wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
wip
2025-03-07 19:23:34 +01:00 · 2025-03-07 16:24:55 +01:00 · 2025-03-07 14:04:21 +01:00
1321 changed files with 21641 additions and 76912 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,8 +17,6 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

-[bumpversion:file:uv.lock]
-
 [bumpversion:file:package.json]

 [bumpversion:file:docker-compose.yml]
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -44,6 +44,7 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
+                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -9,22 +9,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
      shell: bash
      run: |
+        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      uses: astral-sh/setup-uv@v5
-      with:
-        enable-cache: true
-    - name: Setup python
+    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
    - name: Setup node
      uses: actions/setup-node@v4
      with:
@ -44,11 +39,12 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry sync
        cd web && npm ci
    - name: Generate config
-      shell: uv run python {0}
+      shell: poetry run python {0}
      run: |
-        from authentik.crypto.generators import generate_id
+        from authentik.lib.generators import generate_id
        from yaml import safe_dump

        with open("local.env.yml", "w") as _config:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -98,7 +98,7 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
@ -118,15 +118,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -30,6 +30,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
+          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -33,7 +33,7 @@ jobs:
          npm ci
      - name: Check changes have been applied
        run: |
-          uv run make aws-cfn
+          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -34,7 +34,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@ -42,7 +42,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
@ -69,8 +69,10 @@ jobs:
          fetch-depth: 0
      - name: checkout stable
        run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
-          cp authentik/common/config/default.yml local.env.yml
+          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
@ -81,7 +83,7 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@ -89,13 +91,15 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
@ -104,7 +108,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
  test-unittest:
    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
@ -129,7 +133,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -152,8 +156,8 @@ jobs:
        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -210,8 +214,8 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -2,7 +2,7 @@ name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'

 env:
  POSTGRES_DB: authentik
@ -24,7 +24,7 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -1,45 +0,0 @@
-name: authentik-packages-npm-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
-  workflow_dispatch:
-jobs:
-  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package:
-          - docusaurus-config
-          - eslint-config
-          - prettier-config
-          - tsconfig
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: packages/${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
-        with:
-          files: |
-            packages/${{ matrix.package }}/package.json
-      - name: Publish package
-        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: packages/${{ matrix.package}}
-        run: |
-          npm ci
-          npm run build
-          npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -21,8 +21,8 @@ jobs:
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,27 +0,0 @@
-name: authentik-semgrep
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -36,10 +36,10 @@ jobs:
        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
--- a/.gitignore
+++ b/.gitignore
@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media

-# Node
-
-node_modules
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
-out/
 sdist/
 var/
 wheels/
--- a/.prettierignore
+++ b/.prettierignore
@ -1,47 +0,0 @@
-# Prettier Ignorefile
-
-## Static Files
-**/LICENSE
-
-authentik/stages/**/*
-
-## Build asset directories
-coverage
-dist
-out
-.docusaurus
-website/docs/developer-docs/api/**/*
-
-## Environment
-*.env
-
-## Secrets
-*.secrets
-
-## Yarn
-.yarn/**/*
-
-## Node
-node_modules
-coverage
-
-## Configs
-*.log
-*.yaml
-*.yml
-
-# Templates
-# TODO: Rename affected files to *.template.* or similar.
-*.html
-*.mdx
-*.md
-
-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
-# Storybook
-storybook-static/
-.storybook/css-import-maps*
-
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,7 @@
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@ -30,5 +30,7 @@
        }
    ],
    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -3,13 +3,8 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "lint-fix",
-                "lint"
-            ],
+            "command": "poetry",
+            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
            },
@ -17,12 +12,8 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
-            "args": [
-                "run",
-                "ak",
-                "server"
-            ],
+            "command": "poetry",
+            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -32,17 +23,13 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": [
-                "web"
-            ],
+            "args": ["web"],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -52,26 +39,19 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
+            "args": ["install", "-j4"],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": [
-                "website"
-            ],
+            "args": ["website"],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -80,12 +60,8 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "command": "poetry",
+            "args": ["run", "make", "gen"],
            "group": "build"
        }
    ]
--- a/4
+++ b/4
@ -10,7 +10,7 @@ schemas/                        @goauthentik/backend
 scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
-uv.lock                         @goauthentik/backend
+poetry.lock                     @goauthentik/backend
 go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
@ -23,8 +23,6 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
-# Web packages
-packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/92
+++ b/92
@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build

 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@ -76,7 +76,7 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
@ -85,66 +85,61 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"

 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
-
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 7: Python dependencies
-FROM python-base AS python-deps
+# Stage 5: Python dependencies
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT

-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry

-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"

-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
-
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
-
-# Stage 8: Run
-FROM python-base AS final-image
+# Stage 6: Run
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -176,7 +171,7 @@ RUN apt-get update && \

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@ -185,7 +180,7 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
+COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
@ -196,6 +191,9 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/55
+++ b/55
@ -4,7 +4,7 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

@ -12,9 +12,9 @@ GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"

-pg_user := $(shell uv run python -m authentik.common.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.common.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.common.config postgresql.name 2>/dev/null)
+pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@ -32,37 +32,34 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	poetry run coverage run manage.py test --keepdb authentik
+	poetry run coverage html
+	poetry run coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	poetry run codespell -w

 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v

 core-install:
-	uv sync --frozen
+	poetry install

 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	poetry run python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn

-run:  ## Run the main authentik server process
-	uv run ak server
-
 core-i18n-extract:
-	uv run ak makemessages \
+	poetry run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -93,11 +90,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		poetry run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		poetry run ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -148,7 +145,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -176,7 +173,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	poetry run scripts/generate_config.py

 gen: gen-build gen-client-ts

@ -257,21 +254,21 @@ ci--meta-debug:
 	node --version

 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	poetry run codespell -s

 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	poetry run ak makemigrations --check

 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
-	uv run coverage xml
+	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	poetry run coverage report
+	poetry run coverage xml
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)

 ## Adoption and Contributions

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
-| 2025.4.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.4.0"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/meta.py
+++ b/authentik/admin/api/meta.py
@ -7,8 +7,8 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

-from authentik.common.utils.reflection import get_apps
 from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.utils.reflection import get_apps
 from authentik.policies.event_matcher.models import model_choices


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -7,7 +7,6 @@ from sys import version as python_version
 from typing import TypedDict

 from cryptography.hazmat.backends.openssl.backend import backend
-from django.apps import apps
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
@ -18,10 +17,12 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 from authentik import get_full_version
-from authentik.common.config import CONFIG
-from authentik.common.utils.reflection import get_env
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.reflection import get_env
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost
 from authentik.rbac.permissions import HasPermission


