wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
wip
2025-03-07 19:23:34 +01:00 · 2025-03-07 16:24:55 +01:00 · 2025-03-07 14:04:21 +01:00
609 changed files with 13083 additions and 52829 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.4
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,8 +17,6 @@ optional_value = final
 [bumpversion:file:pyproject.toml]
 [bumpversion:file:uv.lock]
 [bumpversion:file:package.json]
 [bumpversion:file:docker-compose.yml]
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@ -1,22 +0,0 @@
 ---
 name: Documentation issue
 about: Suggest an improvement or report a problem
 title: ""
 labels: documentation
 assignees: ""
 ---
 **Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
 A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
 **Provide the URL or link to the exact page in the documentation to which you are referring.**
 If there are multiple pages, list them all, and be sure to state the header or section where the content is.
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Additional context**
 Add any other context or screenshots about the documentation issue here.
 **Consider opening a PR!**
 If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -44,6 +44,7 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -9,22 +9,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
      shell: bash
      run: |
        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
+    - name: Setup python and restore poetry
      uses: astral-sh/setup-uv@v5
      with:
        enable-cache: true
    - name: Setup python
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
+        cache: "poetry"
      shell: bash
      run: uv sync --all-extras --dev --frozen
    - name: Setup node
      uses: actions/setup-node@v4
      with:
@ -44,9 +39,10 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
        poetry sync
        cd web && npm ci
    - name: Generate config
-      shell: uv run python {0}
+      shell: poetry run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -98,7 +98,7 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -30,6 +30,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -33,7 +33,7 @@ jobs:
          npm ci
      - name: Check changes have been applied
        run: |
-          uv run make aws-cfn
+          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -34,7 +34,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@ -42,7 +42,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
@ -69,21 +69,19 @@ jobs:
          fetch-depth: 0
      - name: checkout stable
        run: |
          # Delete all poetry envs
          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          # cp -R .github ..
+          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          # rm -rf .github/ scripts/
+          rm -rf .github/ scripts/
-          # mv ../.github ../scripts .
+          mv ../.github ../scripts .
          rm -rf scripts/
          mv ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
      - name: run migrations to stable
        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
@ -93,13 +91,15 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
          # Delete previous poetry env
          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
@ -108,7 +108,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
  test-unittest:
    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
@ -133,7 +133,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -156,8 +156,8 @@ jobs:
        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
+          poetry run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -214,8 +214,8 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -2,7 +2,7 @@ name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'
 env:
  POSTGRES_DB: authentik
@ -24,7 +24,7 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -1,45 +0,0 @@
 name: authentik-packages-npm-publish
 on:
  push:
    branches: [main]
    paths:
      - packages/docusaurus-config
      - packages/eslint-config
      - packages/prettier-config
      - packages/tsconfig
  workflow_dispatch:
 jobs:
  publish:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        package:
          - docusaurus-config
          - eslint-config
          - prettier-config
          - tsconfig
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
        with:
          node-version-file: packages/${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
            packages/${{ matrix.package }}/package.json
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: packages/${{ matrix.package}}
        run: |
          npm ci
          npm run build
          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -21,8 +21,8 @@ jobs:
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
+          poetry run make migrate
-          uv run ak build_source_docs
+          poetry run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,27 +0,0 @@
 name: authentik-semgrep
 on:
  workflow_dispatch: {}
  pull_request: {}
  push:
    branches:
      - main
      - master
    paths:
      - .github/workflows/semgrep.yml
  schedule:
    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
    - cron: '12 15 * * *'
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
    container:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -36,10 +36,10 @@ jobs:
        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
--- a/.gitignore
+++ b/.gitignore
@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media
 # Node
 node_modules
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
 out/
 sdist/
 var/
 wheels/
--- a/.prettierignore
+++ b/.prettierignore
@ -1,47 +0,0 @@
 # Prettier Ignorefile
 ## Static Files
 **/LICENSE
 authentik/stages/**/*
 ## Build asset directories
 coverage
 dist
 out
 .docusaurus
 website/docs/developer-docs/api/**/*
 ## Environment
 *.env
 ## Secrets
 *.secrets
 ## Yarn
 .yarn/**/*
 ## Node
 node_modules
 coverage
 ## Configs
 *.log
 *.yaml
 *.yml
 # Templates
 # TODO: Rename affected files to *.template.* or similar.
 *.html
 *.mdx
 *.md
 ## Import order matters
 poly.ts
 src/locale-codes.ts
 src/locales/
 # Storybook
 storybook-static/
 .storybook/css-import-maps*
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -3,13 +3,8 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
+            "command": "poetry",
-            "args": [
+            "args": ["run", "make", "lint-fix", "lint"],
                "run",
                "make",
                "lint-fix",
                "lint"
            ],
            "presentation": {
                "panel": "new"
            },
@ -17,12 +12,8 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
+            "command": "poetry",
-            "args": [
+            "args": ["run", "ak", "server"],
                "run",
                "ak",
                "server"
            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -32,17 +23,13 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": [
+            "args": ["web"],
                "web"
            ],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": [
+            "args": ["web-watch"],
                "web-watch"
            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -52,26 +39,19 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": [
+            "args": ["install", "-j4"],
                "install",
                "-j4"
            ],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": [
+            "args": ["website"],
                "website"
            ],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": [
+            "args": ["website-watch"],
                "website-watch"
            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -80,12 +60,8 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
+            "command": "poetry",
-            "args": [
+            "args": ["run", "make", "gen"],
                "run",
                "make",
                "gen"
            ],
            "group": "build"
        }
    ]
--- a/4
+++ b/4
@ -10,7 +10,7 @@ schemas/                        @goauthentik/backend
 scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
-uv.lock                         @goauthentik/backend
+poetry.lock                     @goauthentik/backend
 go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
@ -23,8 +23,6 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
 # Web packages
 packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
--- a/89
+++ b/89
@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
 ARG TARGETOS
 ARG TARGETARCH
@ -76,7 +76,7 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
@ -93,59 +93,53 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
-# Stage 5: Download uv
+# Stage 5: Python dependencies
-FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
    UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy \
    UV_NATIVE_TLS=1 \
    UV_PYTHON_DOWNLOADS=0
 WORKDIR /ak-root/
 COPY --from=uv /uv /uvx /bin/
 # Stage 7: Python dependencies
 FROM python-base AS python-deps
 ARG TARGETARCH
 ARG TARGETVARIANT
-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry
-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false \
    PATH="/ak-root/venv/bin:$PATH"
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
    pip install --no-cache cffi && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
-    # Build essentials
+        build-essential libffi-dev \
-    build-essential pkg-config libffi-dev git \
+        # Required for cryptography
-    # cryptography
+        curl pkg-config \
-    curl \
+        # Required for lxml
-    # libxml
+        libxslt-dev zlib1g-dev \
-    libxslt-dev zlib1g-dev \
+        # Required for xmlsec
-    # postgresql
+        libltdl-dev \
-    libpq-dev \
+        # Required for kadmin
-    # python-kadmin-rs
+        sccache clang && \
-    clang libkrb5-dev sccache \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    # xmlsec
+    . "$HOME/.cargo/env" && \
-    libltdl-dev && \
+    python -m venv /ak-root/venv/ && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+    bash -c "source ${VENV_PATH}/bin/activate && \
    pip3 install --upgrade pip poetry && \
    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
    pip uninstall cryptography -y && \
    poetry install --only=main --no-ansi --no-interaction --no-root"
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+# Stage 6: Run
-
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
 RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=bind,target=uv.lock,src=uv.lock \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev
 # Stage 8: Run
 FROM python-base AS final-image
 ARG VERSION
 ARG GIT_BUILD_HASH
@ -177,7 +171,7 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@ -186,7 +180,7 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
+COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
@ -197,6 +191,9 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false \
    GOFIPS=1
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/55
+++ b/55
@ -4,7 +4,7 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
@ -12,9 +12,9 @@ GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)
 all: lint-fix lint test gen web  ## Lint, build, and test everything
@ -32,37 +32,34 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
+	poetry run coverage run manage.py test --keepdb authentik
-	uv run coverage html
+	poetry run coverage html
-	uv run coverage report
+	poetry run coverage report
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)
 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	poetry run codespell -w
 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v
 core-install:
-	uv sync --frozen
+	poetry install
 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	poetry run python -m lifecycle.migrate
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn
 run:  ## Run the main authentik server process
 	uv run ak server
 core-i18n-extract:
-	uv run ak makemessages \
+	poetry run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -93,11 +90,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		poetry run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		poetry run ak spectacular --file schema.yml
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -148,7 +145,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -176,7 +173,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	poetry run scripts/generate_config.py
 gen: gen-build gen-client-ts
@ -257,21 +254,21 @@ ci--meta-debug:
 	node --version
 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)
 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)
 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	poetry run codespell -s
 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)
 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	poetry run ak makemigrations --check
 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
+	poetry run coverage report
-	uv run coverage xml
+	poetry run coverage xml
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.2.4"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -59,7 +59,7 @@ class SystemInfoSerializer(PassiveSerializer):
            if not isinstance(value, str):
                continue
            actual_value = value
-            if raw_session is not None and raw_session in actual_value:
+            if raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -36,7 +36,6 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
    Session,
    Source,
    User,
    UserSourceConnection,
@ -109,7 +108,6 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -49,8 +49,6 @@ class BrandSerializer(ModelSerializer):
            "branding_title",
            "branding_logo",
            "branding_favicon",
            "branding_custom_css",
