root: monitoring: force db connection reload before healthcheck

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-06-04 14:35:30 +02:00
725 changed files with 16648 additions and 34376 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.1
+current_version = 2024.4.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,8 +17,6 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

-[bumpversion:file:package.json]
-
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -54,10 +54,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
            ```

            For arm64, use these values:
@ -66,10 +65,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
            ```

            Afterwards, run the upgrade commands from the latest release notes.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -21,10 +21,7 @@ updates:
    labels:
      - dependencies
  - package-ecosystem: npm
-    directories:
-      - "/web"
-      - "/tests/wdio"
-      - "/web/sfe"
+    directory: "/web"
    schedule:
      interval: daily
      time: "04:00"
@ -33,6 +30,7 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
+    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
@ -58,6 +56,38 @@ updates:
        patterns:
          - "@rollup/*"
          - "rollup-*"
+  - package-ecosystem: npm
+    directory: "/tests/wdio"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "web:"
+    # TODO: deduplicate these groups
+    groups:
+      sentry:
+        patterns:
+          - "@sentry/*"
+          - "@spotlightjs/*"
+      babel:
+        patterns:
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
      wdio:
        patterns:
          - "@wdio/*"
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -31,12 +31,7 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/sfe
-        working-directory: web/sfe
+        working-directory: web/
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -219,7 +219,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -240,7 +240,7 @@ jobs:
      - name: generate ts client
        run: make gen-client-ts
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          context: .
          secrets: |
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -76,7 +76,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -96,7 +96,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -12,36 +12,14 @@ on:
      - version-*

 jobs:
-  lint:
+  lint-eslint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
        project:
          - web
          - tests/wdio
-        include:
-          - command: tsc
-            project: web
-            extra_setup: |
-              cd sfe/ && npm ci
-          - command: lit-analyse
-            project: web
-            extra_setup: |
-              # lit-analyse doesn't understand path rewrites, so make it
-              # belive it's an actual module
-              cd node_modules/@goauthentik
-              ln -s ../../src/ web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -50,17 +28,85 @@ jobs:
          cache: "npm"
          cache-dependency-path: ${{ matrix.project }}/package-lock.json
      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-          ${{ matrix.extra_setup }}
+        run: npm ci
      - name: Generate API
        run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: web/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
  ci-web-mark:
    needs:
-      - lint
+      - lint-lockfile
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -82,21 +128,3 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -12,21 +12,27 @@ on:
      - version-*

 jobs:
-  lint:
+  lint-lockfile:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
    steps:
      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
-      - name: Lint
+      - name: prettier
        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
  test:
    runs-on: ubuntu-latest
    steps:
@ -63,7 +69,8 @@ jobs:
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    needs:
-      - lint
+      - lint-lockfile
+      - lint-prettier
      - test
      - build
    runs-on: ubuntu-latest
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -14,7 +14,7 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -40,7 +40,7 @@ jobs:
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
@ -68,7 +68,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -94,7 +94,7 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ steps.ev.outputs.imageTags }}
@ -155,8 +155,8 @@ jobs:
      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
          docker compose pull -q
          docker compose up --no-start
          docker compose start postgresql redis
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,8 +14,8 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
          docker build -t testing:latest .
--- a/12
+++ b/12
@ -22,30 +22,20 @@ RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder

-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production

 WORKDIR /work/web

 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
-    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev && \
-    cd sfe && \
    npm ci --include=dev

-COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build && \
-    cd sfe && \
-    npm run build
+RUN npm run build

 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
--- a/10
+++ b/10
@ -47,8 +47,8 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...

 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@ -60,11 +60,9 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report

-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)

 lint: ## Lint the python and golang sources
@ -241,7 +239,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci

-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier

 website-build:
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2023.10.x | ✅        |
+| 2024.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.6.1"
+__version__ = "2024.4.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -16,7 +16,6 @@ from rest_framework.views import APIView

 from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@ -33,7 +32,7 @@ class RuntimeDict(TypedDict):
    platform: str
    uname: str
    openssl_version: str
-    openssl_fips_enabled: bool | None
+    openssl_fips_mode: bool
    authentik_version: str


@ -72,9 +71,7 @@ class SystemInfoSerializer(PassiveSerializer):
            "architecture": platform.machine(),
            "authentik_version": get_full_version(),
            "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
-            ),
+            "openssl_fips_enabled": backend._fips_enabled,
            "openssl_version": OPENSSL_VERSION,
            "platform": platform.platform(),
            "python_version": python_version,
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -58,7 +58,7 @@ from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@ -97,8 +97,8 @@ def excluded_models() -> list[type[Model]]:
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
        FlowToken,
        LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
+        SCIMGroup,
+        SCIMUser,
        Tenant,
        SystemTask,
        ConnectionToken,
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.tenants.utils import get_current_tenant


 class FooterLinkSerializer(PassiveSerializer):
    """Links returned in Config API"""

-    href = CharField(read_only=True, allow_null=True)
+    href = CharField(read_only=True)
    name = CharField(read_only=True)


--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -17,6 +17,7 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

@ -25,7 +26,6 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
@ -103,7 +103,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
    """Application Viewset"""

-    queryset = Application.objects.all().prefetch_related("provider").prefetch_related("policies")
+    queryset = Application.objects.all().prefetch_related("provider")
    serializer_class = ApplicationSerializer
    search_fields = [
        "name",
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,7 +2,6 @@

 from json import loads

-from django.db.models import Prefetch
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@ -17,12 +16,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
@ -167,14 +166,8 @@ class GroupViewSet(UsedByMixin, ModelViewSet):

    def get_queryset(self):
        base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
-
        if self.serializer_class(context={"request": self.request})._should_include_users:
            base_qs = base_qs.prefetch_related("users")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("users", queryset=User.objects.all().only("id"))
-            )
-
        return base_qs

    @extend_schema(
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -8,10 +8,11 @@ from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

 from authentik.blueprints.api import ManagedSerializer
@ -19,7 +20,6 @@ from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    MetaNameSerializer,
-    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
@ -80,10 +80,8 @@ class PropertyMappingViewSet(
    class PropertyMappingTestSerializer(PolicyTestSerializer):
        """Test property mapping execution for a user/group with context"""

-        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False, allow_null=True)
-        group = PrimaryKeyRelatedField(
-            queryset=Group.objects.all(), required=False, allow_null=True
-        )
+        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False)
+        group = PrimaryKeyRelatedField(queryset=Group.objects.all(), required=False)

    queryset = PropertyMapping.objects.select_subclasses()
    serializer_class = PropertyMappingSerializer
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -6,12 +6,13 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField, SerializerMethodField
+from rest_framework.fields import ReadOnlyField
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer
 from authentik.core.models import Provider


--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -11,6 +11,7 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

@ -18,7 +19,7 @@ from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -12,6 +12,7 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import OwnerSuperuserPermissions
@ -19,7 +20,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
@ -44,13 +45,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["key"] = CharField(required=False)

