web: update the type names for routes.

While writing up the commit message for the previous commit, I realized that I didn't really like the typenames as they're outlaid in `routeUtils`. This is much more explicit, describing the four types of routes we have: ListRoute, ViewRoute, InternalRedirect, ExternalRedirect.
web: remove a lot of duplication from the Routes
2024-03-14 14:40:19 -07:00 · 2024-03-14 14:19:41 -07:00 · 2024-03-14 10:35:46 -07:00 · 2024-03-14 08:14:43 -07:00 · 2024-03-13 14:05:11 -07:00 · 2024-03-12 13:31:35 -07:00
1482 changed files with 26348 additions and 107655 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.3
+current_version = 2024.2.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,14 +17,10 @@ optional_value = final
 [bumpversion:file:pyproject.toml]
 [bumpversion:file:package.json]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
 [bumpversion:file:blueprints/schema.json]
 [bumpversion:file:authentik/__init__.py]
 [bumpversion:file:internal/constants/constants.go]
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1 +1 @@
-custom: https://goauthentik.io/pricing/
+github: [BeryJu]
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -54,10 +54,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
+            image:
-                image:
+                repository: ghcr.io/goauthentik/dev-server
-                    repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
                    tag: ${{ inputs.tag }}
            ```
            For arm64, use these values:
@ -66,10 +65,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
+            image:
-                image:
+                repository: ghcr.io/goauthentik/dev-server
-                    repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
                    tag: ${{ inputs.tag }}-arm64
            ```
            Afterwards, run the upgrade commands from the latest release notes.
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -29,15 +29,9 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
  imageNames:
    description: "Docker image names"
    value: ${{ steps.ev.outputs.imageNames }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
 runs:
  using: "composite"
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -7,12 +7,12 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
-should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
+should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
    branch_name = os.environ["GITHUB_HEAD_REF"]
-safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
+safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
 image_names = os.getenv("IMAGE_NAME").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None
@ -50,16 +50,13 @@ else:
            f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
        ]
-image_main_tag = image_tags[0].split(":")[-1]
+image_main_tag = image_tags[0]
 image_tags_rendered = ",".join(image_tags)
 image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldBuild={should_build}", file=_output)
+    print("shouldBuild=%s" % should_build, file=_output)
-    print(f"sha={sha}", file=_output)
+    print("sha=%s" % sha, file=_output)
-    print(f"version={version}", file=_output)
+    print("version=%s" % version, file=_output)
-    print(f"prerelease={prerelease}", file=_output)
+    print("prerelease=%s" % prerelease, file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
+    print("imageTags=%s" % image_tags_rendered, file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
+    print("imageMainTag=%s" % image_main_tag, file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -16,25 +16,25 @@ runs:
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
    - name: Setup python and restore poetry
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@v4
      with:
        python-version-file: "pyproject.toml"
        cache: "poetry"
    - name: Setup node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v3
      with:
        node-version-file: web/package.json
        cache: "npm"
        cache-dependency-path: web/package-lock.json
    - name: Setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
      with:
        go-version-file: "go.mod"
    - name: Setup dependencies
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
        poetry install
        cd web && npm ci
    - name: Generate config
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -1,3 +1,5 @@
 version: "3.7"
 services:
  postgresql:
    image: docker.io/library/postgres:${PSQL_TAG:-16}
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@ -4,4 +4,3 @@ hass
 warmup
 ontext
 singed
 assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -21,10 +21,7 @@ updates:
    labels:
      - dependencies
  - package-ecosystem: npm
-    directories:
+    directory: "/web"
      - "/web"
      - "/tests/wdio"
      - "/web/sfe"
    schedule:
      interval: daily
      time: "04:00"
@ -33,6 +30,7 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
@ -58,6 +56,38 @@ updates:
        patterns:
          - "@rollup/*"
          - "rollup-*"
  - package-ecosystem: npm
    directory: "/tests/wdio"
    schedule:
      interval: daily
      time: "04:00"
    labels:
      - dependencies
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
          - "@sentry/*"
          - "@spotlightjs/*"
      babel:
        patterns:
          - "@babel/*"
          - "babel-*"
      eslint:
        patterns:
          - "@typescript-eslint/*"
          - "eslint"
          - "eslint-*"
      storybook:
        patterns:
          - "@storybook/*"
          - "*storybook*"
      esbuild:
        patterns:
          - "@esbuild/*"
      wdio:
        patterns:
          - "@wdio/*"
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -1,65 +0,0 @@
 name: authentik-api-py-publish
 on:
  push:
    branches: [main]
    paths:
      - "schema.yml"
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Install poetry & deps
        shell: bash
        run: |
          pipx install poetry || true
          sudo apt-get update
          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
      - name: Setup python and restore poetry
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
        working-directory: gen-py-api/
        run: |
          poetry build
      - name: Publish package to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: gen-py-api/dist/
      # We can't easily upgrade the API client being used due to poetry being poetry
      # so we'll have to rely on dependabot
      # - name: Upgrade /
      #   run: |
      #     export VERSION=$(cd gen-py-api && poetry version -s)
      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
      # - uses: peter-evans/create-pull-request@v6
      #   id: cpr
      #   with:
      #     token: ${{ steps.generate_token.outputs.token }}
      #     branch: update-root-api-client
      #     commit-message: "root: bump API Client version"
      #     title: "root: bump API Client version"
      #     body: "root: bump API Client version"
      #     delete-branch: true
      #     signoff: true
      #     # ID from https://api.github.com/users/authentik-automation[bot]
      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
      # - uses: peter-evans/enable-pull-request-automerge@v3
      #   with:
      #     token: ${{ steps.generate_token.outputs.token }}
      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
      #     merge-method: squash
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -7,6 +7,8 @@ on:
      - main
      - next
      - version-*
    paths-ignore:
      - website/**
  pull_request:
    branches:
      - main
@ -50,6 +52,7 @@ jobs:
      fail-fast: false
      matrix:
        psql:
          - 12-alpine
          - 15-alpine
          - 16-alpine
    steps:
@ -103,6 +106,7 @@ jobs:
      fail-fast: false
      matrix:
        psql:
          - 12-alpine
          - 15-alpine
          - 16-alpine
    steps:
@ -128,7 +132,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.10.0
+        uses: helm/kind-action@v1.9.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
@ -158,8 +162,6 @@ jobs:
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
          - name: radius
            glob: tests/e2e/test_provider_radius*
          - name: scim
            glob: tests/e2e/test_source_scim*
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
@ -168,7 +170,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d
+          docker-compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v4
        with:
@ -213,16 +215,13 @@ jobs:
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -243,8 +242,7 @@ jobs:
      - name: generate ts client
        run: make gen-client-ts
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        id: push
        with:
          context: .
          secrets: |
@ -254,16 +252,9 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
+          cache-from: type=gha
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: type=gha,mode=max
          platforms: linux/${{ matrix.arch }}
      - uses: actions/attest-build-provenance@v1
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.imageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  pr-comment:
    needs:
      - build
@ -285,7 +276,6 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: ./.github/actions/comment-pr-instructions
        with:
-          tag: ${{ steps.ev.outputs.imageMainTag }}
+          tag: gh-${{ steps.ev.outputs.imageMainTag }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v4
        with:
          version: v1.54.2
          args: --timeout 5000s --verbose
@ -71,15 +71,12 @@ jobs:
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -99,8 +96,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: Build Docker Image
-        id: push
+        uses: docker/build-push-action@v5
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
@ -109,15 +105,8 @@ jobs:
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
+          cache-from: type=gha
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-to: type=gha,mode=max
      - uses: actions/attest-build-provenance@v1
        id: attest
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.imageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-binary:
    timeout-minutes: 120
    needs:
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -12,29 +12,14 @@ on:
      - version-*
 jobs:
-  lint:
+  lint-eslint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - lint
          - lint:lockfile
          - tsc
          - prettier-check
        project:
          - web
          - tests/wdio
        include:
          - command: tsc
            project: web
          - command: lit-analyse
            project: web
        exclude:
          - command: lint:lockfile
            project: tests/wdio
          - command: tsc
            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -43,17 +28,77 @@ jobs:
          cache: "npm"
          cache-dependency-path: ${{ matrix.project }}/package-lock.json
      - working-directory: ${{ matrix.project }}/
-        run: |
+        run: npm ci
          npm ci
          ${{ matrix.extra_setup }}
      - name: Generate API
        run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
  lint-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
      - name: Generate API
        run: make gen-client-ts
      - name: TSC
        working-directory: web/
        run: npm run tsc
  lint-prettier:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        project:
          - web
          - tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: ${{ matrix.project }}/package.json
          cache: "npm"
          cache-dependency-path: ${{ matrix.project }}/package-lock.json
      - working-directory: ${{ matrix.project }}/
        run: npm ci
      - name: Generate API
        run: make gen-client-ts
      - name: prettier
        working-directory: ${{ matrix.project }}/
        run: npm run prettier-check
  lint-lit-analyse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: |
          npm ci
          # lit-analyse doesn't understand path rewrites, so make it
          # belive it's an actual module
          cd node_modules/@goauthentik
          ln -s ../../src/ web
      - name: Generate API
        run: make gen-client-ts
      - name: lit-analyse
        working-directory: web/
        run: npm run lit-analyse
  ci-web-mark:
    needs:
-      - lint
+      - lint-eslint
      - lint-prettier
      - lint-lit-analyse
      - lint-build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -75,21 +120,3 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
  test:
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
      - name: Generate API
        run: make gen-client-ts
      - name: test
        working-directory: web/
        run: npm run test
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -12,21 +12,20 @@ on:
      - version-*
 jobs:
-  lint:
+  lint-prettier:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - lint:lockfile
          - prettier-check
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
-      - name: Lint
+      - name: prettier
        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
  test:
    runs-on: ubuntu-latest
    steps:
@ -63,7 +62,7 @@ jobs:
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    needs:
-      - lint
+      - lint-prettier
      - test
      - build
    runs-on: ubuntu-latest
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -1,43 +0,0 @@
 name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
    - cron: '30 1 1,15 * *'
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v6
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: update-fido-mds-client
          commit-message: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
          title: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
          body: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
          delete-branch: true
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
          merge-method: squash
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -11,13 +11,10 @@ jobs:
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -43,8 +40,7 @@ jobs:
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        id: push
        with:
          context: .
          push: true
@ -53,20 +49,11 @@ jobs:
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/amd64,linux/arm64
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.imageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload contianer images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
@ -81,7 +68,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -107,20 +94,13 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        id: push
        with:
          push: true
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.imageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
@ -175,12 +155,12 @@ jobs:
      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
-          docker compose pull -q
+          docker-compose pull -q
-          docker compose up --no-start
+          docker-compose up --no-start
-          docker compose start postgresql redis
+          docker-compose start postgresql redis
-          docker compose run -u root server test-all
+          docker-compose run -u root server test-all
  sentry-release:
    needs:
      - build-server
@ -198,8 +178,8 @@ jobs:
          image-name: ghcr.io/goauthentik/server
      - name: Get static files from docker image
        run: |
-          docker pull ${{ steps.ev.outputs.imageMainName }}
+          docker pull ${{ steps.ev.outputs.imageMainTag }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
+          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
        uses: getsentry/action-release@v1
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,16 +14,16 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
          docker build -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
-          docker compose up --no-start
+          docker-compose up --no-start
-          docker compose start postgresql redis
+          docker-compose start postgresql redis
-          docker compose run -u root server test-all
+          docker-compose run -u root server test-all
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -23,7 +23,7 @@ jobs:
          repo-token: ${{ steps.generate_token.outputs.token }}
          days-before-stale: 60
          days-before-close: 7
-          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
+          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question
          stale-issue-label: wontfix
          stale-issue-message: >
            This issue has been automatically marked as stale because it has not had
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: authentik-web-api-publish
 on:
  push:
    branches: [main]
@ -31,12 +31,7 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
-        working-directory: web
+        working-directory: web/
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
      - name: Upgrade /web/packages/sfe
        working-directory: web/packages/sfe
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -16,6 +16,6 @@
        "ms-python.black-formatter",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -22,6 +22,6 @@
            },
            "justMyCode": true,
            "django": true
-        }
+        },
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -4,35 +4,33 @@
        "asgi",
        "authentik",
        "authn",
        "entra",
        "goauthentik",
        "jwks",
        "kubernetes",
        "oidc",
        "openid",
        "passwordless",
        "plex",
        "saml",
        "scim",
        "slo",
        "sso",
        "totp",
        "webauthn",
        "traefik",
-        "webauthn"
+        "passwordless",
        "kubernetes",
        "sso",
        "slo",
        "scim",
    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
        "!Condition sequence",
        "!Context scalar",
        "!Enumerate sequence",
        "!Env scalar",
        "!Find sequence",
        "!Format sequence",
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar"
+        "!Context scalar",
        "!Context sequence",
        "!Format sequence",
        "!Condition sequence",
        "!Env sequence",
        "!Env scalar",
        "!If sequence"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
@ -49,7 +47,9 @@
            "ignoreCase": false
        }
    ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
        "-count=1"
    ],
    "github-actions.workflows.pinned.workflows": [
        ".github/workflows/ci-main.yml"
    ]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -2,67 +2,85 @@
    "version": "2.0.0",
    "tasks": [
        {
-            "label": "authentik/core: make",
+            "label": "authentik[core]: format & test",
            "command": "poetry",
-            "args": ["run", "make", "lint-fix", "lint"],
+            "args": [
-            "presentation": {
+                "run",
-                "panel": "new"
+                "make"
-            },
+            ],
-            "group": "test"
+            "group": "build",
        },
        {
-            "label": "authentik/core: run",
+            "label": "authentik[core]: run",
            "command": "poetry",
-            "args": ["run", "ak", "server"],
+            "args": [
                "run",
                "make",
                "run",
            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
-            }
+            },
        },
        {
-            "label": "authentik/web: make",
+            "label": "authentik[web]: format",
            "command": "make",
            "args": ["web"],
-            "group": "build"
+            "group": "build",
        },
        {
-            "label": "authentik/web: watch",
+            "label": "authentik[web]: watch",
            "command": "make",
            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
-            }
+            },
        },
        {
            "label": "authentik: install",
            "command": "make",
-            "args": ["install", "-j4"],
+            "args": ["install"],
-            "group": "build"
+            "group": "build",
        },
        {
-            "label": "authentik/website: make",
+            "label": "authentik: i18n-extract",
            "command": "poetry",
            "args": [
                "run",
                "make",
                "i18n-extract"
            ],
            "group": "build",
        },
        {
            "label": "authentik[website]: format",
            "command": "make",
            "args": ["website"],
-            "group": "build"
+            "group": "build",
        },
        {
-            "label": "authentik/website: watch",
+            "label": "authentik[website]: watch",
            "command": "make",
            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
-            }
+            },
        },
        {
-            "label": "authentik/api: generate",
+            "label": "authentik[api]: generate",
            "command": "poetry",
-            "args": ["run", "make", "gen"],
+            "args": [
                "run",
                "make",
                "gen"
            ],
            "group": "build"
-        }
+        },
    ]
 }
--- a/43
+++ b/43
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 ENV NODE_ENV=production
@ -20,22 +20,17 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 WORKDIR /work/web
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
@ -43,7 +38,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.1-bookworm AS go-builder
 ARG TARGETOS
 ARG TARGETARCH
@ -54,11 +49,6 @@ ARG GOARCH=$TARGETARCH
 WORKDIR /go/src/goauthentik.io
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    dpkg --add-architecture arm64 && \
    apt-get update && \
    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
 RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
    --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
    --mount=type=cache,target=/go/pkg/mod \
@ -73,17 +63,17 @@ COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
 ENV CGO_ENABLED=0
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.1 as geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
-ENV GEOIPUPDATE_VERBOSE="1"
+ENV GEOIPUPDATE_VERBOSE="true"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
@ -94,7 +84,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM docker.io/python:3.12.2-slim-bookworm AS python-deps
 WORKDIR /ak-root/poetry
@ -107,7 +97,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@ -115,13 +105,12 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=cache,target=/root/.cache/pypoetry \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
+        pip3 install --upgrade pip && \
-    pip3 install poetry && \
+        pip3 install poetry && \
-    poetry install --only=main --no-ansi --no-interaction --no-root && \
+        poetry install --only=main --no-ansi --no-interaction --no-root"
    pip install --force-reinstall /wheels/*"
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM docker.io/python:3.12.2-slim-bookworm AS final-image
 ARG GIT_BUILD_HASH
 ARG VERSION
@ -138,7 +127,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -174,8 +163,6 @@ ENV TMPDIR=/dev/shm/ \
    VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false
 ENV GOFIPS=1
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 ENTRYPOINT [ "dumb-init", "--", "ak" ]
--- a/42
+++ b/42
@ -9,7 +9,6 @@ PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
 pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
@ -19,7 +18,6 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
 		-S 'website/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
@ -47,12 +45,12 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...