            "branding_default_flow_background",
            "flow_authentication",
            "flow_invalidation",
            "flow_recovery",
@ -88,7 +86,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    branding_title = CharField()
    branding_logo = CharField(source="branding_logo_url")
    branding_favicon = CharField(source="branding_favicon_url")
    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
@ -128,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "branding_title",
        "branding_logo",
        "branding_favicon",
        "branding_default_flow_background",
        "flow_authentication",
        "flow_invalidation",
        "flow_recovery",
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -1,35 +0,0 @@
 # Generated by Django 5.0.12 on 2025-02-22 01:51
 from pathlib import Path
 from django.db import migrations, models
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    Brand = apps.get_model("authentik_brands", "brand")
    db_alias = schema_editor.connection.alias
    path = Path("/web/dist/custom.css")
    if not path.exists():
        return
    css = path.read_text()
    Brand.objects.using(db_alias).update(branding_custom_css=css)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0007_brand_default_application"),
    ]
    operations = [
        migrations.AddField(
            model_name="brand",
            name="branding_custom_css",
            field=models.TextField(blank=True, default=""),
        ),
        migrations.RunPython(migrate_custom_css),
    ]
--- a/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
+++ b/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
@ -1,18 +0,0 @@
 # Generated by Django 5.0.13 on 2025-03-19 22:54
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0008_brand_branding_custom_css"),
    ]
    operations = [
        migrations.AddField(
            model_name="brand",
            name="branding_default_flow_background",
            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
        ),
    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -33,10 +33,6 @@ class Brand(SerializerModel):
    branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
    branding_custom_css = models.TextField(default="", blank=True)
    branding_default_flow_background = models.TextField(
        default="/static/dist/assets/images/flow_background.jpg"
    )
    flow_authentication = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@ -88,12 +84,6 @@ class Brand(SerializerModel):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon
    def branding_default_flow_background_url(self) -> str:
        """Get branding_default_flow_background with the correct prefix"""
        if self.branding_default_flow_background.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
        return self.branding_default_flow_background
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -24,7 +24,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -44,7 +43,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "custom",
                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -61,7 +59,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": "fallback",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -124,27 +121,3 @@ class TestBrands(APITestCase):
                "subject": None,
            },
        )
    def test_branding_url(self):
        """Test branding attributes return correct values"""
        brand = create_test_brand()
        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
        brand.branding_logo = "https://goauthentik.io/img/icon.png"
        brand.save()
        self.assertEqual(
            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
        )
        self.assertJSONEqual(
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
                "branding_logo": "https://goauthentik.io/img/icon.png",
                "branding_favicon": "https://goauthentik.io/img/icon.png",
                "branding_title": "authentik",
                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
                "default_locale": "",
            },
        )
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -46,7 +46,7 @@ LOGGER = get_logger()
 def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
    """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
+    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
    if page_number:
        key += f"/{page_number}"
    return key
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -5,7 +5,6 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
@ -55,11 +54,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""
    expires = DateTimeField(source="session.expires", read_only=True)
    last_ip = IPAddressField(source="session.last_ip", read_only=True)
    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
    last_used = DateTimeField(source="session.last_used", read_only=True)
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@ -68,19 +62,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key
    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)
    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
    class Meta:
        model = AuthenticatedSession
@ -96,7 +90,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
        extra_args = {"uuid": {"read_only": True}}
 class AuthenticatedSessionViewSet(
@ -108,10 +101,9 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""
-    lookup_field = "uuid"
+    queryset = AuthenticatedSession.objects.all()
    queryset = AuthenticatedSession.objects.select_related("session").all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -5,7 +5,6 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@ -155,17 +154,6 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)
    def destroy(self, request: Request, *args, **kwargs):
        """Prevent deletion of built-in sources"""
        instance: Source = self.get_object()
        if instance.managed == Source.MANAGED_INBUILT:
            raise ValidationError(
                {"detail": "Built-in sources cannot be deleted"}, code="protected"
            )
        return super().destroy(request, *args, **kwargs)
 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
@ -179,13 +167,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "user",
            "source",
            "source_obj",
            "identifier",
            "created",
            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
            "last_updated": {"read_only": True},
        }
@ -202,7 +187,7 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    filterset_fields = ["user", "source__slug"]
-    search_fields = ["user__username", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
@ -221,11 +206,9 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "source_obj",
            "identifier",
            "created",
            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
            "last_updated": {"read_only": True},
        }
@ -242,5 +225,6 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    filterset_fields = ["group", "source__slug"]
-    search_fields = ["group__name", "source__slug", "identifier"]
+    search_fields = ["source__slug"]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,8 @@ from typing import Any
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -69,8 +71,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
    AuthenticatedSession,
    Group,
    Session,
    Token,
    TokenIntents,
    User,
@ -224,7 +226,6 @@ class UserSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
            "date_joined",
            "is_superuser",
            "groups",
            "groups_obj",
@ -239,7 +240,6 @@ class UserSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
            "date_joined": {"read_only": True},
            "password_change_date": {"read_only": True},
        }
@ -373,7 +373,7 @@ class UsersFilter(FilterSet):
        method="filter_attributes",
    )
-    is_superuser = BooleanFilter(field_name="ak_groups", method="filter_is_superuser")
+    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    uuid = UUIDFilter(field_name="uuid")
    path = CharFilter(field_name="path")
@ -391,11 +391,6 @@ class UsersFilter(FilterSet):
        queryset=Group.objects.all().order_by("name"),
    )
    def filter_is_superuser(self, queryset, name, value):
        if value:
            return queryset.filter(ak_groups__is_superuser=True).distinct()
        return queryset.exclude(ak_groups__is_superuser=True).distinct()
    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
@ -772,6 +767,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            Session.objects.filter(authenticatedsession__user=instance).delete()
+            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -32,5 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed=Source.MANAGED_INBUILT,
+            managed="goauthentik.io/sources/inbuilt",
        )
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -24,15 +24,6 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user
    async def aauthenticate(
        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
    ) -> User | None:
        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
        if not user:
            return None
        self.set_method("password", request)
        return user
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@ -1,15 +0,0 @@
 """Change user type"""
 from importlib import import_module
 from django.conf import settings
 from authentik.tenants.management import TenantCommand
 class Command(TenantCommand):
    """Delete all sessions"""
    def handle_per_tenant(self, **options):
        engine = import_module(settings.SESSION_ENGINE)
        engine.SessionStore.clear_expired()
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -2,14 +2,9 @@
 from collections.abc import Callable
 from contextvars import ContextVar
 from functools import partial
 from uuid import uuid4
 from django.contrib.auth.models import AnonymousUser
 from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -25,40 +20,6 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)
 def get_user(request):
    if not hasattr(request, "_cached_user"):
        user = None
        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
            user = authenticated_session.user
        request._cached_user = user or AnonymousUser()
    return request._cached_user
 async def aget_user(request):
    if not hasattr(request, "_cached_user"):
        user = None
        if (
            authenticated_session := await request.session.aget("authenticatedsession", None)
        ) is not None:
            user = authenticated_session.user
        request._cached_user = user or AnonymousUser()
    return request._cached_user
 class AuthenticationMiddleware(MiddlewareMixin):
    def process_request(self, request):
        if not hasattr(request, "session"):
            raise ImproperlyConfigured(
                "The Django authentication middleware requires session "
                "middleware to be installed. Edit your MIDDLEWARE setting to "
                "insert "
                "'authentik.root.middleware.SessionMiddleware' before "
                "'authentik.core.middleware.AuthenticationMiddleware'."
            )
        request.user = SimpleLazyObject(lambda: get_user(request))
        request.auser = partial(aget_user, request)
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""
--- a/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
+++ b/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
@ -1,19 +0,0 @@
 # Generated by Django 5.0.13 on 2025-04-07 14:04
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0043_alter_group_options"),
    ]
    operations = [
        migrations.AddField(
            model_name="usersourceconnection",
            name="new_identifier",
            field=models.TextField(default=""),
            preserve_default=False,
        ),
    ]
--- a/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
+++ b/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
@ -1,30 +0,0 @@
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0044_usersourceconnection_new_identifier"),
        ("authentik_sources_kerberos", "0003_migrate_userkerberossourceconnection_identifier"),
        ("authentik_sources_oauth", "0009_migrate_useroauthsourceconnection_identifier"),
        ("authentik_sources_plex", "0005_migrate_userplexsourceconnection_identifier"),
        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
    ]
    operations = [
        migrations.RenameField(
            model_name="usersourceconnection",
            old_name="new_identifier",
            new_name="identifier",
        ),
        migrations.AddIndex(
            model_name="usersourceconnection",
            index=models.Index(fields=["identifier"], name="authentik_c_identif_59226f_idx"),
        ),
        migrations.AddIndex(
            model_name="usersourceconnection",
            index=models.Index(
                fields=["source", "identifier"], name="authentik_c_source__649e04_idx"
            ),
        ),
    ]
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -1,238 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 12:58
 import uuid
 import pickle  # nosec
 from django.core import signing
 from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
 from django.db import migrations, models
 import django.db.models.deletion
 from django.conf import settings
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.utils.timezone import now, timedelta
 from authentik.lib.migrations import progress_bar
 from authentik.root.middleware import ClientIPMiddleware
 SESSION_CACHE_ALIAS = "default"
 class PickleSerializer:
    """
    Simple wrapper around pickle to be used in signing.dumps()/loads() and
    cache backends.