-    def validate_user(self, user: User):
-        """Ensure user of token cannot be changed"""
-        if self.instance and self.instance.user_id:
-            if user.pk != self.instance.user_id:
-                raise ValidationError("User cannot be changed")
-        return user
-
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context.get("request")
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -39,12 +39,12 @@ def get_delete_action(manager: Manager) -> str:
    """Get the delete action from the Foreign key, falls back to cascade"""
    if hasattr(manager, "field"):
        if manager.field.remote_field.on_delete.__name__ == SET_NULL.__name__:
-            return DeleteAction.SET_NULL.value
+            return DeleteAction.SET_NULL.name
        if manager.field.remote_field.on_delete.__name__ == SET_DEFAULT.__name__:
-            return DeleteAction.SET_DEFAULT.value
+            return DeleteAction.SET_DEFAULT.name
    if hasattr(manager, "source_field"):
-        return DeleteAction.CASCADE_MANY.value
-    return DeleteAction.CASCADE.value
+        return DeleteAction.CASCADE_MANY.name
+    return DeleteAction.CASCADE.name


 class UsedByMixin:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -40,6 +40,7 @@ from rest_framework.serializers import (
    BooleanField,
    DateTimeField,
    ListSerializer,
+    ModelSerializer,
    PrimaryKeyRelatedField,
    ValidationError,
 )
@ -51,12 +52,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
-    JSONDictField,
-    LinkSerializer,
-    ModelSerializer,
-    PassiveSerializer,
-)
+from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
 from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -12,12 +12,9 @@ from rest_framework.fields import (
    JSONField,
    SerializerMethodField,
 )
-from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
    Serializer,
    ValidationError,
-    model_meta,
-    raise_errors_on_nested_writes,
 )


@ -28,39 +25,6 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")


-class ModelSerializer(BaseModelSerializer):
-
-    def update(self, instance: Model, validated_data):
-        raise_errors_on_nested_writes("update", self, validated_data)
-        info = model_meta.get_field_info(instance)
-
-        # Simply set each attribute on the instance, and then save it.
-        # Note that unlike `.create()` we don't need to treat many-to-many
-        # relationships as being a special case. During updates we already
-        # have an instance pk for the relationships to be associated with.
-        m2m_fields = []
-        for attr, value in validated_data.items():
-            if attr in info.relations and info.relations[attr].to_many:
-                m2m_fields.append((attr, value))
-            else:
-                setattr(instance, attr, value)
-
-        instance.save()
-
-        # Note that many-to-many fields are set after updating instance.
-        # Setting m2m fields triggers signals which could potentially change
-        # updated instance and we do not want it to collide with .update()
-        for attr, value in m2m_fields:
-            field = getattr(instance, attr)
-            # We can't check for inheritance here as m2m managers are generated dynamically
-            if field.__class__.__name__ == "RelatedManager":
-                field.set(value, bulk=False)
-            else:
-                field.set(value)
-
-        return instance
-
-
 class JSONDictField(JSONField):
    """JSON Field which only allows dictionaries"""

--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -76,11 +76,8 @@ class PropertyMappingEvaluator(BaseEvaluator):
        )
        if "request" in self._context:
            req: PolicyRequest = self._context["request"]
-            if req.http_request:
-                event.from_http(req.http_request, req.user)
-                return
-            elif req.user:
-                event.set_user(req.user)
+            event.from_http(req.http_request, req.user)
+            return
        event.save()

    def evaluate(self, *args, **kwargs) -> Any:
--- a/authentik/core/expression/exceptions.py
+++ b/authentik/core/expression/exceptions.py
@ -1,6 +1,5 @@
 """authentik core exceptions"""

-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sentry import SentryIgnoredException


@ -13,7 +12,7 @@ class PropertyMappingExpressionException(SentryIgnoredException):
        self.mapping = mapping


-class SkipObjectException(ControlFlowException):
+class SkipObjectException(PropertyMappingExpressionException):
    """Exception which can be raised in a property mapping to skip syncing an object.
    Only applies to Property mappings which sync objects, and not on mappings which transitively
    apply to a single user"""
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@ -7,13 +7,12 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor


 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
    from authentik.providers.ldap.models import LDAPProvider
    from authentik.providers.scim.models import SCIMProvider

    for model in [LDAPProvider, SCIMProvider]:
        try:
-            for obj in model.objects.using(db_alias).only("is_backchannel"):
+            for obj in model.objects.only("is_backchannel"):
                obj.is_backchannel = True
                obj.save()
        except (DatabaseError, InternalError, ProgrammingError):
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -26,7 +26,6 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
 from authentik.lib.models import (
    CreatedUpdatedModel,
@ -784,8 +783,6 @@ class PropertyMapping(SerializerModel, ManagedModel):
        evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
        try:
            return evaluator.evaluate(self.expression)
-        except ControlFlowException as exc:
-            raise exc
        except Exception as exc:
            raise PropertyMappingExpressionException(self, exc) from exc

--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -212,7 +212,7 @@ class SourceFlowManager:

    def _prepare_flow(
        self,
-        flow: Flow | None,
+        flow: Flow,
        connection: UserSourceConnection,
        stages: list[StageView] | None = None,
        **kwargs,
@ -309,9 +309,7 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            return self._prepare_flow(None, connection)
-        connection.save()
+        # Connection has already been saved
        Event.new(
            EventAction.SOURCE_LINKED,
            message="Linked Source",
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -10,7 +10,7 @@
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
    };
-    window.addEventListener("DOMContentLoaded", function () {
+    window.addEventListener("DOMContentLoaded", () => {
        {% for message in messages %}
        window.dispatchEvent(
            new CustomEvent("ak-message", {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -1,6 +1,5 @@
 {% load static %}
 {% load i18n %}
-{% load authentik_core %}

 <!DOCTYPE html>

@ -15,8 +14,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
+        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -1,7 +1,6 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
-{% load authentik_core %}

 {% block head_before %}
 {{ block.super }}
@ -18,7 +17,7 @@ window.authentik.flow = {
 {% endblock %}

 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -71,9 +71,9 @@
                </li>
                {% endfor %}
                <li>
-                    <span>
+                    <a href="https://goauthentik.io?utm_source=authentik">
                        {% trans 'Powered by authentik' %}
-                    </span>
+                    </a>
                </li>
            </ul>
        </footer>
--- a/authentik/core/templatetags/init.py
+++ b/authentik/core/templatetags/init.py
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -1,21 +0,0 @@
-"""authentik core tags"""
-
-from django import template
-from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
-
-from authentik import get_full_version
-
-register = template.Library()
-
-
-@register.simple_tag()
-def versioned_script(path: str) -> str:
-    """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_property_mapping.py
+++ b/authentik/core/tests/test_property_mapping.py
@ -3,10 +3,7 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user

-from authentik.core.expression.exceptions import (
-    PropertyMappingExpressionException,
-    SkipObjectException,
-)
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@ -45,17 +42,6 @@ class TestPropertyMappings(TestCase):
        self.assertTrue(events.exists())
        self.assertEqual(len(events), 1)

-    def test_expression_skip(self):
-        """Test expression error"""
-        expr = "raise SkipObject"
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
-        with self.assertRaises(SkipObjectException):
-            mapping.evaluate(None, None)
-        events = Event.objects.filter(
-            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
-        )
-        self.assertFalse(events.exists())
-
    def test_expression_error_extended(self):
        """Test expression error (with user and http request"""
        expr = "return aaa"
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -13,8 +13,9 @@ from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
    Token,
    TokenIntents,
+    User,
 )
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id