@ -58,7 +59,7 @@ class SystemInfoSerializer(PassiveSerializer):
            if not isinstance(value, str):
                continue
            actual_value = value
-            if raw_session is not None and raw_session in actual_value:
+            if raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
@ -102,12 +103,6 @@ class SystemInfoSerializer(PassiveSerializer):

    def get_embedded_outpost_host(self, request: Request) -> str:
        """Get the FQDN configured on the embedded outpost"""
-        if not apps.is_installed("authentik.outposts"):
-            return ""
-
-        from authentik.outposts.apps import MANAGED_OUTPOST
-        from authentik.outposts.models import Outpost
-
        outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
        if not outposts.exists():  # pragma: no cover
            return ""
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -2,7 +2,7 @@

 from celery.schedules import crontab

-from authentik.common.utils.time import fqdn_rand
+from authentik.lib.utils.time import fqdn_rand

 CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -9,10 +9,10 @@ from structlog.stdlib import get_logger

 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.common.config import CONFIG
-from authentik.common.utils.http import get_http_session
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -8,7 +8,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id


 class TestAdminAPI(TestCase):
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -9,8 +9,8 @@ from authentik.admin.tasks import (
    clear_update_notifications,
    update_latest_version,
 )
-from authentik.common.config import CONFIG
 from authentik.events.models import Event, EventAction
+from authentik.lib.config import CONFIG

 RESPONSE_VALID = {
    "$schema": "https://version.goauthentik.io/schema.json",
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -1,16 +1,19 @@
 """API Authentication"""

+from hmac import compare_digest
 from typing import Any

+from django.conf import settings
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

-from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
+from authentik.outposts.models import Outpost
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()

@ -65,9 +68,28 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
            raise AuthenticationFailed("Token invalid/expired")
        CTX_AUTH_VIA.set("jwt")
        return jwt_token.user
+    # then try to auth via secret key (for embedded outpost/etc)
+    user = token_secret_key(auth_credentials)
+    if user:
+        CTX_AUTH_VIA.set("secret_key")
+        return user
    raise AuthenticationFailed("Token invalid/expired")


+def token_secret_key(value: str) -> User | None:
+    """Check if the token is the secret key
+    and return the service account for the managed outpost"""
+    from authentik.outposts.apps import MANAGED_OUTPOST
+
+    if not compare_digest(value, settings.SECRET_KEY):
+        return None
+    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
+    if not outposts:
+        return None
+    outpost = outposts.first()
+    return outpost.user
+
+
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""

--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component


-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -3,15 +3,19 @@
 import json
 from base64 import b64encode

+from django.conf import settings
 from django.test import TestCase
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed

 from authentik.api.authentication import bearer_auth
-from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
-from authentik.core.models import Token, TokenIntents
+from authentik.blueprints.tests import reconcile_app
+from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider


@ -48,6 +52,21 @@ class TestAPIAuth(TestCase):
        with self.assertRaises(AuthenticationFailed):
            bearer_auth(f"Bearer {token.key}".encode())

+    @reconcile_app("authentik_outposts")
+    def test_managed_outpost_fail(self):
+        """Test managed outpost"""
+        outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        outpost.user.delete()
+        outpost.delete()
+        with self.assertRaises(AuthenticationFailed):
+            bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+
+    @reconcile_app("authentik_outposts")
+    def test_managed_outpost_success(self):
+        """Test managed outpost"""
+        user: User = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+        self.assertEqual(user.type, UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
    def test_jwt_valid(self):
        """Test valid JWT"""
        provider = OAuth2Provider.objects.create(
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -19,9 +19,9 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik.common.config import CONFIG
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.context_processors.base import get_context_processors
+from authentik.lib.config import CONFIG

 capabilities = Signal()

--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -11,7 +11,7 @@ from structlog.stdlib import get_logger

 from authentik.api.v3.config import ConfigView
 from authentik.api.views import APIBrowserView
-from authentik.common.utils.reflection import get_apps
+from authentik.lib.utils.reflection import get_apps

 LOGGER = get_logger()

--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.models import BlueprintInstance
@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required


--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@ -12,8 +12,8 @@ from structlog.stdlib import get_logger
 from yaml import load

 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.management.commands.shell import get_banner_text
+from authentik.lib.utils.errors import exception_to_string

 LOGGER = get_logger()

--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -15,7 +15,7 @@ from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.common.models import SerializerModel
+from authentik.lib.models import SerializerModel

 LOGGER = get_logger()

--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -11,7 +11,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from yaml import load

 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG


 def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
--- a/authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py
+++ b/authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py
@ -2,7 +2,7 @@

 from django.db import migrations, models

-from authentik.common.migrations import fallback_names
+from authentik.lib.migrations import fallback_names


 class Migration(migrations.Migration):
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@ -10,14 +10,14 @@ from rest_framework.serializers import Serializer
 from structlog import get_logger

 from authentik.blueprints.v1.oci import OCI_PREFIX, BlueprintOCIClient, OCIException
-from authentik.common.config import CONFIG
-from authentik.common.exceptions import NotReportedException
-from authentik.common.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.config import CONFIG
+from authentik.lib.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.sentry import SentryIgnoredException

 LOGGER = get_logger()


-class BlueprintRetrievalFailed(NotReportedException):
+class BlueprintRetrievalFailed(SentryIgnoredException):
    """Error raised when we are unable to fetch the blueprint contents, whether it be HTTP files
    not being accessible or local files not being readable"""

--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@ -2,7 +2,7 @@

 from celery.schedules import crontab

-from authentik.common.utils.time import fqdn_rand
+from authentik.lib.utils.time import fqdn_rand

 CELERY_BEAT_SCHEDULE = {
    "blueprints_v1_discover": {
--- a/authentik/blueprints/tests/test_models.py
+++ b/authentik/blueprints/tests/test_models.py
@ -3,7 +3,7 @@
 from django.test import TestCase

 from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id


 class TestModels(TestCase):
--- a/authentik/blueprints/tests/test_serializer_models.py
+++ b/authentik/blueprints/tests/test_serializer_models.py
@ -6,7 +6,7 @@ from django.apps import apps
 from django.test import TestCase

 from authentik.blueprints.v1.importer import is_model_allowed
-from authentik.common.models import SerializerModel
+from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken


--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -6,10 +6,10 @@ from django.test import TransactionTestCase

 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
-from authentik.common.tests import load_fixture
 from authentik.core.models import Group
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -7,8 +7,8 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump

-from authentik.common.config import CONFIG
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.config import CONFIG

 TMP = mkdtemp("authentik-blueprints")

--- a/authentik/blueprints/tests/test_v1_conditional_fields.py
+++ b/authentik/blueprints/tests/test_v1_conditional_fields.py
@ -3,11 +3,11 @@
 from django.test import TransactionTestCase

 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
 from authentik.core.models import Application, Token, User
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.sources.oauth.models import OAuthSource


--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@ -3,9 +3,9 @@
 from django.test import TransactionTestCase

 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture


 class TestBlueprintsV1Conditions(TransactionTestCase):
--- a/authentik/blueprints/tests/test_v1_rbac.py
+++ b/authentik/blueprints/tests/test_v1_rbac.py
@ -4,10 +4,10 @@ from django.test import TransactionTestCase
 from guardian.shortcuts import get_perms

 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
 from authentik.core.models import User
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.rbac.models import Role