    """
    def __init__(self, protocol=None):
        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
    def dumps(self, obj):
        """Pickle data to be stored in redis"""
        return pickle.dumps(obj, self.protocol)
    def loads(self, data):
        """Unpickle data to be loaded from redis"""
        return pickle.loads(data)  # nosec
 def _migrate_session(
    apps,
    db_alias,
    session_key,
    session_data,
    expires,
 ):
    Session = apps.get_model("authentik_core", "Session")
    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
    old_auth_session = (
        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
    )
    args = {
        "session_key": session_key,
        "expires": expires,
        "last_ip": ClientIPMiddleware.default_ip,
        "last_user_agent": "",
        "session_data": {},
    }
    for k, v in session_data.items():
        if k == "authentik/stages/user_login/last_ip":
            args["last_ip"] = v
        elif k in ["last_user_agent", "last_used"]:
            args[k] = v
        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
            pass
        else:
            args["session_data"][k] = v
    if old_auth_session:
        args["last_user_agent"] = old_auth_session.last_user_agent
        args["last_used"] = old_auth_session.last_used
    args["session_data"] = pickle.dumps(args["session_data"])
    session = Session.objects.using(db_alias).create(**args)
    if old_auth_session:
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
        )
 def migrate_redis_sessions(apps, schema_editor):
    from django.core.cache import caches
    db_alias = schema_editor.connection.alias
    cache = caches[SESSION_CACHE_ALIAS]
    # Not a redis cache, skipping
    if not hasattr(cache, "keys"):
        return
    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
        _migrate_session(
            apps=apps,
            db_alias=db_alias,
            session_key=key.removeprefix(KEY_PREFIX),
            session_data=session_data,
            expires=now() + timedelta(seconds=cache.ttl(key)),
        )
 def migrate_database_sessions(apps, schema_editor):
    DjangoSession = apps.get_model("sessions", "Session")
    db_alias = schema_editor.connection.alias
    print("\nMigration database sessions, this might take a couple of minutes...")
    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
        session_data = signing.loads(
            django_session.session_data,
            salt="django.contrib.sessions.SessionStore",
            serializer=PickleSerializer,
        )
        _migrate_session(
            apps=apps,
            db_alias=db_alias,
            session_key=django_session.session_key,
            session_data=session_data,
            expires=django_session.expire_date,
        )
 class Migration(migrations.Migration):
    dependencies = [
        ("sessions", "0001_initial"),
        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
    ]
    operations = [
        # Rename AuthenticatedSession to OldAuthenticatedSession
        migrations.RenameModel(
            old_name="AuthenticatedSession",
            new_name="OldAuthenticatedSession",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expires_cf4f72_idx",
            old_name="authentik_c_expires_08251d_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expirin_c1f17f_idx",
            old_name="authentik_c_expirin_9cd839_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_expirin_e04f5d_idx",
            old_name="authentik_c_expirin_195a84_idx",
        ),
        migrations.RenameIndex(
            model_name="oldauthenticatedsession",
            new_name="authentik_c_session_a44819_idx",
            old_name="authentik_c_session_d0f005_idx",
        ),
        migrations.RunSQL(
            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
        ),
        # Create new Session and AuthenticatedSession models
        migrations.CreateModel(
            name="Session",
            fields=[
                (
                    "session_key",
                    models.CharField(
                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
                    ),
                ),
                ("expires", models.DateTimeField(default=None, null=True)),
                ("expiring", models.BooleanField(default=True)),
                ("session_data", models.BinaryField(verbose_name="session data")),
                ("last_ip", models.GenericIPAddressField()),
                ("last_user_agent", models.TextField(blank=True)),
                ("last_used", models.DateTimeField(auto_now=True)),
            ],
            options={
                "default_permissions": [],
                "verbose_name": "Session",
                "verbose_name_plural": "Sessions",
            },
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="session",
            index=models.Index(
                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
            ),
        ),
        migrations.CreateModel(
            name="AuthenticatedSession",
            fields=[
                (
                    "session",
                    models.OneToOneField(
                        on_delete=django.db.models.deletion.CASCADE,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.session",
                    ),
                ),
                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
                    ),
                ),
            ],
            options={
                "verbose_name": "Authenticated Session",
                "verbose_name_plural": "Authenticated Sessions",
            },
        ),
        migrations.RunPython(
            code=migrate_redis_sessions,
            reverse_code=migrations.RunPython.noop,
        ),
        migrations.RunPython(
            code=migrate_database_sessions,
            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
+++ b/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
@ -1,18 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 13:02
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0046_session_and_more"),
        ("authentik_providers_rac", "0007_migrate_session"),
        ("authentik_providers_oauth2", "0028_migrate_session"),
    ]
    operations = [
        migrations.DeleteModel(
            name="OldAuthenticatedSession",
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,7 +1,6 @@
 """authentik core models"""
 from datetime import datetime
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@ -10,7 +9,6 @@ from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@ -648,30 +646,19 @@ class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = (
+    EMAIL_LINK = "email_link", _(
-        "email_link",
+        "Link to a user with identical email address. Can have security implications "
-        _(
+        "when a source doesn't validate email addresses."
            "Link to a user with identical email address. Can have security implications "
            "when a source doesn't validate email addresses."
        ),
    )
-    EMAIL_DENY = (
+    EMAIL_DENY = "email_deny", _(
-        "email_deny",
+        "Use the user's email address, but deny enrollment when the email address already exists."
        _(
            "Use the user's email address, but deny enrollment when the email address already "
            "exists."
        ),
    )
-    USERNAME_LINK = (
+    USERNAME_LINK = "username_link", _(
-        "username_link",
+        "Link to a user with identical username. Can have security implications "
-        _(
+        "when a username is used with another source."
            "Link to a user with identical username. Can have security implications "
            "when a username is used with another source."
        ),
    )
-    USERNAME_DENY = (
+    USERNAME_DENY = "username_deny", _(
-        "username_deny",
+        "Use the user's username, but deny enrollment when the username already exists."
        _("Use the user's username, but deny enrollment when the username already exists."),
    )
@ -679,24 +666,18 @@ class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""
    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = (
+    NAME_LINK = "name_link", _(
-        "name_link",
+        "Link to a group with identical name. Can have security implications "
-        _(
+        "when a group name is used with another source."
            "Link to a group with identical name. Can have security implications "
            "when a group name is used with another source."
        ),
    )
-    NAME_DENY = (
+    NAME_DENY = "name_deny", _(
-        "name_deny",
+        "Use the group name, but deny enrollment when the name already exists."
        _("Use the group name, but deny enrollment when the name already exists."),
    )
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)
@ -747,7 +728,8 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
-            "How the source determines if an existing group should be used or a new group created."
+            "How the source determines if an existing group should be used or "
            "a new group created."
        ),
    )
@ -777,17 +759,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
        if self.managed == self.MANAGED_INBUILT:
            return ""
        raise NotImplementedError
    @property
    def property_mapping_type(self) -> "type[PropertyMapping]":
        """Return property mapping type used by this object"""
        if self.managed == self.MANAGED_INBUILT:
            from authentik.core.models import PropertyMapping
            return PropertyMapping
        raise NotImplementedError
    def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
@ -802,14 +778,10 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a user to build final properties upon."""
        if self.managed == self.MANAGED_INBUILT:
            return {}
        raise NotImplementedError
    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a group to build final properties upon."""
        if self.managed == self.MANAGED_INBUILT:
            return {}
        raise NotImplementedError
    def __str__(self):
@ -840,7 +812,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)
    identifier = models.TextField()
    objects = InheritanceManager()
@ -854,10 +825,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
    class Meta:
        unique_together = (("user", "source"),)
        indexes = (
            models.Index(fields=("identifier",)),
            models.Index(fields=("source", "identifier")),
        )
 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
@ -1028,75 +995,45 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name_plural = _("Property Mappings")
-class Session(ExpiringModel, AbstractBaseSession):
+class AuthenticatedSession(ExpiringModel):
-    """User session with extra fields for fast access"""
+    """Additional session class for authenticated users. Augments the standard django session
    to achieve the following:
        - Make it queryable by user
        - Have a direct connection to user objects
        - Allow users to view their own sessions and terminate them
        - Save structured and well-defined information.
    """
-    # Remove upstream field because we're using our own ExpiringModel
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
    expire_date = None
    session_data = models.BinaryField(_("session data"))
-    # Keep in sync with Session.Keys
+    session_key = models.CharField(max_length=40)
-    last_ip = models.GenericIPAddressField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
    last_ip = models.TextField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)
    class Meta:
        verbose_name = _("Session")
        verbose_name_plural = _("Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["expires", "session_key"]),
        ]
        default_permissions = []
    def __str__(self):
        return self.session_key
    class Keys(StrEnum):
        """
        Keys to be set with the session interface for the fields above to be updated.