@ -23,7 +24,7 @@ class TestTokenAPI(APITestCase):

    def setUp(self) -> None:
        super().setUp()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="testuser")
        self.admin = create_test_admin_user()
        self.client.force_login(self.user)

@ -153,24 +154,6 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(token.expiring, True)
        self.assertNotEqual(token.expires.timestamp(), expires.timestamp())

-    def test_token_change_user(self):
-        """Test creating a token and then changing the user"""
-        ident = generate_id()
-        response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier=ident)
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
-        response = self.client.put(
-            reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
-            data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
-        )
-        self.assertEqual(response.status_code, 400)
-        token.refresh_from_db()
-        self.assertEqual(token.user, self.user)
-
    def test_list(self):
        """Test Token List (Test normal authentication)"""
        Token.objects.all().delete()
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -20,9 +20,8 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import InterfaceView
+from authentik.core.views.interface import FlowInterfaceView, InterfaceView
 from authentik.core.views.session import EndSessionView
-from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@ -54,8 +53,6 @@ urlpatterns = [
    ),
    path(
        "if/flow/<slug:flow_slug>/",
-        # FIXME: move this url to the flows app...also will cause all
-        # of the reverse calls to be adjusted
        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -8,6 +8,7 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
    ChallengeResponse,
+    ChallengeTypes,
    HttpChallengeResponse,
    RedirectChallenge,
 )
@ -73,6 +74,7 @@ class RedirectToAppStage(ChallengeStageView):
            raise Http404
        return RedirectChallenge(
            instance={
+                "type": ChallengeTypes.REDIRECT.value,
                "to": launch,
            }
        )
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -3,6 +3,7 @@
 from json import dumps
 from typing import Any

+from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request

@ -10,6 +11,7 @@ from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
+from authentik.flows.models import Flow


 class InterfaceView(TemplateView):
@ -23,3 +25,14 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        return super().get_context_data(**kwargs)
+
+
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
+
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,12 +24,13 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -241,7 +241,7 @@ class TestCrypto(APITestCase):
                    "model_name": "oauth2provider",
                    "pk": str(provider.pk),
                    "name": str(provider),
-                    "action": DeleteAction.SET_NULL.value,
+                    "action": DeleteAction.SET_NULL.name,
                }
            ],
        )
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -13,10 +13,11 @@ from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License
--- a/authentik/enterprise/providers/google_workspace/api/groups.py
+++ b/authentik/enterprise/providers/google_workspace/api/groups.py
@ -1,13 +1,12 @@
 """GoogleWorkspaceProviderGroup API Views"""

 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
@ -20,7 +19,6 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
        model = GoogleWorkspaceProviderGroup
        fields = [
            "id",
-            "google_id",
            "group",
            "group_obj",
            "provider",
@ -31,7 +29,6 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):

 class GoogleWorkspaceProviderGroupViewSet(
    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
--- a/authentik/enterprise/providers/google_workspace/api/users.py
+++ b/authentik/enterprise/providers/google_workspace/api/users.py
@ -1,13 +1,12 @@
 """GoogleWorkspaceProviderUser API Views"""

 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
@ -20,7 +19,6 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
        model = GoogleWorkspaceProviderUser
        fields = [
            "id",
-            "google_id",
            "user",
            "user_obj",
            "provider",
@ -31,7 +29,6 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):

 class GoogleWorkspaceProviderUserViewSet(
    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
--- a/authentik/enterprise/providers/google_workspace/clients/groups.py
+++ b/authentik/enterprise/providers/google_workspace/clients/groups.py
@ -92,14 +92,12 @@ class GoogleWorkspaceGroupClient(
        google_group = self.to_schema(group, connection)
        self.check_email_valid(google_group["email"])
        try:
-            response = self._request(
+            return self._request(
                self.directory_service.groups().update(
                    groupKey=connection.google_id,
                    body=google_group,
                )
            )
-            connection.attributes = response
-            connection.save()
        except NotFoundSyncException:
            # Resource missing is handled by self.write, which will re-create the group
            raise
@ -214,7 +212,3 @@ class GoogleWorkspaceGroupClient(
            google_id=google_id,
            attributes=group,
        )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        group = self.directory_service.groups().get(connection.google_id)
-        connection.attributes = group
--- a/authentik/enterprise/providers/google_workspace/clients/users.py
+++ b/authentik/enterprise/providers/google_workspace/clients/users.py
@ -88,11 +88,9 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
        self.check_email_valid(
            google_user["primaryEmail"], *[x["address"] for x in google_user.get("emails", [])]
        )
-        response = self._request(
+        self._request(
            self.directory_service.users().update(userKey=connection.google_id, body=google_user)
        )
-        connection.attributes = response
-        connection.save()

    def discover(self):
        """Iterate through all users and connect them with authentik users if possible"""
@ -119,7 +117,3 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
            google_id=email,
            attributes=user,
        )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        user = self.directory_service.users().get(connection.google_id)
-        connection.attributes = user
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@ -31,58 +31,6 @@ def default_scopes() -> list[str]:
    ]


-class GoogleWorkspaceProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Google user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.users import (
-            GoogleWorkspaceProviderUserSerializer,
-        )
-
-        return GoogleWorkspaceProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider User")
-        verbose_name_plural = _("Google Workspace Provider Users")
-        unique_together = (("google_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
-
-
-class GoogleWorkspaceProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Google group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.groups import (
-            GoogleWorkspaceProviderGroupSerializer,
-        )
-
-        return GoogleWorkspaceProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider Group")
-        verbose_name_plural = _("Google Workspace Provider Groups")
-        unique_together = (("google_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
-
-
 class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    """Sync users from authentik into Google Workspace."""

@ -111,16 +59,15 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    )

    def client_for_model(
-        self,
-        model: type[User | Group | GoogleWorkspaceProviderUser | GoogleWorkspaceProviderGroup],
+        self, model: type[User | Group]
    ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | GoogleWorkspaceProviderUser):
+        if issubclass(model, User):
            from authentik.enterprise.providers.google_workspace.clients.users import (
                GoogleWorkspaceUserClient,
            )

            return GoogleWorkspaceUserClient(self)
-        if issubclass(model, Group | GoogleWorkspaceProviderGroup):
+        if issubclass(model, Group):
            from authentik.enterprise.providers.google_workspace.clients.groups import (
                GoogleWorkspaceGroupClient,
            )
@ -197,3 +144,55 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
    class Meta:
        verbose_name = _("Google Workspace Provider Mapping")
        verbose_name_plural = _("Google Workspace Provider Mappings")
+
+
+class GoogleWorkspaceProviderUser(SerializerModel):
+    """Mapping of a user and provider to a Google user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.users import (
+            GoogleWorkspaceProviderUserSerializer,
+        )
+
+        return GoogleWorkspaceProviderUserSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider User")
+        verbose_name_plural = _("Google Workspace Provider Users")
+        unique_together = (("google_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
+
+
+class GoogleWorkspaceProviderGroup(SerializerModel):
+    """Mapping of a group and provider to a Google group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.groups import (
+            GoogleWorkspaceProviderGroupSerializer,
+        )
+
+        return GoogleWorkspaceProviderGroupSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider Group")
+        verbose_name_plural = _("Google Workspace Provider Groups")
+        unique_together = (("google_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
--- a/authentik/enterprise/providers/microsoft_entra/api/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/groups.py
@ -1,13 +1,12 @@
 """MicrosoftEntraProviderGroup API Views"""