--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -3,9 +3,9 @@
 from django.test import TransactionTestCase

 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture


 class TestBlueprintsV1State(TransactionTestCase):
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@ -8,8 +8,8 @@ from yaml import dump

 from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discovery, blueprints_find
-from authentik.common.config import CONFIG
-from authentik.crypto.generators import generate_id
+from authentik.lib.config import CONFIG
+from authentik.lib.generators import generate_id

 TMP = mkdtemp("authentik-blueprints")

--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -19,8 +19,8 @@ from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode

-from authentik.common.exceptions import NotReportedException
-from authentik.common.models import SerializerModel
+from authentik.lib.models import SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel


@ -164,7 +164,9 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))

-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
@ -661,7 +663,7 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!AtIndex", AtIndex)


-class EntryInvalidError(NotReportedException):
+class EntryInvalidError(SentryIgnoredException):
    """Error raised when an entry is invalid"""

    entry_model: str | None
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -8,11 +8,14 @@ from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError
 from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
+from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@ -28,26 +31,117 @@ from authentik.blueprints.v1.common import (
    EntryInvalidError,
 )
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.common.exceptions import NotReportedException
-from authentik.common.models import SerializerModel, excluded_models
-from authentik.common.utils.reflection import get_apps
-from authentik.core.models import User
+from authentik.core.models import (
+    AuthenticatedSession,
+    GroupSourceConnection,
+    PropertyMapping,
+    Provider,
+    Source,
+    User,
+    UserSourceConnection,
+)
 from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceProviderGroup,
+    GoogleWorkspaceProviderUser,
+)
+from authentik.enterprise.providers.microsoft_entra.models import (
+    MicrosoftEntraProviderGroup,
+    MicrosoftEntraProviderUser,
+)
+from authentik.enterprise.providers.ssf.models import StreamEvent
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
+from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
+from authentik.flows.models import FlowToken, Stage
+from authentik.lib.models import SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
+from authentik.outposts.models import OutpostServiceConnection
+from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.policies.reputation.models import Reputation
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    AuthorizationCode,
+    DeviceToken,
+    RefreshToken,
+)
+from authentik.providers.rac.models import ConnectionToken
+from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
+from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
+from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
+from authentik.tenants.models import Tenant

 # Context set when the serializer is created in a blueprint context
 # Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"


+def excluded_models() -> list[type[Model]]:
+    """Return a list of all excluded models that shouldn't be exposed via API
+    or other means (internal only, base classes, non-used objects, etc)"""
+
+    from django.contrib.auth.models import Group as DjangoGroup
+    from django.contrib.auth.models import User as DjangoUser
+
+    return (
+        # Django only classes
+        DjangoUser,
+        DjangoGroup,
+        ContentType,
+        Permission,
+        UserObjectPermission,
+        # Base classes
+        Provider,
+        Source,
+        PropertyMapping,
+        UserSourceConnection,
+        GroupSourceConnection,
+        Stage,
+        OutpostServiceConnection,
+        Policy,
+        PolicyBindingModel,
+        # Classes that have other dependencies
+        AuthenticatedSession,
+        # Classes which are only internally managed
+        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
+        FlowToken,
+        LicenseUsage,
+        SCIMProviderGroup,
+        SCIMProviderUser,
+        Tenant,
+        SystemTask,
+        ConnectionToken,
+        AuthorizationCode,
+        AccessToken,
+        RefreshToken,
+        Reputation,
+        WebAuthnDeviceType,
+        SCIMSourceUser,
+        SCIMSourceGroup,
+        GoogleWorkspaceProviderUser,
+        GoogleWorkspaceProviderGroup,
+        MicrosoftEntraProviderUser,
+        MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
+        DeviceToken,
+        StreamEvent,
+    )
+
+
 def is_model_allowed(model: type[Model]) -> bool:
    """Check if model is allowed"""
    return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)


-class DoRollback(NotReportedException):
+class DoRollback(SentryIgnoredException):
    """Exception to trigger a rollback"""


--- a/authentik/blueprints/v1/oci.py
+++ b/authentik/blueprints/v1/oci.py
@ -16,14 +16,14 @@ from requests.exceptions import RequestException
 from structlog import get_logger
 from structlog.stdlib import BoundLogger

-from authentik.common.exceptions import NotReportedException
-from authentik.common.utils.http import authentik_user_agent
+from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.http import authentik_user_agent

 OCI_MEDIA_TYPE = "application/vnd.goauthentik.blueprint.v1+yaml"
 OCI_PREFIX = "oci://"


-class OCIException(NotReportedException):
+class OCIException(SentryIgnoredException):
    """OCI-related errors"""


--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -30,11 +30,11 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
-from authentik.common.config import CONFIG
 from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
+from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant

--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -49,8 +49,6 @@ class BrandSerializer(ModelSerializer):
            "branding_title",
            "branding_logo",
            "branding_favicon",
-            "branding_custom_css",
-            "branding_default_flow_background",
            "flow_authentication",
            "flow_invalidation",
            "flow_recovery",
@ -88,7 +86,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    branding_title = CharField()
    branding_logo = CharField(source="branding_logo_url")
    branding_favicon = CharField(source="branding_favicon_url")
-    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
@ -128,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "branding_title",
        "branding_logo",
        "branding_favicon",
-        "branding_default_flow_background",
        "flow_authentication",
        "flow_invalidation",
        "flow_recovery",
--- a/authentik/brands/migrations/0001_squashed_0005_tenant_web_certificate.py
+++ b/authentik/brands/migrations/0001_squashed_0005_tenant_web_certificate.py
@ -5,7 +5,7 @@ import uuid
 import django.db.models.deletion
 from django.db import migrations, models

-import authentik.common.utils.time
+import authentik.lib.utils.time


 class Migration(migrations.Migration):
@ -104,7 +104,7 @@ class Migration(migrations.Migration):
                    "Events will be deleted after this duration.(Format:"
                    " weeks=3;days=2;hours=3,seconds=2)."
                ),
-                validators=[authentik.common.utils.time.timedelta_string_validator],
+                validators=[authentik.lib.utils.time.timedelta_string_validator],
            ),
        ),
        migrations.AddField(
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -1,35 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-22 01:51
-
-from pathlib import Path
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Brand = apps.get_model("authentik_brands", "brand")
-
-    db_alias = schema_editor.connection.alias
-
-    path = Path("/web/dist/custom.css")
-    if not path.exists():
-        return
-    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0007_brand_default_application"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_custom_css",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.RunPython(migrate_custom_css),
-    ]
--- a/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
+++ b/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
@ -1,18 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-19 22:54
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0008_brand_branding_custom_css"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_default_flow_background",
-            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
-        ),
-    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -8,10 +8,10 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

-from authentik.common.config import CONFIG
-from authentik.common.models import SerializerModel
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
+from authentik.lib.config import CONFIG
+from authentik.lib.models import SerializerModel

 LOGGER = get_logger()

