endpoints: initial data structure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/setup/action.yml

@@ -36,7 +36,7 @@ runs:
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
+      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
       with:
         key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies

authentik/core/api/users.py

@@ -84,6 +84,7 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
+from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -451,7 +452,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     def list(self, request, *args, **kwargs):
         return super().list(request, *args, **kwargs)
 
-    def _create_recovery_link(self) -> tuple[str, Token]:
+    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
         """Create a recovery link (when the current brand has a recovery flow set),
         that can either be shown to an admin or sent to the user directly"""
         brand: Brand = self.request._request.brand
@@ -473,12 +474,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             raise ValidationError(
                 {"non_field_errors": "Recovery flow not applicable to user"}
             ) from None
+        _plan = FlowToken.pickle(plan)
+        if for_email:
+            _plan = pickle_flow_token_for_email(plan)
         token, __ = FlowToken.objects.update_or_create(
             identifier=f"{user.uid}-password-reset",
             defaults={
                 "user": user,
                 "flow": flow,
-                "_plan": FlowToken.pickle(plan),
+                "_plan": _plan,
+                "revoke_on_execution": not for_email,
             },
         )
         querystring = urlencode({QS_KEY_TOKEN: token.key})
@@ -648,7 +653,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if for_user.email == "":
             LOGGER.debug("User doesn't have an email address")
             raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link()
+        link, token = self._create_recovery_link(for_email=True)
         # Lookup the email stage to assure the current user can access it
         stages = get_objects_for_user(
             request.user, "authentik_stages_email.view_emailstage"

authentik/endpoints/apps.py

@@ -0,0 +1,12 @@
+"""authentik endpoints app config"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikEndpointsConfig(ManagedAppConfig):
+    """authentik endpoints app config"""
+
+    name = "authentik.endpoints"
+    label = "authentik_endpoints"
+    verbose_name = "authentik Endpoints"
+    default = True

authentik/endpoints/common_data.py

@@ -0,0 +1,47 @@
+from enum import Enum
+
+from pydantic import BaseModel
+
+
+class UNSUPPORTED(BaseModel):
+    pass
+
+
+class OSFamily(Enum):
+
+    linux = "linux"
+    unix = "unix"
+    bsd = "bsd"
+    windows = "windows"
+    macOS = "mac_os"
+    android = "android"
+    iOS = "i_os"
+    other = "other"
+
+class CommonDeviceData(BaseModel):
+    class Disk(BaseModel):
+        encryption: bool
+
+    class OS(BaseModel):
+        firewall_enabled: bool
+        family: OSFamily
+        name: str
+        version: str
+
+    class Network(BaseModel):
+        hostname: str
+        dns_servers: list[str]
+
+    class Hardware(BaseModel):
+        model: str
+        manufacturer: str
+
+    class Software(BaseModel):
+        name: str
+        version: str
+
+    os: OS | UNSUPPORTED
+    disks: list[Disk] | UNSUPPORTED
+    network: Network | UNSUPPORTED
+    hardware: Hardware | UNSUPPORTED
+    software: list[Software] | UNSUPPORTED

authentik/endpoints/connector.py

@@ -0,0 +1,16 @@
+from authentik.blueprints import models
+
+
+class EnrollmentMethods(models.TextChoices):
+    AUTOMATIC_USER = "automatic_user"  # Automatically enrolled through user action
+    AUTOMATIC_API = "automatic_api"  # Automatically enrolled through connector integration
+    MANUAL_USER = "manual_user"  # Manually enrolled
+
+
+class BaseConnector:
+
+    def __init__(self) -> None:
+        pass
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return []

authentik/endpoints/connectors/google_chrome/connector.py

@@ -0,0 +1,7 @@
+from authentik.endpoints.connector import BaseConnector, EnrollmentMethods
+
+
+class GoogleChromeConnector(BaseConnector):
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return [EnrollmentMethods.AUTOMATIC_USER]

authentik/endpoints/connectors/google_chrome/models.py

@@ -0,0 +1,7 @@
+from django.db import models
+
+from authentik.endpoints.models import Connector
+
+
+class GoogleChromeConnector(Connector):
+    credentials = models.JSONField()

authentik/endpoints/migrations/0001_initial.py

@@ -0,0 +1,125 @@
+# Generated by Django 5.0.9 on 2024-09-24 19:16
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Connector",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("connector_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("name", models.TextField()),
+                (
+                    "enrollment_method",
+                    models.TextField(
+                        choices=[
+                            ("automatic_user", "Automatic User"),
+                            ("automatic_api", "Automatic Api"),
+                            ("manual_user", "Manual User"),
+                        ]
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="Device",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("identifier", models.TextField(unique=True)),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="DeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_connection_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("data", models.JSONField(default=dict)),
+                (
+                    "connection",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_endpoints.connector",
+                    ),
+                ),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="connections",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceConnection", to="authentik_endpoints.connector"
+            ),
+        ),
+        migrations.CreateModel(
+            name="DeviceUser",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_user_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("is_primary", models.BooleanField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="users",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceUser", to=settings.AUTH_USER_MODEL
+            ),
+        ),
+    ]

authentik/endpoints/models.py

@@ -0,0 +1,40 @@
+from uuid import uuid4
+
+from django.db import models
+from django.utils.functional import cached_property
+
+from authentik.core.models import User
+from authentik.endpoints.common_data import CommonDeviceData
+from authentik.lib.models import SerializerModel
+
+
+class Device(SerializerModel):
+    device_uuid = models.UUIDField(default=uuid4)
+
+    identifier = models.TextField(unique=True)
+    users = models.ManyToManyField(User, through="DeviceUser")
+    connections = models.ManyToManyField("Connector", through="DeviceConnection")
+
+    @cached_property
+    def data(self) -> CommonDeviceData:
+        pass
+
+
+class DeviceUser(models.Model):
+    device_user_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    is_primary = models.BooleanField()
+
+
+class DeviceConnection(models.Model):
+    device_connection_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    connection = models.ForeignKey("Connector", on_delete=models.CASCADE)
+    data = models.JSONField(default=dict)
+
+
+class Connector(SerializerModel):
+    connector_uuid = models.UUIDField(default=uuid4)
+
+    name = models.TextField()

authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.1.9 on 2025-05-27 12:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flowtoken",
+            name="revoke_on_execution",
+            field=models.BooleanField(default=True),
+        ),
+    ]

authentik/flows/models.py

@@ -303,9 +303,10 @@ class FlowToken(Token):
 
     flow = models.ForeignKey(Flow, on_delete=models.CASCADE)
     _plan = models.TextField()
+    revoke_on_execution = models.BooleanField(default=True)
 
     @staticmethod
-    def pickle(plan) -> str:
+    def pickle(plan: "FlowPlan") -> str:
         """Pickle into string"""
         data = dumps(plan)
         return b64encode(data).decode()

authentik/flows/stage.py

@@ -99,9 +99,10 @@ class ChallengeStageView(StageView):
             self.logger.debug("Got StageInvalidException", exc=exc)
             return self.executor.stage_invalid()
         if not challenge.is_valid():
-            self.logger.warning(
+            self.logger.error(
                 "f(ch): Invalid challenge",
                 errors=challenge.errors,
+                challenge=challenge.data,
             )
         return HttpChallengeResponse(challenge)
 

authentik/flows/views/executor.py

@@ -146,7 +146,8 @@ class FlowExecutorView(APIView):
         except (AttributeError, EOFError, ImportError, IndexError) as exc:
             LOGGER.warning("f(exec): Failed to restore token plan", exc=exc)
         finally:
-            token.delete()
+            if token.revoke_on_execution:
+                token.delete()
         if not isinstance(plan, FlowPlan):
             return None
         plan.context[PLAN_CONTEXT_IS_RESTORED] = token

authentik/lib/sync/outgoing/tasks.py

@@ -1,6 +1,7 @@
 from collections.abc import Callable
 from dataclasses import asdict
 
+from celery import group
 from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
@@ -82,21 +83,41 @@ class SyncTasks:
                 self.logger.debug("Failed to acquire sync lock, skipping", provider=provider.name)
                 return
             try:
-                for page in users_paginator.page_range:
+                messages.append(_("Syncing users"))
-                    messages.append(_("Syncing page {page} of users".format(page=page)))
+                user_results = (
-                    for msg in sync_objects.apply_async(
+                    group(
-                        args=(class_to_path(User), page, provider_pk),
+                        [
-                        time_limit=PAGE_TIMEOUT,
+                            sync_objects.signature(
-                        soft_time_limit=PAGE_TIMEOUT,
+                                args=(class_to_path(User), page, provider_pk),
-                    ).get():
+                                time_limit=PAGE_TIMEOUT,
+                                soft_time_limit=PAGE_TIMEOUT,
+                            )
+                            for page in users_paginator.page_range
+                        ]
+                    )
+                    .apply_async()
+                    .get()
+                )
+                for result in user_results:
+                    for msg in result:
                         messages.append(LogEvent(**msg))
-                for page in groups_paginator.page_range:
+                messages.append(_("Syncing groups"))
-                    messages.append(_("Syncing page {page} of groups".format(page=page)))
+                group_results = (
-                    for msg in sync_objects.apply_async(
+                    group(
-                        args=(class_to_path(Group), page, provider_pk),
+                        [
-                        time_limit=PAGE_TIMEOUT,
+                            sync_objects.signature(
-                        soft_time_limit=PAGE_TIMEOUT,
+                                args=(class_to_path(Group), page, provider_pk),
-                    ).get():
+                                time_limit=PAGE_TIMEOUT,
+                                soft_time_limit=PAGE_TIMEOUT,
+                            )
+                            for page in groups_paginator.page_range
+                        ]
+                    )
+                    .apply_async()
+                    .get()
+                )
+                for result in group_results:
+                    for msg in result:
                         messages.append(LogEvent(**msg))
             except TransientSyncException as exc:
                 self.logger.warning("transient sync exception", exc=exc)
@@ -132,6 +153,15 @@ class SyncTasks:
             self.logger.debug("starting discover")
             client.discover()
         self.logger.debug("starting sync for page", page=page)
+        messages.append(
+            asdict(
+                LogEvent(
+                    _("Syncing page {page} of groups".format(page=page)),
+                    log_level="info",
+                    logger=f"{provider._meta.verbose_name}@{object_type}",
+                )
+            )
+        )
         for obj in paginator.page(page).object_list:
             obj: Model
             try:

authentik/providers/scim/tests/test_user.py

@@ -384,7 +384,7 @@ class SCIMUserTests(TestCase):
                 self.assertIn(request.method, SAFE_METHODS)
         task = SystemTask.objects.filter(uid=slugify(self.provider.name)).first()
         self.assertIsNotNone(task)
-        drop_msg = task.messages[2]
+        drop_msg = task.messages[3]
         self.assertEqual(drop_msg["event"], "Dropping mutating request due to dry run")
         self.assertIsNotNone(drop_msg["attributes"]["url"])
         self.assertIsNotNone(drop_msg["attributes"]["body"])

authentik/root/settings.py

@@ -73,6 +73,7 @@ TENANT_APPS = [
     "authentik.admin",
     "authentik.api",
     "authentik.crypto",
+    "authentik.endpoints",
     "authentik.flows",
     "authentik.outposts",
     "authentik.policies.dummy",
@@ -424,7 +425,7 @@ else:
         "BACKEND": "authentik.root.storages.FileStorage",
         "OPTIONS": {
             "location": Path(CONFIG.get("storage.media.file.path")),
-            "base_url": "/media/",
+            "base_url": CONFIG.get("web.path", "/") + "media/",
         },
     }
     # Compatibility for apps not supporting top-level STORAGES

authentik/root/test_runner.py

@@ -31,6 +31,8 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
 
         if kwargs.get("randomly_seed", None):
             self.args.append(f"--randomly-seed={kwargs['randomly_seed']}")
+        if kwargs.get("no_capture", False):
+            self.args.append("--capture=no")
 
         settings.TEST = True
         settings.CELERY["task_always_eager"] = True
@@ -64,6 +66,11 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
             "Default behaviour: use random.Random().getrandbits(32), so the seed is"
             "different on each run.",
         )
+        parser.add_argument(
+            "--no-capture",
+            action="store_true",
+            help="Disable any capturing of stdout/stderr during tests.",
+        )
 
     def run_tests(self, test_labels, extra_tests=None, **kwargs):
         """Run pytest and return the exitcode.

authentik/sources/ldap/api.py

@@ -111,6 +111,7 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_parent_group",
             "connectivity",
             "lookup_groups_from_user",
+            "delete_not_found_objects",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
@@ -147,6 +148,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "user_property_mappings",
         "group_property_mappings",
         "lookup_groups_from_user",
+        "delete_not_found_objects",
     ]
     search_fields = ["name", "slug"]
     ordering = ["name"]

authentik/sources/ldap/migrations/0009_groupldapsourceconnection_validated_by_and_more.py

@@ -0,0 +1,48 @@
+# Generated by Django 5.1.9 on 2025-05-28 08:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0048_delete_oldauthenticatedsession_content_type"),
+        ("authentik_sources_ldap", "0008_groupldapsourceconnection_userldapsourceconnection"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="groupldapsourceconnection",
+            name="validated_by",
+            field=models.UUIDField(
+                blank=True,
+                help_text="Unique ID used while checking if this object still exists in the directory.",
+                null=True,
+            ),
+        ),
+        migrations.AddField(
+            model_name="ldapsource",
+            name="delete_not_found_objects",
+            field=models.BooleanField(
+                default=False,
+                help_text="Delete authentik users and groups which were previously supplied by this source, but are now missing from it.",
+            ),
+        ),
+        migrations.AddField(
+            model_name="userldapsourceconnection",
+            name="validated_by",
+            field=models.UUIDField(
+                blank=True,
+                help_text="Unique ID used while checking if this object still exists in the directory.",
+                null=True,
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="groupldapsourceconnection",
+            index=models.Index(fields=["validated_by"], name="authentik_s_validat_b70447_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="userldapsourceconnection",
+            index=models.Index(fields=["validated_by"], name="authentik_s_validat_ff2ebc_idx"),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -137,6 +137,14 @@ class LDAPSource(Source):
         ),
     )
 