 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
@ -20,7 +19,6 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
        model = MicrosoftEntraProviderGroup
        fields = [
            "id",
-            "microsoft_id",
            "group",
            "group_obj",
            "provider",
@ -31,7 +29,6 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):

 class MicrosoftEntraProviderGroupViewSet(
    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
--- a/authentik/enterprise/providers/microsoft_entra/api/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/users.py
@ -1,13 +1,12 @@
 """MicrosoftEntraProviderUser API Views"""

 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin


 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
@ -20,7 +19,6 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
        model = MicrosoftEntraProviderUser
        fields = [
            "id",
-            "microsoft_id",
            "user",
            "user_obj",
            "provider",
@ -30,7 +28,6 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):


 class MicrosoftEntraProviderUserViewSet(
-    OutgoingSyncConnectionCreateMixin,
    mixins.CreateModelMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
--- a/authentik/enterprise/providers/microsoft_entra/clients/base.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/base.py
@ -23,7 +23,6 @@ from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory

 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
@ -107,4 +106,4 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
        we can't JSON serialize"""
        raw_data = asdict(entity)
        raw_data.pop("backing_store", None)
-        return sanitize_item(raw_data)
+        return raw_data
--- a/authentik/enterprise/providers/microsoft_entra/clients/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/groups.py
@ -1,4 +1,3 @@
-from deepmerge import always_merger
 from django.db import transaction
 from msgraph.generated.groups.groups_request_builder import GroupsRequestBuilder
 from msgraph.generated.models.group import Group as MSGroup
@ -105,12 +104,9 @@ class MicrosoftEntraGroupClient(
        microsoft_group = self.to_schema(group, connection)
        microsoft_group.id = connection.microsoft_id
        try:
-            response = self._request(
+            return self._request(
                self.client.groups.by_group_id(connection.microsoft_id).patch(microsoft_group)
            )
-            if response:
-                always_merger.merge(connection.attributes, self.entity_as_dict(response))
-                connection.save()
        except NotFoundSyncException:
            # Resource missing is handled by self.write, which will re-create the group
            raise
@ -226,7 +222,3 @@ class MicrosoftEntraGroupClient(
            microsoft_id=group.id,
            attributes=self.entity_as_dict(group),
        )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):
-        data = self._request(self.client.groups.by_group_id(connection.microsoft_id).get())
-        connection.attributes = self.entity_as_dict(data)
--- a/authentik/enterprise/providers/microsoft_entra/clients/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/users.py
@ -1,4 +1,3 @@
-from deepmerge import always_merger
 from django.db import transaction
 from msgraph.generated.models.user import User as MSUser
 from msgraph.generated.users.users_request_builder import UsersRequestBuilder
@ -66,26 +65,6 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
            microsoft_user.delete()
        return response

-    def get_select_fields(self) -> list[str]:
-        """All fields that should be selected when we fetch user data."""
-        # TODO: Make this customizable in the future
-        return [
-            # Default fields
-            "businessPhones",
-            "displayName",
-            "givenName",
-            "jobTitle",
-            "mail",
-            "mobilePhone",
-            "officeLocation",
-            "preferredLanguage",
-            "surname",
-            "userPrincipalName",
-            "id",
-            # Required for logging into M365 using authentik
-            "onPremisesImmutableId",
-        ]
-
    def create(self, user: User):
        """Create user from scratch and create a connection object"""
        microsoft_user = self.to_schema(user, None)
@ -95,12 +74,12 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
                response = self._request(self.client.users.post(microsoft_user))
            except ObjectExistsSyncException:
                # user already exists in microsoft entra, so we can connect them manually
+                query_params = UsersRequestBuilder.UsersRequestBuilderGetQueryParameters()(
+                    filter=f"mail eq '{microsoft_user.mail}'",
+                )
                request_configuration = (
                    UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-                        query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                            filter=f"mail eq '{microsoft_user.mail}'",
-                            select=self.get_select_fields(),
-                        ),
+                        query_parameters=query_params,
                    )
                )
                user_data = self._request(self.client.users.get(request_configuration))
@ -119,6 +98,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
            except TransientSyncException as exc:
                raise exc
            else:
+                print(self.entity_as_dict(response))
                return MicrosoftEntraProviderUser.objects.create(
                    provider=self.provider,
                    user=user,
@ -130,21 +110,11 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
        """Update existing user"""
        microsoft_user = self.to_schema(user, connection)
        self.check_email_valid(microsoft_user.user_principal_name)
-        response = self._request(
-            self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user)
-        )
-        if response:
-            always_merger.merge(connection.attributes, self.entity_as_dict(response))
-            connection.save()
+        self._request(self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user))

    def discover(self):
        """Iterate through all users and connect them with authentik users if possible"""
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        users = self._request(self.client.users.get(request_configuration))
+        users = self._request(self.client.users.get())
        next_link = True
        while next_link:
            for user in users.value:
@ -165,14 +135,3 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
            microsoft_id=user.id,
            attributes=self.entity_as_dict(user),
        )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderUser):
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        data = self._request(
-            self.client.users.by_user_id(connection.microsoft_id).get(request_configuration)
-        )
-        connection.attributes = self.entity_as_dict(data)
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@ -22,58 +22,6 @@ from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider


-class MicrosoftEntraProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Microsoft user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.users import (
-            MicrosoftEntraProviderUserSerializer,
-        )
-
-        return MicrosoftEntraProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider User")
-        verbose_name_plural = _("Microsoft Entra Provider User")
-        unique_together = (("microsoft_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
-
-
-class MicrosoftEntraProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Microsoft group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.groups import (
-            MicrosoftEntraProviderGroupSerializer,
-        )
-
-        return MicrosoftEntraProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider Group")
-        verbose_name_plural = _("Microsoft Entra Provider Groups")
-        unique_together = (("microsoft_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
-
-
 class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
    """Sync users from authentik into Microsoft Entra."""