@ -33,10 +33,6 @@ class Brand(SerializerModel):

    branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
-    branding_custom_css = models.TextField(default="", blank=True)
-    branding_default_flow_background = models.TextField(
-        default="/static/dist/assets/images/flow_background.jpg"
-    )

    flow_authentication = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@ -88,12 +84,6 @@ class Brand(SerializerModel):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon

-    def branding_default_flow_background_url(self) -> str:
-        """Get branding_default_flow_background with the correct prefix"""
-        if self.branding_default_flow_background.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
-        return self.branding_default_flow_background
-
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -7,7 +7,7 @@ from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider

@ -24,7 +24,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -44,7 +43,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "custom",
-                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -61,7 +59,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": "fallback",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -124,27 +121,3 @@ class TestBrands(APITestCase):
                "subject": None,
            },
        )
-
-    def test_branding_url(self):
-        """Test branding attributes return correct values"""
-        brand = create_test_brand()
-        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
-        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
-        brand.branding_logo = "https://goauthentik.io/img/icon.png"
-        brand.save()
-        self.assertEqual(
-            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
-        )
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
-            {
-                "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_title": "authentik",
-                "branding_custom_css": "",
-                "matched_domain": brand.domain,
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-            },
-        )
--- a/authentik/common/exceptions/init.py
+++ b/authentik/common/exceptions/init.py
@ -1,7 +0,0 @@
-class AuthentikException(Exception):
-    """Base class for authentik exceptions"""
-
-
-class NotReportedException(AuthentikException):
-    """Exception base class for all errors that are suppressed,
-    and not sent to any kind of monitoring."""
--- a/authentik/common/expression/exceptions.py
+++ b/authentik/common/expression/exceptions.py
@ -1,6 +0,0 @@
-from authentik.common.exceptions import NotReportedException
-
-
-class ControlFlowException(NotReportedException):
-    """Exceptions used to control the flow from exceptions, not reported as a warning/
-    error in logs"""
--- a/authentik/common/ldap/constants.py
+++ b/authentik/common/ldap/constants.py
@ -1 +0,0 @@
-LDAP_DISTINGUISHED_NAME = "distinguishedName"
--- a/authentik/common/saml/api.py
+++ b/authentik/common/saml/api.py
@ -1,10 +0,0 @@
-from rest_framework.fields import CharField
-
-from authentik.core.api.utils import PassiveSerializer
-
-
-class SAMLMetadataSerializer(PassiveSerializer):
-    """SAML Provider Metadata serializer"""
-
-    metadata = CharField(read_only=True)
-    download_url = CharField(read_only=True, required=False)
--- a/authentik/common/saml/time.py
+++ b/authentik/common/saml/time.py
@ -1,16 +0,0 @@
-"""Time utilities"""
-
-from datetime import datetime, timedelta
-
-from django.utils.timezone import now
-
-
-def get_time_string(delta: timedelta | datetime | None = None) -> str:
-    """Get Data formatted in SAML format"""
-    if delta is None:
-        delta = timedelta()
-    if isinstance(delta, timedelta):
-        final = now() + delta
-    else:
-        final = delta
-    return final.strftime("%Y-%m-%dT%H:%M:%SZ")
--- a/authentik/common/scim/init.py
+++ b/authentik/common/scim/init.py
--- a/authentik/common/sync/init.py
+++ b/authentik/common/sync/init.py
--- a/authentik/common/utils/init.py
+++ b/authentik/common/utils/init.py
--- a/authentik/common/utils/tests/init.py
+++ b/authentik/common/utils/tests/init.py
--- a/authentik/common/views/tests.py
+++ b/authentik/common/views/tests.py
@ -1,19 +0,0 @@
-"""Test HTTP Helpers"""
-
-from django.test import RequestFactory, TestCase
-
-from authentik.common.views import bad_request_message
-from authentik.core.tests.utils import create_test_admin_user
-
-
-class TestViews(TestCase):
-    """Test Views Helpers"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.factory = RequestFactory()
-
-    def test_bad_request_message(self):
-        """test bad_request_message"""
-        request = self.factory.get("/")
-        self.assertEqual(bad_request_message(request, "foo").status_code, 400)
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -23,18 +23,18 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
+from authentik.lib.utils.file import (
+    FilePathSerializer,
+    FileUploadSerializer,
+    set_file,
+    set_file_url,
+)
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import CACHE_PREFIX, PolicyResult
@ -46,7 +46,7 @@ LOGGER = get_logger()

 def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
    """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
+    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
    if page_number:
        key += f"/{page_number}"
    return key
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -5,7 +5,6 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
-from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

@ -55,11 +54,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""

-    expires = DateTimeField(source="session.expires", read_only=True)
-    last_ip = IPAddressField(source="session.last_ip", read_only=True)
-    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
-    last_used = DateTimeField(source="session.last_used", read_only=True)
-
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@ -68,19 +62,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key

    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)

    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)

    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)

    class Meta:
        model = AuthenticatedSession
@ -96,7 +90,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
-        extra_args = {"uuid": {"read_only": True}}


 class AuthenticatedSessionViewSet(
@ -108,10 +101,9 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""

-    lookup_field = "uuid"
-    queryset = AuthenticatedSession.objects.select_related("session").all()
+    queryset = AuthenticatedSession.objects.all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/object_types.py
+++ b/authentik/core/api/object_types.py
@ -9,9 +9,9 @@ from rest_framework.fields import (
 from rest_framework.request import Request
 from rest_framework.response import Response

-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import all_subclasses


 class TypeCreateSerializer(PassiveSerializer):
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -22,7 +22,6 @@ from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet

 from authentik.blueprints.api import ManagedSerializer
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
@ -34,6 +33,7 @@ from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required

--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -5,7 +5,6 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@ -14,17 +13,17 @@ from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
+from authentik.lib.utils.file import (
+    FilePathSerializer,
+    FileUploadSerializer,
+    set_file,
+    set_file_url,
+)
 from authentik.policies.engine import PolicyEngine
 from authentik.rbac.decorators import permission_required

@ -155,17 +154,6 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)

-    def destroy(self, request: Request, *args, **kwargs):
-        """Prevent deletion of built-in sources"""
-        instance: Source = self.get_object()
-
-        if instance.managed == Source.MANAGED_INBUILT:
-            raise ValidationError(
-                {"detail": "Built-in sources cannot be deleted"}, code="protected"
-            )
-
-        return super().destroy(request, *args, **kwargs)
-

 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
@ -179,13 +167,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "user",
            "source",
            "source_obj",
-            "identifier",
            "created",
-            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
-            "last_updated": {"read_only": True},
        }


@ -202,7 +187,7 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    filterset_fields = ["user", "source__slug"]
-    search_fields = ["user__username", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
    owner_field = "user"

@ -221,11 +206,9 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "source_obj",
            "identifier",
            "created",
-            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
-            "last_updated": {"read_only": True},
        }


@ -242,5 +225,6 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    filterset_fields = ["group", "source__slug"]
-    search_fields = ["group__name", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
+    owner_field = "user"
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -14,7 +14,6 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.time import timedelta_from_string
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@ -28,6 +27,7 @@ from authentik.core.models import (
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.rbac.decorators import permission_required