+    delete_not_found_objects = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Delete authentik users and groups which were previously supplied by this source, "
+            "but are now missing from it."
+        ),
+    )
+
     @property
     def component(self) -> str:
         return "ak-source-ldap-form"
@@ -321,6 +329,12 @@ class LDAPSourcePropertyMapping(PropertyMapping):
 
 
 class UserLDAPSourceConnection(UserSourceConnection):
+    validated_by = models.UUIDField(
+        null=True,
+        blank=True,
+        help_text=_("Unique ID used while checking if this object still exists in the directory."),
+    )
+
     @property
     def serializer(self) -> type[Serializer]:
         from authentik.sources.ldap.api import (
@@ -332,9 +346,18 @@ class UserLDAPSourceConnection(UserSourceConnection):
     class Meta:
         verbose_name = _("User LDAP Source Connection")
         verbose_name_plural = _("User LDAP Source Connections")
+        indexes = [
+            models.Index(fields=["validated_by"]),
+        ]
 
 
 class GroupLDAPSourceConnection(GroupSourceConnection):
+    validated_by = models.UUIDField(
+        null=True,
+        blank=True,
+        help_text=_("Unique ID used while checking if this object still exists in the directory."),
+    )
+
     @property
     def serializer(self) -> type[Serializer]:
         from authentik.sources.ldap.api import (
@@ -346,3 +369,6 @@ class GroupLDAPSourceConnection(GroupSourceConnection):
     class Meta:
         verbose_name = _("Group LDAP Source Connection")
         verbose_name_plural = _("Group LDAP Source Connections")
+        indexes = [
+            models.Index(fields=["validated_by"]),
+        ]

authentik/sources/ldap/sync/base.py

@@ -9,7 +9,7 @@ from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.sources.mapper import SourceMapper
 from authentik.lib.config import CONFIG
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.sources.ldap.models import LDAPSource
+from authentik.sources.ldap.models import LDAPSource, flatten
 
 
 class BaseLDAPSynchronizer:
@@ -77,6 +77,16 @@ class BaseLDAPSynchronizer:
         """Get objects from LDAP, implemented in subclass"""
         raise NotImplementedError()
 
+    def get_attributes(self, object):
+        if "attributes" not in object:
+            return
+        return object.get("attributes", {})
+
+    def get_identifier(self, attributes: dict):
+        if not attributes.get(self._source.object_uniqueness_field):
+            return
+        return flatten(attributes[self._source.object_uniqueness_field])
+
     def search_paginator(  # noqa: PLR0913
         self,
         search_base,

authentik/sources/ldap/sync/forward_delete_groups.py

@@ -0,0 +1,61 @@
+from collections.abc import Generator
+from itertools import batched
+from uuid import uuid4
+
+from ldap3 import SUBTREE
+
+from authentik.core.models import Group
+from authentik.sources.ldap.models import GroupLDAPSourceConnection
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.forward_delete_users import DELETE_CHUNK_SIZE, UPDATE_CHUNK_SIZE
+
+
+class GroupLDAPForwardDeletion(BaseLDAPSynchronizer):
+    """Delete LDAP Groups from authentik"""
+
+    @staticmethod
+    def name() -> str:
+        return "group_deletions"
+
+    def get_objects(self, **kwargs) -> Generator:
+        if not self._source.sync_groups or not self._source.delete_not_found_objects:
+            self.message("Group syncing is disabled for this Source")
+            return iter(())
+
+        uuid = uuid4()
+        groups = self._source.connection().extend.standard.paged_search(
+            search_base=self.base_dn_groups,
+            search_filter=self._source.group_object_filter,
+            search_scope=SUBTREE,
+            attributes=[self._source.object_uniqueness_field],
+            generator=True,
+            **kwargs,
+        )
+        for batch in batched(groups, UPDATE_CHUNK_SIZE, strict=False):
+            identifiers = []
+            for group in batch:
+                if not (attributes := self.get_attributes(group)):
+                    continue
+                if identifier := self.get_identifier(attributes):
+                    identifiers.append(identifier)
+            GroupLDAPSourceConnection.objects.filter(identifier__in=identifiers).update(
+                validated_by=uuid
+            )
+
+        return batched(
+            GroupLDAPSourceConnection.objects.filter(source=self._source)
+            .exclude(validated_by=uuid)
+            .values_list("group", flat=True)
+            .iterator(chunk_size=DELETE_CHUNK_SIZE),
+            DELETE_CHUNK_SIZE,
+            strict=False,
+        )
+
+    def sync(self, group_pks: tuple) -> int:
+        """Delete authentik groups"""
+        if not self._source.sync_groups or not self._source.delete_not_found_objects:
+            self.message("Group syncing is disabled for this Source")
+            return -1
+        self._logger.debug("Deleting groups", group_pks=group_pks)
+        _, deleted_per_type = Group.objects.filter(pk__in=group_pks).delete()
+        return deleted_per_type.get(Group._meta.label, 0)

authentik/sources/ldap/sync/forward_delete_users.py

@@ -0,0 +1,63 @@
+from collections.abc import Generator
+from itertools import batched
+from uuid import uuid4
+
+from ldap3 import SUBTREE
+
+from authentik.core.models import User
+from authentik.sources.ldap.models import UserLDAPSourceConnection
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+
+UPDATE_CHUNK_SIZE = 10_000
+DELETE_CHUNK_SIZE = 50
+
+
+class UserLDAPForwardDeletion(BaseLDAPSynchronizer):
+    """Delete LDAP Users from authentik"""
+
+    @staticmethod
+    def name() -> str:
+        return "user_deletions"
+
+    def get_objects(self, **kwargs) -> Generator:
+        if not self._source.sync_users or not self._source.delete_not_found_objects:
+            self.message("User syncing is disabled for this Source")
+            return iter(())
+
+        uuid = uuid4()
+        users = self._source.connection().extend.standard.paged_search(
+            search_base=self.base_dn_users,
+            search_filter=self._source.user_object_filter,
+            search_scope=SUBTREE,
+            attributes=[self._source.object_uniqueness_field],
+            generator=True,
+            **kwargs,
+        )
+        for batch in batched(users, UPDATE_CHUNK_SIZE, strict=False):
+            identifiers = []
+            for user in batch:
+                if not (attributes := self.get_attributes(user)):
+                    continue
+                if identifier := self.get_identifier(attributes):
+                    identifiers.append(identifier)
+            UserLDAPSourceConnection.objects.filter(identifier__in=identifiers).update(
+                validated_by=uuid
+            )
+
+        return batched(
+            UserLDAPSourceConnection.objects.filter(source=self._source)
+            .exclude(validated_by=uuid)
+            .values_list("user", flat=True)
+            .iterator(chunk_size=DELETE_CHUNK_SIZE),
+            DELETE_CHUNK_SIZE,
+            strict=False,
+        )
+
+    def sync(self, user_pks: tuple) -> int:
+        """Delete authentik users"""
+        if not self._source.sync_users or not self._source.delete_not_found_objects:
+            self.message("User syncing is disabled for this Source")
+            return -1
+        self._logger.debug("Deleting users", user_pks=user_pks)
+        _, deleted_per_type = User.objects.filter(pk__in=user_pks).delete()
+        return deleted_per_type.get(User._meta.label, 0)

authentik/sources/ldap/sync/groups.py

@@ -58,18 +58,16 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             return -1
         group_count = 0
         for group in page_data:
-            if "attributes" not in group:
+            if (attributes := self.get_attributes(group)) is None:
                 continue
-            attributes = group.get("attributes", {})
             group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
-            if not attributes.get(self._source.object_uniqueness_field):
+            if not (uniq := self.get_identifier(attributes)):
                 self.message(
                     f"Uniqueness field not found/not set in attributes: '{group_dn}'",
                     attributes=attributes.keys(),
                     dn=group_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = {
                     k: flatten(v)

authentik/sources/ldap/sync/membership.py

@@ -63,9 +63,9 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                     group_member_dn = group_member.get("dn", {})
                     members.append(group_member_dn)
             else:
-                if "attributes" not in group:
+                if (attributes := self.get_attributes(group)) is None:
                     continue
-                members = group.get("attributes", {}).get(self._source.group_membership_field, [])
+                members = attributes.get(self._source.group_membership_field, [])
 
             ak_group = self.get_group(group)
             if not ak_group:

authentik/sources/ldap/sync/users.py

@@ -60,18 +60,16 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             return -1
         user_count = 0
         for user in page_data:
-            if "attributes" not in user:
+            if (attributes := self.get_attributes(user)) is None:
                 continue
-            attributes = user.get("attributes", {})
             user_dn = flatten(user.get("entryDN", user.get("dn")))
-            if not attributes.get(self._source.object_uniqueness_field):
+            if not (uniq := self.get_identifier(attributes)):
                 self.message(
                     f"Uniqueness field not found/not set in attributes: '{user_dn}'",
                     attributes=attributes.keys(),
                     dn=user_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = {
                     k: flatten(v)

authentik/sources/ldap/tasks.py

@@ -17,6 +17,8 @@ from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
+from authentik.sources.ldap.sync.forward_delete_groups import GroupLDAPForwardDeletion
+from authentik.sources.ldap.sync.forward_delete_users import UserLDAPForwardDeletion
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
@@ -52,11 +54,11 @@ def ldap_connectivity_check(pk: str | None = None):
 
 
 @CELERY_APP.task(
-    # We take the configured hours timeout time by 2.5 as we run user and
+    # We take the configured hours timeout time by 3.5 as we run user and
-    # group in parallel and then membership, so 2x is to cover the serial tasks,
+    # group in parallel and then membership, then deletions, so 3x is to cover the serial tasks,
     # and 0.5x on top of that to give some more leeway
-    soft_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 2.5,
+    soft_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3.5,
-    task_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 2.5,
+    task_time_limit=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3.5,
 )
 def ldap_sync_single(source_pk: str):
     """Sync a single source"""
@@ -79,6 +81,25 @@ def ldap_sync_single(source_pk: str):
             group(
                 ldap_sync_paginator(source, MembershipLDAPSynchronizer),
             ),
+            # Finally, deletions. What we'd really like to do here is something like
+            # ```
+            # user_identifiers = <ldap query>
+            # User.objects.exclude(
+            #     usersourceconnection__identifier__in=user_uniqueness_identifiers,
+            # ).delete()
+            # ```
+            # This runs into performance issues in large installations. So instead we spread the
+            # work out into three steps:
+            # 1. Get every object from the LDAP source.
+            # 2. Mark every object as "safe" in the database. This is quick, but any error could
+            #    mean deleting users which should not be deleted, so we do it immediately, in
+            #    large chunks, and only queue the deletion step afterwards.
+            # 3. Delete every unmarked item. This is slow, so we spread it over many tasks in
+            #    small chunks.
+            group(
+                ldap_sync_paginator(source, UserLDAPForwardDeletion)
+                + ldap_sync_paginator(source, GroupLDAPForwardDeletion),
+            ),
         )
         task()
 

authentik/sources/ldap/tests/mock_slapd.py

@@ -2,6 +2,33 @@
 
 from ldap3 import MOCK_SYNC, OFFLINE_SLAPD_2_4, Connection, Server
 
+# The mock modifies these in place, so we have to define them per string
+user_in_slapd_dn = "cn=user_in_slapd_cn,ou=users,dc=goauthentik,dc=io"
+user_in_slapd_cn = "user_in_slapd_cn"
+user_in_slapd_uid = "user_in_slapd_uid"
+user_in_slapd_object_class = "person"
+user_in_slapd = {
+    "dn": user_in_slapd_dn,
+    "attributes": {
+        "cn": user_in_slapd_cn,
+        "uid": user_in_slapd_uid,
+        "objectClass": user_in_slapd_object_class,
+    },
+}
+group_in_slapd_dn = "cn=user_in_slapd_cn,ou=groups,dc=goauthentik,dc=io"
+group_in_slapd_cn = "group_in_slapd_cn"
+group_in_slapd_uid = "group_in_slapd_uid"
+group_in_slapd_object_class = "groupOfNames"
+group_in_slapd = {
+    "dn": group_in_slapd_dn,
+    "attributes": {
+        "cn": group_in_slapd_cn,
+        "uid": group_in_slapd_uid,
+        "objectClass": group_in_slapd_object_class,
+        "member": [user_in_slapd["dn"]],
+    },
+}
+
 
 def mock_slapd_connection(password: str) -> Connection:
     """Create mock SLAPD connection"""
@@ -96,5 +123,14 @@ def mock_slapd_connection(password: str) -> Connection:
             "objectClass": "posixAccount",
         },
     )
+    # Known user and group
+    connection.strategy.add_entry(
+        user_in_slapd["dn"],
+        user_in_slapd["attributes"],
+    )
+    connection.strategy.add_entry(
+        group_in_slapd["dn"],
+        group_in_slapd["attributes"],
+    )
     connection.bind()
     return connection

authentik/sources/ldap/tests/test_sync.py

@@ -13,14 +13,26 @@ from authentik.events.system_tasks import TaskStatus
 from authentik.lib.generators import generate_id, generate_key
 from authentik.lib.sync.outgoing.exceptions import StopSync
 from authentik.lib.utils.reflection import class_to_path
-from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
+from authentik.sources.ldap.models import (
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    LDAPSourcePropertyMapping,
+    UserLDAPSourceConnection,
+)
+from authentik.sources.ldap.sync.forward_delete_users import DELETE_CHUNK_SIZE
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
 from authentik.sources.ldap.tasks import ldap_sync, ldap_sync_all
 from authentik.sources.ldap.tests.mock_ad import mock_ad_connection
 from authentik.sources.ldap.tests.mock_freeipa import mock_freeipa_connection
-from authentik.sources.ldap.tests.mock_slapd import mock_slapd_connection
+from authentik.sources.ldap.tests.mock_slapd import (
+    group_in_slapd_cn,
+    group_in_slapd_uid,
+    mock_slapd_connection,
+    user_in_slapd_cn,
+    user_in_slapd_uid,
+)
 
 LDAP_PASSWORD = generate_key()
 