@ -100,16 +48,15 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
    )

    def client_for_model(
-        self,
-        model: type[User | Group | MicrosoftEntraProviderUser | MicrosoftEntraProviderGroup],
+        self, model: type[User | Group]
    ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | MicrosoftEntraProviderUser):
+        if issubclass(model, User):
            from authentik.enterprise.providers.microsoft_entra.clients.users import (
                MicrosoftEntraUserClient,
            )

            return MicrosoftEntraUserClient(self)
-        if issubclass(model, Group | MicrosoftEntraProviderGroup):
+        if issubclass(model, Group):
            from authentik.enterprise.providers.microsoft_entra.clients.groups import (
                MicrosoftEntraGroupClient,
            )
@ -186,3 +133,55 @@ class MicrosoftEntraProviderMapping(PropertyMapping):
    class Meta:
        verbose_name = _("Microsoft Entra Provider Mapping")
        verbose_name_plural = _("Microsoft Entra Provider Mappings")
+
+
+class MicrosoftEntraProviderUser(SerializerModel):
+    """Mapping of a user and provider to a Microsoft user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    microsoft_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.microsoft_entra.api.users import (
+            MicrosoftEntraProviderUserSerializer,
+        )
+
+        return MicrosoftEntraProviderUserSerializer
+
+    class Meta:
+        verbose_name = _("Microsoft Entra Provider User")
+        verbose_name_plural = _("Microsoft Entra Provider User")
+        unique_together = (("microsoft_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
+
+
+class MicrosoftEntraProviderGroup(SerializerModel):
+    """Mapping of a group and provider to a Microsoft group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    microsoft_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.microsoft_entra.api.groups import (
+            MicrosoftEntraProviderGroupSerializer,
+        )
+
+        return MicrosoftEntraProviderGroupSerializer
+
+    class Meta:
+        verbose_name = _("Microsoft Entra Provider Group")
+        verbose_name_plural = _("Microsoft Entra Provider Groups")
+        unique_together = (("microsoft_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
@ -3,18 +3,16 @@
 from unittest.mock import AsyncMock, MagicMock, patch

 from azure.identity.aio import ClientSecretCredential
-from django.urls import reverse
+from django.test import TestCase
 from msgraph.generated.models.group_collection_response import GroupCollectionResponse
 from msgraph.generated.models.organization import Organization
 from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
 from msgraph.generated.models.user import User as MSUser
 from msgraph.generated.models.user_collection_response import UserCollectionResponse
 from msgraph.generated.models.verified_domain import VerifiedDomain
-from rest_framework.test import APITestCase

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProvider,
    MicrosoftEntraProviderMapping,
@ -27,12 +25,11 @@ from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
 from authentik.tenants.models import Tenant


-class MicrosoftEntraUserTests(APITestCase):
+class MicrosoftEntraUserTests(TestCase):
    """Microsoft Entra User tests"""

    @apply_blueprint("system/providers-microsoft-entra.yaml")
    def setUp(self) -> None:
-
        # Delete all users and groups as the mocked HTTP responses only return one ID
        # which will cause errors with multiple users
        Tenant.objects.update(avatars="none")
@ -374,45 +371,3 @@ class MicrosoftEntraUserTests(APITestCase):
            )
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            user_list.assert_called_once()
-
-    def test_connect_manual(self):
-        """test manual user connection"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        admin = create_test_admin_user()
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.clients.users.MicrosoftEntraUserClient.update_single_attribute",
-                MagicMock(),
-            ) as user_get,
-        ):
-            self.client.force_login(admin)
-            response = self.client.post(
-                reverse("authentik_api:microsoftentraprovideruser-list"),
-                data={
-                    "microsoft_id": generate_id(),
-                    "user": different_user.pk,
-                    "provider": self.provider.pk,
-                },
-            )
-            self.assertEqual(response.status_code, 201)
-            user_get.assert_called_once()
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -3,12 +3,12 @@
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
--- a/authentik/enterprise/providers/rac/api/endpoints.py
+++ b/authentik/enterprise/providers/rac/api/endpoints.py
@ -8,11 +8,11 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block head %}
-{% versioned_script "dist/enterprise/rac/index-%v.js" %}
+<script src="{% static 'dist/enterprise/rac/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -15,11 +15,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction


--- a/authentik/events/api/notification_mappings.py
+++ b/authentik/events/api/notification_mappings.py
@ -1,9 +1,9 @@
 """NotificationWebhookMapping API Views"""

+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.events.models import NotificationWebhookMapping


--- a/authentik/events/api/notification_rules.py
+++ b/authentik/events/api/notification_rules.py
@ -1,10 +1,10 @@
 """NotificationRule API Views"""

+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.events.models import NotificationRule


--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -9,10 +9,11 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import (
    Event,
    Notification,
--- a/authentik/events/api/notifications.py
+++ b/authentik/events/api/notifications.py
@ -9,11 +9,11 @@ from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
 from authentik.events.models import Notification

--- a/authentik/events/api/tasks.py
+++ b/authentik/events/api/tasks.py
@ -16,10 +16,10 @@ from rest_framework.fields import (
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ReadOnlyModelViewSet
 from structlog.stdlib import get_logger

-from authentik.core.api.utils import ModelSerializer
 from authentik.events.logs import LogEventSerializer
 from authentik.events.models import SystemTask, TaskStatus
 from authentik.rbac.decorators import permission_required
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -75,10 +75,7 @@ def on_login_failed(
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
-    user = User.objects.filter(username=credentials.get("username")).first()
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
-        request, user
-    )
+    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)


@receiver(invitation_used)
--- a/authentik/flows/api/bindings.py
+++ b/authentik/flows/api/bindings.py
@ -3,10 +3,10 @@
 from typing import Any

 from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.flows.api.stages import StageSerializer
 from authentik.flows.models import FlowStageBinding

--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -7,22 +7,18 @@ from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, ReadOnlyField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, Importer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
-    CacheSerializer,
-    LinkSerializer,
-    ModelSerializer,
-    PassiveSerializer,
-)
+from authentik.core.api.utils import CacheSerializer, LinkSerializer, PassiveSerializer
 from authentik.events.logs import LogEventSerializer
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -4,15 +4,15 @@ from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.api.flows import FlowSetSerializer
 from authentik.flows.models import ConfigurableStage, Stage
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -32,6 +32,14 @@ class FlowLayout(models.TextChoices):
    SIDEBAR_RIGHT = "sidebar_right"


+class ChallengeTypes(Enum):
+    """Currently defined challenge types"""
+
+    NATIVE = "native"
+    SHELL = "shell"
+    REDIRECT = "redirect"
+
+
 class ErrorDetailSerializer(PassiveSerializer):
    """Serializer for rest_framework's error messages"""

@ -52,6 +60,9 @@ class Challenge(PassiveSerializer):
    """Challenge that gets sent to the client based on which stage
    is currently active"""

+    type = ChoiceField(
+        choices=[(x.value, x.name) for x in ChallengeTypes],
+    )
    flow_info = ContextualFlowInfo(required=False)
    component = CharField(default="")

@ -85,6 +96,7 @@ class FlowErrorChallenge(Challenge):
    """Challenge class when an unhandled error occurs during a stage. Normal users
    are shown an error message, superusers are shown a full stacktrace."""