 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
-	docker compose pull -q
+	docker-compose pull -q
-	docker compose up --no-start
+	docker-compose up --no-start
-	docker compose start postgresql redis
+	docker-compose start postgresql redis
-	docker compose run -u root server test-all
+	docker-compose run -u root server test-all
 	rm -f .env
 test: ## Run the server tests and produce a coverage report (locally)
@ -60,15 +58,13 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
 lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	bandit -r $(PY_SOURCES) -x node_modules
 	golangci-lint run -v
 core-install:
@ -141,10 +137,7 @@ gen-clean-ts:  ## Remove generated API client for Typescript
 gen-clean-go:  ## Remove generated API client for Go
 	rm -rf ./${GEN_API_GO}/
-gen-clean-py:  ## Remove generated API client for Python
+gen-clean: gen-clean-ts gen-clean-go  ## Remove generated API clients
 	rm -rf ./${GEN_API_PY}/
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
 	docker run \
@ -162,20 +155,6 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	cd ./${GEN_API_TS} && npm i
 	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
 		-c /local/scripts/api-py-config.yaml \
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	pip install ./${GEN_API_PY}
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
 	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
@ -241,7 +220,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier
 website-build:
@ -255,7 +234,6 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################
 docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 #########################
--- a/README.md
+++ b/README.md
@ -25,10 +25,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 ## Screenshots
-| Light                                                       | Dark                                                       |
+| Light                                                  | Dark                                                  |
-| ----------------------------------------------------------- | ---------------------------------------------------------- |
+| ------------------------------------------------------ | ----------------------------------------------------- |
-| ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
-| ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
 ## Development
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 (.x being the latest patch release for each version)
-| Version  | Supported |
+| Version | Supported |
-| -------- | --------- |
+| --- | --- |
-| 2024.4.x | ✅        |
+| 2023.6.x | ✅ |
-| 2024.6.x | ✅        |
+| 2023.8.x | ✅ |
 ## Reporting a Vulnerability
@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
-| Score      | Severity |
+| Score | Severity |
-| ---------- | -------- |
+| --- | --- |
-| 0.0        | None     |
+| 0.0 | None |
-| 0.1 – 3.9  | Low      |
+| 0.1 – 3.9 | Low |
-| 4.0 – 6.9  | Medium   |
+| 4.0 – 6.9 | Medium |
-| 7.0 – 8.9  | High     |
+| 7.0 – 8.9 | High |
 | 9.0 – 10.0 | Critical |
 ## Disclosure process
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.6.3"
+__version__ = "2024.2.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -2,21 +2,18 @@
 import platform
 from datetime import datetime
 from ssl import OPENSSL_VERSION
 from sys import version as python_version
 from typing import TypedDict
 from cryptography.hazmat.backends.openssl.backend import backend
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
 from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@ -28,13 +25,11 @@ class RuntimeDict(TypedDict):
    """Runtime information"""
    python_version: str
    gunicorn_version: str
    environment: str
    architecture: str
    platform: str
    uname: str
    openssl_version: str
    openssl_fips_enabled: bool | None
    authentik_version: str
 class SystemInfoSerializer(PassiveSerializer):
@ -69,15 +64,11 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_runtime(self, request: Request) -> RuntimeDict:
        """Get versions"""
        return {
            "architecture": platform.machine(),
            "authentik_version": get_full_version(),
            "environment": get_env(),
            "openssl_fips_enabled": (
                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
            ),
            "openssl_version": OPENSSL_VERSION,
            "platform": platform.platform(),
            "python_version": python_version,
            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
            "environment": get_env(),
            "architecture": platform.machine(),
            "platform": platform.platform(),
            "uname": " ".join(platform.uname()),
        }
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -10,7 +10,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik import __version__, get_build_hash
-from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
@ -19,7 +19,6 @@ class VersionSerializer(PassiveSerializer):
    version_current = SerializerMethodField()
    version_latest = SerializerMethodField()
    version_latest_valid = SerializerMethodField()
    build_hash = SerializerMethodField()
    outdated = SerializerMethodField()
@ -39,10 +38,6 @@ class VersionSerializer(PassiveSerializer):
            return __version__
        return version_in_cache
    def get_version_latest_valid(self, _) -> bool:
        """Check if latest version is valid"""
        return cache.get(VERSION_CACHE_KEY) != VERSION_NULL
    def get_outdated(self, instance) -> bool:
        """Check if we're running the latest version"""
        return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -18,7 +18,6 @@ from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
@ -56,7 +55,7 @@ def clear_update_notifications():
 def update_latest_version(self: SystemTask):
    """Update latest version info"""
    if CONFIG.get_bool("disable_update_check"):
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_status(TaskStatus.WARNING, "Version check disabled.")
        return
    try:
@ -83,7 +82,7 @@ def update_latest_version(self: SystemTask):
                event_dict["message"] = f"Changelog: {match.group()}"
            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
    except (RequestException, IndexError) as exc:
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_error(exc)
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -10,3 +10,26 @@ class AuthentikAPIConfig(AppConfig):
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
    def ready(self) -> None:
        from drf_spectacular.extensions import OpenApiAuthenticationExtension
        from authentik.api.authentication import TokenAuthentication
        # Class is defined here as it needs to be created early enough that drf-spectacular will
        # find it, but also won't cause any import issues
        class TokenSchema(OpenApiAuthenticationExtension):
            """Auth schema"""
            target_class = TokenAuthentication
            name = "authentik"
            def get_security_definition(self, auto_schema):
                """Auth schema"""
                return {
                    "type": "apiKey",
                    "in": "header",
                    "name": "Authorization",
                    "scheme": "bearer",
                }
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -4,7 +4,6 @@ from hmac import compare_digest
 from typing import Any
 from django.conf import settings
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@ -103,14 +102,3 @@ class TokenAuthentication(BaseAuthentication):
            return None
        return (user, None)  # pragma: no cover
 class TokenSchema(OpenApiAuthenticationExtension):
    """Auth schema"""
    target_class = TokenAuthentication
    name = "authentik"
    def get_security_definition(self, auto_schema):
        """Auth schema"""
        return {"type": "http", "scheme": "bearer"}
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -12,7 +12,6 @@ from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
 from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
@ -102,12 +101,3 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
            comp = result["components"]["schemas"][component]
            comp["additionalProperties"] = {}
    return result
 def preprocess_schema_exclude_non_api(endpoints, **kwargs):
    """Filter out all API Views which are not mounted under /api"""
    return [
        (path, path_regex, method, callback)
        for path, path_regex, method, callback in endpoints
        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
    ]
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
-{% load authentik_core %}
+{% load static %}
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@ -8,8 +8,6 @@ from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.root.signals import startup
 class ManagedAppConfig(AppConfig):
    """Basic reconciliation logic for apps"""
@ -25,12 +23,9 @@ class ManagedAppConfig(AppConfig):
    def ready(self) -> None:
        self.import_related()
        startup.connect(self._on_startup_callback, dispatch_uid=self.label)
        return super().ready()
    def _on_startup_callback(self, sender, **_):
        self._reconcile_global()
        self._reconcile_tenant()
        return super().ready()
    def import_related(self):
        """Automatically import related modules which rely on just being imported
--- a/authentik/blueprints/management/commands/apply_blueprint.py
+++ b/authentik/blueprints/management/commands/apply_blueprint.py
@ -23,11 +23,9 @@ class Command(BaseCommand):
                for blueprint_path in options.get("blueprints", []):
                    content = BlueprintInstance(path=blueprint_path).retrieve()
                    importer = Importer.from_string(content)
-                    valid, logs = importer.validate()
+                    valid, _ = importer.validate()
                    if not valid:
-                        self.stderr.write("Blueprint invalid")
+                        self.stderr.write("blueprint invalid")
                        for log in logs:
                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
                        sys_exit(1)
                    importer.apply()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -4,14 +4,12 @@ from json import dumps
 from typing import Any
 from django.core.management.base import BaseCommand, no_translations
-from django.db.models import Model, fields
+from django.db.models import Model
-from drf_jsonschema_serializer.convert import converter, field_to_converter
+from drf_jsonschema_serializer.convert import field_to_converter
 from rest_framework.fields import Field, JSONField, UUIDField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@ -20,23 +18,6 @@ from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
@converter
 class PrimaryKeyRelatedFieldConverter:
    """Custom primary key field converter which is aware of non-integer based PKs
    This is not an exhaustive fix for other non-int PKs, however in authentik we either
    use UUIDs or ints"""
    field_class = PrimaryKeyRelatedField
    def convert(self, field: PrimaryKeyRelatedField):
        model: Model = field.queryset.model
        pk_field = model._meta.pk
        if isinstance(pk_field, fields.UUIDField):
            return {"type": "string", "format": "uuid"}
        return {"type": "integer"}
 class Command(BaseCommand):
    """Generate JSON Schema for blueprints"""
@ -48,7 +29,7 @@ class Command(BaseCommand):
            "$schema": "http://json-schema.org/draft-07/schema",
            "$id": "https://goauthentik.io/blueprints/schema.json",
            "type": "object",
-            "title": f"authentik {__version__} Blueprint schema",
+            "title": "authentik Blueprint schema",
            "required": ["version", "entries"],
            "properties": {
                "version": {
@ -113,19 +94,16 @@ class Command(BaseCommand):
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
            self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, model, serializer)
+                self.template_entry(model_path, serializer)
            )
-    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
        """Template entry for a single model"""
        model_schema = self.to_jsonschema(serializer)
        model_schema["required"] = []
        def_name = f"model_{model_path}"
        def_path = f"#/$defs/{def_name}"
        self.schema["$defs"][def_name] = model_schema
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
        return {
            "type": "object",
            "required": ["model", "identifiers"],
@ -138,7 +116,6 @@ class Command(BaseCommand):
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
                "permissions": {"$ref": def_path_perm},
                "attrs": {"$ref": def_path},
                "identifiers": {"$ref": def_path},
            },
@ -189,20 +166,3 @@ class Command(BaseCommand):
        if required:
            result["required"] = required
        return result
    def model_permissions(self, model: type[Model]) -> dict:
        perms = [x[0] for x in model._meta.permissions]
        for action in model._meta.default_permissions:
            perms.append(f"{action}_{model._meta.model_name}")
        return {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["permission"],
                "properties": {
                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
            },
        }
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -39,7 +39,7 @@ def reconcile_app(app_name: str):
        def wrapper(*args, **kwargs):
            config = apps.get_app_config(app_name)
            if isinstance(config, ManagedAppConfig):
-                config._on_startup_callback(None)
+                config.ready()
            return func(*args, **kwargs)
        return wrapper
--- a/authentik/blueprints/tests/fixtures/rbac_object.yaml
+++ b/authentik/blueprints/tests/fixtures/rbac_object.yaml
@ -1,24 +0,0 @@
 version: 1
 entries:
  - model: authentik_core.user
    id: user
    identifiers:
      username: "%(id)s"
    attrs:
      name: "%(id)s"
  - model: authentik_rbac.role
    id: role
    identifiers:
      name: "%(id)s"
  - model: authentik_flows.flow
    identifiers:
      slug: "%(id)s"
    attrs:
      designation: authentication
      name: foo
      title: foo
    permissions:
      - permission: view_flow
        user: !KeyOf user
      - permission: view_flow
        role: !KeyOf role
--- a/authentik/blueprints/tests/fixtures/rbac_role.yaml
+++ b/authentik/blueprints/tests/fixtures/rbac_role.yaml
@ -1,8 +0,0 @@
 version: 1
 entries:
  - model: authentik_rbac.role
    identifiers:
      name: "%(id)s"
    attrs:
      permissions:
        - authentik_blueprints.view_blueprintinstance
--- a/authentik/blueprints/tests/fixtures/rbac_user.yaml
+++ b/authentik/blueprints/tests/fixtures/rbac_user.yaml
@ -1,9 +0,0 @@
 version: 1
 entries:
  - model: authentik_core.user
    identifiers:
      username: "%(id)s"
    attrs:
      name: "%(id)s"
      permissions:
        - authentik_blueprints.view_blueprintinstance
--- a/authentik/blueprints/tests/test_v1_rbac.py
+++ b/authentik/blueprints/tests/test_v1_rbac.py
@ -1,57 +0,0 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase
 from guardian.shortcuts import get_perms
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.rbac.models import Role
 class TestBlueprintsV1RBAC(TransactionTestCase):
    """Test Blueprints rbac attribute"""
    def test_user_permission(self):
        """Test permissions"""
        uid = generate_id()
        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
        importer = Importer.from_string(import_yaml)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        user = User.objects.filter(username=uid).first()
        self.assertIsNotNone(user)
        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
    def test_role_permission(self):
        """Test permissions"""
        uid = generate_id()
        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
        importer = Importer.from_string(import_yaml)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        role = Role.objects.filter(name=uid).first()
        self.assertIsNotNone(role)
        self.assertEqual(
            list(role.group.permissions.all().values_list("codename", flat=True)),
            ["view_blueprintinstance"],
        )
    def test_object_permission(self):
        """Test permissions"""
        uid = generate_id()
        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
        importer = Importer.from_string(import_yaml)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        flow = Flow.objects.filter(slug=uid).first()
        user = User.objects.filter(username=uid).first()
        role = Role.objects.filter(name=uid).first()
        self.assertIsNotNone(flow)
        self.assertEqual(get_perms(user, flow), ["view_flow"])
        self.assertEqual(get_perms(role.group, flow), ["view_flow"])
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -1,7 +1,7 @@
 """transfer common classes"""
 from collections import OrderedDict
-from collections.abc import Generator, Iterable, Mapping
+from collections.abc import Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@ -58,15 +58,6 @@ class BlueprintEntryDesiredState(Enum):
    MUST_CREATED = "must_created"
@dataclass
 class BlueprintEntryPermission:
    """Describe object-level permissions"""
    permission: Union[str, "YAMLTag"]
    user: Union[int, "YAMLTag", None] = field(default=None)
    role: Union[str, "YAMLTag", None] = field(default=None)
@dataclass
 class BlueprintEntry:
    """Single entry of a blueprint"""
@ -78,14 +69,13 @@ class BlueprintEntry:
    conditions: list[Any] = field(default_factory=list)
    identifiers: dict[str, Any] = field(default_factory=dict)
    attrs: dict[str, Any] | None = field(default_factory=dict)
    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
    id: str | None = None
    _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)
    def __post_init__(self, *args, **kwargs) -> None:
-        self.__tag_contexts: list[YAMLTagContext] = []
+        self.__tag_contexts: list["YAMLTagContext"] = []
    @staticmethod
    def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
@ -160,17 +150,6 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))
    def get_permissions(
        self, blueprint: "Blueprint"
    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
                permission=self.tag_resolver(perm.permission, blueprint),
                user=self.tag_resolver(perm.user, blueprint),
                role=self.tag_resolver(perm.role, blueprint),
            )
    def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
        """Check all conditions of this entry match (evaluate to True)"""
        return all(self.tag_resolver(self.conditions, blueprint))
@ -328,10 +307,7 @@ class Find(YAMLTag):
        else:
            model_name = self.model_name
-        try:
+        model_class = apps.get_model(*model_name.split("."))