@@ -308,3 +320,160 @@ class LDAPSyncTests(TestCase):
         connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
         with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
             ldap_sync_all.delay().get()
+
+    def test_user_deletion(self):
+        """Test user deletion"""
+        user = User.objects.create_user(username="not-in-the-source")
+        UserLDAPSourceConnection.objects.create(
+            user=user, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertFalse(User.objects.filter(username="not-in-the-source").exists())
+
+    def test_user_deletion_still_in_source(self):
+        """Test that user is not deleted if it's still in the source"""
+        username = user_in_slapd_cn
+        identifier = user_in_slapd_uid
+        user = User.objects.create_user(username=username)
+        UserLDAPSourceConnection.objects.create(
+            user=user, source=self.source, identifier=identifier
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(User.objects.filter(username=username).exists())
+
+    def test_user_deletion_no_sync(self):
+        """Test that user is not deleted if sync_users is False"""
+        user = User.objects.create_user(username="not-in-the-source")
+        UserLDAPSourceConnection.objects.create(
+            user=user, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.sync_users = False
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(User.objects.filter(username="not-in-the-source").exists())
+
+    def test_user_deletion_no_delete(self):
+        """Test that user is not deleted if delete_not_found_objects is False"""
+        user = User.objects.create_user(username="not-in-the-source")
+        UserLDAPSourceConnection.objects.create(
+            user=user, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(User.objects.filter(username="not-in-the-source").exists())
+
+    def test_group_deletion(self):
+        """Test group deletion"""
+        group = Group.objects.create(name="not-in-the-source")
+        GroupLDAPSourceConnection.objects.create(
+            group=group, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertFalse(Group.objects.filter(name="not-in-the-source").exists())
+
+    def test_group_deletion_still_in_source(self):
+        """Test that group is not deleted if it's still in the source"""
+        groupname = group_in_slapd_cn
+        identifier = group_in_slapd_uid
+        group = Group.objects.create(name=groupname)
+        GroupLDAPSourceConnection.objects.create(
+            group=group, source=self.source, identifier=identifier
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(Group.objects.filter(name=groupname).exists())
+
+    def test_group_deletion_no_sync(self):
+        """Test that group is not deleted if sync_groups is False"""
+        group = Group.objects.create(name="not-in-the-source")
+        GroupLDAPSourceConnection.objects.create(
+            group=group, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.sync_groups = False
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(Group.objects.filter(name="not-in-the-source").exists())
+
+    def test_group_deletion_no_delete(self):
+        """Test that group is not deleted if delete_not_found_objects is False"""
+        group = Group.objects.create(name="not-in-the-source")
+        GroupLDAPSourceConnection.objects.create(
+            group=group, source=self.source, identifier="not-in-the-source"
+        )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+        self.assertTrue(Group.objects.filter(name="not-in-the-source").exists())
+
+    def test_batch_deletion(self):
+        """Test batch deletion"""
+        BATCH_SIZE = DELETE_CHUNK_SIZE + 1
+        for i in range(BATCH_SIZE):
+            user = User.objects.create_user(username=f"not-in-the-source-{i}")
+            group = Group.objects.create(name=f"not-in-the-source-{i}")
+            group.users.add(user)
+            UserLDAPSourceConnection.objects.create(
+                user=user, source=self.source, identifier=f"not-in-the-source-{i}-user"
+            )
+            GroupLDAPSourceConnection.objects.create(
+                group=group, source=self.source, identifier=f"not-in-the-source-{i}-group"
+            )
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.delete_not_found_objects = True
+        self.source.save()
+
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            ldap_sync_all.delay().get()
+
+        self.assertFalse(User.objects.filter(username__startswith="not-in-the-source").exists())
+        self.assertFalse(Group.objects.filter(name__startswith="not-in-the-source").exists())

authentik/sources/saml/views.py

@@ -9,6 +9,7 @@ from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404, redirect
 from django.utils.decorators import method_decorator
 from django.utils.http import urlencode
+from django.utils.translation import gettext as _
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
@@ -128,7 +129,9 @@ class InitiateView(View):
         # otherwise we default to POST_AUTO, with direct redirect
         if source.binding_type == SAMLBindingTypes.POST:
             injected_stages.append(in_memory_stage(ConsentStageView))
-            plan_kwargs[PLAN_CONTEXT_CONSENT_HEADER] = f"Continue to {source.name}"
+            plan_kwargs[PLAN_CONTEXT_CONSENT_HEADER] = _(
+                "Continue to {source_name}".format(source_name=source.name)
+            )
         injected_stages.append(in_memory_stage(AutosubmitStageView))
         return self.handle_login_flow(
             source,

authentik/stages/authenticator_validate/tests/test_duo.py

@@ -168,13 +168,10 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
             user__pk=self.user.pk,
         ).first()
         self.assertIsNotNone(event)
-        context = dict(event.context)
-        # The auth_method field is being obfuscated as it's marked as sensitive in Django 5.2
-        auth_method = context.pop("auth_method")
-        self.assertIn(auth_method, ["auth_mfa", "********************"])
         self.assertEqual(
-            context,
+            event.context,
             {
+                "auth_method": "auth_mfa",
                 "auth_method_args": {
                     "mfa_devices": [
                         {

authentik/stages/consent/stage.py

@@ -4,6 +4,8 @@ from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
 from django.utils.timezone import now
+from django.utils.translation import gettext as _
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 
 from authentik.core.api.utils import PassiveSerializer
@@ -47,6 +49,11 @@ class ConsentChallengeResponse(ChallengeResponse):
     component = CharField(default="ak-stage-consent")
     token = CharField(required=True)
 
+    def validate_token(self, token: str):
+        if token != self.stage.executor.request.session[SESSION_KEY_CONSENT_TOKEN]:
+            raise ValidationError(_("Invalid consent token, re-showing prompt"))
+        return token
+
 
 class ConsentStageView(ChallengeStageView):
     """Simple consent checker."""
@@ -120,9 +127,6 @@ class ConsentStageView(ChallengeStageView):
         return super().get(request, *args, **kwargs)
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        if response.data["token"] != self.request.session[SESSION_KEY_CONSENT_TOKEN]:
-            self.logger.info("Invalid consent token, re-showing prompt")
-            return self.get(self.request)
         if self.should_always_prompt():
             return self.executor.stage_ok()
         current_stage: ConsentStage = self.executor.current_stage

authentik/stages/consent/tests.py

@@ -17,6 +17,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConsent
 from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
     PLAN_CONTEXT_CONSENT_PERMISSIONS,
     SESSION_KEY_CONSENT_TOKEN,
 )
@@ -33,6 +34,40 @@ class TestConsentStage(FlowTestCase):
             slug=generate_id(),
         )
 
+    def test_mismatched_token(self):
+        """Test incorrect token"""
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+        stage = ConsentStage.objects.create(name=generate_id(), mode=ConsentMode.ALWAYS_REQUIRE)
+        binding = FlowStageBinding.objects.create(target=flow, stage=stage, order=2)
+
+        plan = FlowPlan(flow_pk=flow.pk.hex, bindings=[binding], markers=[StageMarker()])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        self.assertEqual(response.status_code, 200)
+
+        session = self.client.session
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            {
+                "token": generate_id(),
+            },
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            flow,
+            component="ak-stage-consent",
+            response_errors={
+                "token": [{"string": "Invalid consent token, re-showing prompt", "code": "invalid"}]
+            },
+        )
+        self.assertFalse(UserConsent.objects.filter(user=self.user).exists())
+
     def test_always_required(self):
         """Test always required consent"""
         flow = create_test_flow(FlowDesignation.AUTHENTICATION)
@@ -158,6 +193,7 @@ class TestConsentStage(FlowTestCase):
             context={
                 PLAN_CONTEXT_APPLICATION: self.application,
                 PLAN_CONTEXT_CONSENT_PERMISSIONS: [PermissionDict(id="foo", name="foo-desc")],
+                PLAN_CONTEXT_CONSENT_HEADER: "test header",
             },
         )
         session = self.client.session

authentik/stages/email/flow.py

@@ -0,0 +1,38 @@
+from base64 import b64encode
+from copy import deepcopy
+from pickle import dumps  # nosec
+
+from django.utils.translation import gettext as _
+
+from authentik.flows.models import FlowToken, in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
+from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_HEADER, ConsentStageView
+
+
+def pickle_flow_token_for_email(plan: FlowPlan):
+    """Insert a consent stage into the flow plan and pickle it for a FlowToken,
+    to be sent via Email. This is to prevent automated email scanners, which sometimes
+    open links in emails in a full browser from breaking the link."""
+    plan_copy = deepcopy(plan)
+    plan_copy.insert_stage(in_memory_stage(EmailTokenRevocationConsentStageView), index=0)
+    plan_copy.context[PLAN_CONTEXT_CONSENT_HEADER] = _("Continue to confirm this email address.")
+    data = dumps(plan_copy)
+    return b64encode(data).decode()
+
+
+class EmailTokenRevocationConsentStageView(ConsentStageView):
+
+    def get(self, request, *args, **kwargs):
+        token: FlowToken = self.executor.plan.context[PLAN_CONTEXT_IS_RESTORED]
+        try:
+            token.refresh_from_db()
+        except FlowToken.DoesNotExist:
+            return self.executor.stage_invalid(
+                _("Link was already used, please request a new link.")
+            )
+        return super().get(request, *args, **kwargs)
+
+    def challenge_valid(self, response):
+        token: FlowToken = self.executor.plan.context[PLAN_CONTEXT_IS_RESTORED]
+        token.delete()
+        return super().challenge_valid(response)

authentik/stages/email/stage.py

@@ -23,6 +23,7 @@ from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -86,7 +87,8 @@ class EmailStageView(ChallengeStageView):
                 user=pending_user,
                 identifier=identifier,
                 flow=self.executor.flow,
-                _plan=FlowToken.pickle(self.executor.plan),
+                _plan=pickle_flow_token_for_email(self.executor.plan),
+                revoke_on_execution=False,
             )
         token = tokens.first()
         # Check if token is expired and rotate key if so

authentik/stages/email/tests/test_sending.py

@@ -174,5 +174,5 @@ class TestEmailStageSending(FlowTestCase):
                 response = self.client.post(url)
             response = self.client.post(url)
             self.assertEqual(response.status_code, 200)
-            self.assertTrue(len(mail.outbox) >= 1)
+            self.assertGreaterEqual(len(mail.outbox), 1)
             self.assertEqual(mail.outbox[0].subject, "authentik")

authentik/stages/email/tests/test_stage.py

@@ -17,6 +17,7 @@ from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import QS_KEY_TOKEN, SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
+from authentik.stages.consent.stage import SESSION_KEY_CONSENT_TOKEN
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.stage import PLAN_CONTEXT_EMAIL_OVERRIDE, EmailStageView
 
@@ -160,6 +161,17 @@ class TestEmailStage(FlowTestCase):
                     kwargs={"flow_slug": self.flow.slug},
                 )
             )
+            self.assertStageResponse(response, self.flow, component="ak-stage-consent")
+            response = self.client.post(
+                reverse(
+                    "authentik_api:flow-executor",
+                    kwargs={"flow_slug": self.flow.slug},
+                ),
+                data={
+                    "token": self.client.session[SESSION_KEY_CONSENT_TOKEN],
+                },
+                follow=True,
+            )
 
             self.assertEqual(response.status_code, 200)
             self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@@ -182,6 +194,7 @@ class TestEmailStage(FlowTestCase):
         # Set flow token user to a different user
         token: FlowToken = FlowToken.objects.get(user=self.user)
         token.user = create_test_admin_user()
+        token.revoke_on_execution = True
         token.save()
 
         with patch("authentik.flows.views.executor.FlowExecutorView.cancel", MagicMock()):

blueprints/schema.json

@@ -8180,6 +8180,11 @@
                     "type": "boolean",
                     "title": "Lookup groups from user",
                     "description": "Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory"
+                },
+                "delete_not_found_objects": {
+                    "type": "boolean",
+                    "title": "Delete not found objects",
+                    "description": "Delete authentik users and groups which were previously supplied by this source, but are now missing from it."
                 }
             },
             "required": []

internal/outpost/ldap/bind/memory/memory.go

@@ -28,16 +28,18 @@ func NewSessionBinder(si server.LDAPServerInstance, oldBinder bind.Binder) *Sess
 		si:  si,
 		log: log.WithField("logger", "authentik.outpost.ldap.binder.session"),
 	}
-	if oldSb, ok := oldBinder.(*SessionBinder); ok {
+	if oldBinder != nil {
-		sb.DirectBinder = oldSb.DirectBinder
+		if oldSb, ok := oldBinder.(*SessionBinder); ok {
-		sb.sessions = oldSb.sessions
+			sb.DirectBinder = oldSb.DirectBinder
-		sb.log.Debug("re-initialised session binder")
+			sb.sessions = oldSb.sessions
-	} else {
+			sb.log.Debug("re-initialised session binder")
-		sb.sessions = ttlcache.New(ttlcache.WithDisableTouchOnHit[Credentials, ldap.LDAPResultCode]())
+			return sb
-		sb.DirectBinder = *direct.NewDirectBinder(si)
+		}
-		go sb.sessions.Start()
-		sb.log.Debug("initialised session binder")
 	}
+	sb.sessions = ttlcache.New(ttlcache.WithDisableTouchOnHit[Credentials, ldap.LDAPResultCode]())
+	sb.DirectBinder = *direct.NewDirectBinder(si)
+	go sb.sessions.Start()
+	sb.log.Debug("initialised session binder")
 	return sb
 }
 

internal/outpost/ldap/refresh.go

@@ -16,6 +16,7 @@ import (
 	memorybind "goauthentik.io/internal/outpost/ldap/bind/memory"
 	"goauthentik.io/internal/outpost/ldap/constants"
 	"goauthentik.io/internal/outpost/ldap/flags"
+	"goauthentik.io/internal/outpost/ldap/search"
 	directsearch "goauthentik.io/internal/outpost/ldap/search/direct"
 	memorysearch "goauthentik.io/internal/outpost/ldap/search/memory"
 )
@@ -85,7 +86,11 @@ func (ls *LDAPServer) Refresh() error {
 			providers[idx].certUUID = *kp
 		}
 		if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_CACHED {
-			providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx])
+			var oldSearcher search.Searcher
+			if existing != nil {
+				oldSearcher = existing.searcher
+			}
+			providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx], oldSearcher)
 		} else if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_DIRECT {
 			providers[idx].searcher = directsearch.NewDirectSearcher(providers[idx])
 		}

internal/outpost/ldap/search/memory/memory.go

@@ -31,13 +31,26 @@ type MemorySearcher struct {
 	groups []api.Group
 }
 
-func NewMemorySearcher(si server.LDAPServerInstance) *MemorySearcher {
+func NewMemorySearcher(si server.LDAPServerInstance, existing search.Searcher) *MemorySearcher {
 	ms := &MemorySearcher{
 		si:  si,
 		log: log.WithField("logger", "authentik.outpost.ldap.searcher.memory"),
 		ds:  direct.NewDirectSearcher(si),
 	}
+	if existing != nil {
+		if ems, ok := existing.(*MemorySearcher); ok {
+			ems.si = si
+			ems.fetch()
+			ems.log.Debug("re-initialised memory searcher")
+			return ems
+		}
+	}
+	ms.fetch()
 	ms.log.Debug("initialised memory searcher")
+	return ms
+}
+
+func (ms *MemorySearcher) fetch() {
 	// Error is not handled here, we get an empty/truncated list and the error is logged
 	users, _ := ak.Paginator(ms.si.GetAPIClient().CoreApi.CoreUsersList(context.TODO()).IncludeGroups(true), ak.PaginatorOptions{
 		PageSize: 100,
@@ -49,7 +62,6 @@ func NewMemorySearcher(si server.LDAPServerInstance) *MemorySearcher {
 		Logger:   ms.log,
 	})
 	ms.groups = groups
-	return ms
 }
 
 func (ms *MemorySearcher) SearchBase(req *search.Request) (ldap.ServerSearchResult, error) {

internal/web/static.go

@@ -67,11 +67,15 @@ func (ws *WebServer) configureStatic() {
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
-		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
+		fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path))
-		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").Handler(pathStripper(
-			w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			fsMedia.ServeHTTP(w, r)
+				w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
-		})
+				fsMedia.ServeHTTP(w, r)
+			}),
+			"media/",
+			config.Get().Web.Path,
+		))
 	}
 