+    type = CharField(default=ChallengeTypes.NATIVE.value)
    component = CharField(default="ak-stage-flow-error")

    request_id = CharField()
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -21,9 +21,7 @@ def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEd
        pass

    if users.exists():
-        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
-            authentication="require_superuser"
-        )
+        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")


 class Migration(migrations.Migration):
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -18,6 +18,7 @@ from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
    ChallengeResponse,
+    ChallengeTypes,
    ContextualFlowInfo,
    HttpChallengeResponse,
    RedirectChallenge,
@ -243,6 +244,7 @@ class AccessDeniedChallengeView(ChallengeStageView):
        return AccessDeniedChallenge(
            data={
                "error_message": str(self.error_message or "Unknown error"),
+                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-access-denied",
            }
        )
@ -262,6 +264,7 @@ class RedirectStage(ChallengeStageView):
        )
        return RedirectChallenge(
            data={
+                "type": ChallengeTypes.REDIRECT.value,
                "to": destination,
            }
        )
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -1,54 +0,0 @@
-{% load static %}
-{% load i18n %}
-{% load authentik_core %}
-
-<!DOCTYPE html>
-
-<html lang="en">
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-        {% include "base/header_js.html" %}
-        <style>
-          html,
-          body {
-            height: 100%;
-          }
-          body {
-            background-image: url("{{ flow.background_url }}");
-            background-repeat: no-repeat;
-            background-size: cover;
-          }
-          .card {
-            padding: 3rem;
-          }
-
-          .form-signin {
-            max-width: 330px;
-            padding: 1rem;
-          }
-
-          .form-signin .form-floating:focus-within {
-            z-index: 2;
-          }
-          .brand-icon {
-            max-width: 100%;
-          }
-        </style>
-    </head>
-    <body class="d-flex align-items-center py-4 bg-body-tertiary">
-      <div class="card m-auto">
-        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
-        </main>
-        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
-      </div>
-      <script src="{% static 'dist/sfe/index.js' %}"></script>
-    </body>
-</html>
--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@ -8,6 +8,7 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase

 from authentik.core.models import User
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow


@ -25,6 +26,7 @@ class FlowTestCase(APITestCase):
        self.assertEqual(response.status_code, 200)
        raw_response = loads(response.content.decode())
        self.assertIsNotNone(raw_response["component"])
+        self.assertIsNotNone(raw_response["type"])
        if flow:
            self.assertIn("flow_info", raw_response)
            self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
@ -44,4 +46,6 @@ class FlowTestCase(APITestCase):

    def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
        """Wrapper around assertStageResponse that checks for a redirect"""
-        return self.assertStageResponse(response, component="xak-flow-redirect", to=to)
+        return self.assertStageResponse(
+            response, component="xak-flow-redirect", to=to, type=ChallengeTypes.REDIRECT.value
+        )
--- a/authentik/flows/tests/test_challenges.py
+++ b/authentik/flows/tests/test_challenges.py
@ -2,7 +2,7 @@

 from django.test import TestCase

-from authentik.flows.challenge import AutosubmitChallenge
+from authentik.flows.challenge import AutosubmitChallenge, ChallengeTypes


 class TestChallenges(TestCase):
@ -12,6 +12,7 @@ class TestChallenges(TestCase):
        """Test blank autosubmit"""
        challenge = AutosubmitChallenge(
            data={
+                "type": ChallengeTypes.NATIVE.value,
                "url": "http://localhost",
                "attrs": {},
            }
@ -20,6 +21,7 @@ class TestChallenges(TestCase):
        # Test with an empty value
        challenge = AutosubmitChallenge(
            data={
+                "type": ChallengeTypes.NATIVE.value,
                "url": "http://localhost",
                "attrs": {"foo": ""},
            }
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -7,6 +7,7 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase

 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
@ -53,6 +54,7 @@ class TestFlowInspector(APITestCase):
                    "layout": "stacked",
                },
                "flow_designation": "authentication",
+                "type": ChallengeTypes.NATIVE.value,
                "password_fields": False,
                "primary_action": "Log in",
                "sources": [],
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -30,6 +30,7 @@ from authentik.flows.apps import HIST_FLOW_EXECUTION_STAGE_TIME
 from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
+    ChallengeTypes,
    FlowErrorChallenge,
    HttpChallengeResponse,
    RedirectChallenge,
@ -551,6 +552,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
        return HttpChallengeResponse(
            RedirectChallenge(
                {
+                    "type": ChallengeTypes.REDIRECT,
                    "to": str(redirect_url),
                }
            )
@ -559,6 +561,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
        return HttpChallengeResponse(
            ShellChallenge(
                {
+                    "type": ChallengeTypes.SHELL,
                    "body": source.render().content.decode("utf-8"),
                }
            )
@ -568,6 +571,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
        return HttpChallengeResponse(
            ShellChallenge(
                {
+                    "type": ChallengeTypes.SHELL,
                    "body": source.content.decode("utf-8"),
                }
            )
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -1,41 +0,0 @@
-"""Interface views"""
-
-from typing import Any
-
-from django.shortcuts import get_object_or_404
-from ua_parser.user_agent_parser import Parse
-
-from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow
-
-
-class FlowInterfaceView(InterfaceView):
-    """Flow interface"""
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["inspector"] = "inspector" in self.request.GET
-        return super().get_context_data(**kwargs)
-
-    def compat_needs_sfe(self) -> bool:
-        """Check if we need to use the simplified flow executor for compatibility"""
-        ua = Parse(self.request.META.get("HTTP_USER_AGENT", ""))
-        if ua["user_agent"]["family"] == "IE":
-            return True
-        # Only use SFE for Edge 18 and older, after Edge 18 MS switched to chromium which supports
-        # the default flow executor
-        if (
-            ua["user_agent"]["family"] == "Edge"
-            and int(ua["user_agent"]["major"]) <= 18  # noqa: PLR2004
-        ):  # noqa: PLR2004
-            return True
-        # https://github.com/AzureAD/microsoft-authentication-library-for-objc
-        # Used by Microsoft Teams/Office on macOS, and also uses a very outdated browser engine
-        if "PKeyAuth" in ua["string"]:
-            return True
-        return False
-
-    def get_template_names(self) -> list[str]:
-        if self.compat_needs_sfe() or "sfe" in self.request.GET:
-            return ["if/flow-sfe.html"]
-        return ["if/flow.html"]
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -50,6 +50,7 @@ cache:
  timeout: 300
  timeout_flows: 300
  timeout_policies: 300
+  timeout_reputation: 300

 # channel:
 #   url: ""
@ -115,9 +116,6 @@ events:
  context_processors:
    geoip: "/geoip/GeoLite2-City.mmdb"
    asn: "/geoip/GeoLite2-ASN.mmdb"
-compliance:
-  fips:
-    enabled: false

 cert_discovery_dir: /certs

--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -19,7 +19,6 @@ from structlog.stdlib import get_logger

 from authentik.core.models import User
 from authentik.events.models import Event
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
@ -217,8 +216,7 @@ class BaseEvaluator:
                # so the user only sees information relevant to them
                # and none of our surrounding error handling
                exc.__traceback__ = exc.__traceback__.tb_next
-                if not isinstance(exc, ControlFlowException):
-                    self.handle_error(exc, expression_source)
+                self.handle_error(exc, expression_source)
                raise exc
            return result