            model_class = apps.get_model(*model_name.split("."))
        except LookupError as exc:
            raise EntryInvalidError.from_entry(exc, entry) from exc
        query = Q()
        for cond in self.conditions:
@ -580,11 +556,7 @@ class BlueprintDumper(SafeDumper):
            def factory(items):
                final_dict = dict(items)
                # Remove internal state variables
                final_dict.pop("_state", None)
                # Future-proof to only remove the ID if we don't set a value
                if "id" in final_dict and final_dict.get("id") is None:
                    final_dict.pop("id")
                return final_dict
            data = asdict(data, dict_factory=factory)
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -16,10 +16,11 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
 from structlog.testing import capture_logs
 from structlog.types import EventDict
 from yaml import load
 from authentik.blueprints.v1.common import (
@ -33,39 +34,24 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
    AuthenticatedSession,
    GroupSourceConnection,
    PropertyMapping,
    Provider,
    Source,
    User,
    UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
 from authentik.enterprise.providers.google_workspace.models import (
    GoogleWorkspaceProviderGroup,
    GoogleWorkspaceProviderUser,
 )
 from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderGroup,
    MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 # Context set when the serializer is created in a blueprint context
@ -92,7 +78,6 @@ def excluded_models() -> list[type[Model]]:
        Source,
        PropertyMapping,
        UserSourceConnection,
        GroupSourceConnection,
        Stage,
        OutpostServiceConnection,
        Policy,
@ -100,11 +85,10 @@ def excluded_models() -> list[type[Model]]:
        # Classes that have other dependencies
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
        FlowToken,
        LicenseUsage,
-        SCIMProviderGroup,
+        SCIMGroup,
-        SCIMProviderUser,
+        SCIMUser,
        Tenant,
        SystemTask,
        ConnectionToken,
@ -112,13 +96,6 @@ def excluded_models() -> list[type[Model]]:
        AccessToken,
        RefreshToken,
        Reputation,
        WebAuthnDeviceType,
        SCIMSourceUser,
        SCIMSourceGroup,
        GoogleWorkspaceProviderUser,
        GoogleWorkspaceProviderGroup,
        MicrosoftEntraProviderUser,
        MicrosoftEntraProviderGroup,
    )
@ -142,16 +119,6 @@ def transaction_rollback():
        pass
 def rbac_models() -> dict:
    models = {}
    for app in get_apps():
        for model in app.get_models():
            if not is_model_allowed(model):
                continue
            models[model._meta.model_name] = app.label
    return models
 class Importer:
    """Import Blueprint from raw dict or YAML/JSON"""
@ -170,10 +137,7 @@ class Importer:
    def default_context(self):
        """Default context"""
-        return {
+        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
            "goauthentik.io/rbac/models": rbac_models(),
        }
    @staticmethod
    def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@ -197,7 +161,7 @@ class Importer:
        def updater(value) -> Any:
            if value in self.__pk_map:
-                self.logger.debug("Updating reference in entry", value=value)
+                self.logger.debug("updating reference in entry", value=value)
                return self.__pk_map[value]
            return value
@ -233,17 +197,14 @@ class Importer:
        return main_query | sub_query
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
        """Validate a single entry"""
        if not entry.check_all_conditions_match(self._import):
            self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
            return None
        model_app_label, model_name = entry.get_model(self._import).split(".")
-        try:
+        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
        except LookupError as exc:
            raise EntryInvalidError.from_entry(exc, entry) from exc
        # Don't use isinstance since we don't want to check for inheritance
        if not is_model_allowed(model):
            raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@ -289,7 +250,7 @@ class Importer:
        model_instance = existing_models.first()
        if not isinstance(model(), BaseMetaModel) and model_instance:
            self.logger.debug(
-                "Initialise serializer with instance",
+                "initialise serializer with instance",
                model=model,
                instance=model_instance,
                pk=model_instance.pk,
@ -299,14 +260,14 @@ class Importer:
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
            raise EntryInvalidError.from_entry(
                (
-                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    f"state is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                    "and object exists already",
                ),
                entry,
            )
        else:
            self.logger.debug(
-                "Initialised new serializer instance",
+                "initialised new serializer instance",
                model=model,
                **cleanse_dict(updated_identifiers),
            )
@ -318,7 +279,10 @@ class Importer:
        try:
            full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
        except ValueError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(
                exc,
                entry,
            ) from exc
        always_merger.merge(full_data, updated_identifiers)
        serializer_kwargs["data"] = full_data
@ -339,15 +303,6 @@ class Importer:
            ) from exc
        return serializer
    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
        """Apply object-level permissions for an entry"""
        for perm in entry.get_permissions(self._import):
            if perm.user is not None:
                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
            if perm.role is not None:
                role = Role.objects.get(pk=perm.role)
                role.assign_permission(perm.permission, obj=instance)
    def apply(self) -> bool:
        """Apply (create/update) models yaml, in database transaction"""
        try:
@ -369,7 +324,7 @@ class Importer:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
            except LookupError:
                self.logger.warning(
-                    "App or Model does not exist", app=model_app_label, model=model_name
+                    "app or model does not exist", app=model_app_label, model=model_name
                )
                return False
            # Validate each single entry
@ -381,7 +336,7 @@ class Importer:
                if entry.get_state(self._import) == BlueprintEntryDesiredState.ABSENT:
                    serializer = exc.serializer
                else:
-                    self.logger.warning(f"Entry invalid: {exc}", entry=entry, error=exc)
+                    self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                    if raise_errors:
                        raise exc
                    return False
@ -401,28 +356,27 @@ class Importer:
                    and state == BlueprintEntryDesiredState.CREATED
                ):
                    self.logger.debug(
-                        "Instance exists, skipping",
+                        "instance exists, skipping",
                        model=model,
                        instance=instance,
                        pk=instance.pk,
                    )
                else:
                    instance = serializer.save()
-                    self.logger.debug("Updated model", model=instance)
+                    self.logger.debug("updated model", model=instance)
                if "pk" in entry.identifiers:
                    self.__pk_map[entry.identifiers["pk"]] = instance.pk
                entry._state = BlueprintEntryState(instance)
                self._apply_permissions(instance, entry)
            elif state == BlueprintEntryDesiredState.ABSENT:
                instance: Model | None = serializer.instance
                if instance.pk:
                    instance.delete()
-                    self.logger.debug("Deleted model", mode=instance)
+                    self.logger.debug("deleted model", mode=instance)
                    continue
-                self.logger.debug("Entry to delete with no instance, skipping")
+                self.logger.debug("entry to delete with no instance, skipping")
        return True
-    def validate(self, raise_validation_errors=False) -> tuple[bool, list[LogEvent]]:
+    def validate(self, raise_validation_errors=False) -> tuple[bool, list[EventDict]]:
        """Validate loaded blueprint export, ensure all models are allowed
        and serializers have no errors"""
        self.logger.debug("Starting blueprint import validation")
@ -436,7 +390,9 @@ class Importer:
        ):
            successful = self._apply_models(raise_errors=raise_validation_errors)
            if not successful:
-                self.logger.warning("Blueprint validation failed")
+                self.logger.debug("Blueprint validation failed")
        for log in logs:
            getattr(self.logger, log.get("log_level"))(**log)
        self.logger.debug("Finished blueprint import validation")
        self._import = orig_import
        return successful, logs
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -30,7 +30,6 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
@ -212,15 +211,14 @@ def apply_blueprint(self: SystemTask, instance_pk: str):
        if not valid:
            instance.status = BlueprintInstanceStatus.ERROR
            instance.save()
-            self.set_status(TaskStatus.ERROR, *logs)
+            self.set_status(TaskStatus.ERROR, *[x["event"] for x in logs])
            return
        applied = importer.apply()
        if not applied:
            instance.status = BlueprintInstanceStatus.ERROR
            instance.save()
            self.set_status(TaskStatus.ERROR, "Failed to apply")
            return
        with capture_logs() as logs:
            applied = importer.apply()
            if not applied:
                instance.status = BlueprintInstanceStatus.ERROR
                instance.save()
                self.set_status(TaskStatus.ERROR, *logs)
                return
        instance.status = BlueprintInstanceStatus.SUCCESSFUL
        instance.last_applied_hash = file_hash
        instance.last_applied = now()
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 class FooterLinkSerializer(PassiveSerializer):
    """Links returned in Config API"""
-    href = CharField(read_only=True, allow_null=True)
+    href = CharField(read_only=True)
    name = CharField(read_only=True)
@ -55,7 +56,6 @@ class BrandSerializer(ModelSerializer):
            "flow_unenrollment",
            "flow_user_settings",
            "flow_device_code",
            "default_application",
            "web_certificate",
            "attributes",
        ]
--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@ -9,6 +9,3 @@ class AuthentikBrandsConfig(AppConfig):
    name = "authentik.brands"
    label = "authentik_brands"
    verbose_name = "authentik Brands"
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
--- a/authentik/brands/migrations/0006_brand_authentik_b_domain_b9b24a_idx_and_more.py
+++ b/authentik/brands/migrations/0006_brand_authentik_b_domain_b9b24a_idx_and_more.py
@ -1,21 +0,0 @@
 # Generated by Django 5.0.4 on 2024-04-18 18:56
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="brand",
            index=models.Index(fields=["domain"], name="authentik_b_domain_b9b24a_idx"),
        ),
        migrations.AddIndex(
            model_name="brand",
            index=models.Index(fields=["default"], name="authentik_b_default_3ccf12_idx"),
        ),
    ]
--- a/authentik/brands/migrations/0007_brand_default_application.py
+++ b/authentik/brands/migrations/0007_brand_default_application.py
@ -1,26 +0,0 @@
 # Generated by Django 5.0.6 on 2024-07-04 20:32
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
        ("authentik_core", "0035_alter_group_options_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="brand",
            name="default_application",
            field=models.ForeignKey(
                default=None,
                help_text="When set, external users will be redirected to this application after authenticating.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                to="authentik_core.application",
            ),
        ),
    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -3,7 +3,6 @@
 from uuid import uuid4
 from django.db import models
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@ -52,16 +51,6 @@ class Brand(SerializerModel):
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
    )
    default_application = models.ForeignKey(
        "authentik_core.Application",
        null=True,
        default=None,
        on_delete=models.SET_DEFAULT,
        help_text=_(
            "When set, external users will be redirected to this application after authenticating."
        ),
    )
    web_certificate = models.ForeignKey(
        CertificateKeyPair,
        null=True,
@ -95,17 +84,3 @@ class Brand(SerializerModel):
    class Meta:
        verbose_name = _("Brand")
        verbose_name_plural = _("Brands")
        indexes = [
            models.Index(fields=["domain"]),
            models.Index(fields=["default"]),
        ]
 class WebfingerProvider(models.Model):
    """Provider which supports webfinger discovery"""
    class Meta:
        abstract = True
    def webfinger(self, resource: str, request: HttpRequest) -> dict:
        raise NotImplementedError()
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -5,11 +5,7 @@ from rest_framework.test import APITestCase
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider
 class TestBrands(APITestCase):
@ -79,45 +75,3 @@ class TestBrands(APITestCase):
            reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
        )
        self.assertEqual(response.status_code, 400)
    def test_webfinger_no_app(self):
        """Test Webfinger"""
        create_test_brand()
        self.assertJSONEqual(
            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
        )
    def test_webfinger_not_supported(self):
        """Test Webfinger"""
        brand = create_test_brand()
        provider = SAMLProvider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        brand.default_application = app
        brand.save()
        self.assertJSONEqual(
            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
        )
    def test_webfinger_oidc(self):
        """Test Webfinger"""
        brand = create_test_brand()
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        brand.default_application = app
        brand.save()
        self.assertJSONEqual(
            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
            {
                "links": [
                    {
                        "href": f"http://testserver/application/o/{app.slug}/",
                        "rel": "http://openid.net/specs/connect/1.0/issuer",
                    }
                ],
                "subject": None,
            },
        )
--- a/authentik/brands/urls_root.py
+++ b/authentik/brands/urls_root.py
@ -1,9 +0,0 @@
 """authentik brand root URLs"""
 from django.urls import path
 from authentik.brands.views.webfinger import WebFingerView
 urlpatterns = [
    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
 ]
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
+from sentry_sdk.hub import Hub
 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
    trace = ""
-    span = get_current_span()
+    span = Hub.current.scope.span
    if span:
        trace = span.to_traceparent()
    return {
--- a/authentik/brands/views/init.py
+++ b/authentik/brands/views/init.py
--- a/authentik/brands/views/webfinger.py
+++ b/authentik/brands/views/webfinger.py
@ -1,29 +0,0 @@
 from typing import Any
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.views import View
 from authentik.brands.models import Brand, WebfingerProvider
 from authentik.core.models import Application
 class WebFingerView(View):
    """Webfinger endpoint"""
    def get(self, request: HttpRequest) -> HttpResponse:
        brand: Brand = request.brand
        if not brand.default_application:
            return JsonResponse({})
        application: Application = brand.default_application
        provider = application.get_provider()
        if not provider or not isinstance(provider, WebfingerProvider):
            return JsonResponse({})
        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
        return JsonResponse(webfinger_data)
    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        response = super().dispatch(request, *args, **kwargs)
        # RFC7033 spec
        response["Access-Control-Allow-Origin"] = "*"
        response["Content-Type"] = "application/jrd+json"
        return response
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -17,18 +17,18 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
 from authentik.events.utils import sanitize_dict
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -37,19 +37,16 @@ from authentik.lib.utils.file import (
 )
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.types import CACHE_PREFIX, PolicyResult
+from authentik.policies.types import PolicyResult
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
-def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
+def user_app_cache_key(user_pk: str) -> str:
    """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
+    return f"goauthentik.io/core/app_access/{user_pk}"
    if page_number:
        key += f"/{page_number}"
    return key
 class ApplicationSerializer(ModelSerializer):
@ -103,12 +100,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
    """Application Viewset"""
-    queryset = (
+    queryset = Application.objects.all().prefetch_related("provider")
        Application.objects.all()
        .with_provider()
        .prefetch_related("policies")
        .prefetch_related("backchannel_providers")
    )
    serializer_class = ApplicationSerializer
    search_fields = [
        "name",
@ -152,15 +144,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                applications.append(application)
        return applications
    def _filter_applications_with_launch_url(
        self, pagined_apps: Iterator[Application]
    ) -> list[Application]:
        applications = []
        for app in pagined_apps:
            if app.get_launch_url():
                applications.append(app)
        return applications
    @extend_schema(
        parameters=[
            OpenApiParameter(
@ -199,9 +182,9 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if request.user.is_superuser:
            log_messages = []
            for log in logs:
-                if log.attributes.get("process", "") == "PolicyProcess":
+                if log.get("process", "") == "PolicyProcess":
                    continue
-                log_messages.append(LogEventSerializer(log).data)
+                log_messages.append(sanitize_dict(log))
            result.log_messages = log_messages
            response = PolicyTestResultSerializer(result)
        return Response(response.data)
@ -218,11 +201,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.INT,
            ),
            OpenApiParameter(
                name="only_with_launch_url",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.BOOL,
            ),
        ]
    )
    def list(self, request: Request) -> Response:
@ -235,13 +213,8 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if superuser_full_list and request.user.is_superuser:
            return super().list(request)
        only_with_launch_url = str(
            request.query_params.get("only_with_launch_url", "false")
        ).lower()
        queryset = self._filter_queryset_for_list(self.get_queryset())
-        paginator: Pagination = self.paginator
+        pagined_apps = self.paginate_queryset(queryset)
        paginated_apps = paginator.paginate_queryset(queryset, request)
        if "for_user" in request.query_params:
            try:
@ -255,29 +228,23 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                    raise ValidationError({"for_user": "User not found"})
            except ValueError as exc:
                raise ValidationError from exc
-            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._get_allowed_applications(pagined_apps, user=for_user)
            serializer = self.get_serializer(allowed_applications, many=True)
            return self.get_paginated_response(serializer.data)
        allowed_applications = []
        if not should_cache:
-            allowed_applications = self._get_allowed_applications(paginated_apps)
+            allowed_applications = self._get_allowed_applications(pagined_apps)
        if should_cache:
-            allowed_applications = cache.get(
+            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
                user_app_cache_key(self.request.user.pk, paginator.page.number)
            )