 	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(

locale/de/LC_MESSAGES/django.po

@@ -32,15 +32,17 @@
 # datenschmutz, 2025
 # 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
 # Dominic Wagner <mail@dominic-wagner.de>, 2025
+# Till-Frederik Riechard, 2025
+# Alexander Mnich, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Dominic Wagner <mail@dominic-wagner.de>, 2025\n"
+"Last-Translator: Alexander Mnich, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -132,6 +134,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Vom Authentik-Core-Webserver verwendetes Zertifikat."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marke"
@@ -405,7 +411,7 @@ msgstr "Eigenschaften"
 
 #: authentik/core/models.py
 msgid "session data"
-msgstr ""
+msgstr "Sitzungsdaten"
 
 #: authentik/core/models.py
 msgid "Session"
@@ -533,7 +539,7 @@ msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr ""
+msgstr "Anzahl Passwörter, gegen die geprüft wird."
 
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@@ -543,18 +549,20 @@ msgstr "Passwort nicht im Kontext festgelegt"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
+"Dieses Passwort wurde in Vergangenheit bereits verwendet. Bitte nutzen Sie "
+"ein anderes."
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr ""
+msgstr "Passwort-Einzigartigkeits-Richtlinie"
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr ""
+msgstr "Passwort-Einzigartigkeits-Richtlinien"
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr ""
+msgstr "Nutzer-Passwort-Historie"
 
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@@ -693,6 +701,33 @@ msgstr "Endgeräte"
 msgid "Verifying your browser..."
 msgstr "Verifiziere deinen Browser..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -988,7 +1023,7 @@ msgstr ""
 
 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr ""
+msgstr "Richtlinien auswerten, wenn die Phase dem Benutzer angezeigt wird."
 
 #: authentik/flows/models.py
 msgid ""
@@ -1043,9 +1078,12 @@ msgid "Starting full provider sync"
 msgstr "Starte komplette Provider Synchronisation."
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "Synchonisiere Benutzer Seite {page}"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -1593,11 +1631,11 @@ msgstr "ES256 (Asymmetrische Verschlüsselung)"
 
 #: authentik/providers/oauth2/models.py
 msgid "ES384 (Asymmetric Encryption)"
-msgstr ""
+msgstr "ES384 (Asymmetrische Verschlüsselung)"
 
 #: authentik/providers/oauth2/models.py
 msgid "ES512 (Asymmetric Encryption)"
-msgstr ""
+msgstr "ES5122 (Asymmetrische Verschlüsselung)"
 
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
@@ -2183,11 +2221,11 @@ msgstr "Standard"
 
 #: authentik/providers/scim/models.py
 msgid "AWS"
-msgstr ""
+msgstr "AWS"
 
 #: authentik/providers/scim/models.py
 msgid "Slack"
-msgstr ""
+msgstr "Slack"
 
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
@@ -2199,7 +2237,7 @@ msgstr "Authentifizierungstoken"
 
 #: authentik/providers/scim/models.py
 msgid "SCIM Compatibility Mode"
-msgstr ""
+msgstr "SCIM Kompatibilitätsmodus"
 
 #: authentik/providers/scim/models.py
 msgid "Alter authentik behavior for vendor-specific SCIM implementations."
@@ -2231,7 +2269,7 @@ msgstr "Rollen"
 
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr ""
+msgstr "Initiale Berechtigungen"
 
 #: authentik/rbac/models.py
 msgid "System permission"
@@ -2487,6 +2525,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Quelle"
@@ -2504,20 +2548,25 @@ msgid "LDAP Source Property Mappings"
 msgstr "LDAP Quelle Eigenschafts-Zuordnungen"
 
 #: authentik/sources/ldap/models.py
-msgid "User LDAP Source Connection"
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr "Benutzer LDAP-Quellverbindung"
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr ""
+msgstr "Benutzer LDAP-Quellverbindungen"
 
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr ""
+msgstr "LDAP Gruppen Quellverbindung"
 
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr ""
+msgstr "LDAP Gruppen Quellverbindungen"
 
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@@ -2530,7 +2579,7 @@ msgstr "Kein Token empfangen."
 
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr ""
+msgstr "HTTP Basic Authentifizierung"
 
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
@@ -2896,6 +2945,11 @@ msgstr "SAML Gruppen Quellverbindung"
 msgid "Group SAML Source Connections"
 msgstr "SAML Gruppen Quellverbindungen"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM Quelle"
@@ -2930,7 +2984,7 @@ msgstr "Duo Geräte"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
-msgstr ""
+msgstr "E-Mail Einmalpasswort"
 
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
@@ -2963,11 +3017,11 @@ msgstr "Beim Rendern der E-Mail-Vorlage ist ein Fehler aufgetreten"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
-msgstr ""
+msgstr "E-Mail Gerät"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
-msgstr ""
+msgstr "E-Mail Geräte"
 
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
@@ -2977,7 +3031,7 @@ msgstr "Code stimmt nicht überein"
 
 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
-msgstr ""
+msgstr "Ungültige E-Mail"
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
@@ -3273,6 +3327,10 @@ msgstr "Zustimmung der Benutzer"
 msgid "User Consents"
 msgstr "Zustimmungen der Benutzer"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Verweigerungsstufe"
@@ -3289,6 +3347,14 @@ msgstr "Dummy Stufe"
 msgid "Dummy Stages"
 msgstr "Dummy Stufen"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Passwort zurücksetzen"
@@ -3890,10 +3956,11 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
+"Reputation kann nicht niedriger als dieser Wert sein. Null oder negativ."
 
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
-msgstr ""
+msgstr "Reputation kann nicht höher als dieser Wert sein. Null oder positiv."
 
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-20 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -961,8 +961,11 @@ msgid "Starting full provider sync"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2252,6 +2255,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr ""
@@ -2268,6 +2277,11 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2639,6 +2653,11 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@@ -2994,6 +3013,10 @@ msgstr ""
 msgid "User Consents"
 msgstr ""
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr ""
@@ -3010,6 +3033,14 @@ msgstr ""
 msgid "Dummy Stages"
 msgstr ""
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr ""

locale/es/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
@@ -109,6 +109,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado Web usado por el servidor web Core de authentik"
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marca"
@@ -671,6 +675,33 @@ msgstr "Dispositivos de Punto de Conexión"
 msgid "Verifying your browser..."
 msgstr "Verificando tu navegador..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1009,9 +1040,12 @@ msgid "Starting full provider sync"
 msgstr "Iniciando sincronización completa de proveedor"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "Sincronizando página {page} de usuarios"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2452,6 +2486,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fuente de LDAP"
@@ -2468,6 +2508,11 @@ msgstr "Asignación de Propiedades de Fuente de LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Asignaciones de Propiedades de Fuente de LDAP"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2859,6 +2904,11 @@ msgstr "Conexión de Fuente de SAML de Grupo"
 msgid "Group SAML Source Connections"
 msgstr "Conexiones de Fuente de SAML de Grupo"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Fuente de SCIM"
@@ -3245,6 +3295,10 @@ msgstr "Consentimiento del usuario"
 msgid "User Consents"
 msgstr "Consentimientos del usuario"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Etapa de denegación"
@@ -3261,6 +3315,14 @@ msgstr "Escenario ficticio"
 msgid "Dummy Stages"
 msgstr "Etapas ficticias"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Restablecimiento de contraseña"

locale/fi/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
@@ -106,6 +106,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Web-sertifikaatti, jota authentik Core -verkkopalvelin käyttää."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brändi"
@@ -658,6 +662,33 @@ msgstr "Päätelaitteet"
 msgid "Verifying your browser..."
 msgstr "Selaintasi varmennetaan..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -996,9 +1027,12 @@ msgid "Starting full provider sync"
 msgstr "Käynnistetään palveluntarjoajan täysi synkronisointi"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "Synkronoidaan käyttäjien sivua {page}"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2429,6 +2463,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP-lähde"
@@ -2445,6 +2485,11 @@ msgstr "LDAP-lähteen ominaisuuskytkentä"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP-lähteen ominaisuuskytkennät"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2837,6 +2882,11 @@ msgstr "Ryhmän SAML-lähteen yhteys"
 msgid "Group SAML Source Connections"
 msgstr "Ryhmän SAML-lähteen yhteydet"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM-lähde"
@@ -3216,6 +3266,10 @@ msgstr "Käyttäjän hyväksyntä"
 msgid "User Consents"
 msgstr "Käyttäjän hyväksynnät"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Kieltovaihe"
@@ -3232,6 +3286,14 @@ msgstr "Valevaihe"
 msgid "Dummy Stages"
 msgstr "Valevaiheet"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Salasanan nollaus"

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-20 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -1056,9 +1056,12 @@ msgid "Starting full provider sync"
 msgstr "Démarrage d'une synchronisation complète du fournisseur"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr "Synchronisation des utilisateurs"
-msgstr "Synchronisation de la page {page} d'utilisateurs"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr "Synchronisation des groupes"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2508,6 +2511,14 @@ msgstr ""
 "plutôt que sur un attribut de groupe. Cela permet la résolution des groupes "
 "imbriqués sur des systèmes tels que FreeIPA et Active Directory."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+"Supprimer les utilisateurs et les groupes authentik qui étaient auparavant "
+"fournis par cette source, mais qui en sont maintenant absents."
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Source LDAP"
@@ -2524,6 +2535,13 @@ msgstr "Mappage de propriété source LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappages de propriété source LDAP"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+"ID unique utilisé pour vérifier si cet objet existe toujours dans le "
+"répertoire."
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Connexion de l'utilisateur à la source LDAP"
@@ -2918,6 +2936,11 @@ msgstr "Connexion du groupe à la source SAML"
 msgid "Group SAML Source Connections"
 msgstr "Connexions du groupe à la source SAML"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr "Continuer vers {source_name}"
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Source SCIM"
@@ -3308,6 +3331,10 @@ msgstr "Consentement Utilisateur"
 msgid "User Consents"
 msgstr "Consentements Utilisateur"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr "Jeton de consentement invalide, réaffichage de l'invite"
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Étape de Refus"
@@ -3324,6 +3351,14 @@ msgstr "Étape factice"
 msgid "Dummy Stages"
 msgstr "Étapes factices"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr "Continuer pour confirmer cette adresse courriel."
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr "Ce lien a déjà été utilisé, veuillez en demander un nouveau."
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Réinitialiser le Mot de Passe"

locale/it/LC_MESSAGES/django.po

@@ -20,7 +20,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
@@ -114,6 +114,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificato Web utilizzato dal server Web authentik Core."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brand"
@@ -672,6 +676,33 @@ msgstr "Dispositivi di Accesso"
 msgid "Verifying your browser..."
 msgstr "Verifica del tuo browser..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1018,9 +1049,12 @@ msgid "Starting full provider sync"
 msgstr "Avvio della sincronizzazione completa del provider"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "Sincronizzando pagina {page} degli utenti"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2463,6 +2497,12 @@ msgstr ""
 "attributo di gruppo. Questo consente la risoluzione di gruppi nidificati su "
 "sistemi come FreeIPA e Active Directory."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Sorgente LDAP"
@@ -2479,6 +2519,11 @@ msgstr "Mappatura delle proprietà sorgente LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappature delle proprietà della sorgente LDAP"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Connessione Sorgente LDAP Utente"
@@ -2872,6 +2917,11 @@ msgstr "Connessione sorgente SAML di gruppo"
 msgid "Group SAML Source Connections"
 msgstr "Connessioni sorgente SAML di gruppo"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Sorgente SCIM"
@@ -3269,6 +3319,10 @@ msgstr "Consenso utente"
 msgid "User Consents"
 msgstr "Consensi utente"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Fase di negazione"
@@ -3285,6 +3339,14 @@ msgstr "Fase fittizia"
 msgid "Dummy Stages"
 msgstr "Fasi fittizie"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Ripristino password"

locale/ko/LC_MESSAGES/django.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@@ -99,6 +99,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Authentik Core 웹서버에서 사용하는 웹 인증서."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr ""
@@ -625,6 +629,33 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr ""
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -946,8 +977,11 @@ msgid "Starting full provider sync"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2263,6 +2297,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 소스"
@@ -2279,6 +2319,11 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2657,6 +2702,11 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@@ -3017,6 +3067,10 @@ msgstr "사용자 동의"
 msgid "User Consents"
 msgstr "사용자 동의"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "거부 스테이지"
@@ -3033,6 +3087,14 @@ msgstr "더미 스테이지"
 msgid "Dummy Stages"
 msgstr "더미 스테이지"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "비밀번호 초기화"

locale/nl/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Dany Sluijk, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/authentik/teams/119923/nl/)\n"
@@ -113,6 +113,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Webcertificaat gebruikt door de authentik Core-webserver."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Merk"
@@ -191,6 +195,7 @@ msgid "User's display name."
 msgstr "Weergavenaam van de gebruiker."
 