--- a/authentik/lib/expression/exceptions.py
+++ b/authentik/lib/expression/exceptions.py
@ -1,6 +0,0 @@
-from authentik.lib.sentry import SentryIgnoredException
-
-
-class ControlFlowException(SentryIgnoredException):
-    """Exceptions used to control the flow from exceptions, not reported as a warning/
-    error in logs"""
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@ -102,8 +102,6 @@ def get_logger_config():
        "gunicorn": "INFO",
        "requests_mock": "WARNING",
        "hpack": "WARNING",
-        "httpx": "WARNING",
-        "azure": "WARNING",
    }
    for handler_name, level in handler_level_map.items():
        base_config["loggers"][handler_name] = {
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@ -62,7 +62,7 @@ class DomainlessURLValidator(URLValidator):
            r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
            r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
            r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
-            r"(?::\d{1,5})?"  # port
+            r"(?::\d{2,5})?"  # port
            r"(?:[/?#][^\s]*)?"  # resource path
            r"\Z",
            re.IGNORECASE,
@ -88,7 +88,7 @@ class DomainlessFormattedURLValidator(DomainlessURLValidator):
            r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
            r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
            r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
-            r"(?::\d{1,5})?"  # port
+            r"(?::\d{2,5})?"  # port
            r"(?:[/?#][^\s]*)?"  # resource path
            r"\Z",
            re.IGNORECASE,
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -59,9 +59,8 @@ def sentry_init(**sentry_init_kwargs):
        "_experiments": {
            "profiles_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.1)),
        },
-        **sentry_init_kwargs,
-        **CONFIG.get_dict_from_b64_json("error_reporting.extra_args", {}),
    }
+    kwargs.update(**sentry_init_kwargs)

    sentry_sdk_init(
        dsn=CONFIG.get("error_reporting.sentry_dsn"),
--- a/authentik/lib/sync/mapper.py
+++ b/authentik/lib/sync/mapper.py
@ -4,11 +4,8 @@ from django.db.models import QuerySet
 from django.http import HttpRequest

 from authentik.core.expression.evaluator import PropertyMappingEvaluator
-from authentik.core.expression.exceptions import (
-    PropertyMappingExpressionException,
-)
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import PropertyMapping, User
-from authentik.lib.expression.exceptions import ControlFlowException


 class PropertyMappingManager:
@ -60,8 +57,6 @@ class PropertyMappingManager:
            mapping.set_context(user, request, **kwargs)
            try:
                value = mapping.evaluate(mapping.model.expression)
-            except (PropertyMappingExpressionException, ControlFlowException) as exc:
-                raise exc from exc
            except Exception as exc:
                raise PropertyMappingExpressionException(exc, mapping.model) from exc
            if value is None:
--- a/authentik/lib/sync/outgoing/api.py
+++ b/authentik/lib/sync/outgoing/api.py
@ -8,7 +8,7 @@ from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response

-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.events.api.tasks import SystemTaskSerializer
 from authentik.lib.sync.outgoing.models import OutgoingSyncProvider

@ -54,17 +54,3 @@ class OutgoingSyncProviderStatusMixin:
                "is_running": not lock_acquired,
            }
        return Response(SyncStatusSerializer(status).data)
-
-
-class OutgoingSyncConnectionCreateMixin:
-    """Mixin for connection objects that fetches remote data upon creation"""
-
-    def perform_create(self, serializer: ModelSerializer):
-        super().perform_create(serializer)
-        try:
-            instance = serializer.instance
-            client = instance.provider.client_for_model(instance.__class__)
-            client.update_single_attribute(instance)
-            instance.save()
-        except NotImplementedError:
-            pass
--- a/authentik/lib/sync/outgoing/base.py
+++ b/authentik/lib/sync/outgoing/base.py
@ -9,9 +9,9 @@ from structlog.stdlib import get_logger

 from authentik.core.expression.exceptions import (
    PropertyMappingExpressionException,
+    SkipObjectException,
 )
 from authentik.events.models import Event, EventAction
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sync.mapper import PropertyMappingManager
 from authentik.lib.sync.outgoing.exceptions import NotFoundSyncException, StopSync
 from authentik.lib.utils.errors import exception_to_string
@ -91,9 +91,10 @@ class BaseOutgoingSyncClient[
            }
            eval_kwargs.setdefault("user", None)
            for value in self.mapper.iter_eval(**eval_kwargs):
-                always_merger.merge(raw_final_object, value)
-        except ControlFlowException as exc:
-            raise exc from exc
+                try:
+                    always_merger.merge(raw_final_object, value)
+                except SkipObjectException as exc:
+                    raise exc from exc
        except PropertyMappingExpressionException as exc:
            # Value error can be raised when assigning invalid data to an attribute
            Event.new(
@ -103,7 +104,7 @@ class BaseOutgoingSyncClient[
            ).save()
            raise StopSync(exc, obj, exc.mapping) from exc
        if not raw_final_object:
-            raise StopSync(ValueError("No mappings configured"), obj)
+            raise StopSync(ValueError("No user mappings configured"), obj)
        for key, value in defaults.items():
            raw_final_object.setdefault(key, value)
        return raw_final_object
@ -114,8 +115,3 @@ class BaseOutgoingSyncClient[
        pre-link any users/groups in the remote system with the respective
        object in authentik based on a common identifier"""
        raise NotImplementedError()
-
-    def update_single_attribute(self, connection: TConnection):
-        """Update connection attributes on a connection object, when the connection
-        is manually created"""
-        raise NotImplementedError
--- a/authentik/lib/sync/outgoing/signals.py
+++ b/authentik/lib/sync/outgoing/signals.py
@ -2,7 +2,6 @@ from collections.abc import Callable

 from django.core.paginator import Paginator
 from django.db.models import Model
-from django.db.models.query import Q
 from django.db.models.signals import m2m_changed, post_save, pre_delete

 from authentik.core.models import Group, User
@ -35,9 +34,7 @@ def register_signals(

    def model_post_save(sender: type[Model], instance: User | Group, created: bool, **_):
        """Post save handler"""
-        if not provider_type.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ).exists():
+        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
            return
        task_sync_direct.delay(class_to_path(instance.__class__), instance.pk, Direction.add.value)

@ -46,9 +43,7 @@ def register_signals(

    def model_pre_delete(sender: type[Model], instance: User | Group, **_):
        """Pre-delete handler"""
-        if not provider_type.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ).exists():
+        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
            return
        task_sync_direct.delay(
            class_to_path(instance.__class__), instance.pk, Direction.remove.value
@ -63,9 +58,7 @@ def register_signals(
        """Sync group membership"""
        if action not in ["post_add", "post_remove"]:
            return
-        if not provider_type.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ).exists():
+        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
            return
        # reverse: instance is a Group, pk_set is a list of user pks
        # non-reverse: instance is a User, pk_set is a list of groups
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -5,7 +5,6 @@ from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
 from django.db.models import Model, QuerySet
-from django.db.models.query import Q
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import BoundLogger, get_logger
@ -15,7 +14,6 @@ from authentik.core.models import Group, User
 from authentik.events.logs import LogEvent
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask
-from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
@ -38,9 +36,7 @@ class SyncTasks:
        self._provider_model = provider_model

    def sync_all(self, single_sync: Callable[[int], None]):
-        for provider in self._provider_model.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ):
+        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
            self.trigger_single_task(provider, single_sync)