        If a field is added here that needs to be initialized when the session is initialized,
        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
        and in authentik.core.sessions.SessionStore.__init__
        """
        LAST_IP = "last_ip"
        LAST_USER_AGENT = "last_user_agent"
        LAST_USED = "last_used"
    @classmethod
    def get_session_store_class(cls):
        from authentik.core.sessions import SessionStore
        return SessionStore
    def get_decoded(self):
        raise NotImplementedError
 class AuthenticatedSession(SerializerModel):
    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
    # We use the session as primary key, but we need the API to be able to reference
    # this object uniquely without exposing the session key
    uuid = models.UUIDField(default=uuid4, unique=True)
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["session_key"]),
        ]
    def __str__(self) -> str:
-        return f"Authenticated Session {str(self.pk)[:10]}"
+        return f"Authenticated Session {self.session_key[:10]}"
    @staticmethod
    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request"""
-        if not hasattr(request, "session") or not request.session.exists(
+        from authentik.root.middleware import ClientIPMiddleware
-            request.session.session_key
+
-        ):
+        if not hasattr(request, "session") or not request.session.session_key:
            return None
        return AuthenticatedSession(
-            session=Session.objects.filter(session_key=request.session.session_key).first(),
+            session_key=request.session.session_key,
            user=user,
            last_ip=ClientIPMiddleware.get_client_ip(request),
            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@ -1,168 +0,0 @@
 """authentik sessions engine"""
 import pickle  # nosec
 from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
 from django.contrib.sessions.backends.db import SessionStore as SessionBase
 from django.core.exceptions import SuspiciousOperation
 from django.utils import timezone
 from django.utils.functional import cached_property
 from structlog.stdlib import get_logger
 from authentik.root.middleware import ClientIPMiddleware
 LOGGER = get_logger()
 class SessionStore(SessionBase):
    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
        super().__init__(session_key)
        self._create_kwargs = {
            "last_ip": last_ip or ClientIPMiddleware.default_ip,
            "last_user_agent": last_user_agent,
        }
    @classmethod
    def get_model_class(cls):
        from authentik.core.models import Session
        return Session
    @cached_property
    def model_fields(self):
        return [k.value for k in self.model.Keys]
    def _get_session_from_db(self):
        try:
            return (
                self.model.objects.select_related(
                    "authenticatedsession",
                    "authenticatedsession__user",
                )
                .prefetch_related(
                    "authenticatedsession__user__groups",
                    "authenticatedsession__user__user_permissions",
                )
                .get(
                    session_key=self.session_key,
                    expires__gt=timezone.now(),
                )
            )
        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
            if isinstance(exc, SuspiciousOperation):
                LOGGER.warning(str(exc))
            self._session_key = None
    async def _aget_session_from_db(self):
        try:
            return (
                await self.model.objects.select_related(
                    "authenticatedsession",
                    "authenticatedsession__user",
                )
                .prefetch_related(
                    "authenticatedsession__user__groups",
                    "authenticatedsession__user__user_permissions",
                )
                .aget(
                    session_key=self.session_key,
                    expires__gt=timezone.now(),
                )
            )
        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
            if isinstance(exc, SuspiciousOperation):
                LOGGER.warning(str(exc))
            self._session_key = None
    def encode(self, session_dict):
        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
    def decode(self, session_data):
        try:
            return pickle.loads(session_data)  # nosec
        except pickle.PickleError:
            # ValueError, unpickling exceptions. If any of these happen, just return an empty
            # dictionary (an empty session)
            pass
        return {}
    def load(self):
        s = self._get_session_from_db()
        if s:
            return {
                "authenticatedsession": getattr(s, "authenticatedsession", None),
                **{k: getattr(s, k) for k in self.model_fields},
                **self.decode(s.session_data),
            }
        else:
            return {}
    async def aload(self):
        s = await self._aget_session_from_db()
        if s:
            return {
                "authenticatedsession": getattr(s, "authenticatedsession", None),
                **{k: getattr(s, k) for k in self.model_fields},
                **self.decode(s.session_data),
            }
        else:
            return {}
    def create_model_instance(self, data):
        args = {
            "session_key": self._get_or_create_session_key(),
            "expires": self.get_expiry_date(),
            "session_data": {},
            **self._create_kwargs,
        }
        for k, v in data.items():
            # Don't save:
            # - unused auth data
            # - related models
            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
                pass
            elif k in self.model_fields:
                args[k] = v
            else:
                args["session_data"][k] = v
        args["session_data"] = self.encode(args["session_data"])
        return self.model(**args)
    async def acreate_model_instance(self, data):
        args = {
            "session_key": await self._aget_or_create_session_key(),
            "expires": await self.aget_expiry_date(),
            "session_data": {},
            **self._create_kwargs,
        }
        for k, v in data.items():
            # Don't save:
            # - unused auth data
            # - related models
            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
                pass
            elif k in self.model_fields:
                args[k] = v
            else:
                args["session_data"][k] = v
        args["session_data"] = self.encode(args["session_data"])
        return self.model(**args)
    @classmethod
    def clear_expired(cls):
        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
    @classmethod
    async def aclear_expired(cls):
        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
    def cycle_key(self):
        data = self._session
        key = self.session_key
        self.create()
        self._session_cache = data
        if key:
            self.delete(key)
        if (authenticated_session := data.get("authenticatedsession")) is not None:
            authenticated_session.session_id = self.session_key
            authenticated_session.save(force_insert=True)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,11 @@
 """authentik core signals"""
-from django.contrib.auth.signals import user_logged_in
+from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_delete, post_save, pre_save
+from django.db.models.signals import post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@ -14,7 +15,6 @@ from authentik.core.models import (
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
    Session,
    User,
    default_token_duration,
 )
@ -49,10 +49,19 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
        session.save()
-@receiver(post_delete, sender=AuthenticatedSession)
+@receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    """Delete AuthenticatedSession if it exists"""
    if not request.session or not request.session.session_key:
        return
    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    Session.objects.filter(session_key=instance.pk).delete()
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
    cache.delete(cache_key)
@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -48,7 +48,6 @@ LOGGER = get_logger()
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
 SESSION_KEY_SOURCE_FLOW_CONTEXT = "authentik/flows/source_flow_context"
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
@ -262,7 +261,6 @@ class SourceFlowManager:
                plan.append_stage(stage)
        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
            plan.append_stage(stage)
        plan.context.update(self.request.session.get(SESSION_KEY_SOURCE_FLOW_CONTEXT, {}))
        return plan.to_redirect(self.request, flow)
    def handle_auth(
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -2,16 +2,22 @@
 from datetime import datetime, timedelta
 from django.conf import ImproperlyConfigured
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
 from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
    AuthenticatedSession,
    ExpiringModel,
    User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -32,6 +38,40 @@ def clean_expired_models(self: SystemTask):
            obj.expire_action()
        LOGGER.debug("Expired models", model=cls, amount=amount)
        messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
    # Special case
    amount = 0
    for session in AuthenticatedSession.objects.all():
        match CONFIG.get("session_storage", "cache"):
            case "cache":
                cache_key = f"{KEY_PREFIX}{session.session_key}"
                value = None
                try:
                    value = cache.get(cache_key)
                except Exception as exc:
                    LOGGER.debug("Failed to get session from cache", exc=exc)
                if not value:
                    session.delete()
                    amount += 1
            case "db":
                if not (
                    DBSessionStore.get_model_class()
                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
                    .exists()
                ):
                    session.delete()
                    amount += 1
            case _:
                # Should never happen, as we check for other values in authentik/root/settings.py
                raise ImproperlyConfigured(
                    "Invalid session_storage setting, allowed values are db and cache"
                )
    if CONFIG.get("session_storage", "cache") == "db":
        DBSessionStore.clear_expired()
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head_before %}
-<link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
+<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
+    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -5,7 +5,7 @@ from json import loads
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import AuthenticatedSession, Session, User
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
@ -30,18 +30,3 @@ class TestAuthenticatedSessionsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["pagination"]["count"], 1)
    def test_delete(self):
        """Test deletion"""
        self.client.force_login(self.user)
        self.assertEqual(AuthenticatedSession.objects.all().count(), 1)
        self.assertEqual(Session.objects.all().count(), 1)
        response = self.client.delete(
            reverse(
                "authentik_api:authenticatedsession-detail",
                kwargs={"uuid": AuthenticatedSession.objects.first().uuid},
            )
        )
        self.assertEqual(response.status_code, 204)
        self.assertEqual(AuthenticatedSession.objects.all().count(), 0)
        self.assertEqual(Session.objects.all().count(), 0)
--- a/authentik/core/tests/test_source_api.py
+++ b/authentik/core/tests/test_source_api.py
@ -1,19 +0,0 @@
 from django.apps import apps