 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Gebruiker"
 
@@ -379,6 +384,18 @@ msgstr "Eigenschapskoppeling"
 msgid "Property Mappings"
 msgstr "Eigenschapskoppelingen"
 
+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sessie"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sessies"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Geauthenticeerde Sessie"
@@ -486,6 +503,38 @@ msgstr "Licentie Gebruik"
 msgid "License Usage Records"
 msgstr "Licentie Gebruik Records"
 
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Veldsleutel om te controleren, veldsleutels gedefinieerd in Prompt-stadia "
+"zijn beschikbaar."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Wachtwoord niet ingesteld in context"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Enterprise benodigd voor toegang tot deze functie."
@@ -622,6 +671,33 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr "Uw browser wordt geverifieerd..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -963,8 +1039,11 @@ msgid "Starting full provider sync"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -1265,12 +1344,6 @@ msgstr ""
 msgid "Clear Policy's cache metrics"
 msgstr ""
 
-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Veldsleutel om te controleren, veldsleutels gedefinieerd in Prompt-stadia "
-"zijn beschikbaar."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Hoe vaak het wachtwoordhash op haveibeenpwned mag voorkomen"
@@ -1282,10 +1355,6 @@ msgstr ""
 "Als de zxcvbn-score gelijk is aan of lager is dan deze waarde, zal het "
 "beleid falen."
 
-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Wachtwoord niet ingesteld in context"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@@ -1327,20 +1396,6 @@ msgstr "Reputatie Score"
 msgid "Reputation Scores"
 msgstr "Reputatie Scores"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Toestemming geweigerd"
@@ -2160,6 +2215,10 @@ msgstr ""
 msgid "Roles"
 msgstr ""
 
+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr ""
@@ -2392,6 +2451,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP-bron"
@@ -2408,6 +2473,27 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@@ -2417,6 +2503,14 @@ msgstr ""
 msgid "No token received."
 msgstr "Geen token ontvangen."
 
+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL voor aanvragen van token"
@@ -2458,6 +2552,12 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "Aanvullende scopes"
 
+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth-bron"
@@ -2769,6 +2869,11 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@@ -3142,6 +3247,10 @@ msgstr "Gebruikerstoestemming"
 msgid "User Consents"
 msgstr "Gebruikersinstemmingen"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Weigerfase"
@@ -3158,6 +3267,14 @@ msgstr "Dummystadium"
 msgid "Dummy Stages"
 msgstr "Dummystadia"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Wachtwoordherstel"
@@ -3357,6 +3474,12 @@ msgstr ""
 "Wanneer ingeschakeld, slaagt de stap en gaat verder wanneer ongeldige "
 "gebruikersgegevens zijn ingevoerd."
 
+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optionele inschrijvingsflow, die onderaan de pagina is gekoppeld."
@@ -3742,6 +3865,14 @@ msgstr ""
 "Gebeurtenissen worden verwijderd na deze duur. (Indeling: "
 "weken=3;dagen=2;uren=3;seconden=2)."
 
+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr "De optie stelt de voettekst links in op de flow uitvoer pagina's."

locale/pt/LC_MESSAGES/django.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Hugo Bicho, 2025\n"
 "Language-Team: Portuguese (https://app.transifex.com/authentik/teams/119923/pt/)\n"
@@ -105,6 +105,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado Web usado pelo servidor web authentik Core."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marca"
@@ -662,6 +666,33 @@ msgstr "Dispositivos do ponto de ligação"
 msgid "Verifying your browser..."
 msgstr "A verificar o seu browser..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1007,9 +1038,12 @@ msgid "Starting full provider sync"
 msgstr "Iniciando a sincronização completa com o provedor"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "A sincronizar a página {page} dos utilizadores"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2456,6 +2490,12 @@ msgstr ""
 " um atributo do grupo. Isto permite a resolução de grupos hierárquicos em "
 "sistemas como o FreeIPA e Active Directory."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fonte LDAP"
@@ -2472,6 +2512,11 @@ msgstr "Mapeamento de propriedades de fonte LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mapeamentos de propriedades de fonte LDAP"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "Ligação à fonte LDAP de Utilizador"
@@ -2865,6 +2910,11 @@ msgstr "Ligação à fonte SAML de Grupo"
 msgid "Group SAML Source Connections"
 msgstr "Ligações à fonte SAML de Grupo"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Fonte SCIM"
@@ -3255,6 +3305,10 @@ msgstr "Consentimento do Utilizador"
 msgid "User Consents"
 msgstr "Consentimentos do Utilizador"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Etapa de negação"
@@ -3271,6 +3325,14 @@ msgstr "Etapa fictícia"
 msgid "Dummy Stages"
 msgstr "Etapas fictícias"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Redefinição de Palavra-Passe"

locale/pt_BR/LC_MESSAGES/django.po

@@ -8,19 +8,19 @@
 # Josenivaldo Benito Junior, 2023
 # Caio Lima, 2023
 # Hacklab, 2023
-# Wagner Santos, 2024
 # Rafael Mundel, 2024
 # Anderson Silva Andrade <anderson.asa89@gmail.com>, 2025
 # Gil Poiares-Oliveira, 2025
+# Wagner Santos, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Gil Poiares-Oliveira, 2025\n"
+"Last-Translator: Wagner Santos, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -112,6 +112,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Certificado da Web usado pelo servidor da web authentik Core."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Brand"
@@ -271,11 +275,11 @@ msgstr "Aplicativos"
 
 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr ""
+msgstr "Autorização de aplicação"
 
 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr ""
+msgstr "Autorizações de aplicação"
 
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@@ -379,15 +383,15 @@ msgstr "Mapeamentos de propriedades"
 
 #: authentik/core/models.py
 msgid "session data"
-msgstr ""
+msgstr "dados de sessão"
 
 #: authentik/core/models.py
 msgid "Session"
-msgstr ""
+msgstr "Sessão"
 
 #: authentik/core/models.py
 msgid "Sessions"
-msgstr ""
+msgstr "Sessões"
 
 #: authentik/core/models.py
 msgid "Authenticated Session"
@@ -505,7 +509,7 @@ msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr ""
+msgstr "Número de senhas para verificar."
 
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@@ -514,19 +518,19 @@ msgstr "Senha não definida no contexto"
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
-msgstr ""
+msgstr "A senha já foi utilizada antes. Por favor, escolha uma diferente."
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr ""
+msgstr "Política de exclusividade de senha"
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr ""
+msgstr "Políticas de exclusividade de senha"
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr ""
+msgstr "Histórico de senhas do usuário"
 
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@@ -610,39 +614,39 @@ msgstr "Chave de Assinatura"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr ""
+msgstr "Chave utilizada para assinar os eventos SSF."
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr ""
+msgstr "Provedor de Shared Signals Framework"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr ""
+msgstr "Provedores de Shared Signals Framework"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr ""
+msgstr "Adicionar stream ao fornecedor SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr ""
+msgstr "Stream SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr ""
+msgstr "Streams SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr ""
+msgstr "Evento de stream SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr ""
+msgstr "Eventos de stream SSF"
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr ""
+msgstr "Falha ao enviar requisição"
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -664,6 +668,33 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr ""
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -681,7 +712,7 @@ msgstr ""
 #: authentik/events/api/tasks.py
 #, python-brace-format
 msgid "Successfully started task {name}."
-msgstr ""
+msgstr "Tarefa {name} iniciada com sucesso."
 
 #: authentik/events/models.py
 msgid "Event"
@@ -713,12 +744,16 @@ msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
 "serializable."
 msgstr ""
+"Personalize o corpo do pedido. O mapeamento deve retornar dados que sejam "
+"serializáveis em JSON."
 
 #: authentik/events/models.py
 msgid ""
 "Configure additional headers to be sent. Mapping should return a dictionary "
 "of key-value pairs"
 msgstr ""
+"Configurar cabeçalhos adicionais a serem enviados. O mapeamento deve "
+"retornar um dicionário de pares chave-valor"
 
 #: authentik/events/models.py
 msgid ""
@@ -998,8 +1033,11 @@ msgid "Starting full provider sync"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -1314,7 +1352,7 @@ msgstr ""
 #: authentik/policies/password/models.py
 #, python-brace-format
 msgid "Password exists on {count} online lists."
-msgstr ""
+msgstr "A senha está presente em {count}  listas de senhas vulneráveis."
 
 #: authentik/policies/password/models.py
 msgid "Password is too weak."
@@ -2396,6 +2434,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fonte LDAP"
@@ -2412,6 +2456,11 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2802,6 +2851,11 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr ""
@@ -3174,6 +3228,10 @@ msgstr "Consentimento do usuário"
 msgid "User Consents"
 msgstr "Consentimentos do usuário"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Negar Estágio"
@@ -3190,6 +3248,14 @@ msgstr "Palco fictício"
 msgid "Dummy Stages"
 msgstr "Fases fictícias"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Redefinição de senha"

locale/ru/LC_MESSAGES/django.po

@@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@@ -111,6 +111,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Web Certificate используемый для authentik Core webserver."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Бренд"
@@ -669,6 +673,33 @@ msgstr "Конечные устройства"
 msgid "Verifying your browser..."
 msgstr "Проверка вашего браузера..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1009,8 +1040,11 @@ msgid "Starting full provider sync"
 msgstr "Запуск полной синхронизации провайдера"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2430,6 +2464,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Источник LDAP"
@@ -2446,6 +2486,11 @@ msgstr "Сопоставление свойства LDAP источника"
 msgid "LDAP Source Property Mappings"
 msgstr "Сопоставление свойств LDAP источника"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2842,6 +2887,11 @@ msgstr "Групповое подключение к источнику SAML"
 msgid "Group SAML Source Connections"
 msgstr "Групповые подключения к источнику SAML"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "Источник SCIM"
@@ -3219,6 +3269,10 @@ msgstr "Согласие пользователя"
 msgid "User Consents"
 msgstr "Согласия пользователя"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Этап отказа"
@@ -3235,6 +3289,14 @@ msgstr "Фиктивный этап"
 msgid "Dummy Stages"
 msgstr "Фиктивные этапы"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Сброс пароля"

locale/tr/LC_MESSAGES/django.po

@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Turkish (https://app.transifex.com/authentik/teams/119923/tr/)\n"
@@ -107,6 +107,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "Authentik Core web sunucusu tarafından kullanılan Web Sertifikası."
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "Marka"
@@ -659,6 +663,33 @@ msgstr "Uç Nokta Cihazları"
 msgid "Verifying your browser..."
 msgstr "Tarayıcınız doğrulanıyor..."
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -1000,8 +1031,11 @@ msgid "Starting full provider sync"
 msgstr "Tam sağlayıcı senkronizasyonunu başlatma"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2430,6 +2464,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Kaynağı"
@@ -2446,6 +2486,11 @@ msgstr "LDAP Kaynak Özellik Eşlemesi"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Kaynak Özellik Eşlemeleri"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2837,6 +2882,11 @@ msgstr "Grup SAML Kaynak Bağlantısı"
 msgid "Group SAML Source Connections"
 msgstr "Grup SAML Kaynak Bağlantıları"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM Kaynak"
@@ -3211,6 +3261,10 @@ msgstr "Kullanıcı Onayı"
 msgid "User Consents"
 msgstr "Kullanıcı Onayları"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "Aşama Alanını Reddet"
@@ -3227,6 +3281,14 @@ msgstr "Kukla Aşaması"
 msgid "Dummy Stages"
 msgstr "Kukla Aşamaları"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "Parola Sıfırlama"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-20 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -975,9 +975,12 @@ msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "正在同步用户页面 {page}"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2285,6 +2288,12 @@ msgid ""
 "Active Directory"
 msgstr "基于用户属性而非组属性查询组成员身份。这允许在 FreeIPA 或 Active Directory 等系统上支持嵌套组决策"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 源"
@@ -2301,6 +2310,11 @@ msgstr "LDAP 源属性映射"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP 源属性映射"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "用户 LDAP 源连接"
@@ -2678,6 +2692,11 @@ msgstr "组 SAML 源连接"
 msgid "Group SAML Source Connections"
 msgstr "组 SAML 源连接"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM 源"
@@ -3044,6 +3063,10 @@ msgstr "用户同意授权"
 msgid "User Consents"
 msgstr "用户同意授权"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "拒绝阶段"
@@ -3060,6 +3083,14 @@ msgstr "虚拟阶段"
 msgid "Dummy Stages"
 msgstr "虚拟阶段"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "密码重置"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-20 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -974,9 +974,12 @@ msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
-msgstr "正在同步用户页面 {page}"
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2284,6 +2287,12 @@ msgid ""
 "Active Directory"
 msgstr "基于用户属性而非组属性查询组成员身份。这允许在 FreeIPA 或 Active Directory 等系统上支持嵌套组决策"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 源"
@@ -2300,6 +2309,11 @@ msgstr "LDAP 源属性映射"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP 源属性映射"
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr "用户 LDAP 源连接"
@@ -2677,6 +2691,11 @@ msgstr "组 SAML 源连接"
 msgid "Group SAML Source Connections"
 msgstr "组 SAML 源连接"
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM 源"
@@ -3043,6 +3062,10 @@ msgstr "用户同意授权"
 msgid "User Consents"
 msgstr "用户同意授权"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "拒绝阶段"
@@ -3059,6 +3082,14 @@ msgstr "虚拟阶段"
 msgid "Dummy Stages"
 msgstr "虚拟阶段"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "密码重置"

locale/zh_TW/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-23 09:00+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: 刘松, 2025\n"
 "Language-Team: Chinese (Taiwan) (https://app.transifex.com/authentik/teams/119923/zh_TW/)\n"
@@ -101,6 +101,10 @@ msgstr ""
 msgid "Web Certificate used by the authentik Core webserver."
 msgstr "用於 authentik Core 網頁伺服器的網頁憑證。"
 
+#: authentik/brands/models.py
+msgid "Certificates used for client authentication."
+msgstr ""
+
 #: authentik/brands/models.py
 msgid "Brand"
 msgstr "品牌"
@@ -625,6 +629,33 @@ msgstr ""
 msgid "Verifying your browser..."
 msgstr ""
 