--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -20,10 +20,10 @@ from authentik.blueprints.v1.common import (
    KeyOf,
 )
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Application, Provider
+from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer


--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,8 @@ from typing import Any

 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -62,7 +64,6 @@ from authentik.core.api.utils import (
    ModelSerializer,
    PassiveSerializer,
 )
-from authentik.core.avatars import get_avatar
 from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
@ -70,8 +71,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
+    AuthenticatedSession,
    Group,
-    Session,
    Token,
    TokenIntents,
    User,
@ -82,6 +83,7 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
+from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
@ -224,7 +226,6 @@ class UserSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
-            "date_joined",
            "is_superuser",
            "groups",
            "groups_obj",
@ -239,7 +240,6 @@ class UserSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
-            "date_joined": {"read_only": True},
            "password_change_date": {"read_only": True},
        }

@ -373,7 +373,7 @@ class UsersFilter(FilterSet):
        method="filter_attributes",
    )

-    is_superuser = BooleanFilter(field_name="ak_groups", method="filter_is_superuser")
+    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    uuid = UUIDFilter(field_name="uuid")

    path = CharFilter(field_name="path")
@ -391,11 +391,6 @@ class UsersFilter(FilterSet):
        queryset=Group.objects.all().order_by("name"),
    )

-    def filter_is_superuser(self, queryset, name, value):
-        if value:
-            return queryset.filter(ak_groups__is_superuser=True).distinct()
-        return queryset.exclude(ak_groups__is_superuser=True).distinct()
-
    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
@ -772,6 +767,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            Session.objects.filter(authenticatedsession__user=instance).delete()
+            sessions = AuthenticatedSession.objects.filter(user=instance)
+            session_ids = sessions.values_list("session_key", flat=True)
+            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
+            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -20,8 +20,6 @@ from rest_framework.serializers import (
    raise_errors_on_nested_writes,
 )

-from authentik.rbac.permissions import assign_initial_permissions
-

 def is_dict(value: Any):
    """Ensure a value is a dictionary, useful for JSONFields"""
@ -31,14 +29,6 @@ def is_dict(value: Any):


 class ModelSerializer(BaseModelSerializer):
-    def create(self, validated_data):
-        instance = super().create(validated_data)
-
-        request = self.context.get("request")
-        if request and hasattr(request, "user") and not request.user.is_anonymous:
-            assign_initial_permissions(request.user, instance)
-
-        return instance

    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -32,5 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed=Source.MANAGED_INBUILT,
+            managed="goauthentik.io/sources/inbuilt",
        )
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -24,15 +24,6 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user

-    async def aauthenticate(
-        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
-    ) -> User | None:
-        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
-        if not user:
-            return None
-        self.set_method("password", request)
-        return user
-
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -7,11 +7,11 @@ from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram

-from authentik.common.expression.evaluator import BaseEvaluator
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
+from authentik.lib.expression.evaluator import BaseEvaluator
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest

 PROPERTY_MAPPING_TIME = Histogram(
--- a/authentik/core/expression/exceptions.py
+++ b/authentik/core/expression/exceptions.py
@ -1,10 +1,10 @@
 """authentik core exceptions"""

-from authentik.common.exceptions import NotReportedException
-from authentik.common.expression.exceptions import ControlFlowException
+from authentik.lib.expression.exceptions import ControlFlowException
+from authentik.lib.sentry import SentryIgnoredException


-class PropertyMappingExpressionException(NotReportedException):
+class PropertyMappingExpressionException(SentryIgnoredException):
    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""

    def __init__(self, exc: Exception, mapping) -> None:
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@ -1,15 +0,0 @@
-"""Change user type"""
-
-from importlib import import_module
-
-from django.conf import settings
-
-from authentik.tenants.management import TenantCommand
-
-
-class Command(TenantCommand):
-    """Delete all sessions"""
-
-    def handle_per_tenant(self, **options):
-        engine = import_module(settings.SESSION_ENGINE)
-        engine.SessionStore.clear_expired()
--- a/authentik/core/management/commands/dev_server.py
+++ b/authentik/core/management/commands/dev_server.py
@ -5,7 +5,7 @@ from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server

-from authentik.root.debug import start_debug_server
+from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup


--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -8,9 +8,9 @@ from django.core.management.base import BaseCommand
 from django.db import close_old_connections
 from structlog.stdlib import get_logger

-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP
-from authentik.root.debug import start_debug_server

 LOGGER = get_logger()

--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -2,14 +2,9 @@

 from collections.abc import Callable
 from contextvars import ContextVar
-from functools import partial
 from uuid import uuid4

-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
-from django.utils.deprecation import MiddlewareMixin
-from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -25,40 +20,6 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)


-def get_user(request):
-    if not hasattr(request, "_cached_user"):
-        user = None
-        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
-            user = authenticated_session.user
-        request._cached_user = user or AnonymousUser()
-    return request._cached_user
-
-
-async def aget_user(request):
-    if not hasattr(request, "_cached_user"):
-        user = None
-        if (
-            authenticated_session := await request.session.aget("authenticatedsession", None)
-        ) is not None:
-            user = authenticated_session.user
-        request._cached_user = user or AnonymousUser()
-    return request._cached_user
-
-
-class AuthenticationMiddleware(MiddlewareMixin):
-    def process_request(self, request):
-        if not hasattr(request, "session"):
-            raise ImproperlyConfigured(
-                "The Django authentication middleware requires session "
-                "middleware to be installed. Edit your MIDDLEWARE setting to "
-                "insert "
-                "'authentik.root.middleware.SessionMiddleware' before "
-                "'authentik.core.middleware.AuthenticationMiddleware'."
-            )
-        request.user = SimpleLazyObject(lambda: get_user(request))
-        request.auser = partial(aget_user, request)
-
-
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""

--- a/authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py
+++ b/authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py
@ -5,7 +5,7 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.core.models
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id


 def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
--- a/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
+++ b/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
@ -10,7 +10,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Count

 import authentik.core.models
-import authentik.common.models
+import authentik.lib.models