            if not allowed_applications:
-                LOGGER.debug("Caching allowed application list", page=paginator.page.number)
+                LOGGER.debug("Caching allowed application list")
-                allowed_applications = self._get_allowed_applications(paginated_apps)
+                allowed_applications = self._get_allowed_applications(pagined_apps)
                cache.set(
-                    user_app_cache_key(self.request.user.pk, paginator.page.number),
+                    user_app_cache_key(self.request.user.pk),
                    allowed_applications,
                    timeout=86400,
                )
        if only_with_launch_url == "true":
            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
        serializer = self.get_serializer(allowed_applications, many=True)
        return self.get_paginated_response(serializer.data)
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -2,13 +2,7 @@
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import (
+from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
    BooleanField,
    CharField,
    DateTimeField,
    IntegerField,
    SerializerMethodField,
 )
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -26,9 +20,6 @@ class DeviceSerializer(MetaNameSerializer):
    name = CharField()
    type = SerializerMethodField()
    confirmed = BooleanField()
    created = DateTimeField(read_only=True)
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    def get_type(self, instance: Device) -> str:
        """Get type of device"""
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,27 +2,20 @@
 from json import loads
 from django.db.models import Prefetch
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiResponse, extend_schema
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    extend_schema_field,
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, SerializerMethodField
+from rest_framework.fields import CharField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
@ -52,7 +45,9 @@ class GroupSerializer(ModelSerializer):
    """Group Serializer"""
    attributes = JSONDictField(required=False)
-    users_obj = SerializerMethodField(allow_null=True)
+    users_obj = ListSerializer(
        child=GroupMemberSerializer(), read_only=True, source="users", required=False
    )
    roles_obj = ListSerializer(
        child=RoleSerializer(),
        read_only=True,
@ -63,19 +58,6 @@ class GroupSerializer(ModelSerializer):
    num_pk = IntegerField(read_only=True)
    @property
    def _should_include_users(self) -> bool:
        request: Request = self.context.get("request", None)
        if not request:
            return True
        return str(request.query_params.get("include_users", "true")).lower() == "true"
    @extend_schema_field(GroupMemberSerializer(many=True))
    def get_users_obj(self, instance: Group) -> list[GroupMemberSerializer] | None:
        if not self._should_include_users:
            return None
        return GroupMemberSerializer(instance.users, many=True).data
    def validate_parent(self, parent: Group | None):
        """Validate group parent (if set), ensuring the parent isn't itself"""
        if not self.instance or not parent:
@ -102,10 +84,7 @@ class GroupSerializer(ModelSerializer):
        extra_kwargs = {
            "users": {
                "default": list,
-            },
+            }
            # TODO: This field isn't unique on the database which is hard to backport
            # hence we just validate the uniqueness here
            "name": {"validators": [UniqueValidator(Group.objects.all())]},
        }
@ -151,49 +130,22 @@ class GroupFilter(FilterSet):
        fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]
 class UserAccountSerializer(PassiveSerializer):
    """Account adding/removing operations"""
    pk = IntegerField(required=True)
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""
-    class UserAccountSerializer(PassiveSerializer):
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
        """Account adding/removing operations"""
        pk = IntegerField(required=True)
    queryset = Group.objects.none()
    serializer_class = GroupSerializer
    search_fields = ["name", "is_superuser"]
    filterset_class = GroupFilter
    ordering = ["name"]
-    def get_queryset(self):
+    @permission_required(None, ["authentik_core.add_user"])
        base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
        if self.serializer_class(context={"request": self.request})._should_include_users:
            base_qs = base_qs.prefetch_related("users")
        else:
            base_qs = base_qs.prefetch_related(
                Prefetch("users", queryset=User.objects.all().only("id"))
            )
        return base_qs
    @extend_schema(
        parameters=[
            OpenApiParameter("include_users", bool, default=True),
        ]
    )
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)
    @extend_schema(
        parameters=[
            OpenApiParameter("include_users", bool, default=True),
        ]
    )
    def retrieve(self, request, *args, **kwargs):
        return super().retrieve(request, *args, **kwargs)
    @permission_required("authentik_core.add_user_to_group")
    @extend_schema(
        request=UserAccountSerializer,
        responses={
@ -201,13 +153,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
            404: OpenApiResponse(description="User not found"),
        },
    )
-    @action(
+    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
        detail=True,
        methods=["POST"],
        pagination_class=None,
        filter_backends=[],
        permission_classes=[],
    )
    def add_user(self, request: Request, pk: str) -> Response:
        """Add user to group"""
        group: Group = self.get_object()
@ -223,7 +169,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        group.users.add(user)
        return Response(status=204)
-    @permission_required("authentik_core.remove_user_from_group")
+    @permission_required(None, ["authentik_core.add_user"])
    @extend_schema(
        request=UserAccountSerializer,
        responses={
@ -231,13 +177,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
            404: OpenApiResponse(description="User not found"),
        },
    )
-    @action(
+    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
        detail=True,
        methods=["POST"],
        pagination_class=None,
        filter_backends=[],
        permission_classes=[],
    )
    def remove_user(self, request: Request, pk: str) -> Response:
        """Add user to group"""
        group: Group = self.get_object()
--- a/authentik/core/api/object_types.py
+++ b/authentik/core/api/object_types.py
@ -1,79 +0,0 @@
 """API Utilities"""
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import (
    BooleanField,
    CharField,
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import all_subclasses
 class TypeCreateSerializer(PassiveSerializer):
    """Types of an object that can be created"""
    name = CharField(required=True)
    description = CharField(required=True)
    component = CharField(required=True)
    model_name = CharField(required=True)
    icon_url = CharField(required=False)
    requires_enterprise = BooleanField(default=False)
 class CreatableType:
    """Class to inherit from to mark a model as creatable, even if the model itself is marked
    as abstract"""
 class NonCreatableType:
    """Class to inherit from to mark a model as non-creatable even if it is not abstract"""
 class TypesMixin:
    """Mixin which adds an API endpoint to list all possible types that can be created"""
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request, additional: list[dict] | None = None) -> Response:
        """Get all creatable types"""
        data = []
        for subclass in all_subclasses(self.queryset.model):
            instance = None
            if subclass._meta.abstract:
                if not issubclass(subclass, CreatableType):
                    continue
                # Circumvent the django protection for not being able to instantiate
                # abstract models. We need a model instance to access .component
                # and further down .icon_url
                instance = subclass.__new__(subclass)
                # Django re-sets abstract = False so we need to override that
                instance.Meta.abstract = True
            else:
                if issubclass(subclass, NonCreatableType):
                    continue
                instance = subclass()
            try:
                data.append(
                    {
                        "name": subclass._meta.verbose_name,
                        "description": subclass.__doc__,
                        "component": instance.component,
                        "model_name": subclass._meta.model_name,
                        "icon_url": getattr(instance, "icon_url", None),
                        "requires_enterprise": isinstance(
                            subclass._meta.app_config, EnterpriseConfig
                        ),
                    }
                )
            except NotImplementedError:
                continue
        if additional:
            data.extend(additional)
        data = sorted(data, key=lambda x: x["name"])
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -2,36 +2,25 @@
 from json import dumps
 from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    extend_schema_field,
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from authentik.blueprints.api import ManagedSerializer
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
+from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
    MetaNameSerializer,
    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
-from authentik.core.models import Group, PropertyMapping, User
+from authentik.core.models import PropertyMapping
 from authentik.events.utils import sanitize_item
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
@ -74,20 +63,7 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
        ]
 class PropertyMappingFilterSet(FilterSet):
    """Filter for PropertyMapping"""
    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
    class Meta:
        model = PropertyMapping
        fields = ["name", "managed"]
 class PropertyMappingViewSet(
    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -96,23 +72,37 @@ class PropertyMappingViewSet(
 ):
    """PropertyMapping Viewset"""
-    class PropertyMappingTestSerializer(PolicyTestSerializer):
+    queryset = PropertyMapping.objects.none()
        """Test property mapping execution for a user/group with context"""
        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False, allow_null=True)
        group = PrimaryKeyRelatedField(
            queryset=Group.objects.all(), required=False, allow_null=True
        )
    queryset = PropertyMapping.objects.select_subclasses()
    serializer_class = PropertyMappingSerializer
-    filterset_class = PropertyMappingFilterSet
+    search_fields = [
        "name",
    ]
    filterset_fields = {"managed": ["isnull"]}
    ordering = ["name"]
-    search_fields = ["name"]
+
    def get_queryset(self):  # pragma: no cover
        return PropertyMapping.objects.select_subclasses()
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable property-mapping types"""
        data = []
        for subclass in all_subclasses(self.queryset.model):
            subclass: PropertyMapping
            data.append(
                {
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
    @permission_required("authentik_core.view_propertymapping")
    @extend_schema(
-        request=PropertyMappingTestSerializer(),
+        request=PolicyTestSerializer(),
        responses={
            200: PropertyMappingTestResultSerializer,
            400: OpenApiResponse(description="Invalid parameters"),
@ -130,39 +120,29 @@ class PropertyMappingViewSet(
        """Test Property Mapping"""
        _mapping: PropertyMapping = self.get_object()
        # Use `get_subclass` to get correct class and correct `.evaluate` implementation
-        mapping: PropertyMapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
+        mapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
        # FIXME: when we separate policy mappings between ones for sources
        # and ones for providers, we need to make the user field optional for the source mapping
-        test_params = self.PropertyMappingTestSerializer(data=request.data)
+        test_params = PolicyTestSerializer(data=request.data)
        if not test_params.is_valid():
            return Response(test_params.errors, status=400)
        format_result = str(request.GET.get("format_result", "false")).lower() == "true"
-        context: dict = test_params.validated_data.get("context", {})
+        # User permission check, only allow mapping testing for users that are readable
-        context.setdefault("user", None)
+        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
-
+            pk=test_params.validated_data["user"].pk
-        if user := test_params.validated_data.get("user"):
+        )
-            # User permission check, only allow mapping testing for users that are readable
+        if not users.exists():
-            users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
+            raise PermissionDenied()
                pk=user.pk
            )
            if not users.exists():
                raise PermissionDenied()
            context["user"] = user
        if group := test_params.validated_data.get("group"):
            # Group permission check, only allow mapping testing for groups that are readable
            groups = get_objects_for_user(request.user, "authentik_core.view_group").filter(
                pk=group.pk
            )
            if not groups.exists():
                raise PermissionDenied()
            context["group"] = group
        context["request"] = self.request
        response_data = {"successful": True, "result": ""}
        try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(
                users.first(),
                self.request,
                **test_params.validated_data.get("context", {}),
            )
            response_data["result"] = dumps(
                sanitize_item(result), indent=(4 if format_result else None)
            )
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -5,14 +5,20 @@ from django.db.models.query import Q
 from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField, SerializerMethodField
+from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import all_subclasses
 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
@ -57,12 +63,8 @@ class ProviderFilter(FilterSet):
    """Filter for providers"""
    application__isnull = BooleanFilter(method="filter_application__isnull")
-    backchannel = BooleanFilter(
+    backchannel_only = BooleanFilter(
-        method="filter_backchannel",
+        method="filter_backchannel_only",
        label=_(
            "When not set all providers are returned. When set to true, only backchannel "
            "providers are returned. When set to false, backchannel providers are excluded"
        ),
    )
    def filter_application__isnull(self, queryset: QuerySet, name, value):
@ -73,14 +75,12 @@ class ProviderFilter(FilterSet):
            | Q(application__isnull=value)
        )
-    def filter_backchannel(self, queryset: QuerySet, name, value):
+    def filter_backchannel_only(self, queryset: QuerySet, name, value):
-        """By default all providers are returned. When set to true, only backchannel providers are
+        """Only return backchannel providers"""
        returned. When set to false, backchannel providers are excluded"""
        return queryset.filter(is_backchannel=value)
 class ProviderViewSet(
    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -99,3 +99,31 @@ class ProviderViewSet(
    def get_queryset(self):  # pragma: no cover
        return Provider.objects.select_subclasses()
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable provider types"""
        data = []
        for subclass in all_subclasses(self.queryset.model):
            subclass: Provider
            if subclass._meta.abstract:
                continue
            data.append(
                {
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
                }
            )
        data.append(
            {
                "name": _("SAML Provider from Metadata"),
                "description": _("Create a SAML Provider by importing its Metadata."),
                "component": "ak-provider-saml-import-form",
                "model_name": "",
            }
        )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -11,15 +11,15 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
-from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
+from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
    FilePathSerializer,
@ -27,6 +27,7 @@ from authentik.lib.utils.file import (
    set_file,
    set_file_url,
 )
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine
 from authentik.rbac.decorators import permission_required
@ -60,8 +61,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "enabled",
            "authentication_flow",
            "enrollment_flow",
            "user_property_mappings",
            "group_property_mappings",
            "component",
            "verbose_name",
            "verbose_name_plural",
@ -75,7 +74,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 class SourceViewSet(
    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -134,6 +132,30 @@ class SourceViewSet(
        source: Source = self.get_object()
        return set_file_url(request, source, "icon")
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable source types"""
        data = []
        for subclass in all_subclasses(self.queryset.model):
            subclass: Source
            component = ""
            if len(subclass.__subclasses__()) > 0:
                continue
            if subclass._meta.abstract:
                component = subclass.__bases__[0]().component
            else:
                component = subclass().component
            data.append(
                {
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
@ -190,47 +212,6 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user", "source__slug"]
+    filterset_fields = ["user"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["source__slug", "pk"]
+    ordering = ["pk"]
 class GroupSourceConnectionSerializer(SourceSerializer):
    """Group Source Connection Serializer"""
    source = SourceSerializer(read_only=True)
    class Meta:
        model = GroupSourceConnection
        fields = [
            "pk",
            "group",
            "source",
            "identifier",
            "created",
        ]
        extra_kwargs = {
            "group": {"read_only": True},
            "identifier": {"read_only": True},
            "created": {"read_only": True},
        }
 class GroupSourceConnectionViewSet(
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
    mixins.ListModelMixin,
    GenericViewSet,
 ):
    """Group-source connection Viewset"""
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["group", "source__slug"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -2,7 +2,6 @@
 from typing import Any
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
@ -12,6 +11,7 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
@ -19,18 +19,10 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import (
+from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
    Token,
    TokenIntents,
    User,
    default_token_duration,
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.rbac.decorators import permission_required
@ -44,13 +36,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["key"] = CharField(required=False)
    def validate_user(self, user: User):
        """Ensure user of token cannot be changed"""
        if self.instance and self.instance.user_id:
            if user.pk != self.instance.user_id:
                raise ValidationError("User cannot be changed")
        return user
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context.get("request")
@ -64,32 +49,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        attrs.setdefault("intent", TokenIntents.INTENT_API)
        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
            raise ValidationError({"intent": f"Invalid intent {attrs.get('intent')}"})
        if attrs.get("intent") == TokenIntents.INTENT_APP_PASSWORD:
            # user IS in attrs
            user: User = attrs.get("user")
            max_token_lifetime = user.group_attributes(request).get(
                USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
            )
            max_token_lifetime_dt = default_token_duration()
            if max_token_lifetime is not None:
                try:
                    max_token_lifetime_dt = now() + timedelta_from_string(max_token_lifetime)
                except ValueError:
                    pass
            if "expires" in attrs and attrs.get("expires") > max_token_lifetime_dt:
                raise ValidationError(
                    {
                        "expires": (
                            f"Token expires exceeds maximum lifetime ({max_token_lifetime_dt} UTC)."