+#: authentik/enterprise/stages/mtls/models.py
+msgid ""
+"Configure certificate authorities to validate the certificate against. This "
+"option has a higher priority than the `client_certificate` option on "
+"`Brand`."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Mutual TLS Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/models.py
+msgid "Permissions to pass Certificates for outposts."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "Certificate required but no certificate was given."
+msgstr ""
+
+#: authentik/enterprise/stages/mtls/stage.py
+msgid "No user found for certificate."
+msgstr ""
+
 #: authentik/enterprise/stages/source/models.py
 msgid ""
 "Amount of time a user can take to return from the source to continue the "
@@ -943,8 +974,11 @@ msgid "Starting full provider sync"
 msgstr "開始同步所有提供程式"
 
 #: authentik/lib/sync/outgoing/tasks.py
-#, python-brace-format
+msgid "Syncing users"
-msgid "Syncing page {page} of users"
+msgstr ""
+
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Syncing groups"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2249,6 +2283,12 @@ msgid ""
 "Active Directory"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Delete authentik users and groups which were previously supplied by this "
+"source, but are now missing from it."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 來源"
@@ -2265,6 +2305,11 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Unique ID used while checking if this object still exists in the directory."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
 msgstr ""
@@ -2642,6 +2687,11 @@ msgstr ""
 msgid "Group SAML Source Connections"
 msgstr ""
 
+#: authentik/sources/saml/views.py
+#, python-brace-format
+msgid "Continue to {source_name}"
+msgstr ""
+
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
 msgstr "SCIM 來源"
@@ -2998,6 +3048,10 @@ msgstr "使用者同意"
 msgid "User Consents"
 msgstr "使用者同意"
 
+#: authentik/stages/consent/stage.py
+msgid "Invalid consent token, re-showing prompt"
+msgstr ""
+
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
 msgstr "拒絕階段"
@@ -3014,6 +3068,14 @@ msgstr "假階段"
 msgid "Dummy Stages"
 msgstr "假階段"
 
+#: authentik/stages/email/flow.py
+msgid "Continue to confirm this email address."
+msgstr ""
+
+#: authentik/stages/email/flow.py
+msgid "Link was already used, please request a new link."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Password Reset"
 msgstr "重設密碼"

pyproject.toml

@@ -13,7 +13,7 @@ dependencies = [
     "dacite==1.9.2",
     "deepmerge==2.0",
     "defusedxml==0.7.1",
-    "django==5.2.1",
+    "django==5.1.9",
     "django-countries==7.6.1",
     "django-cte==1.3.3",
     "django-filter==25.1",
@@ -43,7 +43,7 @@ dependencies = [
     "kubernetes==32.0.1",
     "ldap3==2.9.1",
     "lxml==5.4.0",
-    "msgraph-sdk==1.30.0",
+    "msgraph-sdk==1.31.0",
     "opencontainers==0.0.14",
     "packaging==25.0",
     "paramiko==3.5.1",

schema.yml

@@ -28473,6 +28473,10 @@ paths:
         schema:
           type: string
           format: uuid
+      - in: query
+        name: delete_not_found_objects
+        schema:
+          type: boolean
       - in: query
         name: enabled
         schema:
@@ -47922,6 +47926,10 @@ components:
           description: Lookup group membership based on a user attribute instead of
             a group attribute. This allows nested group resolution on systems like
             FreeIPA and Active Directory
+        delete_not_found_objects:
+          type: boolean
+          description: Delete authentik users and groups which were previously supplied
+            by this source, but are now missing from it.
       required:
       - base_dn
       - component
@@ -48123,6 +48131,10 @@ components:
           description: Lookup group membership based on a user attribute instead of
             a group attribute. This allows nested group resolution on systems like
             FreeIPA and Active Directory
+        delete_not_found_objects:
+          type: boolean
+          description: Delete authentik users and groups which were previously supplied
+            by this source, but are now missing from it.
       required:
       - base_dn
       - name
@@ -53456,6 +53468,10 @@ components:
           description: Lookup group membership based on a user attribute instead of
             a group attribute. This allows nested group resolution on systems like
             FreeIPA and Active Directory
+        delete_not_found_objects:
+          type: boolean
+          description: Delete authentik users and groups which were previously supplied
+            by this source, but are now missing from it.
     PatchedLicenseRequest:
       type: object
       description: License Serializer

scripts/api-ts-templates/tsconfig.esm.mustache

@@ -0,0 +1,7 @@
+{
+    "$schema": "https://json.schemastore.org/tsconfig",
+    "extends": "./tsconfig.json",
+    "compilerOptions": {
+        "outDir": "dist/esm",
+    },
+}

scripts/api-ts-templates/tsconfig.mustache

@@ -0,0 +1,23 @@
+{
+    "$schema": "https://json.schemastore.org/tsconfig",
+    "compilerOptions": {
+        "composite": true,
+        "isolatedModules": true,
+        "incremental": true,
+        "baseUrl": ".",
+        "rootDir": "src",
+        "strict": true,
+        "newLine": "lf",
+        "target": "ESNext",
+        "module": "ESNext",
+        "moduleResolution": "bundler",
+        "outDir": "dist",
+        "skipDefaultLibCheck": true,
+        "skipLibCheck": true,
+        "sourceMap": true,
+        "declaration": true,
+        "declarationMap": true,
+        "lib": ["DOM", "DOM.Iterable", "ESNext"],
+    },
+    "exclude": ["node_modules", "./out/**/*", "./dist/**/*"],
+}

tests/e2e/docker-compose.yml

@@ -1,5 +1,6 @@
 services:
   chrome:
+    platform: linux/x86_64
     image: docker.io/selenium/standalone-chrome:136.0
     volumes:
       - /dev/shm:/dev/shm

tests/e2e/test_flows_enroll.py

@@ -10,6 +10,7 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
+from authentik.lib.generators import generate_id
 from authentik.stages.identification.models import IdentificationStage
 from tests.e2e.utils import SeleniumTestCase, retry
 
@@ -17,6 +18,10 @@ from tests.e2e.utils import SeleniumTestCase, retry
 class TestFlowsEnroll(SeleniumTestCase):
     """Test Enroll flow"""
 
+    def setUp(self):
+        super().setUp()
+        self.username = generate_id()
+
     @retry()
     @apply_blueprint(
         "default/flow-default-authentication-flow.yaml",
@@ -39,8 +44,8 @@ class TestFlowsEnroll(SeleniumTestCase):
         self.initial_stages()
         sleep(2)
 
-        user = User.objects.get(username="foo")
+        user = User.objects.get(username=self.username)
-        self.assertEqual(user.username, "foo")
+        self.assertEqual(user.username, self.username)
         self.assertEqual(user.name, "some name")
         self.assertEqual(user.email, "foo@bar.baz")
 
@@ -87,7 +92,16 @@ class TestFlowsEnroll(SeleniumTestCase):
 
         sleep(2)
 
-        self.assert_user(User.objects.get(username="foo"))
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            "[type=submit]",
+        ).click()
+
+        self.wait_for_url(self.if_user_url())
+
+        self.assert_user(User.objects.get(username=self.username))
 
     def initial_stages(self):
         """Fill out initial stages"""
@@ -105,7 +119,7 @@ class TestFlowsEnroll(SeleniumTestCase):
         wait = WebDriverWait(prompt_stage, self.wait_timeout)
 
         wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=username]")))
-        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").send_keys("foo")
+        prompt_stage.find_element(By.CSS_SELECTOR, "input[name=username]").send_keys(self.username)
         prompt_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
             self.user.username
         )
@@ -124,3 +138,82 @@ class TestFlowsEnroll(SeleniumTestCase):
         prompt_stage.find_element(By.CSS_SELECTOR, "input[name=name]").send_keys("some name")
         prompt_stage.find_element(By.CSS_SELECTOR, "input[name=email]").send_keys("foo@bar.baz")
         prompt_stage.find_element(By.CSS_SELECTOR, ".pf-c-button").click()
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint(
+        "example/flows-enrollment-email-verification.yaml",
+    )
+    @CONFIG.patch("email.port", 1025)
+    def test_enroll_email_pretend_email_scanner(self):
+        """Test enroll with Email verification. Open the email link twice to pretend we have an
+        email scanner that clicks on links"""
+        # Attach enrollment flow to identification stage
+        ident_stage: IdentificationStage = IdentificationStage.objects.get(
+            name="default-authentication-identification"
+        )
+        ident_stage.enrollment_flow = Flow.objects.get(slug="default-enrollment-flow")
+        ident_stage.save()
+
+        self.driver.get(self.live_server_url)
+        self.initial_stages()
+
+        # Email stage
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        email_stage = self.get_shadow_root("ak-stage-email", flow_executor)
+
+        wait = WebDriverWait(email_stage, self.wait_timeout)
+
+        # Wait for the success message so we know the email is sent
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, ".pf-c-form p")))
+
+        # Open Mailpit
+        self.driver.get("http://localhost:8025")
+
+        # Click on first message
+        self.wait.until(ec.presence_of_element_located((By.CLASS_NAME, "message")))
+        self.driver.find_element(By.CLASS_NAME, "message").click()
+        self.driver.switch_to.frame(self.driver.find_element(By.ID, "preview-html"))
+        confirmation_link = self.driver.find_element(By.ID, "confirm").get_attribute("href")
+
+        main_tab = self.driver.current_window_handle
+
+        self.driver.switch_to.new_window("tab")
+        confirm_tab = self.driver.current_window_handle
+
+        # On the new tab, check that we have the confirmation screen
+        self.driver.get(confirmation_link)
+        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor")))
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+
+        self.assertEqual(
+            "Continue to confirm this email address.",
+            consent_stage.find_element(By.CSS_SELECTOR, "#header-text").text,
+        )
+
+        # Back on the main tab, confirm
+        self.driver.switch_to.window(main_tab)
+        self.driver.get(confirmation_link)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            "[type=submit]",
+        ).click()
+
+        self.wait_for_url(self.if_user_url())
+        sleep(2)
+
+        self.assert_user(User.objects.get(username=self.username))
+
+        self.driver.switch_to.window(confirm_tab)
+        self.driver.refresh()
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        wait = WebDriverWait(flow_executor, self.wait_timeout)
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "ak-stage-access-denied")))

tests/e2e/test_flows_recovery.py

@@ -84,6 +84,14 @@ class TestFlowsRecovery(SeleniumTestCase):
         self.driver.switch_to.window(self.driver.window_handles[0])
 
         sleep(2)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        consent_stage = self.get_shadow_root("ak-stage-consent", flow_executor)
+        consent_stage.find_element(
+            By.CSS_SELECTOR,
+            "[type=submit]",
+        ).click()
+
         # We can now enter the new password
         flow_executor = self.get_shadow_root("ak-flow-executor")
         prompt_stage = self.get_shadow_root("ak-stage-prompt", flow_executor)

tests/e2e/utils.py

@@ -166,30 +166,35 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
             print("::group::authentik Logs", file=stderr)
         apps.get_app_config("authentik_tenants").ready()
         self.wait_timeout = 60
+        self.logger = get_logger()
         self.driver = self._get_driver()
         self.driver.implicitly_wait(30)
         self.wait = WebDriverWait(self.driver, self.wait_timeout)
-        self.logger = get_logger()
         self.user = create_test_admin_user()
         super().setUp()
 
     def _get_driver(self) -> WebDriver:
         count = 0
-        try:
+        opts = webdriver.ChromeOptions()
-            opts = webdriver.ChromeOptions()
+        opts.add_argument("--disable-search-engine-choice-screen")
-            opts.add_argument("--disable-search-engine-choice-screen")
+        # This breaks selenium when running remotely...?
-            return webdriver.Chrome(options=opts)
+        # opts.set_capability("goog:loggingPrefs", {"browser": "ALL"})
-        except WebDriverException:
+        opts.add_experimental_option(
-            pass
+            "prefs",
+            {
+                "profile.password_manager_leak_detection": False,
+            },
+        )
         while count < RETRIES:
             try:
                 driver = webdriver.Remote(
                     command_executor="http://localhost:4444/wd/hub",
-                    options=webdriver.ChromeOptions(),
+                    options=opts,
                 )
                 driver.maximize_window()
                 return driver
-            except WebDriverException:
+            except WebDriverException as exc:
+                self.logger.warning("Failed to setup webdriver", exc=exc)
                 count += 1
         raise ValueError(f"Webdriver failed after {RETRIES}.")
 

uv.lock

@@ -273,7 +273,7 @@ requires-dist = [
     { name = "dacite", specifier = "==1.9.2" },
     { name = "deepmerge", specifier = "==2.0" },
     { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.2.1" },
+    { name = "django", specifier = "==5.1.9" },
     { name = "django-countries", specifier = "==7.6.1" },
     { name = "django-cte", specifier = "==1.3.3" },
     { name = "django-filter", specifier = "==25.1" },
@@ -303,7 +303,7 @@ requires-dist = [
     { name = "kubernetes", specifier = "==32.0.1" },
     { name = "ldap3", specifier = "==2.9.1" },
     { name = "lxml", specifier = "==5.4.0" },
-    { name = "msgraph-sdk", specifier = "==1.30.0" },
+    { name = "msgraph-sdk", specifier = "==1.31.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==25.0" },
     { name = "paramiko", specifier = "==3.5.1" },
@@ -979,16 +979,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "5.2.1"
+version = "5.1.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ac/10/0d546258772b8f31398e67c85e52c66ebc2b13a647193c3eef8ee433f1a8/django-5.2.1.tar.gz", hash = "sha256:57fe1f1b59462caed092c80b3dd324fd92161b620d59a9ba9181c34746c97284", size = 10818735, upload-time = "2025-05-07T14:06:17.543Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/08/2e6f05494b3fc0a3c53736846034f882b82ee6351791a7815bbb45715d79/django-5.1.9.tar.gz", hash = "sha256:565881bdd0eb67da36442e9ac788bda90275386b549070d70aee86327781a4fc", size = 10710887, upload-time = "2025-05-07T14:06:45.257Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/90/92/7448697b5838b3a1c6e1d2d6a673e908d0398e84dc4f803a2ce11e7ffc0f/django-5.2.1-py3-none-any.whl", hash = "sha256:a9b680e84f9a0e71da83e399f1e922e1ab37b2173ced046b541c72e1589a5961", size = 8301833, upload-time = "2025-05-07T14:06:10.955Z" },
+    { url = "https://files.pythonhosted.org/packages/e1/d1/d8b6b8250b84380d5a123e099ad3298a49407d81598faa13b43a2c6d96d7/django-5.1.9-py3-none-any.whl", hash = "sha256:2fd1d4a0a66a5ba702699eb692e75b0d828b73cc2f4e1fc4b6a854a918967411", size = 8277363, upload-time = "2025-05-07T14:06:37.426Z" },
 ]
 