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 class TestSourceAPI(APITestCase):
    def setUp(self) -> None:
        self.user = create_test_admin_user()
        self.client.force_login(self.user)
    def test_builtin_source_used_by(self):
        """Test Providers's types endpoint"""
        apps.get_app_config("authentik_core").source_inbuilt()
        response = self.client.get(
            reverse("authentik_api:source-used-by", kwargs={"slug": "authentik-built-in"}),
        )
        self.assertEqual(response.status_code, 200)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -1,8 +1,9 @@
 """Test Users API"""
 from datetime import datetime
 from json import loads
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
@ -10,17 +11,11 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
    Session,
    Token,
    User,
    UserTypes,
 )
-from authentik.core.tests.utils import (
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
    create_test_admin_user,
    create_test_brand,
    create_test_flow,
    create_test_user,
 )
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
@ -31,7 +26,7 @@ class TestUsersAPI(APITestCase):
    def setUp(self) -> None:
        self.admin = create_test_admin_user()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="test-user")
    def test_filter_type(self):
        """Test API filtering by type"""
@ -46,35 +41,6 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)
    def test_filter_is_superuser(self):
        """Test API filtering by superuser status"""
        User.objects.all().delete()
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Test superuser
        response = self.client.get(
            reverse("authentik_api:user-list"),
            data={
                "is_superuser": True,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(len(body["results"]), 1)
        self.assertEqual(body["results"][0]["username"], admin.username)
        # Test non-superuser
        user = create_test_user()
        response = self.client.get(
            reverse("authentik_api:user-list"),
            data={
                "is_superuser": False,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(len(body["results"]), 1, body)
        self.assertEqual(body["results"][0]["username"], user.username)
    def test_list_with_groups(self):
        """Test listing with groups"""
        self.client.force_login(self.admin)
@ -133,8 +99,6 @@ class TestUsersAPI(APITestCase):
    def test_recovery_email_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
        self.user.email = ""
        self.user.save()
        response = self.client.post(
            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
        )
@ -380,15 +344,12 @@ class TestUsersAPI(APITestCase):
        """Ensure sessions are deleted when a user is deactivated"""
        user = create_test_admin_user()
        session_id = generate_id()
        session = Session.objects.create(
            session_key=session_id,
            last_ip="255.255.255.255",
            last_user_agent="",
        )
        AuthenticatedSession.objects.create(
            session=session,
            user=user,
            session_key=session_id,
            last_ip="",
        )
        cache.set(KEY_PREFIX + session_id, "foo")
        self.client.force_login(self.admin)
        response = self.client.patch(
@ -399,7 +360,5 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)
-        self.assertFalse(Session.objects.filter(session_key=session_id).exists())
+        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(
+        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
            AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -1,5 +1,7 @@
 """authentik URL Configuration"""
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@ -11,11 +13,7 @@ from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.property_mappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
-from authentik.core.api.sources import (
+from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
    GroupSourceConnectionViewSet,
    SourceViewSet,
    UserSourceConnectionViewSet,
 )
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
@ -27,7 +25,7 @@ from authentik.core.views.interface import (
    RootRedirectView,
 )
 from authentik.flows.views.interface import FlowInterfaceView
-from authentik.root.asgi_middleware import AuthMiddlewareStack
+from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@ -83,7 +81,6 @@ api_urlpatterns = [
    ("core/tokens", TokenViewSet),
    ("sources/all", SourceViewSet),
    ("sources/user_connections/all", UserSourceConnectionViewSet),
    ("sources/group_connections/all", GroupSourceConnectionViewSet),
    ("providers/all", ProviderViewSet),
    ("propertymappings/all", PropertyMappingViewSet),
    ("authenticators/all", DeviceViewSet, "device"),
@ -97,7 +94,9 @@ api_urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/client/",
-        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
+        ChannelsLoggingMiddleware(
            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
        ),
    ),
 ]
--- a/authentik/enterprise/audit/apps.py
+++ b/authentik/enterprise/audit/apps.py
@ -9,7 +9,7 @@ class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
    """Enterprise app config"""
    name = "authentik.enterprise.audit"
-    label = "authentik_enterprise_audit"
+    label = "authentik_audit"
    verbose_name = "authentik Enterprise.Audit"
    default = True
--- a/authentik/enterprise/audit/models.py
+++ b/authentik/enterprise/audit/models.py
@ -0,0 +1,107 @@
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
 from authentik.lib.models import SerializerModel
 from django.db import models
 from uuid import uuid4
 from authentik.core.models import Group, User
 # # Names
 # Lifecycle
 # Access reviews
 # Access lifecycle
 # Governance
 # Audit
 # Compliance
 # Lifecycle
 # Lifecycle review
 # Review
 # Access review
 # Compliance review
 # X Scheduled review
 # Only some objects supported?
 #
 # For disabling support:
 # Application
 # Provider
 # Outpost (simply setting the list of providers to empty in the outpost itself)
 # Flow
 # Users
 # Groups <- will get tricky
 # Roles
 # Sources
 # Tokens (api, app_pass)
 # Brands
 # Outpost integrations
 #
 # w/o disabling support
 # System Settings
 # everything else
 #   would need to show in an audit dashboard cause not all have pages to get details
 # "default" policy for objects, by default, everlasting
 class AuditPolicyFailAction(models.TextChoices):
    # For preview
    NOTHING = "nothing"
    # Disable the thing failing, HOW
    DISABLE = "disable"
    # Emit events
    WARN = "warn"
 class LifecycleRule(SerializerModel):
    pass
 class ReviewRule(SerializerModel):
    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    # Check every 6 months, allow for daily/weekly/first of month, etc.
    interval = models.TextField()  # timedelta
    # Preventive notification
    reminder_interval = models.TextField()  # timedelta
    # Must be checked by these
    groups = models.ManyToManyField(Group)
    users = models.ManyToManyField(User)
    # How many of the above must approve
    required_approvals = models.IntegerField(default=1)
    # How long to wait before executing fail action
    grace_period = models.TextField()  # timedelta
    # What to do if not reviewed in time
    fail_action = models.CharField(choices=AuditPolicyFailAction)
 class AuditPolicyBinding(SerializerModel):
    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    # Many to many ? Bind users/groups here instead of on the policy ?
    policy = models.ForeignKey(AuditPolicy, on_delete=models.PROTECT)
    content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
    object_id = models.TextField(blank=True)  # optional to apply on all objects of specific type
    content_object = GenericForeignKey("content_type", "object_id")
    # valid -> waiting review -> valid
    # valid -> waiting review -> review overdue -> valid
    # valid -> waiting review -> review overdue -> failed -> valid
    # look at django-fsm or django-viewflow
    status = models.TextField()
    class Meta:
        indexes = (
            models.Index(fields=["content_type"]),
            models.Index(fields=["content_type", "object_id"]),
        )
 class AuditHistory:
    pass
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -102,7 +102,7 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
            "format": "complex",
            "session": {
                "format": "opaque",
-                "id": sha256(instance.session.session_key.encode("ascii")).hexdigest(),
+                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@ -11,14 +11,13 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.core.models import Source, User
 from authentik.core.sources.flow_manager import (
    SESSION_KEY_OVERRIDE_FLOW_TOKEN,
    SESSION_KEY_SOURCE_FLOW_CONTEXT,
    SESSION_KEY_SOURCE_FLOW_STAGES,
 )
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.models import FlowToken, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_IS_REDIRECTED, PLAN_CONTEXT_IS_RESTORED
+from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
 from authentik.flows.stage import ChallengeStageView, StageView
 from authentik.lib.utils.time import timedelta_from_string
@ -54,9 +53,6 @@ class SourceStageView(ChallengeStageView):
        resume_token = self.create_flow_token()
        self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
        self.request.session[SESSION_KEY_SOURCE_FLOW_STAGES] = [in_memory_stage(SourceStageFinal)]
        self.request.session[SESSION_KEY_SOURCE_FLOW_CONTEXT] = {
            PLAN_CONTEXT_IS_REDIRECTED: self.executor.flow,
        }
        return self.login_button.challenge
    def create_flow_token(self) -> FlowToken:
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -50,8 +50,7 @@ class NotificationTransportSerializer(ModelSerializer):
            "mode",
            "mode_verbose",
            "webhook_url",
-            "webhook_mapping_body",
+            "webhook_mapping",
            "webhook_mapping_headers",
            "send_once",
        ]
--- a/authentik/events/migrations/0009_remove_notificationtransport_webhook_mapping_and_more.py
+++ b/authentik/events/migrations/0009_remove_notificationtransport_webhook_mapping_and_more.py
@ -1,43 +0,0 @@
 # Generated by Django 5.0.13 on 2025-03-20 19:54
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0008_event_authentik_e_expires_8c73a8_idx_and_more"),
    ]
    operations = [
        migrations.RenameField(
            model_name="notificationtransport",
            old_name="webhook_mapping",
            new_name="webhook_mapping_body",
        ),
        migrations.AlterField(
            model_name="notificationtransport",
            name="webhook_mapping_body",
            field=models.ForeignKey(
                default=None,
                help_text="Customize the body of the request. Mapping should return data that is JSON-serializable.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="+",
                to="authentik_events.notificationwebhookmapping",
            ),
        ),
        migrations.AddField(
            model_name="notificationtransport",
            name="webhook_mapping_headers",
            field=models.ForeignKey(
                default=None,
                help_text="Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="+",
                to="authentik_events.notificationwebhookmapping",
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -336,27 +336,8 @@ class NotificationTransport(SerializerModel):
    mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
    webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
-    webhook_mapping_body = models.ForeignKey(
+    webhook_mapping = models.ForeignKey(
-        "NotificationWebhookMapping",
+        "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
        on_delete=models.SET_DEFAULT,
        null=True,
        default=None,
        related_name="+",
        help_text=_(
            "Customize the body of the request. "
            "Mapping should return data that is JSON-serializable."
