target_static",
            "target_flow",
        ]
 class RedirectStageViewSet(UsedByMixin, ModelViewSet):
    """RedirectStage Viewset"""
    queryset = RedirectStage.objects.all()
    serializer_class = RedirectStageSerializer
    filterset_fields = ["name"]
    search_fields = ["name"]
    ordering = ["name"]
--- a/authentik/stages/redirect/apps.py
+++ b/authentik/stages/redirect/apps.py
@ -1,11 +0,0 @@
 """authentik redirect app"""
 from django.apps import AppConfig
 class AuthentikStageRedirectConfig(AppConfig):
    """authentik redirect app"""
    name = "authentik.stages.redirect"
    label = "authentik_stages_redirect"
    verbose_name = "authentik Stages.Redirect"
--- a/authentik/stages/redirect/migrations/0001_initial.py
+++ b/authentik/stages/redirect/migrations/0001_initial.py
@ -1,49 +0,0 @@
 # Generated by Django 5.0.10 on 2024-12-11 14:40
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.CreateModel(
            name="RedirectStage",
            fields=[
                (
                    "stage_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_flows.stage",
                    ),
                ),
                ("keep_context", models.BooleanField(default=True)),
                ("mode", models.TextField(choices=[("static", "Static"), ("flow", "Flow")])),
                ("target_static", models.CharField(blank=True, default="")),
                (
                    "target_flow",
                    models.ForeignKey(
                        blank=True,
                        null=True,
                        on_delete=django.db.models.deletion.SET_NULL,
                        to="authentik_flows.flow",
                    ),
                ),
            ],
            options={
                "verbose_name": "Redirect Stage",
                "verbose_name_plural": "Redirect Stages",
            },
            bases=("authentik_flows.stage",),
        ),
    ]
--- a/authentik/stages/redirect/migrations/init.py
+++ b/authentik/stages/redirect/migrations/init.py
--- a/authentik/stages/redirect/models.py
+++ b/authentik/stages/redirect/models.py
@ -1,49 +0,0 @@
 """authentik redirect stage"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
 from authentik.flows.models import Flow, Stage
 class RedirectMode(models.TextChoices):
    """Mode a Redirect stage can operate in"""
    STATIC = "static"
    FLOW = "flow"
 class RedirectStage(Stage):
    """Redirect the user to another flow, potentially with all gathered context"""
    keep_context = models.BooleanField(default=True)
    mode = models.TextField(choices=RedirectMode.choices)
    target_static = models.CharField(blank=True, default="")
    target_flow = models.ForeignKey(
        Flow,
        null=True,
        blank=True,
        on_delete=models.SET_NULL,
    )
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.stages.redirect.api import RedirectStageSerializer
        return RedirectStageSerializer
    @property
    def view(self) -> type[View]:
        from authentik.stages.redirect.stage import RedirectStageView
        return RedirectStageView
    @property
    def component(self) -> str:
        return "ak-stage-redirect-form"
    class Meta:
        verbose_name = _("Redirect Stage")
        verbose_name_plural = _("Redirect Stages")
--- a/Show More
+++ b/Show More
		`@ -1 +1 @@`
			`website/docs/developer-docs/index.md`				`website/developer-docs/index.md`