 [[package]]
@@ -2066,7 +2066,7 @@ wheels = [
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.30.0"
+version = "1.31.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "azure-identity" },
@@ -2076,9 +2076,9 @@ dependencies = [
     { name = "microsoft-kiota-serialization-text" },
     { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e9/4a/4ff19671f6ea06f98fb2405f73a90350e4719ccc692e85e9e0c2fa066826/msgraph_sdk-1.30.0.tar.gz", hash = "sha256:59e30af6d7244c9009146d620c331e169701b651317746b16f561e2e2452e73f", size = 6608744, upload-time = "2025-05-13T13:09:12.594Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d3/1c/5afdf21f92840c7029f0fdb6c2ead7373b1fcdc3c4279fe556a2fc3702a2/msgraph_sdk-1.31.0.tar.gz", hash = "sha256:7ae5f29152251f61c1fc19cca6389dd03b0120b179ddf39d8ab8cdfed7952dba", size = 6626610, upload-time = "2025-05-20T13:15:08.062Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/70/95/451ec4db8a924274a1f7260809ea03fe9c2b446d84dc5238e92e49a1b522/msgraph_sdk-1.30.0-py3-none-any.whl", hash = "sha256:6748f5cdb5ddbcff9e4f3fb073dd0a604cb00e1cf285dd0fea6969c93ba8282f", size = 27140767, upload-time = "2025-05-13T13:09:07.718Z" },
+    { url = "https://files.pythonhosted.org/packages/d9/b9/099b28478575126ec26bd61ff0931fb291263ac813afb8baf4b4cc30c6fc/msgraph_sdk-1.31.0-py3-none-any.whl", hash = "sha256:bb2edfe17c377f37bbf2e155fc915171763d49e1cf93b665bafd721a85220dc5", size = 27185846, upload-time = "2025-05-20T13:15:05.307Z" },
 ]
 
 [[package]]

web/package.json

@@ -93,7 +93,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.4.1-1747687715",
+        "@goauthentik/api": "^2025.4.1-1748431399",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
         "@lit/reactive-element": "^2.0.4",
@@ -111,7 +111,7 @@
         "chartjs-adapter-date-fns": "^3.0.0",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
-        "core-js": "^3.38.1",
+        "core-js": "^3.42.0",
         "country-flag-icons": "^1.5.19",
         "date-fns": "^4.1.0",
         "deepmerge-ts": "^7.1.5",
@@ -152,6 +152,7 @@
         "@storybook/addon-essentials": "^8.6.14",
         "@storybook/addon-links": "^8.6.14",
         "@storybook/blocks": "^8.6.12",
+        "@storybook/channels": "^8.6.14",
         "@storybook/experimental-addon-test": "^8.6.14",
         "@storybook/manager-api": "^8.6.14",
         "@storybook/test": "^8.6.14",

web/packages/esbuild-plugin-live-reload/.github/README.md

@@ -0,0 +1,59 @@
+_An ESBuild development plugin that watches for file changes and triggers automatic browser refreshes._
+
+## Quick start
+
+```sh
+npm install -D @goauthentik/esbuild-plugin-live-reload
+# Or with Yarn:
+yarn add -D @goauthentik/esbuild-plugin-live-reload
+```
+
+### 1. Configure ESBuild
+
+```js
+import { liveReloadPlugin } from "@goauthentik/esbuild-plugin-live-reload";
+import esbuild from "esbuild";
+
+const NodeEnvironment = process.env.NODE_ENV || "development";
+
+/**
+ * @type {esbuild.BuildOptions}
+ */
+const buildOptions = {
+    // ... Your build options.
+    define: {
+        "process.env.NODE_ENV": JSON.stringify(NodeEnvironment),
+    },
+    plugins: [
+        /** @see {@link LiveReloadPluginOptions} */
+        liveReloadPlugin(),
+    ],
+};
+
+const buildContext = await esbuild.context(buildOptions);
+
+await buildContext.rebuild();
+await buildContext.watch();
+```
+
+### 2. Connect your browser
+
+Add the following import near the beginning of your application's entry point.
+
+```js
+if (process.env.NODE_ENV === "development") {
+    await import("@goauthentik/esbuild-plugin-live-reload/client");
+}
+```
+
+That's it! Your browser will now automatically refresh whenever ESBuild finishes rebuilding your code.
+
+## About authentik
+
+[authentik](https://goauthentik.io) is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0.
+
+We built this plugin to streamline our development workflow, and we're sharing it with the community. If you have any questions, feature requests, or bug reports, please [open an issue](https://github.com/goauthentik/authentik/issues/new/choose).
+
+## License
+
+This code is licensed under the [MIT License](https://www.tldrlegal.com/license/mit-license)

web/packages/esbuild-plugin-live-reload/.gitignore

@@ -0,0 +1,3 @@
+README.md
+node_modules
+_media

web/packages/esbuild-plugin-live-reload/.prettierignore

@@ -0,0 +1,3 @@
+node_modules
+./README.md
+out

web/packages/esbuild-plugin-live-reload/LICENSE.txt

@@ -0,0 +1,18 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Authentik Security, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
+OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

web/packages/esbuild-plugin-live-reload/README.md

@@ -1,40 +0,0 @@
-# `@goauthentik/esbuild-plugin-live-reload`
-
-_A plugin that enables live reloading of ESBuild during development._
-
-## Usage
-
-### Node.js setup
-
-```js
-import { liveReloadPlugin } from "@goauthentik/esbuild-plugin-live-reload";
-import esbuild from "esbuild";
-
-const NodeEnvironment = process.env.NODE_ENV || "development";
-
-/**
- * @type {esbuild.BuildOptions}
- */
-const buildOptions = {
-    // ... Your build options.
-    define: {
-        "process.env.NODE_ENV": JSON.stringify(NodeEnvironment),
-    },
-    plugins: [liveReloadPlugin(/** @see {@link LiveReloadPluginOptions} */)],
-};
-
-const buildContext = await esbuild.context(buildOptions);
-
-await buildContext.rebuild();
-await buildContext.watch();
-```
-
-### Browser setup
-
-```js
-// Place this at the beginning of your application's entry point.
-
-if (process.env.NODE_ENV === "development") {
-    await import("@goauthentik/esbuild-plugin-live-reload/client");
-}
-```