        ),
    )
    webhook_mapping_headers = models.ForeignKey(
        "NotificationWebhookMapping",
        on_delete=models.SET_DEFAULT,
        null=True,
        default=None,
        related_name="+",
        help_text=_(
            "Configure additional headers to be sent. "
            "Mapping should return a dictionary of key-value pairs"
        ),
    )
    send_once = models.BooleanField(
        default=False,
@ -379,8 +360,8 @@ class NotificationTransport(SerializerModel):
    def send_local(self, notification: "Notification") -> list[str]:
        """Local notification delivery"""
-        if self.webhook_mapping_body:
+        if self.webhook_mapping:
-            self.webhook_mapping_body.evaluate(
+            self.webhook_mapping.evaluate(
                user=notification.user,
                request=None,
                notification=notification,
@ -399,18 +380,9 @@ class NotificationTransport(SerializerModel):
        if notification.event and notification.event.user:
            default_body["event_user_email"] = notification.event.user.get("email", None)
            default_body["event_user_username"] = notification.event.user.get("username", None)
-        headers = {}
+        if self.webhook_mapping:
        if self.webhook_mapping_body:
            default_body = sanitize_item(
-                self.webhook_mapping_body.evaluate(
+                self.webhook_mapping.evaluate(
                    user=notification.user,
                    request=None,
                    notification=notification,
                )
            )
        if self.webhook_mapping_headers:
            headers = sanitize_item(
                self.webhook_mapping_headers.evaluate(
                    user=notification.user,
                    request=None,
                    notification=notification,
@ -420,7 +392,6 @@ class NotificationTransport(SerializerModel):
            response = get_http_session().post(
                self.webhook_url,
                json=default_body,
                headers=headers,
            )
            response.raise_for_status()
        except RequestException as exc:
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -59,7 +59,7 @@ def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | Non
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session.session_key)
+        session = SessionStore(request_or_session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)
--- a/authentik/events/tests/test_notifications.py
+++ b/authentik/events/tests/test_notifications.py
@ -120,7 +120,7 @@ class TestEventsNotifications(APITestCase):
        )
        transport = NotificationTransport.objects.create(
-            name=generate_id(), webhook_mapping_body=mapping, mode=TransportMode.LOCAL
+            name=generate_id(), webhook_mapping=mapping, mode=TransportMode.LOCAL
        )
        NotificationRule.objects.filter(name__startswith="default").delete()
        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
--- a/authentik/events/tests/test_transports.py
+++ b/authentik/events/tests/test_transports.py
@ -60,25 +60,20 @@ class TestEventTransports(TestCase):
    def test_transport_webhook_mapping(self):
        """Test webhook transport with custom mapping"""
-        mapping_body = NotificationWebhookMapping.objects.create(
+        mapping = NotificationWebhookMapping.objects.create(
            name=generate_id(), expression="return request.user"
        )
        mapping_headers = NotificationWebhookMapping.objects.create(
            name=generate_id(), expression="""return {"foo": "bar"}"""
        )
        transport: NotificationTransport = NotificationTransport.objects.create(
            name=generate_id(),
            mode=TransportMode.WEBHOOK,
            webhook_url="http://localhost:1234/test",
-            webhook_mapping_body=mapping_body,
+            webhook_mapping=mapping,
            webhook_mapping_headers=mapping_headers,
        )
        with Mocker() as mocker:
            mocker.post("http://localhost:1234/test")
            transport.send(self.notification)
            self.assertEqual(mocker.call_count, 1)
            self.assertEqual(mocker.request_history[0].method, "POST")
            self.assertEqual(mocker.request_history[0].headers["foo"], "bar")
            self.assertJSONEqual(
                mocker.request_history[0].body.decode(),
                {"email": self.user.email, "pk": self.user.pk, "username": self.user.username},
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -6,7 +6,6 @@ from typing import TYPE_CHECKING
 from uuid import uuid4
 from django.db import models
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from model_utils.managers import InheritanceManager
 from rest_framework.serializers import BaseSerializer
@ -179,12 +178,11 @@ class Flow(SerializerModel, PolicyBindingModel):
        help_text=_("Required level of authentication and authorization to access a flow."),
    )
-    def background_url(self, request: HttpRequest | None = None) -> str:
+    @property
    def background_url(self) -> str:
        """Get the URL to the background image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.background:
            if request:
                return request.brand.branding_default_flow_background_url()
            return (
                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
            )
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -184,7 +184,7 @@ class ChallengeStageView(StageView):
                flow_info = ContextualFlowInfo(
                    data={
                        "title": self.format_title(),
-                        "background": self.executor.flow.background_url(self.request),
+                        "background": self.executor.flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                        "layout": self.executor.flow.layout,
                    }
--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@ -27,6 +27,7 @@ class FlowTestCase(APITestCase):
        self.assertIsNotNone(raw_response["component"])
        if flow:
            self.assertIn("flow_info", raw_response)
            self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
            self.assertEqual(
                raw_response["flow_info"]["cancel_url"], reverse("authentik_flows:cancel")
            )
--- a/authentik/flows/tests/test_api.py
+++ b/authentik/flows/tests/test_api.py
@ -1,11 +1,9 @@
 """API flow tests"""
 from json import loads
 from django.urls import reverse
 from rest_framework.test import APITestCase
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.api.stages import StageSerializer, StageViewSet
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage
 from authentik.lib.generators import generate_id
@ -79,22 +77,6 @@ class TestFlowsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(response.content, {"diagram": DIAGRAM_EXPECTED})
    def test_api_background(self):
        """Test custom background"""
        user = create_test_admin_user()
        self.client.force_login(user)
        flow = create_test_flow()
        response = self.client.get(reverse("authentik_api:flow-detail", kwargs={"slug": flow.slug}))
        body = loads(response.content.decode())
        self.assertEqual(body["background"], "/static/dist/assets/images/flow_background.jpg")
        flow.background = "https://goauthentik.io/img/icon.png"
        flow.save()
        response = self.client.get(reverse("authentik_api:flow-detail", kwargs={"slug": flow.slug}))
        body = loads(response.content.decode())
        self.assertEqual(body["background"], "https://goauthentik.io/img/icon.png")
    def test_api_diagram_no_stages(self):
        """Test flow diagram with no stages."""
        user = create_test_admin_user()
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -49,7 +49,7 @@ class TestFlowInspector(APITestCase):
                "captcha_stage": None,
                "component": "ak-stage-identification",
                "flow_info": {
-                    "background": "/static/dist/assets/images/flow_background.jpg",
+                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": flow.title,
                    "layout": "stacked",
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -69,7 +69,6 @@ SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 SESSION_KEY_AUTH_STARTED = "authentik/flows/auth_started"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
@ -454,7 +453,6 @@ class FlowExecutorView(APIView):
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
            SESSION_KEY_GET,
            SESSION_KEY_AUTH_STARTED,
            # We might need the initial POST payloads for later requests
            # SESSION_KEY_POST,
            # We don't delete the history on purpose, as a user might
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -6,22 +6,14 @@ from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse
 from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.models import Flow
 from authentik.flows.views.executor import SESSION_KEY_AUTH_STARTED
 class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["flow"] = flow
        if (
            not self.request.user.is_authenticated
            and flow.designation == FlowDesignation.AUTHENTICATION
        ):
            self.request.session[SESSION_KEY_AUTH_STARTED] = True
            self.request.session.save()