                        )
                    }
                )
        elif attrs.get("intent") == TokenIntents.INTENT_API:
            # For API tokens, expires cannot be overridden
            attrs["expires"] = default_token_duration()
        return attrs
    class Meta:
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -39,12 +39,12 @@ def get_delete_action(manager: Manager) -> str:
    """Get the delete action from the Foreign key, falls back to cascade"""
    if hasattr(manager, "field"):
        if manager.field.remote_field.on_delete.__name__ == SET_NULL.__name__:
-            return DeleteAction.SET_NULL.value
+            return DeleteAction.SET_NULL.name
        if manager.field.remote_field.on_delete.__name__ == SET_DEFAULT.__name__:
-            return DeleteAction.SET_DEFAULT.value
+            return DeleteAction.SET_DEFAULT.name
    if hasattr(manager, "source_field"):
-        return DeleteAction.CASCADE_MANY.value
+        return DeleteAction.CASCADE_MANY.name
-    return DeleteAction.CASCADE.value
+    return DeleteAction.CASCADE.name
 class UsedByMixin:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -5,7 +5,6 @@ from json import loads
 from typing import Any
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@ -34,21 +33,16 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
+from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
 from rest_framework.fields import (
    BooleanField,
    CharField,
    ChoiceField,
    DateTimeField,
    IntegerField,
    ListField,
    SerializerMethodField,
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
    BooleanField,
    DateTimeField,
    ListSerializer,
    ModelSerializer,
    PrimaryKeyRelatedField,
    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@ -58,12 +52,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
+from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
    JSONDictField,
    LinkSerializer,
    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
@ -85,7 +74,6 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -97,7 +85,7 @@ class UserGroupSerializer(ModelSerializer):
    """Simplified Group Serializer for user's groups"""
    attributes = JSONDictField(required=False)
-    parent_name = CharField(source="parent.name", read_only=True, allow_null=True)
+    parent_name = CharField(source="parent.name", read_only=True)
    class Meta:
        model = Group
@ -125,43 +113,23 @@ class UserSerializer(ModelSerializer):
        queryset=Group.objects.all().order_by("name"),
        default=list,
    )
-    groups_obj = SerializerMethodField(allow_null=True)
+    groups_obj = ListSerializer(child=UserGroupSerializer(), read_only=True, source="ak_groups")
    uid = CharField(read_only=True)
    username = CharField(
        max_length=150,
        validators=[UniqueValidator(queryset=User.objects.all().order_by("username"))],
    )
    @property
    def _should_include_groups(self) -> bool:
        request: Request = self.context.get("request", None)
        if not request:
            return True
        return str(request.query_params.get("include_groups", "true")).lower() == "true"
    @extend_schema_field(UserGroupSerializer(many=True))
    def get_groups_obj(self, instance: User) -> list[UserGroupSerializer] | None:
        if not self._should_include_groups:
            return None
        return UserGroupSerializer(instance.ak_groups, many=True).data
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["password"] = CharField(required=False, allow_null=True)
            self.fields["permissions"] = ListField(
                required=False, child=ChoiceField(choices=get_permission_choices())
            )
    def create(self, validated_data: dict) -> User:
        """If this serializer is used in the blueprint context, we allow for
        directly setting a password. However should be done via the `set_password`
        method instead of directly setting it like rest_framework."""
        password = validated_data.pop("password", None)
        permissions = Permission.objects.filter(
            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
        )
        validated_data["user_permissions"] = permissions
        instance: User = super().create(validated_data)
        self._set_password(instance, password)
        return instance
@ -170,10 +138,6 @@ class UserSerializer(ModelSerializer):
        """Same as `create` above, set the password directly if we're in a blueprint
        context"""
        password = validated_data.pop("password", None)
        permissions = Permission.objects.filter(
            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
        )
        validated_data["user_permissions"] = permissions
        instance = super().update(instance, validated_data)
        self._set_password(instance, password)
        return instance
@ -430,19 +394,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    search_fields = ["username", "name", "is_active", "email", "uuid"]
    filterset_class = UsersFilter
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
-        base_qs = User.objects.all().exclude_anonymous()
+        return User.objects.all().exclude_anonymous().prefetch_related("ak_groups")
        if self.serializer_class(context={"request": self.request})._should_include_groups:
            base_qs = base_qs.prefetch_related("ak_groups")
        return base_qs
    @extend_schema(
        parameters=[
            OpenApiParameter("include_groups", bool, default=True),
        ]
    )
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)
    def _create_recovery_link(self) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -6,19 +6,8 @@ from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
 from drf_spectacular.types import OpenApiTypes
-from rest_framework.fields import (
+from rest_framework.fields import BooleanField, CharField, IntegerField, JSONField
-    CharField,
+from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
    IntegerField,
    JSONField,
    SerializerMethodField,
 )
 from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
    Serializer,
    ValidationError,
    model_meta,
    raise_errors_on_nested_writes,
 )
 def is_dict(value: Any):
@ -28,39 +17,6 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 class ModelSerializer(BaseModelSerializer):
    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
        info = model_meta.get_field_info(instance)
        # Simply set each attribute on the instance, and then save it.
        # Note that unlike `.create()` we don't need to treat many-to-many
        # relationships as being a special case. During updates we already
        # have an instance pk for the relationships to be associated with.
        m2m_fields = []
        for attr, value in validated_data.items():
            if attr in info.relations and info.relations[attr].to_many:
                m2m_fields.append((attr, value))
            else:
                setattr(instance, attr, value)
        instance.save()
        # Note that many-to-many fields are set after updating instance.
        # Setting m2m fields triggers signals which could potentially change
        # updated instance and we do not want it to collide with .update()
        for attr, value in m2m_fields:
            field = getattr(instance, attr)
            # We can't check for inheritance here as m2m managers are generated dynamically
            if field.__class__.__name__ == "RelatedManager":
                field.set(value, bulk=False)
            else:
                field.set(value)
        return instance
 class JSONDictField(JSONField):
    """JSON Field which only allows dictionaries"""
@ -112,6 +68,16 @@ class MetaNameSerializer(PassiveSerializer):
        return f"{obj._meta.app_label}.{obj._meta.model_name}"
 class TypeCreateSerializer(PassiveSerializer):
    """Types of an object that can be created"""
    name = CharField(required=True)
    description = CharField(required=True)
    component = CharField(required=True)
    model_name = CharField(required=True)
    requires_enterprise = BooleanField(default=False)
 class CacheSerializer(PassiveSerializer):
    """Generic cache stats for an object"""
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -31,9 +31,8 @@ class InbuiltBackend(ModelBackend):
        # Since we can't directly pass other variables to signals, and we want to log the method
        # and the token used, we assume we're running in a flow and set a variable in the context
        flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
-        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, method)
+        flow_plan.context[PLAN_CONTEXT_METHOD] = method
-        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].update(cleanse_dict(sanitize_dict(kwargs)))
        request.session[SESSION_KEY_PLAN] = flow_plan
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
--- a/authentik/core/exceptions.py
+++ b/authentik/core/exceptions.py
@ -0,0 +1,7 @@
 """authentik core exceptions"""
 from authentik.lib.sentry import SentryIgnoredException
 class PropertyMappingExpressionException(SentryIgnoredException):
    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -1,13 +1,11 @@
 """Property Mapping Evaluator"""
 from types import CodeType
 from typing import Any
 from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram
 from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
@ -25,8 +23,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
    """Custom Evaluator that adds some different context variables."""
    dry_run: bool
    model: Model
    _compiled: CodeType | None = None
    def __init__(
        self,
@ -36,32 +32,22 @@ class PropertyMappingEvaluator(BaseEvaluator):
        dry_run: bool | None = False,
        **kwargs,
    ):
        self.model = model
        if hasattr(model, "name"):
            _filename = model.name
        else:
            _filename = str(model)
        super().__init__(filename=_filename)
        self.dry_run = dry_run
        self.set_context(user, request, **kwargs)
    def set_context(
        self,
        user: User | None = None,
        request: HttpRequest | None = None,
        **kwargs,
    ):
        req = PolicyRequest(user=User())
-        req.obj = self.model
+        req.obj = model
        if user:
            req.user = user
            self._context["user"] = user
        if request:
            req.http_request = request
        req.context.update(**kwargs)
        self._context["request"] = req
        req.context.update(**kwargs)
        self._context.update(**kwargs)
-        self._globals["SkipObject"] = SkipObjectException
+        self.dry_run = dry_run
    def handle_error(self, exc: Exception, expression_source: str):
        """Exception Handler"""
@ -76,19 +62,10 @@ class PropertyMappingEvaluator(BaseEvaluator):
        )
        if "request" in self._context:
            req: PolicyRequest = self._context["request"]
-            if req.http_request:
+            event.from_http(req.http_request, req.user)
-                event.from_http(req.http_request, req.user)
+            return
                return
            elif req.user:
                event.set_user(req.user)
        event.save()
    def evaluate(self, *args, **kwargs) -> Any:
        with PROPERTY_MAPPING_TIME.labels(mapping_name=self._filename).time():
            return super().evaluate(*args, **kwargs)
    def compile(self, expression: str | None = None) -> Any:
        if not self._compiled:
            compiled = super().compile(expression or self.model.expression)
            self._compiled = compiled
        return self._compiled
--- a/authentik/core/expression/exceptions.py
+++ b/authentik/core/expression/exceptions.py
@ -1,19 +0,0 @@
 """authentik core exceptions"""
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sentry import SentryIgnoredException
 class PropertyMappingExpressionException(SentryIgnoredException):
    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""
    def __init__(self, exc: Exception, mapping) -> None:
        super().__init__()
        self.exc = exc
        self.mapping = mapping
 class SkipObjectException(ControlFlowException):
    """Exception which can be raised in a property mapping to skip syncing an object.
    Only applies to Property mappings which sync objects, and not on mappings which transitively
    apply to a single user"""
--- a/authentik/core/management/commands/change_user_type.py
+++ b/authentik/core/management/commands/change_user_type.py
@ -1,28 +0,0 @@
 """Change user type"""
 from authentik.core.models import User, UserTypes
 from authentik.tenants.management import TenantCommand
 class Command(TenantCommand):
    """Change user type"""
    def add_arguments(self, parser):
        parser.add_argument("--type", type=str, required=True)
        parser.add_argument("--all", action="store_true")
        parser.add_argument("usernames", nargs="+", type=str)
    def handle_per_tenant(self, **options):
        new_type = UserTypes(options["type"])
        qs = (
            User.objects.exclude_anonymous()
            .exclude(type=UserTypes.SERVICE_ACCOUNT)
            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
        )
        if options["usernames"] and options["all"]:
            self.stderr.write("--all and usernames specified, only one can be specified")
            return
        if options["usernames"] and not options["all"]:
            qs = qs.filter(username__in=options["usernames"])
        updated = qs.update(type=new_type)
        self.stdout.write(f"Updated {updated} users.")