web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js

@@ -28,6 +28,8 @@ const log = console.debug.bind(console, logPrefix);
  * ```
  *
  * @implements {Disposable}
+ * @category Plugin
+ * runtime browser
  */
 export class ESBuildObserver extends EventSource {
     /**

web/packages/esbuild-plugin-live-reload/index.js

@@ -1,2 +1,6 @@
+/**
+ * @remarks Live reload plugin for ESBuild.
+ */
+
 export * from "./client/index.js";
 export * from "./plugin/index.js";

web/packages/esbuild-plugin-live-reload/package-lock.json

@@ -19,6 +19,8 @@
                 "esbuild": "^0.25.4",
                 "prettier": "^3.5.3",
                 "prettier-plugin-packagejson": "^2.5.14",
+                "typedoc": "^0.28.5",
+                "typedoc-plugin-markdown": "^4.6.3",
                 "typescript": "^5.8.3"
             },
             "engines": {
@@ -569,6 +571,20 @@
                 "node": ">=18"
             }
         },
+        "node_modules/@gerrit0/mini-shiki": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@gerrit0/mini-shiki/-/mini-shiki-3.4.2.tgz",
+            "integrity": "sha512-3jXo5bNjvvimvdbIhKGfFxSnKCX+MA8wzHv55ptzk/cx8wOzT+BRcYgj8aFN3yTiTs+zvQQiaZFr7Jce1ZG3fw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/engine-oniguruma": "^3.4.2",
+                "@shikijs/langs": "^3.4.2",
+                "@shikijs/themes": "^3.4.2",
+                "@shikijs/types": "^3.4.2",
+                "@shikijs/vscode-textmate": "^10.0.2"
+            }
+        },
         "node_modules/@goauthentik/prettier-config": {
             "version": "1.0.5",
             "resolved": "https://registry.npmjs.org/@goauthentik/prettier-config/-/prettier-config-1.0.5.tgz",
@@ -659,6 +675,55 @@
                 "url": "https://opencollective.com/pkgr"
             }
         },
+        "node_modules/@shikijs/engine-oniguruma": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-3.4.2.tgz",
+            "integrity": "sha512-zcZKMnNndgRa3ORja6Iemsr3DrLtkX3cAF7lTJkdMB6v9alhlBsX9uNiCpqofNrXOvpA3h6lHcLJxgCIhVOU5Q==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2",
+                "@shikijs/vscode-textmate": "^10.0.2"
+            }
+        },
+        "node_modules/@shikijs/langs": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-3.4.2.tgz",
+            "integrity": "sha512-H6azIAM+OXD98yztIfs/KH5H4PU39t+SREhmM8LaNXyUrqj2mx+zVkr8MWYqjceSjDw9I1jawm1WdFqU806rMA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2"
+            }
+        },
+        "node_modules/@shikijs/themes": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-3.4.2.tgz",
+            "integrity": "sha512-qAEuAQh+brd8Jyej2UDDf+b4V2g1Rm8aBIdvt32XhDPrHvDkEnpb7Kzc9hSuHUxz0Iuflmq7elaDuQAP9bHIhg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2"
+            }
+        },
+        "node_modules/@shikijs/types": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-3.4.2.tgz",
+            "integrity": "sha512-zHC1l7L+eQlDXLnxvM9R91Efh2V4+rN3oMVS2swCBssbj2U/FBwybD1eeLaq8yl/iwT+zih8iUbTBCgGZOYlVg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/vscode-textmate": "^10.0.2",
+                "@types/hast": "^3.0.4"
+            }
+        },
+        "node_modules/@shikijs/vscode-textmate": {
+            "version": "10.0.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/vscode-textmate/-/vscode-textmate-10.0.2.tgz",
+            "integrity": "sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/@trivago/prettier-plugin-sort-imports": {
             "version": "5.2.2",
             "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-5.2.2.tgz",
@@ -694,6 +759,16 @@
                 }
             }
         },
+        "node_modules/@types/hast": {
+            "version": "3.0.4",
+            "resolved": "https://registry.npmjs.org/@types/hast/-/hast-3.0.4.tgz",
+            "integrity": "sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@types/unist": "*"
+            }
+        },
         "node_modules/@types/node": {
             "version": "22.15.21",
             "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.21.tgz",
@@ -704,6 +779,37 @@
                 "undici-types": "~6.21.0"
             }
         },
+        "node_modules/@types/unist": {
+            "version": "3.0.3",
+            "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
+            "integrity": "sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==",
+            "dev": true,
+            "license": "MIT"
+        },
+        "node_modules/argparse": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+            "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+            "dev": true,
+            "license": "Python-2.0"
+        },
+        "node_modules/balanced-match": {
+            "version": "1.0.2",
+            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+            "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+            "dev": true,
+            "license": "MIT"
+        },
+        "node_modules/brace-expansion": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+            "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "balanced-match": "^1.0.0"
+            }
+        },
         "node_modules/debug": {
             "version": "4.4.1",
             "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
@@ -745,6 +851,19 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
+        "node_modules/entities": {
+            "version": "4.5.0",
+            "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+            "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+            "dev": true,
+            "license": "BSD-2-Clause",
+            "engines": {
+                "node": ">=0.12"
+            },
+            "funding": {
+                "url": "https://github.com/fb55/entities?sponsor=1"
+            }
+        },
         "node_modules/esbuild": {
             "version": "0.25.4",
             "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.4.tgz",
@@ -865,6 +984,16 @@
                 "node": ">=6"
             }
         },
+        "node_modules/linkify-it": {
+            "version": "5.0.0",
+            "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
+            "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "uc.micro": "^2.0.0"
+            }
+        },
         "node_modules/lodash": {
             "version": "4.17.21",
             "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
@@ -872,6 +1001,54 @@
             "dev": true,
             "license": "MIT"
         },
+        "node_modules/lunr": {
+            "version": "2.3.9",
+            "resolved": "https://registry.npmjs.org/lunr/-/lunr-2.3.9.tgz",
+            "integrity": "sha512-zTU3DaZaF3Rt9rhN3uBMGQD3dD2/vFQqnvZCDv4dl5iOzq2IZQqTxu90r4E5J+nP70J3ilqVCrbho2eWaeW8Ow==",
+            "dev": true,
+            "license": "MIT"
+        },
+        "node_modules/markdown-it": {
+            "version": "14.1.0",
+            "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
+            "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "argparse": "^2.0.1",
+                "entities": "^4.4.0",
+                "linkify-it": "^5.0.0",
+                "mdurl": "^2.0.0",
+                "punycode.js": "^2.3.1",
+                "uc.micro": "^2.1.0"
+            },
+            "bin": {
+                "markdown-it": "bin/markdown-it.mjs"
+            }
+        },
+        "node_modules/mdurl": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
+            "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
+            "dev": true,
+            "license": "MIT"
+        },
+        "node_modules/minimatch": {
+            "version": "9.0.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+            "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+            "dev": true,
+            "license": "ISC",
+            "dependencies": {
+                "brace-expansion": "^2.0.1"
+            },
+            "engines": {
+                "node": ">=16 || 14 >=14.17"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/isaacs"
+            }
+        },
         "node_modules/ms": {
             "version": "2.1.3",
             "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -950,6 +1127,16 @@
                 }
             }
         },
+        "node_modules/punycode.js": {
+            "version": "2.3.1",
+            "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
+            "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=6"
+            }
+        },
         "node_modules/semver": {
             "version": "7.7.2",
             "dev": true,
@@ -1016,6 +1203,43 @@
                 "url": "https://github.com/sponsors/SuperchupuDev"
             }
         },
+        "node_modules/typedoc": {
+            "version": "0.28.5",
+            "resolved": "https://registry.npmjs.org/typedoc/-/typedoc-0.28.5.tgz",
+            "integrity": "sha512-5PzUddaA9FbaarUzIsEc4wNXCiO4Ot3bJNeMF2qKpYlTmM9TTaSHQ7162w756ERCkXER/+o2purRG6YOAv6EMA==",
+            "dev": true,
+            "license": "Apache-2.0",
+            "dependencies": {
+                "@gerrit0/mini-shiki": "^3.2.2",
+                "lunr": "^2.3.9",
+                "markdown-it": "^14.1.0",
+                "minimatch": "^9.0.5",
+                "yaml": "^2.7.1"
+            },
+            "bin": {
+                "typedoc": "bin/typedoc"
+            },
+            "engines": {
+                "node": ">= 18",
+                "pnpm": ">= 10"
+            },
+            "peerDependencies": {
+                "typescript": "5.0.x || 5.1.x || 5.2.x || 5.3.x || 5.4.x || 5.5.x || 5.6.x || 5.7.x || 5.8.x"
+            }
+        },
+        "node_modules/typedoc-plugin-markdown": {
+            "version": "4.6.3",
+            "resolved": "https://registry.npmjs.org/typedoc-plugin-markdown/-/typedoc-plugin-markdown-4.6.3.tgz",
+            "integrity": "sha512-86oODyM2zajXwLs4Wok2mwVEfCwCnp756QyhLGX2IfsdRYr1DXLCgJgnLndaMUjJD7FBhnLk2okbNE9PdLxYRw==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 18"
+            },
+            "peerDependencies": {
+                "typedoc": "0.28.x"
+            }
+        },
         "node_modules/typescript": {
             "version": "5.8.3",
             "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
@@ -1030,10 +1254,30 @@
                 "node": ">=14.17"
             }
         },
+        "node_modules/uc.micro": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
+            "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/undici-types": {
             "version": "6.21.0",
             "dev": true,
             "license": "MIT"
+        },
+        "node_modules/yaml": {
+            "version": "2.8.0",
+            "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.0.tgz",
+            "integrity": "sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==",
+            "dev": true,
+            "license": "ISC",
+            "bin": {
+                "yaml": "bin.mjs"
+            },
+            "engines": {
+                "node": ">= 14.6"
+            }
         }
     }
 }

web/packages/esbuild-plugin-live-reload/package.json

@@ -1,10 +1,14 @@
 {
     "name": "@goauthentik/esbuild-plugin-live-reload",
     "version": "1.0.5",
-    "description": "ESBuild plugin to watch for file changes and trigger client-side reloads.",
+    "description": "ESBuild + browser refresh. Build completes, page reloads.",
     "license": "MIT",
     "scripts": {
-        "build": "tsc -p ."
+        "build": "npm run build:types && npm run build:docs",
+        "build:docs": "typedoc",
+        "build:types": "tsc -p .",
+        "prettier": "prettier --cache --write -u .",
+        "prettier-check": "prettier --cache --check -u ."
     },
     "main": "index.js",
     "type": "module",
@@ -34,6 +38,8 @@
         "esbuild": "^0.25.4",
         "prettier": "^3.5.3",
         "prettier-plugin-packagejson": "^2.5.14",
+        "typedoc": "^0.28.5",
+        "typedoc-plugin-markdown": "^4.6.3",
         "typescript": "^5.8.3"
     },
     "peerDependencies": {
@@ -42,6 +48,19 @@
     "engines": {
         "node": ">=22"
     },
+    "keywords": [
+        "esbuild",
+        "live-reload",
+        "browser",
+        "refresh",
+        "reload",
+        "authentik"
+    ],
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/goauthentik/authentik.git",
+        "directory": "web/packages/esbuild-plugin-live-reload"
+    },
     "types": "./out/index.d.ts",
     "files": [
         "./index.js",

web/packages/esbuild-plugin-live-reload/plugin/index.js

@@ -7,12 +7,18 @@
  */
 import { findFreePorts } from "find-free-ports";
 import * as http from "node:http";
-import * as path from "node:path";
+import { resolve as resolvePath } from "node:path";
 
 /**
  * Serializes a custom event to a text stream.
+ *
  * @param {Event} event
  * @returns {string}
+ *
+ * @category Server API
+ * @ignore
+ * @internal
+ * @runtime node
  */
 export function serializeCustomEventToStream(event) {
     // @ts-expect-error - TS doesn't know about the detail property
@@ -54,17 +60,26 @@ async function findDisparatePort() {
  * @property {string} pathname
  * @property {EventTarget} dispatcher
  * @property {string} [logPrefix]
+ *
+ * @category Server API
+ * @runtime node
  */
 
 /**
  * @typedef {(req: http.IncomingMessage, res: http.ServerResponse) => void} RequestHandler
+ *
+ * @category Server API
+ * @runtime node
  */
 
 /**
  * Create an event request handler.
+ *
  * @param {EventServerInit} options
  * @returns {RequestHandler}
- * @category ESBuild
+ *
+ * @category Server API
+ * @runtime node
  */
 export function createRequestHandler({ pathname, dispatcher, logPrefix = "Build Observer" }) {
     const log = console.log.bind(console, `[${logPrefix}]`);
@@ -129,6 +144,9 @@ export function createRequestHandler({ pathname, dispatcher, logPrefix = "Build
 /**
  * Options for the build observer plugin.
  *
+ * @category Plugin API
+ * @runtime node
+ *
  * @typedef {object} LiveReloadPluginOptions
  *
  * @property {HTTPServer | HTTPSServer} [server] A server to listen on. If not provided, a new server will be created.
@@ -141,8 +159,7 @@ export function createRequestHandler({ pathname, dispatcher, logPrefix = "Build
 /**
  * Creates a plugin that listens for build events and sends them to a server-sent event stream.
  *
- * @param {
+ * @param {LiveReloadPluginOptions} [options]
- * } [options]
  * @returns {import('esbuild').Plugin}
  */
 export function liveReloadPlugin(options = {}) {
@@ -234,7 +251,7 @@ export function liveReloadPlugin(options = {}) {
                             location: error.location
                                 ? {
                                       ...error.location,
-                                      file: path.resolve(relativeRoot, error.location.file),
+                                      file: resolvePath(relativeRoot, error.location.file),
                                   }
                                 : null,
                         })),

web/packages/esbuild-plugin-live-reload/tsconfig.json

@@ -6,5 +6,9 @@
         "baseUrl": ".",
         "checkJs": true,
         "emitDeclarationOnly": true
-    }
+    },
+    "exclude": [
+        // ---
+        "**/out/**/*"
+    ]
 }

web/packages/esbuild-plugin-live-reload/typedoc.json

@@ -0,0 +1,66 @@
+{
+    "$schema": "https://typedoc-plugin-markdown.org/schema.json",
+    "entryPoints": ["./plugin/index.js"],
+    "plugin": ["typedoc-plugin-markdown"],
+    "name": "ESBuild Plugin Live Reload",
+    "formatWithPrettier": true,
+    "prettierConfigFile": "@goauthentik/prettier-config",
+    "flattenOutputFiles": true,
+    "readme": ".github/README.md",
+    "mergeReadme": true,
+    "enumMembersFormat": "table",
+    "parametersFormat": "table",
+    "interfacePropertiesFormat": "table",
+    "typeDeclarationFormat": "table",
+    "indexFormat": "table",
+    "router": "module",
+    "jsDocCompatibility": true,
+    "defaultCategory": "Plugin API",
+    "disableSources": true,
+    "out": ".",
+    "cleanOutputDir": false,
+    "blockTags": [
+        "@runtime",
+        "@file",
+        "@defaultValue",
+        "@deprecated",
+        "@example",
+        "@param",
+        "@privateRemarks",
+        "@remarks",
+        "@returns",
+        "@see",
+        "@throws",
+        "@typeParam",
+        "@author",
+        "@callback",
+        "@category",
+        "@categoryDescription",
+        "@default",
+        "@document",
+        "@extends",
+        "@augments",
+        "@yields",
+        "@group",
+        "@groupDescription",
+        "@import",
+        "@inheritDoc",
+        "@jsx",
+        "@license",
+        "@module",
+        "@mergeModuleWith",
+        "@prop",
+        "@property",
+        "@return",
+        "@satisfies",
+        "@since",
+        "@template",
+        "@type",
+        "@typedef",
+        "@summary",
+        "@preventInline",
+        "@inlineType",
+        "@preventExpand",
+        "@expandType"
+    ]
+}

web/scripts/build-web.mjs

@@ -6,7 +6,6 @@
  */
 import { mdxPlugin } from "#bundler/mdx-plugin/node";
 import { createBundleDefinitions } from "#bundler/utils/node";
-import { DistDirectoryName } from "#paths";
 import { DistDirectory, EntryPoint, PackageRoot } from "#paths/node";
 import { NodeEnvironment } from "@goauthentik/core/environment/node";
 import { MonoRepoRoot, resolvePackage } from "@goauthentik/core/paths/node";
@@ -29,7 +28,6 @@ const BASE_ESBUILD_OPTIONS = {
     entryNames: `[dir]/[name]-${readBuildIdentifier()}`,
     chunkNames: "[dir]/chunks/[hash]",
     assetNames: "assets/[dir]/[name]-[hash]",
-    publicPath: path.join("/static", DistDirectoryName),
     outdir: DistDirectory,
     bundle: true,
     write: true,

web/src/admin/common/ak-license-notice.ts

@@ -1,3 +1,4 @@
+import { $PFBase } from "#common/theme";
 import { WithLicenseSummary } from "#elements/mixins/license";
 import "@goauthentik/elements/Alert";
 import { AKElement } from "@goauthentik/elements/Base";
@@ -8,6 +9,8 @@ import { customElement, property } from "lit/decorators.js";
 
 @customElement("ak-license-notice")
 export class AkLicenceNotice extends WithLicenseSummary(AKElement) {
+    static styles = [$PFBase];
+
     @property()
     notice = msg("Enterprise only");
 

web/src/admin/flows/BoundStagesList.ts

@@ -1,5 +1,6 @@
 import "@goauthentik/admin/flows/StageBindingForm";
 import "@goauthentik/admin/policies/BoundPoliciesList";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/stages/StageWizard";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/Tabs";
@@ -14,7 +15,11 @@ import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import { FlowStageBinding, FlowsApi } from "@goauthentik/api";
+import {
+    FlowStageBinding,
+    FlowsApi,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-bound-stages-list")
 export class BoundStagesList extends Table<FlowStageBinding> {
@@ -99,7 +104,12 @@ export class BoundStagesList extends Table<FlowStageBinding> {
                     <button slot="trigger" class="pf-c-button pf-m-secondary">
                         ${msg("Edit Binding")}
                     </button>
-                </ak-forms-modal>`,
+                </ak-forms-modal>
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.AuthentikFlowsFlowstagebinding}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>`,
         ];
     }
 

web/src/admin/policies/BoundPoliciesList.ts

@@ -6,6 +6,7 @@ import {
     PolicyBindingCheckTarget,
     PolicyBindingCheckTargetToLabel,
 } from "@goauthentik/admin/policies/utils";
+import "@goauthentik/admin/rbac/ObjectPermissionModal";
 import "@goauthentik/admin/users/UserForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PFSize } from "@goauthentik/common/enums.js";
@@ -22,7 +23,11 @@ import { TemplateResult, html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import { PoliciesApi, PolicyBinding } from "@goauthentik/api";
+import {
+    PoliciesApi,
+    PolicyBinding,
+    RbacPermissionsAssignedByUsersListModelEnum,
+} from "@goauthentik/api";
 
 @customElement("ak-bound-policies-list")
 export class BoundPoliciesList extends Table<PolicyBinding> {
@@ -178,7 +183,12 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
                     <button slot="trigger" class="pf-c-button pf-m-secondary">
                         ${msg("Edit Binding")}
                     </button>
-                </ak-forms-modal>`,
+                </ak-forms-modal>
+                <ak-rbac-object-permission-modal
+                    model=${RbacPermissionsAssignedByUsersListModelEnum.AuthentikPoliciesPolicybinding}
+                    objectPk=${item.pk}
+                >
+                </ak-rbac-object-permission-modal>`,
         ];
     }
 

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -148,6 +148,26 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                     <span class="pf-c-switch__label">${msg("Sync groups")}</span>
                 </label>
             </ak-form-element-horizontal>
+            <ak-form-element-horizontal name="deleteNotFoundObjects">
+                <label class="pf-c-switch">
+                    <input
+                        class="pf-c-switch__input"
+                        type="checkbox"
+                        ?checked=${this.instance?.deleteNotFoundObjects ?? false}
+                    />
+                    <span class="pf-c-switch__toggle">
+                        <span class="pf-c-switch__toggle-icon">
+                            <i class="fas fa-check" aria-hidden="true"></i>
+                        </span>
+                    </span>
+                    <span class="pf-c-switch__label">${msg("Delete Not Found Objects")}</span>
+                </label>
+                <p class="pf-c-form__helper-text">
+                    ${msg(
+                        "Delete authentik users and groups which were previously supplied by this source, but are now missing from it.",
+                    )}
+                </p>
+            </ak-form-element-horizontal>
             <ak-form-group .expanded=${true}>
                 <span slot="header"> ${msg("Connection settings")} </span>
                 <div slot="body" class="pf-c-form">

web/src/common/errors/network.ts

@@ -57,6 +57,19 @@ export function isAbortError(error: unknown): error is AbortErrorLike {
     return error instanceof DOMException && error.name === "AbortError";
 }
 
+/**
+ * Type predicate to check if an error originates from an aborted request.
+ *
+ * @see {@linkcode isAbortError} for the underlying implementation.
+ */
+export function isCausedByAbortError(error: unknown): error is AbortErrorLike {
+    return (
+        error instanceof Error &&
+        // ---
+        (isAbortError(error) || isAbortError(error.cause))
+    );
+}
+
 //#endregion
 
 //#region API

web/src/elements/AuthenticatedInterface.ts

@@ -1,5 +1,5 @@
 import { Interface } from "#elements/Interface";
-import { LicenseContextController } from "#elements/controllers/EnterpriseContextController";
+import { LicenseContextController } from "#elements/controllers/LicenseContextController";
 import { VersionContextController } from "#elements/controllers/VersionContextController";
 
 export class AuthenticatedInterface extends Interface {