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,20 +1,5 @@
-# authentik configuration
+# update website/docs/install-config/configuration/configuration.mdx
-#
+# This is the default configuration file
 # https://docs.goauthentik.io/docs/install-config/configuration/
 #
 # To override the settings in this file, run the following command from the repository root:
 #
 # ```shell
 # make gen-dev-config
 # ```
 #
 # You may edit the generated file to override the configuration below.  
 #
 # When making modifying the default configuration file, 
 # ensure that the corresponding documentation is updated to match.
 #
 # @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
 postgresql:
  host: localhost
  name: authentik
@ -60,8 +45,6 @@ redis:
 #   url: ""
 #   transport_options: ""
 http_timeout: 30
 cache:
  # url: ""
  timeout: 300
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -18,7 +18,7 @@ from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
@ -203,7 +203,9 @@ class BaseEvaluator:
            provider = OAuth2Provider.objects.get(name=provider)
        session = None
        if hasattr(request, "session") and request.session.session_key:
-            session = request.session["authenticatedsession"]
+            session = AuthenticatedSession.objects.filter(
                session_key=request.session.session_key
            ).first()
        access_token = AccessToken(
            provider=provider,
            user=user,
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@ -18,15 +18,6 @@ class SerializerModel(models.Model):
    @property
    def serializer(self) -> type[BaseSerializer]:
        """Get serializer for this model"""
        # Special handling for built-in source
        if (
            hasattr(self, "managed")
            and hasattr(self, "MANAGED_INBUILT")
            and self.managed == self.MANAGED_INBUILT
        ):
            from authentik.core.api.sources import SourceSerializer
            return SourceSerializer
        raise NotImplementedError
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -16,40 +16,7 @@ def authentik_user_agent() -> str:
    return f"authentik@{get_full_version()}"
-class TimeoutSession(Session):
+class DebugSession(Session):
    """Always set a default HTTP request timeout"""
    def __init__(self, default_timeout=None):
        super().__init__()
        self.timeout = default_timeout
    def send(
        self,
        request,
        *,
        stream=...,
        verify=...,
        proxies=...,
        cert=...,
        timeout=...,
        allow_redirects=...,
        **kwargs,
    ):
        if not timeout and self.timeout:
            timeout = self.timeout
        return super().send(
            request,
            stream=stream,
            verify=verify,
            proxies=proxies,
            cert=cert,
            timeout=timeout,
            allow_redirects=allow_redirects,
            **kwargs,
        )
 class DebugSession(TimeoutSession):
    """requests session which logs http requests and responses"""
    def send(self, req: PreparedRequest, *args, **kwargs):
@ -75,9 +42,8 @@ class DebugSession(TimeoutSession):
 def get_http_session() -> Session:
    """Get a requests session with common headers"""
-    session = TimeoutSession()
+    session = Session()
    if CONFIG.get_bool("debug") or CONFIG.get("log_level") == "trace":
        session = DebugSession()
    session.headers["User-Agent"] = authentik_user_agent()
    session.timeout = CONFIG.get_optional_int("http_timeout")
    return session
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -13,7 +13,6 @@ from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump
 from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH, SSHManagedExternallyException
@ -185,7 +184,7 @@ class DockerController(BaseController):
        try:
            self.client.images.pull(image)
        except DockerException:  # pragma: no cover
-            image = f"ghcr.io/goauthentik/{self.outpost.type}:{__version__}"
+            image = f"ghcr.io/goauthentik/{self.outpost.type}:latest"
            self.client.images.pull(image)
        return image
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -1,6 +1,5 @@
 """Base Kubernetes Reconciler"""
 import re
 from dataclasses import asdict
 from json import dumps
 from typing import TYPE_CHECKING, Generic, TypeVar
@ -68,8 +67,7 @@ class KubernetesObjectReconciler(Generic[T]):
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
-
+        return (
        base_name = (
            self.controller.outpost.config.object_naming_template
            % {
                "name": slugify(self.controller.outpost.name),
@ -77,16 +75,6 @@ class KubernetesObjectReconciler(Generic[T]):
            }
        ).lower()
        formatted = slugify(base_name)
        formatted = re.sub(r"[^a-z0-9-]", "-", formatted)
        formatted = re.sub(r"-+", "-", formatted)
        formatted = formatted[:63]
        if not formatted:
            formatted = f"outpost-{self.controller.outpost.uuid.hex}"[:63]
        return formatted
    def get_patched_reference_object(self) -> T:
        """Get patched reference object"""
        reference = self.get_reference_object()
@ -124,6 +112,7 @@ class KubernetesObjectReconciler(Generic[T]):
            try:
                current = self.retrieve()
            except (OpenApiException, HTTPError) as exc:
                if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
@ -167,6 +156,7 @@ class KubernetesObjectReconciler(Generic[T]):
            self.delete(current)
            self.logger.debug("Removing")
        except (OpenApiException, HTTPError) as exc:
            if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                self.logger.debug("Failed to get current, assuming non-existent")
                return
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -61,14 +61,9 @@ class KubernetesController(BaseController):
    client: KubernetesClient
    connection: KubernetesServiceConnection
-    def __init__(
+    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection) -> None:
        self,
        outpost: Outpost,
        connection: KubernetesServiceConnection,
        client: KubernetesClient | None = None,
    ) -> None:
        super().__init__(outpost, connection)
-        self.client = client if client else KubernetesClient(connection)
+        self.client = KubernetesClient(connection)
        self.reconcilers = {
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
--- a/authentik/outposts/tests/test_controller_k8s.py
+++ b/authentik/outposts/tests/test_controller_k8s.py
@ -1,44 +0,0 @@
 """Kubernetes controller tests"""
 from django.test import TestCase
 from authentik.blueprints.tests import reconcile_app
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
 class KubernetesControllerTests(TestCase):
    """Kubernetes controller tests"""
    @reconcile_app("authentik_outposts")
    def setUp(self) -> None:
        self.outpost = Outpost.objects.create(
            name="test",
            type=OutpostType.PROXY,
        )
        self.integration = KubernetesServiceConnection(name="test")
    def test_gen_name(self):
        """Ensure the generated name is valid"""
        controller = KubernetesController(
            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(),
            self.integration,
            # Pass something not-none as client so we don't
            # attempt to connect to K8s as that's not needed
            client=self,
        )
        rec = DeploymentReconciler(controller)
        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
        controller.outpost.name = generate_id()
        self.assertLess(len(rec.name), 64)
        # Test custom naming template
        _cfg = controller.outpost.config
        _cfg.object_naming_template = ""
        controller.outpost.config = _cfg
        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
        self.assertLess(len(rec.name), 64)
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@ -35,4 +35,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
    mountpoint = "policy/"
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -2,6 +2,7 @@
 from django.contrib.auth.signals import user_logged_in
 from django.db import transaction
 from django.db.models import F
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
@ -12,29 +13,20 @@ from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.policies.reputation.models import Reputation, reputation_expiry
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.identification.signals import identification_failed
 from authentik.tenants.utils import get_current_tenant
 LOGGER = get_logger()
 def clamp(value, min, max):
    return sorted([min, value, max])[1]
 def update_score(request: HttpRequest, identifier: str, amount: int):
    """Update score for IP and User"""
    remote_ip = ClientIPMiddleware.get_client_ip(request)
    tenant = get_current_tenant()
    new_score = clamp(amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit)
    with transaction.atomic():
        reputation, created = Reputation.objects.select_for_update().get_or_create(
            ip=remote_ip,
            identifier=identifier,
            defaults={
-                "score": clamp(
+                "score": amount,
                    amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit
                ),
                "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
                "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
                "expires": reputation_expiry(),
@ -42,15 +34,9 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
        )
        if not created:
-            new_score = clamp(
+            reputation.score = F("score") + amount
                reputation.score + amount,
                tenant.reputation_lower_limit,
                tenant.reputation_upper_limit,
            )
            reputation.score = new_score
            reputation.save()
-
+    LOGGER.info("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
    LOGGER.info("Updated score", amount=new_score, for_user=identifier, for_ip=remote_ip)
@receiver(login_failed)
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -6,11 +6,9 @@ from authentik.core.models import User
 from authentik.lib.generators import generate_id
 from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
 from authentik.policies.reputation.signals import update_score
 from authentik.policies.types import PolicyRequest
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import authenticate
 from authentik.tenants.models import DEFAULT_REPUTATION_LOWER_LIMIT, DEFAULT_REPUTATION_UPPER_LIMIT
 class TestReputationPolicy(TestCase):
@ -19,48 +17,36 @@ class TestReputationPolicy(TestCase):
    def setUp(self):
        self.request_factory = RequestFactory()
        self.request = self.request_factory.get("/")
-        self.ip = "127.0.0.1"
+        self.test_ip = "127.0.0.1"
-        self.username = "username"
+        self.test_username = "test"
        self.password = generate_id()
        # We need a user for the one-to-one in userreputation
-        self.user = User.objects.create(username=self.username)
+        self.user = User.objects.create(username=self.test_username)
        self.user.set_password(self.password)
        self.backends = [BACKEND_INBUILT]
    def test_ip_reputation(self):
        """test IP reputation"""
        # Trigger negative reputation
-        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        authenticate(
-        self.assertEqual(Reputation.objects.get(ip=self.ip).score, -1)
+            self.request, self.backends, username=self.test_username, password=self.test_username
        )
        self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
    def test_user_reputation(self):
        """test User reputation"""
        # Trigger negative reputation
-        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        authenticate(
-        self.assertEqual(Reputation.objects.get(identifier=self.username).score, -1)
+            self.request, self.backends, username=self.test_username, password=self.test_username
        )
        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
    def test_update_reputation(self):
        """test reputation update"""
-        Reputation.objects.create(identifier=self.username, ip=self.ip, score=4)
+        Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
        # Trigger negative reputation
-        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        authenticate(
-        self.assertEqual(Reputation.objects.get(identifier=self.username).score, 3)
+            self.request, self.backends, username=self.test_username, password=self.test_username
    def test_reputation_lower_limit(self):
        """test reputation lower limit"""
        Reputation.objects.create(identifier=self.username, ip=self.ip)
        update_score(self.request, identifier=self.username, amount=-1000)
        self.assertEqual(
            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_LOWER_LIMIT
        )
    def test_reputation_upper_limit(self):
        """test reputation upper limit"""
        Reputation.objects.create(identifier=self.username, ip=self.ip)
        update_score(self.request, identifier=self.username, amount=1000)
        self.assertEqual(
            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_UPPER_LIMIT
        )
        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)
    def test_policy(self):
        """Test Policy"""
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@ -1,89 +0,0 @@
 {% extends 'login/base_full.html' %}
 {% load static %}
 {% load i18n %}
 {% block head %}
 {{ block.super }}