 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@ -160,7 +160,7 @@ class Migration(migrations.Migration):
            field=models.TextField(
                blank=True,
                default="",
-                validators=[authentik.common.models.DomainlessFormattedURLValidator()],
+                validators=[authentik.lib.models.DomainlessFormattedURLValidator()],
            ),
        ),
        migrations.RunPython(
--- a/authentik/core/migrations/0026_alter_propertymapping_name_alter_provider_name.py
+++ b/authentik/core/migrations/0026_alter_propertymapping_name_alter_provider_name.py
@ -2,7 +2,7 @@

 from django.db import migrations, models

-from authentik.common.migrations import fallback_names
+from authentik.lib.migrations import fallback_names


 class Migration(migrations.Migration):
--- a/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
+++ b/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
@ -1,19 +0,0 @@
-# Generated by Django 5.0.13 on 2025-04-07 14:04
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0043_alter_group_options"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="usersourceconnection",
-            name="new_identifier",
-            field=models.TextField(default=""),
-            preserve_default=False,
-        ),
-    ]
--- a/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
+++ b/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
@ -1,30 +0,0 @@
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0044_usersourceconnection_new_identifier"),
-        ("authentik_sources_kerberos", "0003_migrate_userkerberossourceconnection_identifier"),
-        ("authentik_sources_oauth", "0009_migrate_useroauthsourceconnection_identifier"),
-        ("authentik_sources_plex", "0005_migrate_userplexsourceconnection_identifier"),
-        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="usersourceconnection",
-            old_name="new_identifier",
-            new_name="identifier",
-        ),
-        migrations.AddIndex(
-            model_name="usersourceconnection",
-            index=models.Index(fields=["identifier"], name="authentik_c_identif_59226f_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="usersourceconnection",
-            index=models.Index(
-                fields=["source", "identifier"], name="authentik_c_source__649e04_idx"
-            ),
-        ),
-    ]
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -1,238 +0,0 @@
-# Generated by Django 5.0.11 on 2025-01-27 12:58
-
-import uuid
-import pickle  # nosec
-from django.core import signing
-from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
-from django.db import migrations, models
-import django.db.models.deletion
-from django.conf import settings
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.utils.timezone import now, timedelta
-from authentik.common.migrations import progress_bar
-from authentik.root.middleware import ClientIPMiddleware
-
-
-SESSION_CACHE_ALIAS = "default"
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
-
-
-def _migrate_session(
-    apps,
-    db_alias,
-    session_key,
-    session_data,
-    expires,
-):
-    Session = apps.get_model("authentik_core", "Session")
-    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
-    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
-
-    old_auth_session = (
-        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
-    )
-
-    args = {
-        "session_key": session_key,
-        "expires": expires,
-        "last_ip": ClientIPMiddleware.default_ip,
-        "last_user_agent": "",
-        "session_data": {},
-    }
-    for k, v in session_data.items():
-        if k == "authentik/stages/user_login/last_ip":
-            args["last_ip"] = v
-        elif k in ["last_user_agent", "last_used"]:
-            args[k] = v
-        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
-            pass
-        else:
-            args["session_data"][k] = v
-    if old_auth_session:
-        args["last_user_agent"] = old_auth_session.last_user_agent
-        args["last_used"] = old_auth_session.last_used
-
-    args["session_data"] = pickle.dumps(args["session_data"])
-    session = Session.objects.using(db_alias).create(**args)
-
-    if old_auth_session:
-        AuthenticatedSession.objects.using(db_alias).create(
-            session=session,
-            user=old_auth_session.user,
-        )
-
-
-def migrate_redis_sessions(apps, schema_editor):
-    from django.core.cache import caches
-
-    db_alias = schema_editor.connection.alias
-    cache = caches[SESSION_CACHE_ALIAS]
-
-    # Not a redis cache, skipping
-    if not hasattr(cache, "keys"):
-        return
-
-    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
-    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
-        _migrate_session(
-            apps=apps,
-            db_alias=db_alias,
-            session_key=key.removeprefix(KEY_PREFIX),
-            session_data=session_data,
-            expires=now() + timedelta(seconds=cache.ttl(key)),
-        )
-
-
-def migrate_database_sessions(apps, schema_editor):
-    DjangoSession = apps.get_model("sessions", "Session")
-    db_alias = schema_editor.connection.alias
-
-    print("\nMigration database sessions, this might take a couple of minutes...")
-    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
-        session_data = signing.loads(
-            django_session.session_data,
-            salt="django.contrib.sessions.SessionStore",
-            serializer=PickleSerializer,
-        )
-        _migrate_session(
-            apps=apps,
-            db_alias=db_alias,
-            session_key=django_session.session_key,
-            session_data=session_data,
-            expires=django_session.expire_date,
-        )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("sessions", "0001_initial"),
-        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
-        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
-        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
-    ]
-
-    operations = [
-        # Rename AuthenticatedSession to OldAuthenticatedSession
-        migrations.RenameModel(
-            old_name="AuthenticatedSession",
-            new_name="OldAuthenticatedSession",
-        ),
-        migrations.RenameIndex(
-            model_name="oldauthenticatedsession",
-            new_name="authentik_c_expires_cf4f72_idx",
-            old_name="authentik_c_expires_08251d_idx",
-        ),
-        migrations.RenameIndex(
-            model_name="oldauthenticatedsession",
-            new_name="authentik_c_expirin_c1f17f_idx",
-            old_name="authentik_c_expirin_9cd839_idx",
-        ),
-        migrations.RenameIndex(
-            model_name="oldauthenticatedsession",
-            new_name="authentik_c_expirin_e04f5d_idx",
-            old_name="authentik_c_expirin_195a84_idx",
-        ),
-        migrations.RenameIndex(
-            model_name="oldauthenticatedsession",
-            new_name="authentik_c_session_a44819_idx",
-            old_name="authentik_c_session_d0f005_idx",
-        ),
-        migrations.RunSQL(
-            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
-            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
-        ),
-        # Create new Session and AuthenticatedSession models
-        migrations.CreateModel(
-            name="Session",
-            fields=[
-                (
-                    "session_key",
-                    models.CharField(
-                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
-                    ),
-                ),
-                ("expires", models.DateTimeField(default=None, null=True)),
-                ("expiring", models.BooleanField(default=True)),
-                ("session_data", models.BinaryField(verbose_name="session data")),
-                ("last_ip", models.GenericIPAddressField()),
-                ("last_user_agent", models.TextField(blank=True)),
-                ("last_used", models.DateTimeField(auto_now=True)),
-            ],
-            options={
-                "default_permissions": [],
-                "verbose_name": "Session",
-                "verbose_name_plural": "Sessions",
-            },
-        ),
-        migrations.AddIndex(
-            model_name="session",
-            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="session",
-            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="session",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="session",
-            index=models.Index(
-                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
-            ),
-        ),
-        migrations.CreateModel(
-            name="AuthenticatedSession",
-            fields=[
-                (
-                    "session",
-                    models.OneToOneField(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.session",
-                    ),
-                ),
-                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
-                (
-                    "user",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Authenticated Session",
-                "verbose_name_plural": "Authenticated Sessions",
-            },
-        ),
-        migrations.RunPython(
-            code=migrate_redis_sessions,
-            reverse_code=migrations.RunPython.noop,
-        ),
-        migrations.RunPython(
-            code=migrate_database_sessions,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]
--- a/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
+++ b/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
@ -1,18 +0,0 @@
-# Generated by Django 5.0.11 on 2025-01-27 13:02
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0046_session_and_more"),
-        ("authentik_providers_rac", "0007_migrate_session"),
-        ("authentik_providers_oauth2", "0028_migrate_session"),
-    ]
-
-    operations = [
-        migrations.DeleteModel(
-            name="OldAuthenticatedSession",
-        ),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,16 +1,14 @@
 """authentik core models"""

 from datetime import datetime
-from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4