--- a/authentik/core/management/commands/dev_server.py
+++ b/authentik/core/management/commands/dev_server.py
@ -1,34 +1,10 @@
 """custom runserver command"""
 from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
 from authentik.root.signals import post_startup, pre_startup, startup
 class SignalServer(Server):
    """Server which signals back to authentik when it finished starting up"""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        def ready_callable():
            pre_startup.send(sender=self)
            startup.send(sender=self)
            post_startup.send(sender=self)
        self.ready_callable = ready_callable
 class Command(RunServer):
    """custom runserver command, which doesn't show the misleading django startup message"""
-    server_cls = SignalServer
+    def on_bind(self, server_port):
-
+        pass
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Redirect standard stdout banner from Daphne into the void
        # as there are a couple more steps that happen before startup is fully done
        self.stdout = TextIO()
--- a/authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py
+++ b/authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py
@ -5,7 +5,6 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 import authentik.core.models
 from authentik.lib.generators import generate_id
 def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@ -17,10 +16,6 @@ def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        token.save()
 def default_token_key():
    return generate_id(60)
 class Migration(migrations.Migration):
    replaces = [
        ("authentik_core", "0012_auto_20201003_1737"),
@ -67,7 +62,7 @@ class Migration(migrations.Migration):
        migrations.AddField(
            model_name="token",
            name="key",
-            field=models.TextField(default=default_token_key),
+            field=models.TextField(default=authentik.core.models.default_token_key),
        ),
        migrations.AlterUniqueTogether(
            name="token",
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@ -7,13 +7,11 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
+    from authentik.core.models import BackchannelProvider
    from authentik.providers.ldap.models import LDAPProvider
    from authentik.providers.scim.models import SCIMProvider
-    for model in [LDAPProvider, SCIMProvider]:
+    for model in BackchannelProvider.__subclasses__():
        try:
-            for obj in model.objects.using(db_alias).only("is_backchannel"):
+            for obj in model.objects.only("is_backchannel"):
                obj.is_backchannel = True
                obj.save()
        except (DatabaseError, InternalError, ProgrammingError):
--- a/authentik/core/migrations/0034_alter_authenticatedsession_expires_and_more.py
+++ b/authentik/core/migrations/0034_alter_authenticatedsession_expires_and_more.py
@ -1,31 +0,0 @@
 # Generated by Django 5.0.2 on 2024-02-29 10:15
 from django.db import migrations, models
 import authentik.core.models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0033_alter_user_options"),
        ("authentik_tenants", "0002_tenant_default_token_duration_and_more"),
    ]
    operations = [
        migrations.AlterField(
            model_name="authenticatedsession",
            name="expires",
            field=models.DateTimeField(default=None, null=True),
        ),
        migrations.AlterField(
            model_name="token",
            name="expires",
            field=models.DateTimeField(default=None, null=True),
        ),
        migrations.AlterField(
            model_name="token",
            name="key",
            field=models.TextField(default=authentik.core.models.default_token_key),
        ),
    ]
--- a/authentik/core/migrations/0035_alter_group_options_and_more.py
+++ b/authentik/core/migrations/0035_alter_group_options_and_more.py
@ -1,52 +0,0 @@
 # Generated by Django 5.0.4 on 2024-04-15 11:28
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("auth", "0012_alter_user_first_name_max_length"),
        ("authentik_core", "0034_alter_authenticatedsession_expires_and_more"),
        ("authentik_rbac", "0003_alter_systempermission_options"),
    ]
    operations = [
        migrations.AlterModelOptions(
            name="group",
            options={
                "permissions": [
                    ("add_user_to_group", "Add user to group"),
                    ("remove_user_from_group", "Remove user from group"),
                ],
                "verbose_name": "Group",
                "verbose_name_plural": "Groups",
            },
        ),
        migrations.AddIndex(
            model_name="group",
            index=models.Index(fields=["name"], name="authentik_c_name_9ba8e4_idx"),
        ),
        migrations.AddIndex(
            model_name="user",
            index=models.Index(fields=["last_login"], name="authentik_c_last_lo_f0179a_idx"),
        ),
        migrations.AddIndex(
            model_name="user",
            index=models.Index(
                fields=["password_change_date"], name="authentik_c_passwor_eec915_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="user",
            index=models.Index(fields=["uuid"], name="authentik_c_uuid_3dae2f_idx"),
        ),
        migrations.AddIndex(
            model_name="user",
            index=models.Index(fields=["path"], name="authentik_c_path_b1f502_idx"),
        ),
        migrations.AddIndex(
            model_name="user",
            index=models.Index(fields=["type"], name="authentik_c_type_ecf60d_idx"),
        ),
    ]
--- a/authentik/core/migrations/0036_source_group_property_mappings_and_more.py
+++ b/authentik/core/migrations/0036_source_group_property_mappings_and_more.py
@ -1,43 +0,0 @@
 # Generated by Django 5.0.2 on 2024-02-29 11:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0035_alter_group_options_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="source",
            name="group_property_mappings",
            field=models.ManyToManyField(
                blank=True,
                default=None,
                related_name="source_grouppropertymappings_set",
                to="authentik_core.propertymapping",
            ),
        ),
        migrations.AddField(
            model_name="source",
            name="user_property_mappings",
            field=models.ManyToManyField(
                blank=True,
                default=None,
                related_name="source_userpropertymappings_set",
                to="authentik_core.propertymapping",
            ),
        ),
        migrations.AlterField(
            model_name="source",
            name="property_mappings",
            field=models.ManyToManyField(
                blank=True,
                default=None,
                related_name="source_set",
                to="authentik_core.propertymapping",
            ),
        ),
    ]
--- a/authentik/core/migrations/0037_remove_source_property_mappings.py
+++ b/authentik/core/migrations/0037_remove_source_property_mappings.py
@ -1,18 +0,0 @@
 # Generated by Django 5.0.2 on 2024-02-29 11:21
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
        ("authentik_core", "0036_source_group_property_mappings_and_more"),
    ]
    operations = [
        migrations.RemoveField(
            model_name="source",
            name="property_mappings",
        ),
    ]
--- a/authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py
+++ b/authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py
@ -1,19 +0,0 @@
 # Generated by Django 5.0.7 on 2024-07-22 13:32
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0037_remove_source_property_mappings"),
        ("authentik_flows", "0027_auto_20231028_1424"),
        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="source",
            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
        ),
    ]
--- a/authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py
+++ b/authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py
@ -1,67 +0,0 @@
 # Generated by Django 5.0.7 on 2024-08-01 18:52
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
    ]
    operations = [
        migrations.AddField(
            model_name="source",
            name="group_matching_mode",
            field=models.TextField(
                choices=[
                    ("identifier", "Use the source-specific identifier"),
                    (
                        "name_link",
                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
                    ),
                    (
                        "name_deny",
                        "Use the group name, but deny enrollment when the name already exists.",
                    ),
                ],
                default="identifier",
                help_text="How the source determines if an existing group should be used or a new group created.",
            ),
        ),
        migrations.AlterField(
            model_name="group",
            name="name",
            field=models.TextField(verbose_name="name"),
        ),
        migrations.CreateModel(
            name="GroupSourceConnection",
            fields=[
                (
                    "id",
                    models.AutoField(
                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
                    ),
                ),
                ("created", models.DateTimeField(auto_now_add=True)),
                ("last_updated", models.DateTimeField(auto_now=True)),
                ("identifier", models.TextField()),
                (
                    "group",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
                    ),
                ),
                (
                    "source",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
                    ),
                ),
            ],
            options={
                "unique_together": {("group", "source")},
            },
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,6 +1,6 @@
 """authentik core models"""
-from datetime import datetime
+from datetime import timedelta
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@ -11,12 +11,10 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_cte import CTEQuerySet, With
 from guardian.conf import settings
 from guardian.mixins import GuardianUserMixin
 from model_utils.managers import InheritanceManager
@ -24,21 +22,18 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 from authentik.blueprints.models import ManagedModel
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
-from authentik.lib.expression.exceptions import ControlFlowException
+from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
    CreatedUpdatedModel,
    DomainlessFormattedURLValidator,
    SerializerModel,
 )
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
-from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGTH
+from authentik.tenants.utils import get_unique_identifier
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
@ -47,44 +42,33 @@ USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
 USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
 USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
 USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
 USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
    # used_by API that allows models to specify if they shadow an object
    # for example the proxy provider which is built on top of an oauth provider
    "authentik_used_by_shadows",
    # List fields for which changes are not logged (due to them having dedicated objects)
    # for example user's password and last_login
    "authentik_signals_ignored_fields",
 )
 GROUP_RECURSION_LIMIT = 20
-
+def default_token_duration():
 def default_token_duration() -> datetime:
    """Default duration a Token is valid"""
-    current_tenant = get_current_tenant()
+    return now() + timedelta(minutes=30)
    token_duration = (
        current_tenant.default_token_duration
        if hasattr(current_tenant, "default_token_duration")
        else DEFAULT_TOKEN_DURATION
    )
    return now() + timedelta_from_string(token_duration)
-def default_token_key() -> str:
+def default_token_key():
    """Default token key"""
    current_tenant = get_current_tenant()
    token_length = (
        current_tenant.default_token_length
        if hasattr(current_tenant, "default_token_length")
        else DEFAULT_TOKEN_LENGTH
    )
    # We use generate_id since the chars in the key should be easy
    # to use in Emails (for verification) and URLs (for recovery)
-    return generate_id(token_length)
+    return generate_id(CONFIG.get_int("default_token_length"))
 class UserTypes(models.TextChoices):
@ -102,78 +86,12 @@ class UserTypes(models.TextChoices):
    INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
-class AttributesMixin(models.Model):
+class Group(SerializerModel):
    """Adds an attributes property to a model"""
    attributes = models.JSONField(default=dict, blank=True)
    class Meta:
        abstract = True
    def update_attributes(self, properties: dict[str, Any]):
        """Update fields and attributes, but correctly by merging dicts"""
        for key, value in properties.items():
            if key == "attributes":
                continue
            setattr(self, key, value)
        final_attributes = {}
        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
        self.attributes = final_attributes
        self.save()
    @classmethod
    def update_or_create_attributes(
        cls, query: dict[str, Any], properties: dict[str, Any]
    ) -> tuple[models.Model, bool]:
        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
        instance = cls.objects.filter(**query).first()
        if not instance:
            return cls.objects.create(**properties), True
        instance.update_attributes(properties)
        return instance, False
 class GroupQuerySet(CTEQuerySet):
    def with_children_recursive(self):
        """Recursively get all groups that have the current queryset as parents
        or are indirectly related."""
        def make_cte(cte):
            """Build the query that ends up in WITH RECURSIVE"""
            # Start from self, aka the current query
            # Add a depth attribute to limit the recursion
            return self.annotate(
                relative_depth=models.Value(0, output_field=models.IntegerField())
            ).union(
                # Here is the recursive part of the query. cte refers to the previous iteration
                # Only select groups for which the parent is part of the previous iteration
                # and increase the depth
                # Finally, limit the depth
                cte.join(Group, group_uuid=cte.col.parent_id)
                .annotate(
                    relative_depth=models.ExpressionWrapper(
                        cte.col.relative_depth
                        + models.Value(1, output_field=models.IntegerField()),
                        output_field=models.IntegerField(),
                    )
                )
                .filter(relative_depth__lt=GROUP_RECURSION_LIMIT),
                all=True,
            )
        # Build the recursive query, see above
        cte = With.recursive(make_cte)
        # Return the result, as a usable queryset for Group.
        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 class Group(SerializerModel, AttributesMixin):
    """Group model which supports a basic hierarchy and has attributes"""
    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    name = models.TextField(_("name"))
+    name = models.CharField(_("name"), max_length=80)
    is_superuser = models.BooleanField(
        default=False, help_text=_("Users added to this group will be superusers.")
    )
@ -188,26 +106,7 @@ class Group(SerializerModel, AttributesMixin):
        on_delete=models.SET_NULL,
        related_name="children",
    )
-
+    attributes = models.JSONField(default=dict, blank=True)
    objects = GroupQuerySet.as_manager()
    class Meta:
        unique_together = (
            (
                "name",
                "parent",
            ),
        )
        indexes = [models.Index(fields=["name"])]
        verbose_name = _("Group")
        verbose_name_plural = _("Groups")
        permissions = [
            ("add_user_to_group", _("Add user to group")),
            ("remove_user_from_group", _("Remove user from group")),
        ]
    def __str__(self):
        return f"Group {self.name}"
    @property
    def serializer(self) -> Serializer:
@ -227,11 +126,49 @@ class Group(SerializerModel, AttributesMixin):
        return user.all_groups().filter(group_uuid=self.group_uuid).exists()
    def children_recursive(self: Self | QuerySet["Group"]) -> QuerySet["Group"]:
-        """Compatibility layer for Group.objects.with_children_recursive()"""
+        """Recursively get all groups that have this as parent or are indirectly related"""
-        qs = self
+        direct_groups = []
-        if not isinstance(self, QuerySet):
+        if isinstance(self, QuerySet):
-            qs = Group.objects.filter(group_uuid=self.group_uuid)
+            direct_groups = list(x for x in self.all().values_list("pk", flat=True).iterator())
-        return qs.with_children_recursive()
+        else:
            direct_groups = [self.pk]
        if len(direct_groups) < 1:
            return Group.objects.none()
        query = """
        WITH RECURSIVE parents AS (
            SELECT authentik_core_group.*, 0 AS relative_depth
            FROM authentik_core_group
            WHERE authentik_core_group.group_uuid = ANY(%s)
            UNION ALL
            SELECT authentik_core_group.*, parents.relative_depth + 1
            FROM authentik_core_group, parents
            WHERE (
                authentik_core_group.group_uuid = parents.parent_id and
                parents.relative_depth < 20
            )
        )
        SELECT group_uuid
        FROM parents
        GROUP BY group_uuid, name
        ORDER BY name;
        """
        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
        return Group.objects.filter(pk__in=group_pks)
    def __str__(self):
        return f"Group {self.name}"
    class Meta:
        unique_together = (
            (
                "name",
                "parent",
            ),
        )
        verbose_name = _("Group")
        verbose_name_plural = _("Groups")
 class UserQuerySet(models.QuerySet):
@ -258,7 +195,7 @@ class UserManager(DjangoUserManager):
        return self.get_queryset().exclude_anonymous()
-class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AbstractUser):
    """authentik User model, based on django's contrib auth user model."""
    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@ -270,38 +207,20 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
    ak_groups = models.ManyToManyField("Group", related_name="users")
    password_change_date = models.DateTimeField(auto_now_add=True)
    attributes = models.JSONField(default=dict, blank=True)
    objects = UserManager()
    class Meta:
        verbose_name = _("User")
        verbose_name_plural = _("Users")
        permissions = [
            ("reset_user_password", _("Reset Password")),
            ("impersonate", _("Can impersonate other users")),
            ("assign_user_permissions", _("Can assign permissions to users")),
            ("unassign_user_permissions", _("Can unassign permissions from users")),
            ("preview_user", _("Can preview user data sent to providers")),
            ("view_user_applications", _("View applications the user has access to")),
        ]
        indexes = [
            models.Index(fields=["last_login"]),
            models.Index(fields=["password_change_date"]),
            models.Index(fields=["uuid"]),
            models.Index(fields=["path"]),
            models.Index(fields=["type"]),
        ]
    def __str__(self):
        return self.username
    @staticmethod
    def default_path() -> str:
        """Get the default user path"""
        return User._meta.get_field("path").default
    def all_groups(self) -> QuerySet[Group]:
-        """Recursively get all groups this user is a member of."""
+        """Recursively get all groups this user is a member of.
-        return self.ak_groups.all().with_children_recursive()
+        At least one query is done to get the direct groups of the user, with groups
        there are at most 3 queries done"""
        return Group.children_recursive(self.ak_groups.all())
    def group_attributes(self, request: HttpRequest | None = None) -> dict[str, Any]:
        """Get a dictionary containing the attributes from all groups the user belongs to,
@ -375,6 +294,26 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """Get avatar, depending on authentik.avatar setting"""
        return get_avatar(self)
    class Meta:
        verbose_name = _("User")
        verbose_name_plural = _("Users")
        permissions = [
            ("reset_user_password", _("Reset Password")),
            ("impersonate", _("Can impersonate other users")),
            ("assign_user_permissions", _("Can assign permissions to users")),
            ("unassign_user_permissions", _("Can unassign permissions from users")),
            ("preview_user", _("Can preview user data sent to providers")),
            ("view_user_applications", _("View applications the user has access to")),
        ]
        authentik_signals_ignored_fields = [
            # Logged by the events `password_set`
            # the `password_set` action/signal doesn't currently convey which user
            # initiated the password change, so for now we'll log two actions
            # ("password", "password_change_date"),
            # Logged by `login`
            ("last_login",),
        ]
 class Provider(SerializerModel):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@ -424,10 +363,6 @@ class Provider(SerializerModel):
        Can return None for providers that are not URL-based"""
        return None
    @property
    def icon_url(self) -> str | None:
        return None
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
@ -462,16 +397,6 @@ class BackchannelProvider(Provider):
        abstract = True
 class ApplicationQuerySet(QuerySet):
    def with_provider(self) -> "QuerySet[Application]":
        qs = self.select_related("provider")
        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
            if LOOKUP_SEP in subclass:
                continue
            qs = qs.select_related(f"provider__{subclass}")
        return qs
 class Application(SerializerModel, PolicyBindingModel):
    """Every Application which uses authentik for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
@ -503,8 +428,6 @@ class Application(SerializerModel, PolicyBindingModel):
    meta_description = models.TextField(default="", blank=True)
    meta_publisher = models.TextField(default="", blank=True)
    objects = ApplicationQuerySet.as_manager()
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.applications import ApplicationSerializer
@ -541,19 +464,16 @@ class Application(SerializerModel, PolicyBindingModel):
        return url
    def get_provider(self) -> Provider | None:
-        """Get casted provider instance. Needs Application queryset with_provider"""
+        """Get casted provider instance"""
        if not self.provider:
            return None
-
+        # if the Application class has been cache, self.provider is set
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+        # but doing a direct query lookup will fail.
-            # We don't care about recursion, skip nested models
+        # In that case, just return None
-            if LOOKUP_SEP in subclass:
+        try:
-                continue
+            return Provider.objects.get_subclass(pk=self.provider.pk)
-            try:
+        except Provider.DoesNotExist:
-                return getattr(self.provider, subclass)
+            return None
            except AttributeError:
                pass
        return None
    def __str__(self):
        return str(self.name)
@ -583,19 +503,6 @@ class SourceUserMatchingModes(models.TextChoices):
    )
 class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
    NAME_LINK = "name_link", _(
        "Link to a group with identical name. Can have security implications "
        "when a group name is used with another source."
    )
    NAME_DENY = "name_deny", _(
        "Use the group name, but deny enrollment when the name already exists."
    )
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
@ -605,12 +512,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
    enabled = models.BooleanField(default=True)
-    user_property_mappings = models.ManyToManyField(
+    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
    )
    group_property_mappings = models.ManyToManyField(
        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
    )
    icon = models.FileField(
        upload_to="source-icons/",
        default=None,
@ -645,14 +547,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
            "a new user enrolled."
        ),
    )
    group_matching_mode = models.TextField(
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
            "How the source determines if an existing group should be used or "
            "a new group created."
        ),
    )
    objects = InheritanceManager()
@ -682,11 +576,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        """Return component used to edit this object"""
        raise NotImplementedError
    @property
    def property_mapping_type(self) -> "type[PropertyMapping]":
        """Return property mapping type used by this object"""
        raise NotImplementedError
    def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
        """If source uses a http-based flow, return UI Information about the login
        button. If source doesn't use http-based flow, return None."""