    def trigger_single_task(self, provider: OutgoingSyncProvider, sync_task: Callable[[int], None]):
@ -65,8 +61,7 @@ class SyncTasks:
            provider_pk=provider_pk,
        )
        provider = self._provider_model.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
-            pk=provider_pk,
+            pk=provider_pk, backchannel_application__isnull=False
        ).first()
        if not provider:
            return
@ -130,7 +125,6 @@ class SyncTasks:
            try:
                client.write(obj)
            except SkipObjectException:
-                self.logger.debug("skipping object due to SkipObject", obj=obj)
                continue
            except BadRequestSyncException as exc:
                self.logger.warning("failed to sync object", exc=exc, obj=obj)
@ -150,8 +144,8 @@ class SyncTasks:
                                )
                            ),
                            log_level="warning",
-                            logger=f"{provider._meta.verbose_name}@{object_type}",
-                            attributes={"arguments": exc.args[1:], "obj": sanitize_item(obj)},
+                            logger="",
+                            attributes={"arguments": exc.args[1:]},
                        )
                    )
                )
@ -173,8 +167,7 @@ class SyncTasks:
                                )
                            ),
                            log_level="warning",
-                            logger=f"{provider._meta.verbose_name}@{object_type}",
-                            attributes={"obj": sanitize_item(obj)},
+                            logger="",
                        )
                    )
                )
@ -191,8 +184,7 @@ class SyncTasks:
                                )
                            ),
                            log_level="warning",
-                            logger=f"{provider._meta.verbose_name}@{object_type}",
-                            attributes={"obj": sanitize_item(obj)},
+                            logger="",
                        )
                    )
                )
@ -208,9 +200,7 @@ class SyncTasks:
        if not instance:
            return
        operation = Direction(raw_op)
-        for provider in self._provider_model.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ):
+        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
            client = provider.client_for_model(instance.__class__)
            # Check if the object is allowed within the provider's restrictions
            queryset = provider.get_object_qs(instance.__class__)
@ -239,9 +229,7 @@ class SyncTasks:
        group = Group.objects.filter(pk=group_pk).first()
        if not group:
            return
-        for provider in self._provider_model.objects.filter(
-            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
-        ):
+        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
            # Check if the object is allowed within the provider's restrictions
            queryset: QuerySet = provider.get_object_qs(Group)
            # The queryset we get from the provider must include the instance we've got given
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -6,21 +6,19 @@ from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, CharField, DateTimeField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, DateTimeField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik import get_build_hash
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Provider
-from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.providers.rac.models import RACProvider
-from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
@ -50,10 +48,6 @@ class OutpostSerializer(ModelSerializer):
    service_connection_obj = ServiceConnectionSerializer(
        source="service_connection", read_only=True
    )
-    refresh_interval_s = SerializerMethodField()
-
-    def get_refresh_interval_s(self, obj: Outpost) -> int:
-        return int(timedelta_from_string(obj.config.refresh_interval).total_seconds())

    def validate_name(self, name: str) -> str:
        """Validate name (especially for embedded outpost)"""
@ -89,8 +83,7 @@ class OutpostSerializer(ModelSerializer):
    def validate_config(self, config) -> dict:
        """Check that the config has all required fields"""
        try:
-            parsed = from_dict(OutpostConfig, config)
-            timedelta_string_validator(parsed.refresh_interval)
+            from_dict(OutpostConfig, config)
        except DaciteError as exc:
            raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
        return config
@ -105,7 +98,6 @@ class OutpostSerializer(ModelSerializer):
            "providers_obj",
            "service_connection",
            "service_connection_obj",
-            "refresh_interval_s",
            "token_identifier",
            "config",
            "managed",
@ -128,7 +120,7 @@ class OutpostHealthSerializer(PassiveSerializer):
    golang_version = CharField(read_only=True)
    openssl_enabled = BooleanField(read_only=True)
    openssl_version = CharField(read_only=True)
-    fips_enabled = SerializerMethodField()
+    fips_enabled = BooleanField(read_only=True)

    version_should = CharField(read_only=True)
    version_outdated = BooleanField(read_only=True)
@ -138,12 +130,6 @@ class OutpostHealthSerializer(PassiveSerializer):

    hostname = CharField(read_only=True, required=False)

-    def get_fips_enabled(self, obj: dict) -> bool | None:
-        """Get FIPS enabled"""
-        if not LicenseKey.get_total().is_valid():
-            return None
-        return obj["fips_enabled"]
-

 class OutpostFilter(FilterSet):
    """Filter for Outposts"""
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -12,13 +12,13 @@ from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    MetaNameSerializer,
-    ModelSerializer,
    PassiveSerializer,
 )
 from authentik.outposts.models import (
--- a/authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py
+++ b/authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py
@ -13,17 +13,16 @@ import authentik.outposts.models


 def fix_missing_token_identifier(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    Token = apps.get_model("authentik_core", "Token")
    from authentik.outposts.models import Outpost

-    for outpost in Outpost.objects.using(db_alias).all().only("pk"):
+    for outpost in Outpost.objects.using(schema_editor.connection.alias).all().only("pk"):
        user_identifier = outpost.user_identifier
-        users = User.objects.using(db_alias).filter(username=user_identifier)
+        users = User.objects.filter(username=user_identifier)
        if not users.exists():
            continue
-        tokens = Token.objects.using(db_alias).filter(user=users.first())
+        tokens = Token.objects.filter(user=users.first())
        for token in tokens:
            if token.identifier != outpost.token_identifier:
                token.identifier = outpost.token_identifier
@ -38,8 +37,8 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
        "authentik_outposts", "KubernetesServiceConnection"
    )

-    docker = DockerServiceConnection.objects.using(db_alias).filter(local=True).first()
-    k8s = KubernetesServiceConnection.objects.using(db_alias).filter(local=True).first()
+    docker = DockerServiceConnection.objects.filter(local=True).first()
+    k8s = KubernetesServiceConnection.objects.filter(local=True).first()

    try:
        for outpost in Outpost.objects.using(db_alias).all().exclude(deployment_type="custom"):
@ -55,21 +54,21 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE


 def remove_pb_prefix_users(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
+    alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    Outpost = apps.get_model("authentik_outposts", "Outpost")

-    for outpost in Outpost.objects.using(db_alias).all():
-        matching = User.objects.using(db_alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
+    for outpost in Outpost.objects.using(alias).all():
+        matching = User.objects.using(alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
        if matching.exists():
            matching.delete()


 def update_config_prefix(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
+    alias = schema_editor.connection.alias
    Outpost = apps.get_model("authentik_outposts", "Outpost")

-    for outpost in Outpost.objects.using(db_alias).all():
+    for outpost in Outpost.objects.using(alias).all():
        config = outpost._config
        for key in list(config):
            if "passbook" in key:
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -61,7 +61,6 @@ class OutpostConfig:

    log_level: str = CONFIG.get("log_level")
    object_naming_template: str = field(default="ak-outpost-%(name)s")
-    refresh_interval: str = "minutes=5"

    container_image: str | None = field(default=None)

--- a/authentik/policies/api/bindings.py
+++ b/authentik/policies/api/bindings.py
@ -5,15 +5,13 @@ from collections import OrderedDict
 from django.core.exceptions import ObjectDoesNotExist
 from django_filters.filters import BooleanFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.exceptions import ValidationError
-from rest_framework.serializers import PrimaryKeyRelatedField
+from rest_framework.serializers import ModelSerializer, PrimaryKeyRelatedField, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer
 from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.models import PolicyBinding, PolicyBindingModel

--- a/authentik/policies/api/policies.py
+++ b/authentik/policies/api/policies.py
@ -6,9 +6,9 @@ from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

@ -18,7 +18,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
    CacheSerializer,
    MetaNameSerializer,
-    ModelSerializer,
 )
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer, PolicyTestSerializer
--- a/Show More
+++ b/Show More