-from deepmerge import Merger, always_merger
+from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
-from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@ -26,18 +24,18 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.blueprints.models import ManagedModel
-from authentik.common.expression.exceptions import ControlFlowException
-from authentik.common.models import (
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.types import UILoginButton, UserSettingSerializer
+from authentik.lib.avatars import get_avatar
+from authentik.lib.expression.exceptions import ControlFlowException
+from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.models import (
    CreatedUpdatedModel,
    DomainlessFormattedURLValidator,
    SerializerModel,
-    internal_model,
 )
-from authentik.common.utils.time import timedelta_from_string
-from authentik.core.avatars import get_avatar
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.types import UILoginButton, UserSettingSerializer
-from authentik.crypto.generators import generate_id
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGTH
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
@ -64,10 +62,6 @@ options.DEFAULT_NAMES = options.DEFAULT_NAMES + (

 GROUP_RECURSION_LIMIT = 20

-MERGE_LIST_UNIQUE = Merger(
-    [(list, ["append_unique"]), (dict, ["merge"]), (set, ["union"])], ["override"], ["override"]
-)
-

 def default_token_duration() -> datetime:
    """Default duration a Token is valid"""
@ -412,7 +406,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        return get_avatar(self)


-@internal_model
 class Provider(SerializerModel):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""

@ -653,30 +646,19 @@ class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = (
-        "email_link",
-        _(
-            "Link to a user with identical email address. Can have security implications "
-            "when a source doesn't validate email addresses."
-        ),
+    EMAIL_LINK = "email_link", _(
+        "Link to a user with identical email address. Can have security implications "
+        "when a source doesn't validate email addresses."
    )
-    EMAIL_DENY = (
-        "email_deny",
-        _(
-            "Use the user's email address, but deny enrollment when the email address already "
-            "exists."
-        ),
+    EMAIL_DENY = "email_deny", _(
+        "Use the user's email address, but deny enrollment when the email address already exists."
    )
-    USERNAME_LINK = (
-        "username_link",
-        _(
-            "Link to a user with identical username. Can have security implications "
-            "when a username is used with another source."
-        ),
+    USERNAME_LINK = "username_link", _(
+        "Link to a user with identical username. Can have security implications "
+        "when a username is used with another source."
    )
-    USERNAME_DENY = (
-        "username_deny",
-        _("Use the user's username, but deny enrollment when the username already exists."),
+    USERNAME_DENY = "username_deny", _(
+        "Use the user's username, but deny enrollment when the username already exists."
    )


@ -684,25 +666,18 @@ class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = (
-        "name_link",
-        _(
-            "Link to a group with identical name. Can have security implications "
-            "when a group name is used with another source."
-        ),
+    NAME_LINK = "name_link", _(
+        "Link to a group with identical name. Can have security implications "
+        "when a group name is used with another source."
    )
-    NAME_DENY = (
-        "name_deny",
-        _("Use the group name, but deny enrollment when the name already exists."),
+    NAME_DENY = "name_deny", _(
+        "Use the group name, but deny enrollment when the name already exists."
    )


-@internal_model
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

-    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"
-
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)

@ -753,20 +728,13 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
-            "How the source determines if an existing group should be used or a new group created."
+            "How the source determines if an existing group should be used or "
+            "a new group created."
        ),
    )

    objects = InheritanceManager()

-    @property
-    def serializer(self) -> type[Serializer]:
-        if self.managed == self.MANAGED_INBUILT:
-            from authentik.core.api.sources import SourceSerializer
-
-            return SourceSerializer
-        return super().serializer
-
    @property
    def icon_url(self) -> str | None:
        """Get the URL to the Icon. If the name is /static or
@ -791,17 +759,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
-        if self.managed == self.MANAGED_INBUILT:
-            return ""
        raise NotImplementedError

    @property
    def property_mapping_type(self) -> "type[PropertyMapping]":
        """Return property mapping type used by this object"""
-        if self.managed == self.MANAGED_INBUILT:
-            from authentik.core.models import PropertyMapping
-
-            return PropertyMapping
        raise NotImplementedError

    def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
@ -816,14 +778,10 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a user to build final properties upon."""
-        if self.managed == self.MANAGED_INBUILT:
-            return {}
        raise NotImplementedError

    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a group to build final properties upon."""
-        if self.managed == self.MANAGED_INBUILT:
-            return {}
        raise NotImplementedError

    def __str__(self):
@ -849,13 +807,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        ]


-@internal_model
 class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
    """Connection between User and Source."""

    user = models.ForeignKey(User, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)
-    identifier = models.TextField()

    objects = InheritanceManager()

@ -869,13 +825,8 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):

    class Meta:
        unique_together = (("user", "source"),)
-        indexes = (
-            models.Index(fields=("identifier",)),
-            models.Index(fields=("source", "identifier")),
-        )


-@internal_model
 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
    """Connection between Group and Source."""

@ -1005,7 +956,6 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
        ).save()


-@internal_model
 class PropertyMapping(SerializerModel, ManagedModel):
    """User-defined key -> x mapping which can be used by providers to expose extra data."""

@ -1045,77 +995,45 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name_plural = _("Property Mappings")


-@internal_model
-class Session(ExpiringModel, AbstractBaseSession):
-    """User session with extra fields for fast access"""
+class AuthenticatedSession(ExpiringModel):
+    """Additional session class for authenticated users. Augments the standard django session
+    to achieve the following:
+        - Make it queryable by user
+        - Have a direct connection to user objects
+        - Allow users to view their own sessions and terminate them
+        - Save structured and well-defined information.
+    """

-    # Remove upstream field because we're using our own ExpiringModel
-    expire_date = None
-    session_data = models.BinaryField(_("session data"))
+    uuid = models.UUIDField(default=uuid4, primary_key=True)

-    # Keep in sync with Session.Keys
-    last_ip = models.GenericIPAddressField()
+    session_key = models.CharField(max_length=40)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    last_ip = models.TextField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)

-    class Meta:
-        verbose_name = _("Session")
-        verbose_name_plural = _("Sessions")
-        indexes = ExpiringModel.Meta.indexes + [
-            models.Index(fields=["expires", "session_key"]),
-        ]
-        default_permissions = []
-
-    def __str__(self):
-        return self.session_key
-
-    class Keys(StrEnum):
-        """
-        Keys to be set with the session interface for the fields above to be updated.
-
-        If a field is added here that needs to be initialized when the session is initialized,
-        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
-        and in authentik.core.sessions.SessionStore.__init__
-        """
-
-        LAST_IP = "last_ip"
-        LAST_USER_AGENT = "last_user_agent"
-        LAST_USED = "last_used"
-
-    @classmethod
-    def get_session_store_class(cls):
-        from authentik.core.sessions import SessionStore
-
-        return SessionStore
-
-    def get_decoded(self):
-        raise NotImplementedError
-
-
-@internal_model
-class AuthenticatedSession(SerializerModel):
-    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
-    # We use the session as primary key, but we need the API to be able to reference
-    # this object uniquely without exposing the session key
-    uuid = models.UUIDField(default=uuid4, unique=True)
-
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["session_key"]),
+        ]

    def __str__(self) -> str:
-        return f"Authenticated Session {str(self.pk)[:10]}"
+        return f"Authenticated Session {self.session_key[:10]}"