@ -697,14 +586,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        user settings are available, or UserSettingSerializer."""
        return None
    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a user to build final properties upon."""
        raise NotImplementedError
    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a group to build final properties upon."""
        raise NotImplementedError
    def __str__(self):
        return str(self.name)
@ -720,11 +601,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                    "name",
                ]
            ),
            models.Index(
                fields=[
                    "enabled",
                ]
            ),
        ]
@ -741,38 +617,14 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
        """Get serializer for this model"""
        raise NotImplementedError
    def __str__(self) -> str:
        return f"User-source connection (user={self.user_id}, source={self.source_id})"
    class Meta:
        unique_together = (("user", "source"),)
 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
    """Connection between Group and Source."""
    group = models.ForeignKey(Group, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)
    identifier = models.TextField()
    objects = InheritanceManager()
    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        raise NotImplementedError
    def __str__(self) -> str:
        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
    class Meta:
        unique_together = (("group", "source"),)
 class ExpiringModel(models.Model):
    """Base Model which can expire, and is automatically cleaned up."""
-    expires = models.DateTimeField(default=None, null=True)
+    expires = models.DateTimeField(default=default_token_duration)
    expiring = models.BooleanField(default=True)
    class Meta:
@ -786,7 +638,7 @@ class ExpiringModel(models.Model):
        return self.delete(*args, **kwargs)
    @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
+    def filter_not_expired(cls, **kwargs) -> QuerySet:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
@ -898,10 +750,8 @@ class PropertyMapping(SerializerModel, ManagedModel):
        evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
        try:
            return evaluator.evaluate(self.expression)
        except ControlFlowException as exc:
            raise exc
        except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc) from exc
    def __str__(self):
        return f"Property Mapping {self.name}"
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -10,14 +10,7 @@ from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
-from authentik.core.models import (
+from authentik.core.models import Application, AuthenticatedSession, BackchannelProvider, User
    Application,
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
    User,
    default_token_duration,
 )
 # Arguments: user: User, password: str
 password_changed = Signal()
@ -52,8 +45,6 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
@receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    """Delete AuthenticatedSession if it exists"""
    if not request.session or not request.session.session_key:
        return
    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
@ -70,12 +61,3 @@ def backchannel_provider_pre_save(sender: type[Model], instance: Model, **_):
    if not isinstance(instance, BackchannelProvider):
        return
    instance.is_backchannel = True
@receiver(pre_save)
 def expiring_model_pre_save(sender: type[Model], instance: Model, **_):
    """Ensure expires is set on ExpiringModels that are set to expire"""
    if not issubclass(sender, ExpiringModel):
        return
    if instance.expiring and instance.expires is None:
        instance.expires = default_token_duration()
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 from django.contrib import messages
-from django.db import IntegrityError, transaction
+from django.db import IntegrityError
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@ -12,25 +12,12 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
-from authentik.core.models import (
+from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-    Group,
+from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
    GroupSourceConnection,
    Source,
    SourceGroupMatchingModes,
    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
 from authentik.core.sources.stage import (
    PLAN_CONTEXT_SOURCES_CONNECTION,
    PostSourceStage,
 )
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
+from authentik.flows.models import Flow, Stage, in_memory_stage
 from authentik.flows.planner import (
    PLAN_CONTEXT_IS_RESTORED,
    PLAN_CONTEXT_PENDING_USER,
    PLAN_CONTEXT_REDIRECT,
    PLAN_CONTEXT_SOURCE,
@ -48,11 +35,6 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 LOGGER = get_logger()
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 class Action(Enum):
    """Actions that can be decided based on the request
@ -85,69 +67,50 @@ class SourceFlowManager:
    or deny the request."""
    source: Source
    mapper: SourceMapper
    request: HttpRequest
    identifier: str
-    user_connection_type: type[UserSourceConnection] = UserSourceConnection
+    connection_type: type[UserSourceConnection] = UserSourceConnection
    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
-    user_info: dict[str, Any]
+    enroll_info: dict[str, Any]
    policy_context: dict[str, Any]
    user_properties: dict[str, Any | dict[str, Any]]
    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
    def __init__(
        self,
        source: Source,
        request: HttpRequest,
        identifier: str,
-        user_info: dict[str, Any],
+        enroll_info: dict[str, Any],
        policy_context: dict[str, Any],
    ) -> None:
        self.source = source
        self.mapper = SourceMapper(self.source)
        self.request = request
        self.identifier = identifier
-        self.user_info = user_info
+        self.enroll_info = enroll_info
        self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = policy_context
+        self.policy_context = {}
        self.user_properties = self.mapper.build_object_properties(
            object_type=User, request=request, user=None, **self.user_info
        )
        self.groups_properties = {
            group_id: self.mapper.build_object_properties(
                object_type=Group,
                request=request,
                user=None,
                group_id=group_id,
                **self.user_info,
            )
            for group_id in self.user_properties.setdefault("groups", [])
        }
        del self.user_properties["groups"]
    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
-        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
            new_connection.user = self.request.user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
            new_connection.save()
            return Action.LINK, new_connection
-        existing_connections = self.user_connection_type.objects.filter(
+        existing_connections = self.connection_type.objects.filter(
            source=self.source, identifier=self.identifier
        )
        if existing_connections.exists():
            connection = existing_connections.first()
-            return Action.AUTH, self.update_user_connection(connection, **kwargs)
+            return Action.AUTH, self.update_connection(connection, **kwargs)
        # No connection exists, but we match on identifier, so enroll
        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
        # Check for existing users with matching attributes
        query = Q()
@ -156,24 +119,24 @@ class SourceFlowManager:
            SourceUserMatchingModes.EMAIL_LINK,
            SourceUserMatchingModes.EMAIL_DENY,
        ]:
-            if not self.user_properties.get("email", None):
+            if not self.enroll_info.get("email", None):
-                self._logger.warning("Refusing to use none email")
+                self._logger.warning("Refusing to use none email", source=self.source)
                return Action.DENY, None
-            query = Q(email__exact=self.user_properties.get("email", None))
+            query = Q(email__exact=self.enroll_info.get("email", None))
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.USERNAME_LINK,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
-            if not self.user_properties.get("username", None):
+            if not self.enroll_info.get("username", None):
-                self._logger.warning("Refusing to use none username")
+                self._logger.warning("Refusing to use none username", source=self.source)
                return Action.DENY, None
-            query = Q(username__exact=self.user_properties.get("username", None))
+            query = Q(username__exact=self.enroll_info.get("username", None))
        self._logger.debug("trying to link with existing user", query=query)
        matching_users = User.objects.filter(query)
        # No matching users, always enroll
        if not matching_users.exists():
            self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
        user = matching_users.first()
        if self.source.user_matching_mode in [
@ -181,7 +144,8 @@ class SourceFlowManager:
            SourceUserMatchingModes.USERNAME_LINK,
        ]:
            new_connection.user = user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
            new_connection.save()
            return Action.LINK, new_connection
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_DENY,
@ -192,10 +156,10 @@ class SourceFlowManager:
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
-    def update_user_connection(
+    def update_connection(
        self, connection: UserSourceConnection, **kwargs
    ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the user connection after it is looked up/created."""
+        """Optionally make changes to the connection after it is looked up/created."""
        return connection
    def get_flow(self, **kwargs) -> HttpResponse:
@ -242,16 +206,20 @@ class SourceFlowManager:
    def get_stages_to_append(self, flow: Flow) -> list[Stage]:
        """Hook to override stages which are appended to the flow"""
-        return [
+        if not self.source.enrollment_flow:
-            in_memory_stage(PostSourceStage),
+            return []
-        ]
+        if flow.slug == self.source.enrollment_flow.slug:
            return [
                in_memory_stage(PostUserEnrollmentStage),
            ]
        return []
    def _prepare_flow(
        self,
-        flow: Flow | None,
+        flow: Flow,
        connection: UserSourceConnection,
        stages: list[StageView] | None = None,
-        **flow_context,
+        **kwargs,
    ) -> HttpResponse:
        """Prepare Authentication Plan, redirect user FlowExecutor"""
        # Ensure redirect is carried through when user was trying to
@ -259,44 +227,17 @@ class SourceFlowManager:
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        flow_context.update(
+        kwargs.update(
            {
                # Since we authenticate the user by their token, they have no backend set
                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                PLAN_CONTEXT_SSO: True,
                PLAN_CONTEXT_SOURCE: self.source,
                PLAN_CONTEXT_REDIRECT: final_redirect,
                PLAN_CONTEXT_SOURCES_CONNECTION: connection,
                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
            }
        )
-        flow_context.update(self.policy_context)
+        kwargs.update(self.policy_context)
        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
            plan = token.plan
            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
            plan.context.update(flow_context)
            for stage in self.get_stages_to_append(flow):
                plan.append_stage(stage)
            if stages:
                for stage in stages:
                    plan.append_stage(stage)
            self.request.session[SESSION_KEY_PLAN] = plan
            flow_slug = token.flow.slug
            token.delete()
            return redirect_with_qs(
                "authentik_core:if-flow",
                self.request.GET,
                flow_slug=flow_slug,
            )
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        if PLAN_CONTEXT_REDIRECT not in flow_context:
            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
        if not flow:
            return bad_request_message(
                self.request,
@ -304,15 +245,9 @@ class SourceFlowManager:
            )
        # We run the Flow planner here so we can pass the Pending user in the context
        planner = FlowPlanner(flow)
-        # We append some stages so the initial flow we get might be empty
+        plan = planner.plan(self.request, kwargs)
        planner.allow_empty_flows = True
        planner.use_cache = False
        plan = planner.plan(self.request, flow_context)
        for stage in self.get_stages_to_append(flow):
            plan.append_stage(stage)
        plan.append_stage(
            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
        )
        if stages:
            for stage in stages:
                plan.append_stage(stage)
@ -354,9 +289,7 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+        # Connection has already been saved
            return self._prepare_flow(None, connection)
        connection.save()
        Event.new(
            EventAction.SOURCE_LINKED,
            message="Linked Source",
@ -370,7 +303,7 @@ class SourceFlowManager:
            reverse(
                "authentik_core:if-user",
            )
-            + "#/settings;page-sources"
+            + f"#/settings;page-{self.source.slug}"
        )
    def handle_enroll(
@ -399,123 +332,7 @@ class SourceFlowManager:
                )
            ],
            **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
            },
        )
 class GroupUpdateStage(StageView):
    """Dynamically injected stage which updates the user after enrollment/authentication."""
    def get_action(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, GroupSourceConnection | None]:
        """decide which action should be taken"""
        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
        existing_connections = self.group_connection_type.objects.filter(
            source=self.source, identifier=group_id
        )
        if existing_connections.exists():
            return Action.LINK, existing_connections.first()
        # No connection exists, but we match on identifier, so enroll
        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
            return Action.ENROLL, new_connection
        # Check for existing groups with matching attributes
        query = Q()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            if not group_properties.get("name", None):
                LOGGER.warning(
                    "Refusing to use none group name", source=self.source, group_id=group_id
                )
                return Action.DENY, None
            query = Q(name__exact=group_properties.get("name"))
        LOGGER.debug(
            "trying to link with existing group", source=self.source, query=query, group_id=group_id
        )
        matching_groups = Group.objects.filter(query)
        # No matching groups, always enroll
        if not matching_groups.exists():
            LOGGER.debug(
                "no matching groups found, enrolling", source=self.source, group_id=group_id
            )
            return Action.ENROLL, new_connection
        group = matching_groups.first()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
        ]:
            new_connection.group = group
            return Action.LINK, new_connection
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            LOGGER.info(
                "denying source because group exists",
                source=self.source,
                group=group,
                group_id=group_id,
            )
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def handle_group(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> Group | None:
        action, connection = self.get_action(group_id, group_properties)
        if action == Action.ENROLL:
            group = Group.objects.create(**group_properties)
            connection.group = group
            connection.save()
            return group
        elif action == Action.LINK:
            group = connection.group
            group.update_attributes(group_properties)
            connection.save()
            return group
        return None
    def handle_groups(self) -> bool:
        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        self.group_connection_type: GroupSourceConnection = (
            self.executor.current_stage.group_connection_type
        )
        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
            PLAN_CONTEXT_SOURCE_GROUPS
        ]
        groups: list[Group] = []
        for group_id, group_properties in raw_groups.items():
            group = self.handle_group(group_id, group_properties)
            if not group:
                return False
            groups.append(group)
        with transaction.atomic():
            self.user.ak_groups.remove(
                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
            )
            self.user.ak_groups.add(*groups)
        return True
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Stage used after the user has been enrolled to sync their groups from source data"""
        if self.handle_groups():
            return self.executor.stage_ok()
        else:
            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
    def post(self, request: HttpRequest) -> HttpResponse:
        """Wrapper for post requests"""
        return self.get(request)
--- a/authentik/core/sources/mapper.py
+++ b/authentik/core/sources/mapper.py
@ -1,103 +0,0 @@
 from typing import Any
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, Source, User
 from authentik.events.models import Event, EventAction
 from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.sync.mapper import PropertyMappingManager
 from authentik.policies.utils import delete_none_values
 LOGGER = get_logger()
 class SourceMapper:
    def __init__(self, source: Source):
        self.source = source
    def get_manager(
        self, object_type: type[User | Group], context_keys: list[str]
    ) -> PropertyMappingManager:
        """Get property mapping manager for this source."""
        qs = PropertyMapping.objects.none()
        if object_type == User:
            qs = self.source.user_property_mappings.all().select_subclasses()
        elif object_type == Group:
            qs = self.source.group_property_mappings.all().select_subclasses()
        qs = qs.order_by("name")
        return PropertyMappingManager(
            qs,
            self.source.property_mapping_type,
            ["source", "properties"] + context_keys,
        )
    def get_base_properties(
        self, object_type: type[User | Group], **kwargs
    ) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a user or a group to build final properties upon."""
        if object_type == User:
            properties = self.source.get_base_user_properties(**kwargs)
            properties.setdefault("path", self.source.get_user_path())
            return properties
        if object_type == Group:
            return self.source.get_base_group_properties(**kwargs)
        return {}
    def build_object_properties(
        self,
        object_type: type[User | Group],
        manager: "PropertyMappingManager | None" = None,
        user: User | None = None,
        request: HttpRequest | None = None,
        **kwargs,
    ) -> dict[str, Any | dict[str, Any]]:
        """Build a user or group properties from the source configured property mappings."""
        properties = self.get_base_properties(object_type, **kwargs)
        if "attributes" not in properties:
            properties["attributes"] = {}
        if not manager:
            manager = self.get_manager(object_type, list(kwargs.keys()))
        evaluations = manager.iter_eval(
            user=user,
            request=request,
            return_mapping=True,
            source=self.source,
            properties=properties,
            **kwargs,
        )
        while True:
            try:
                value, mapping = next(evaluations)
            except StopIteration:
                break
            except PropertyMappingExpressionException as exc:
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
                    source=self,
                    mapping=exc.mapping,
                ).save()
                LOGGER.warning(
                    "Mapping failed to evaluate",
                    exc=exc,
                    source=self,
                    mapping=exc.mapping,
                )
                raise exc
            if not value or not isinstance(value, dict):
                LOGGER.debug(
                    "Mapping evaluated to None or is not a dict. Skipping",
                    source=self,
                    mapping=mapping,
                )
                continue
            MERGE_LIST_UNIQUE.merge(properties, value)
        return delete_none_values(properties)
--- a/authentik/core/sources/stage.py
+++ b/authentik/core/sources/stage.py
@ -10,7 +10,7 @@ from authentik.flows.stage import StageView
 PLAN_CONTEXT_SOURCES_CONNECTION = "goauthentik.io/sources/connection"
-class PostSourceStage(StageView):
+class PostUserEnrollmentStage(StageView):
    """Dynamically injected stage which saves the Connection after
    the user has been enrolled."""