    @staticmethod
    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request"""
-        if not hasattr(request, "session") or not request.session.exists(
-            request.session.session_key
-        ):
+        from authentik.root.middleware import ClientIPMiddleware
+
+        if not hasattr(request, "session") or not request.session.session_key:
            return None
        return AuthenticatedSession(
-            session=Session.objects.filter(session_key=request.session.session_key).first(),
+            session_key=request.session.session_key,
            user=user,
+            last_ip=ClientIPMiddleware.get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@ -1,168 +0,0 @@
-"""authentik sessions engine"""
-
-import pickle  # nosec
-
-from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
-from django.contrib.sessions.backends.db import SessionStore as SessionBase
-from django.core.exceptions import SuspiciousOperation
-from django.utils import timezone
-from django.utils.functional import cached_property
-from structlog.stdlib import get_logger
-
-from authentik.root.middleware import ClientIPMiddleware
-
-LOGGER = get_logger()
-
-
-class SessionStore(SessionBase):
-    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
-        super().__init__(session_key)
-        self._create_kwargs = {
-            "last_ip": last_ip or ClientIPMiddleware.default_ip,
-            "last_user_agent": last_user_agent,
-        }
-
-    @classmethod
-    def get_model_class(cls):
-        from authentik.core.models import Session
-
-        return Session
-
-    @cached_property
-    def model_fields(self):
-        return [k.value for k in self.model.Keys]
-
-    def _get_session_from_db(self):
-        try:
-            return (
-                self.model.objects.select_related(
-                    "authenticatedsession",
-                    "authenticatedsession__user",
-                )
-                .prefetch_related(
-                    "authenticatedsession__user__groups",
-                    "authenticatedsession__user__user_permissions",
-                )
-                .get(
-                    session_key=self.session_key,
-                    expires__gt=timezone.now(),
-                )
-            )
-        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
-            if isinstance(exc, SuspiciousOperation):
-                LOGGER.warning(str(exc))
-            self._session_key = None
-
-    async def _aget_session_from_db(self):
-        try:
-            return (
-                await self.model.objects.select_related(
-                    "authenticatedsession",
-                    "authenticatedsession__user",
-                )
-                .prefetch_related(
-                    "authenticatedsession__user__groups",
-                    "authenticatedsession__user__user_permissions",
-                )
-                .aget(
-                    session_key=self.session_key,
-                    expires__gt=timezone.now(),
-                )
-            )
-        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
-            if isinstance(exc, SuspiciousOperation):
-                LOGGER.warning(str(exc))
-            self._session_key = None
-
-    def encode(self, session_dict):
-        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
-
-    def decode(self, session_data):
-        try:
-            return pickle.loads(session_data)  # nosec
-        except pickle.PickleError:
-            # ValueError, unpickling exceptions. If any of these happen, just return an empty
-            # dictionary (an empty session)
-            pass
-        return {}
-
-    def load(self):
-        s = self._get_session_from_db()
-        if s:
-            return {
-                "authenticatedsession": getattr(s, "authenticatedsession", None),
-                **{k: getattr(s, k) for k in self.model_fields},
-                **self.decode(s.session_data),
-            }
-        else:
-            return {}
-
-    async def aload(self):
-        s = await self._aget_session_from_db()
-        if s:
-            return {
-                "authenticatedsession": getattr(s, "authenticatedsession", None),
-                **{k: getattr(s, k) for k in self.model_fields},
-                **self.decode(s.session_data),
-            }
-        else:
-            return {}
-
-    def create_model_instance(self, data):
-        args = {
-            "session_key": self._get_or_create_session_key(),
-            "expires": self.get_expiry_date(),
-            "session_data": {},
-            **self._create_kwargs,
-        }
-        for k, v in data.items():
-            # Don't save:
-            # - unused auth data
-            # - related models
-            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
-                pass
-            elif k in self.model_fields:
-                args[k] = v
-            else:
-                args["session_data"][k] = v
-        args["session_data"] = self.encode(args["session_data"])
-        return self.model(**args)
-
-    async def acreate_model_instance(self, data):
-        args = {
-            "session_key": await self._aget_or_create_session_key(),
-            "expires": await self.aget_expiry_date(),
-            "session_data": {},
-            **self._create_kwargs,
-        }
-        for k, v in data.items():
-            # Don't save:
-            # - unused auth data
-            # - related models
-            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
-                pass
-            elif k in self.model_fields:
-                args[k] = v
-            else:
-                args["session_data"][k] = v
-        args["session_data"] = self.encode(args["session_data"])
-        return self.model(**args)
-
-    @classmethod
-    def clear_expired(cls):
-        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
-
-    @classmethod
-    async def aclear_expired(cls):
-        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
-
-    def cycle_key(self):
-        data = self._session
-        key = self.session_key
-        self.create()
-        self._session_cache = data
-        if key:
-            self.delete(key)
-        if (authenticated_session := data.get("authenticatedsession")) is not None:
-            authenticated_session.session_id = self.session_key
-            authenticated_session.save(force_insert=True)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,11 @@
 """authentik core signals"""

-from django.contrib.auth.signals import user_logged_in
+from django.contrib.auth.signals import user_logged_in, user_logged_out
+from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_delete, post_save, pre_save
+from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@ -14,7 +15,6 @@ from authentik.core.models import (
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
-    Session,
    User,
    default_token_duration,
 )
@ -49,10 +49,19 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
        session.save()


-@receiver(post_delete, sender=AuthenticatedSession)
+@receiver(user_logged_out)
+def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
+    """Delete AuthenticatedSession if it exists"""
+    if not request.session or not request.session.session_key:
+        return
+    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    Session.objects.filter(session_key=instance.pk).delete()
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
+    cache.delete(cache_key)


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -10,7 +10,6 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

-from authentik.common.views import bad_request_message
 from authentik.core.models import (
    Group,
    GroupSourceConnection,
@ -37,6 +36,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
+from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
 from authentik.stages.password import BACKEND_INBUILT
@ -48,7 +48,6 @@ LOGGER = get_logger()

 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
-SESSION_KEY_SOURCE_FLOW_CONTEXT = "authentik/flows/source_flow_context"
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec


@ -262,7 +261,6 @@ class SourceFlowManager:
                plan.append_stage(stage)
        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
            plan.append_stage(stage)
-        plan.context.update(self.request.session.get(SESSION_KEY_SOURCE_FLOW_CONTEXT, {}))
        return plan.to_redirect(self.request, flow)

    def handle_auth(
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	ab42a62916	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 19:23:34 +01:00
Marc 'risson' Schmitt	ef8d2bdd40	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 16:24:55 +01:00
Marc 'risson' Schmitt	32f4e08eac	writting down thoughts Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 14:04:21 +01:00
				`@ -1 +0,0 @@`
				`LDAP_DISTINGUISHED_NAME = "distinguishedName"`