@ -21,12 +21,10 @@ class PostSourceStage(StageView):
        ]
        user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        connection.user = user
        linked = connection.pk is None
        connection.save()
-        if linked:
+        Event.new(
-            Event.new(
+            EventAction.SOURCE_LINKED,
-                EventAction.SOURCE_LINKED,
+            message="Linked Source",
-                message="Linked Source",
+            source=connection.source,
-                source=connection.source,
+        ).from_http(self.request)
            ).from_http(self.request)
        return self.executor.stage_ok()
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -2,9 +2,7 @@
 from datetime import datetime, timedelta
 from django.conf import ImproperlyConfigured
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
 from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
@ -17,7 +15,6 @@ from authentik.core.models import (
    User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -42,31 +39,16 @@ def clean_expired_models(self: SystemTask):
    amount = 0
    for session in AuthenticatedSession.objects.all():
-        match CONFIG.get("session_storage", "cache"):
+        cache_key = f"{KEY_PREFIX}{session.session_key}"
-            case "cache":
+        value = None
-                cache_key = f"{KEY_PREFIX}{session.session_key}"
+        try:
-                value = None
+            value = cache.get(cache_key)
                try:
                    value = cache.get(cache_key)
-                except Exception as exc:
+        except Exception as exc:
-                    LOGGER.debug("Failed to get session from cache", exc=exc)
+            LOGGER.debug("Failed to get session from cache", exc=exc)
-                if not value:
+        if not value:
-                    session.delete()
+            session.delete()
-                    amount += 1
+            amount += 1
            case "db":
                if not (
                    DBSessionStore.get_model_class()
                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
                    .exists()
                ):
                    session.delete()
                    amount += 1
            case _:
                # Should never happen, as we check for other values in authentik/root/settings.py
                raise ImproperlyConfigured(
                    "Invalid session_storage setting, allowed values are db and cache"
                )
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -10,7 +10,7 @@
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
    };
-    window.addEventListener("DOMContentLoaded", function () {
+    window.addEventListener("DOMContentLoaded", () => {
        {% for message in messages %}
        window.dispatchEvent(
            new CustomEvent("ak-message", {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -1,10 +1,9 @@
 {% load static %}
 {% load i18n %}
 {% load authentik_core %}
 <!DOCTYPE html>
-<html>
+<html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@ -15,8 +14,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
+        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
-{% load authentik_core %}
+{% load static %}
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -1,7 +1,6 @@
 {% extends "base/skeleton.html" %}
 {% load static %}
 {% load authentik_core %}
 {% block head_before %}
 {{ block.super }}
@ -18,7 +17,7 @@ window.authentik.flow = {
 {% endblock %}
 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
-{% load authentik_core %}
+{% load static %}
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -71,9 +71,9 @@
                </li>
                {% endfor %}
                <li>
-                    <span>
+                    <a href="https://goauthentik.io?utm_source=authentik">
                        {% trans 'Powered by authentik' %}
-                    </span>
+                    </a>
                </li>
            </ul>
        </footer>
--- a/authentik/core/templatetags/init.py
+++ b/authentik/core/templatetags/init.py
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -1,21 +0,0 @@
 """authentik core tags"""
 from django import template
 from django.templatetags.static import static as static_loader
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
 register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
    returned_lines = [
        (
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -1,11 +1,10 @@
 """Test Groups API"""
 from django.urls.base import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
@ -13,33 +12,13 @@ class TestGroupsAPI(APITestCase):
    """Test Groups API"""
    def setUp(self) -> None:
-        self.login_user = create_test_user()
+        self.admin = create_test_admin_user()
        self.user = User.objects.create(username="test-user")
    def test_list_with_users(self):
        """Test listing with users"""
        admin = create_test_admin_user()
        self.client.force_login(admin)
        response = self.client.get(reverse("authentik_api:group-list"), {"include_users": "true"})
        self.assertEqual(response.status_code, 200)
    def test_retrieve_with_users(self):
        """Test retrieve with users"""
        admin = create_test_admin_user()
        group = Group.objects.create(name=generate_id())
        self.client.force_login(admin)
        response = self.client.get(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
            {"include_users": "true"},
        )
        self.assertEqual(response.status_code, 200)
    def test_add_user(self):
        """Test add_user"""
        group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.add_user_to_group", self.login_user, group)
+        self.client.force_login(self.admin)
        assign_perm("authentik_core.view_user", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
            data={
@ -53,9 +32,7 @@ class TestGroupsAPI(APITestCase):
    def test_add_user_404(self):
        """Test add_user"""
        group = Group.objects.create(name=generate_id())
-        assign_perm("authentik_core.add_user_to_group", self.login_user, group)
+        self.client.force_login(self.admin)
        assign_perm("authentik_core.view_user", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
            data={
@ -67,10 +44,8 @@ class TestGroupsAPI(APITestCase):
    def test_remove_user(self):
        """Test remove_user"""
        group = Group.objects.create(name=generate_id())
        assign_perm("authentik_core.remove_user_from_group", self.login_user, group)
        assign_perm("authentik_core.view_user", self.login_user)
        group.users.add(self.user)
-        self.client.force_login(self.login_user)
+        self.client.force_login(self.admin)
        res = self.client.post(
            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
            data={
@ -84,10 +59,8 @@ class TestGroupsAPI(APITestCase):
    def test_remove_user_404(self):
        """Test remove_user"""
        group = Group.objects.create(name=generate_id())
        assign_perm("authentik_core.remove_user_from_group", self.login_user, group)
        assign_perm("authentik_core.view_user", self.login_user)
        group.users.add(self.user)
-        self.client.force_login(self.login_user)
+        self.client.force_login(self.admin)
        res = self.client.post(
            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
            data={
@ -99,12 +72,11 @@ class TestGroupsAPI(APITestCase):
    def test_parent_self(self):
        """Test parent"""
        group = Group.objects.create(name=generate_id())
-        assign_perm("view_group", self.login_user, group)
+        self.client.force_login(self.admin)
        assign_perm("change_group", self.login_user, group)
        self.client.force_login(self.login_user)
        res = self.client.patch(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
            data={
                "pk": self.user.pk + 3,
                "parent": group.pk,
            },
        )
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -1,14 +1,14 @@
 """authentik core models tests"""
 from collections.abc import Callable
-from datetime import timedelta
+from time import sleep
 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
 from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user
 from authentik.core.models import Provider, Source, Token
 from authentik.flows.models import Stage
 from authentik.lib.utils.reflection import all_subclasses
@ -17,20 +17,18 @@ class TestModels(TestCase):
    def test_token_expire(self):
        """Test token expiring"""
-        with freeze_time() as freeze:
+        token = Token.objects.create(expires=now(), user=get_anonymous_user())
-            token = Token.objects.create(expires=now(), user=get_anonymous_user())
+        sleep(0.5)
-            freeze.tick(timedelta(seconds=1))
+        self.assertTrue(token.is_expired)
            self.assertTrue(token.is_expired)
    def test_token_expire_no_expire(self):
        """Test token expiring with "expiring" set"""
-        with freeze_time() as freeze:
+        token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
-            token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
+        sleep(0.5)
-            freeze.tick(timedelta(seconds=1))
+        self.assertFalse(token.is_expired)
            self.assertFalse(token.is_expired)
-def source_tester_factory(test_model: type[Source]) -> Callable:
+def source_tester_factory(test_model: type[Stage]) -> Callable:
    """Test source"""
    factory = RequestFactory()
@ -38,19 +36,19 @@ def source_tester_factory(test_model: type[Source]) -> Callable:
    def tester(self: TestModels):
        model_class = None
-        if test_model._meta.abstract:
+        if test_model._meta.abstract:  # pragma: no cover
-            model_class = [x for x in test_model.__bases__ if issubclass(x, Source)][0]()
+            model_class = test_model.__bases__[0]()
        else:
            model_class = test_model()
        model_class.slug = "test"
        self.assertIsNotNone(model_class.component)
-        model_class.ui_login_button(request)
+        _ = model_class.ui_login_button(request)
-        model_class.ui_user_settings()
+        _ = model_class.ui_user_settings()
    return tester
-def provider_tester_factory(test_model: type[Provider]) -> Callable:
+def provider_tester_factory(test_model: type[Stage]) -> Callable:
    """Test provider"""
    def tester(self: TestModels):
--- a/authentik/core/tests/test_property_mapping.py
+++ b/authentik/core/tests/test_property_mapping.py
@ -3,10 +3,7 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user
-from authentik.core.expression.exceptions import (
+from authentik.core.exceptions import PropertyMappingExpressionException
    PropertyMappingExpressionException,
    SkipObjectException,
 )
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@ -45,17 +42,6 @@ class TestPropertyMappings(TestCase):
        self.assertTrue(events.exists())
        self.assertEqual(len(events), 1)
    def test_expression_skip(self):
        """Test expression error"""
        expr = "raise SkipObject"
        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
        with self.assertRaises(SkipObjectException):
            mapping.evaluate(None, None)
        events = Event.objects.filter(
            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
        )
        self.assertFalse(events.exists())
    def test_expression_error_extended(self):
        """Test expression error (with user and http request"""
        expr = "return aaa"
@ -80,11 +66,14 @@ class TestPropertyMappings(TestCase):
            expression="return request.http_request.path",
        )
        http_request = self.factory.get("/")
-        tmpl = f"""
+        tmpl = (
-        res = ak_call_policy('{expr.name}')
+            """
        res = ak_call_policy('%s')
        result = [request.http_request.path, res.raw_result]
        return result
        """
            % expr.name
        )
        evaluator = PropertyMapping(expression=tmpl, name=generate_id())
        res = evaluator.evaluate(self.user, http_request)
        self.assertEqual(res, ["/", "/"])
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ken Sternberg	27e9e892e7	web: update the type names for routes. While writing up the commit message for the previous commit, I realized that I didn't really like the typenames as they're outlaid in `routeUtils`. This is much more explicit, describing the four types of routes we have: ListRoute, ViewRoute, InternalRedirect, ExternalRedirect.	2024-03-14 14:40:19 -07:00
Ken Sternberg	70bf745c0c	web: remove a lot of duplication from the Routes This commit extracts the highly repetitive `new Route(new RegExp(...))` syntax into a mappable function, leaving only the regular expression and the asynchronous loader behind. In the process, it creates a typed description of what kinds of routes we have, and uses type-level pattern matching to generate the route handlers and redirects. For example, it establishes that for the purposes of discriminating between redirects and loaders, the loader type is irrelevant to routing correctly. The loader type is still well-typed to prevent anyone from putting an incompatible loader into a route, but the two different loader types-- ones that take arguments, and ones that do not-- do not matter to the route builder. Likewise, the two different kinds of redirects do matter, but only because JavaScript makes a distinction between methods of one argument that can be `call`'ed and methods of more than one argument that must be `apply`'d. I suppose I could make this irrelevant by enforcing that the second argument to RawRedirect always be an Array, but that's not ergonomic, and when the `match()` function has such a lovely and simple way of distinguishing between the two forms, ergonomics always wins. This might seem like a curious bit of cleanup, but by exposing the regular expressions as strings, independent of the Routes that they ultimately represent, we get the power to associate paths to routeable objects with paths to navigable objects in the Sidebar, and ultimately with paths to navigable objects in a command palette. It might also lead to replacing our Routes infrastructure with an off-the-shelf router such as [Vaadin.router](https://github.com/vaadin/router) or Justin Fagnani's preferred [page.js](https://visionmedia.github.io/page.js/)	2024-03-14 14:19:41 -07:00
Ken Sternberg	8b4e0361c4	Merge branch 'main' into dev * main: web: clean up and remove redundant alias '@goauthentik/app' (#8889) web/admin: fix markdown table rendering (#8908)	2024-03-14 10:35:46 -07:00
Ken Sternberg	22cb5b7379	Merge branch 'main' into dev * main: web: bump chromedriver from 122.0.5 to 122.0.6 in /tests/wdio (#8902) web: bump vite-tsconfig-paths from 4.3.1 to 4.3.2 in /web (#8903) core: bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#8901) web: provide InstallID on EnterpriseListPage (#8898)	2024-03-14 08:14:43 -07:00
Ken Sternberg	2d0117d096	Merge branch 'main' into dev * main: api: capabilities: properly set can_save_media when s3 is enabled (#8896) web: bump the rollup group in /web with 3 updates (#8891) core: bump pydantic from 2.6.3 to 2.6.4 (#8892) core: bump twilio from 9.0.0 to 9.0.1 (#8893)	2024-03-13 14:05:11 -07:00
Ken Sternberg	035bda4eac	Merge branch 'main' into dev * main: Update _envoy_istio.md (#8888) website/docs: new landing page for Providers (#8879) web: bump the sentry group in /web with 1 update (#8881) web: bump chromedriver from 122.0.4 to 122.0.5 in /tests/wdio (#8884) web: bump the eslint group in /tests/wdio with 2 updates (#8883) web: bump the eslint group in /web with 2 updates (#8885) website: bump @types/react from 18.2.64 to 18.2.65 in /website (#8886)	2024-03-12 13:31:35 -07:00
Ken Sternberg	50906214e5	Merge branch 'main' into dev * main: web: upgrade to lit 3 (#8781)	2024-03-11 11:03:04 -07:00
Ken Sternberg	e505f274b6	Merge branch 'main' into dev * main: web: fix esbuild issue with style sheets (#8856)	2024-03-11 10:28:05 -07:00
Ken Sternberg	fe52f44dca	Merge branch 'main' into dev * main: tenants: really ensure default tenant cannot be deleted (#8875) core: bump github.com/go-openapi/runtime from 0.27.2 to 0.28.0 (#8867) core: bump pytest from 8.0.2 to 8.1.1 (#8868) core: bump github.com/go-openapi/strfmt from 0.22.2 to 0.23.0 (#8869) core: bump bandit from 1.7.7 to 1.7.8 (#8870) core: bump packaging from 23.2 to 24.0 (#8871) core: bump ruff from 0.3.1 to 0.3.2 (#8873) web: bump the wdio group in /tests/wdio with 3 updates (#8865) core: bump requests-oauthlib from 1.3.1 to 1.4.0 (#8866) core: bump uvicorn from 0.27.1 to 0.28.0 (#8872) core: bump django-filter from 23.5 to 24.1 (#8874)	2024-03-11 10:27:43 -07:00
Ken Sternberg	3146e5a50f	web: fix esbuild issue with style sheets Getting ESBuild, Lit, and Storybook to all agree on how to read and parse stylesheets is a serious pain. This fix better identifies the value types (instances) being passed from various sources in the repo to the three different kinds of style processors we're using (the native one, the polyfill one, and whatever the heck Storybook does internally). Falling back to using older CSS instantiating techniques one era at a time seems to do the trick. It's ugly, but in the face of the aggressive styling we use to avoid Flashes of Unstyled Content (FLoUC), it's the logic with which we're left. In standard mode, the following warning appears on the console when running a Flow: ``` Autofocus processing was blocked because a document already has a focused element. ``` In compatibility mode, the following error appears on the console when running a Flow: ``` crawler-inject.js:1106 Uncaught TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'. at initDomMutationObservers (crawler-inject.js:1106:18) at crawler-inject.js:1114:24 at Array.forEach (<anonymous>) at initDomMutationObservers (crawler-inject.js:1114:10) at crawler-inject.js:1549:1 initDomMutationObservers @ crawler-inject.js:1106 (anonymous) @ crawler-inject.js:1114 initDomMutationObservers @ crawler-inject.js:1114 (anonymous) @ crawler-inject.js:1549 ``` Despite this error, nothing seems to be broken and flows work as anticipated.	2024-03-08 14:15:55 -08:00
`@ -1 +1 @@`
	`custom: https://goauthentik.io/pricing/`	`github: [BeryJu]`