 <script>
  let redirecting = false;
  const checkAuth = async () => {
    if (redirecting) return true;
    const url = "{{ check_auth_url }}";
    console.debug("authentik/policies/buffer: Checking authentication...");
    try {
      const result = await fetch(url, {
        method: "HEAD",
      });
      if (result.status >= 400) {
        return false
      }
      console.debug("authentik/policies/buffer: Continuing");
      redirecting = true;
      if ("{{ auth_req_method }}" === "post") {
        document.querySelector("form").submit();
      } else {
        window.location.assign("{{ continue_url|escapejs }}");
      }
    } catch {
      return false;
    }
  };
  let timeout = 100;
  let offset = 20;
  let attempt = 0;
  const main = async () => {
    attempt += 1;
    await checkAuth();
    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
    setTimeout(main, timeout);
    timeout += (offset * attempt);
    if (timeout >= 2000) {
      timeout = 2000;
    }
  }
  document.addEventListener("visibilitychange", async () => {
    if (document.hidden) return;
    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
    await checkAuth();
  });
  main();
 </script>
 {% endblock %}
 {% block title %}
 {% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
 {% endblock %}
 {% block card_title %}
 {% trans 'Waiting for authentication...' %}
 {% endblock %}
 {% block card %}
 <form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
  {% if auth_req_method == "post" %}
    {% for key, value in auth_req_body.items %}
      <input type="hidden" name="{{ key }}" value="{{ value }}" />
    {% endfor %}
  {% endif %}
  <div class="pf-c-empty-state">
    <div class="pf-c-empty-state__content">
      <div class="pf-c-empty-state__icon">
        <span class="pf-c-spinner pf-m-xl" role="progressbar">
          <span class="pf-c-spinner__clipper"></span>
          <span class="pf-c-spinner__lead-ball"></span>
          <span class="pf-c-spinner__tail-ball"></span>
        </span>
      </div>
      <h1 class="pf-c-title pf-m-lg">
        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
      </h1>
    </div>
  </div>
  <div class="pf-c-form__group pf-m-action">
    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
      {% trans "Authenticate in this tab" %}
    </a>
  </div>
 </form>
 {% endblock %}
--- a/authentik/policies/tests/test_views.py
+++ b/authentik/policies/tests/test_views.py
@ -1,121 +0,0 @@
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpResponse
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from authentik.core.models import Application, Provider
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.views import (
    QS_BUFFER_ID,
    SESSION_KEY_BUFFER,
    BufferedPolicyAccessView,
    BufferView,
    PolicyAccessView,
 )
 class TestPolicyViews(TestCase):
    """Test PolicyAccessView"""
    def setUp(self):
        super().setUp()
        self.factory = RequestFactory()
        self.user = create_test_user()
    def test_pav(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        class TestView(PolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = self.user
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertEqual(res.content, b"foo")
    def test_pav_buffer(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
    def test_pav_buffer_skip(self):
        """Test simple policy access view (skip buffer)"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/?skip_buffer=true")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
    def test_buffer(self):
        """Test buffer view"""
        uid = generate_id()
        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        ts = generate_id()
        req.session[SESSION_KEY_BUFFER % uid] = {
            "method": "get",
            "body": {},
            "url": f"/{ts}",
        }
        req.session.save()
        res = BufferView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertIn(ts, res.render().content.decode())
--- a/authentik/policies/urls.py
+++ b/authentik/policies/urls.py
@ -1,14 +1,7 @@
 """API URLs"""
 from django.urls import path
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.views import BufferView
 urlpatterns = [
    path("buffer", BufferView.as_view(), name="buffer"),
 ]
 api_urlpatterns = [
    ("policies/all", PolicyViewSet),
--- a/authentik/policies/views.py
+++ b/authentik/policies/views.py
@ -1,37 +1,23 @@
 """authentik access helper classes"""
 from typing import Any
 from uuid import uuid4
 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpRequest, HttpResponse, QueryDict
+from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils.translation import gettext as _
-from django.views.generic.base import TemplateView, View
+from django.views.generic.base import View
 from structlog.stdlib import get_logger
 from authentik.core.models import Application, Provider, User
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_POST
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import (
    SESSION_KEY_APPLICATION_PRE,
    SESSION_KEY_AUTH_STARTED,
    SESSION_KEY_PLAN,
    SESSION_KEY_POST,
 )
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyRequest, PolicyResult
 LOGGER = get_logger()
 QS_BUFFER_ID = "af_bf_id"
 QS_SKIP_BUFFER = "skip_buffer"
 SESSION_KEY_BUFFER = "authentik/policies/pav_buffer/%s"
 class RequestValidationError(SentryIgnoredException):
@ -139,65 +125,3 @@ class PolicyAccessView(AccessMixin, View):
            for message in result.messages:
                messages.error(self.request, _(message))
        return result
 def url_with_qs(url: str, **kwargs):
    """Update/set querystring of `url` with the parameters in `kwargs`. Original query string
    parameters are retained"""
    if "?" not in url:
        return url + f"?{urlencode(kwargs)}"
    url, _, qs = url.partition("?")
    qs = QueryDict(qs, mutable=True)
    qs.update(kwargs)
    return url + f"?{urlencode(qs.items())}"
 class BufferView(TemplateView):
    """Buffer view"""
    template_name = "policies/buffer.html"
    def get_context_data(self, **kwargs):
        buf_id = self.request.GET.get(QS_BUFFER_ID)
        buffer: dict = self.request.session.get(SESSION_KEY_BUFFER % buf_id)
        kwargs["auth_req_method"] = buffer["method"]
        kwargs["auth_req_body"] = buffer["body"]
        kwargs["auth_req_url"] = url_with_qs(buffer["url"], **{QS_SKIP_BUFFER: True})
        kwargs["check_auth_url"] = reverse("authentik_api:user-me")
        kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
        return super().get_context_data(**kwargs)
 class BufferedPolicyAccessView(PolicyAccessView):
    """PolicyAccessView which buffers access requests in case the user is not logged in"""
    def handle_no_permission(self):
        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
        authenticating = self.request.session.get(SESSION_KEY_AUTH_STARTED)
        if plan:
            flow = Flow.objects.filter(pk=plan.flow_pk).first()
            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
                return super().handle_no_permission()
        if not plan and authenticating is None:
            LOGGER.debug("Not buffering request, no flow plan active")
            return super().handle_no_permission()
        if self.request.GET.get(QS_SKIP_BUFFER):
            LOGGER.debug("Not buffering request, explicit skip")
            return super().handle_no_permission()
        buffer_id = str(uuid4())
        LOGGER.debug("Buffering access request", bf_id=buffer_id)
        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
            "body": self.request.POST,
            "url": self.request.build_absolute_uri(self.request.get_full_path()),
            "method": self.request.method.lower(),
        }
        return redirect(
            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
        )
    def dispatch(self, request, *args, **kwargs):
        response = super().dispatch(request, *args, **kwargs)
        if QS_BUFFER_ID in self.request.GET:
            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
        return response
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -126,7 +126,7 @@ class IDToken:
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        if token.session:
-            id_token.sid = hash_session_key(token.session.session.session_key)
+            id_token.sid = hash_session_key(token.session.session_key)
        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
        auth_event = get_login_event(token.session)
--- a/authentik/providers/oauth2/migrations/0028_migrate_session.py
+++ b/authentik/providers/oauth2/migrations/0028_migrate_session.py
@ -1,116 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 13:00
 from django.db import migrations
 import django.db.models.deletion
 from django.db import migrations, models
 from functools import partial
 def migrate_sessions(apps, schema_editor, model):
    Model = apps.get_model("authentik_providers_oauth2", model)
    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
    db_alias = schema_editor.connection.alias
    for obj in Model.objects.using(db_alias).all():
        if not obj.old_session:
            continue
        obj.session = (
            AuthenticatedSession.objects.using(db_alias)
            .filter(session__session_key=obj.old_session.session_key)
            .first()
        )
        if obj.session:
            obj.save()
        else:
            obj.delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
        ("authentik_core", "0046_session_and_more"),
    ]
    operations = [
        migrations.RenameField(
            model_name="accesstoken",
            old_name="session",
            new_name="old_session",
        ),
        migrations.RenameField(
            model_name="authorizationcode",
            old_name="session",
            new_name="old_session",
        ),
        migrations.RenameField(
            model_name="devicetoken",
            old_name="session",
            new_name="old_session",
        ),
        migrations.RenameField(
            model_name="refreshtoken",
            old_name="session",
            new_name="old_session",
        ),
        migrations.AddField(
            model_name="accesstoken",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.AddField(
            model_name="authorizationcode",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.AddField(
            model_name="devicetoken",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.AddField(
            model_name="refreshtoken",
            name="session",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.RunPython(code=partial(migrate_sessions, model="AccessToken")),
        migrations.RunPython(code=partial(migrate_sessions, model="AuthorizationCode")),
        migrations.RunPython(code=partial(migrate_sessions, model="DeviceToken")),
        migrations.RunPython(code=partial(migrate_sessions, model="RefreshToken")),
        migrations.RemoveField(
            model_name="accesstoken",
            name="old_session",
        ),
        migrations.RemoveField(
            model_name="authorizationcode",
            name="old_session",
        ),
        migrations.RemoveField(
            model_name="devicetoken",
            name="old_session",
        ),
        migrations.RemoveField(
            model_name="refreshtoken",
            name="old_session",
        ),
    ]
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,30 +1,18 @@
 from django.contrib.auth.signals import user_logged_out
-from django.db.models.signals import post_save, pre_delete
+from django.db.models.signals import post_save
 from django.dispatch import receiver
 from django.http import HttpRequest
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken
@receiver(user_logged_out)
-def user_logged_out_oauth_tokens_removal(sender, request: HttpRequest, user: User, **_):
+def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
-    """Revoke tokens upon user logout"""
+    """Revoke access tokens upon user logout"""
    if not request.session or not request.session.session_key:
        return
-    AccessToken.objects.filter(
+    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
        user=user,
        session__session__session_key=request.session.session_key,
    ).delete()
@receiver(pre_delete, sender=AuthenticatedSession)
 def user_session_deleted_oauth_tokens_removal(sender, instance: AuthenticatedSession, **_):
    """Revoke tokens upon user logout"""
    AccessToken.objects.filter(
        user=instance.user,
        session__session__session_key=instance.session.session_key,
    ).delete()
@receiver(post_save, sender=User)
@ -32,6 +20,6 @@ def user_deactivated(sender, instance: User, **_):
    """Remove user tokens when deactivated"""
    if instance.is_active:
        return
-    AccessToken.objects.filter(user=instance).delete()
+    AccessToken.objects.filter(session__user=instance).delete()
-    RefreshToken.objects.filter(user=instance).delete()
+    RefreshToken.objects.filter(session__user=instance).delete()
-    DeviceToken.objects.filter(user=instance).delete()
+    DeviceToken.objects.filter(session__user=instance).delete()
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -7,13 +7,12 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
-from authentik.core.models import Application, AuthenticatedSession, Session
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
    AccessToken,
    ClientTypes,
    DeviceToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
@ -21,7 +20,6 @@ from authentik.providers.oauth2.models import (
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 from authentik.root.middleware import ClientIPMiddleware
 class TesOAuth2Revoke(OAuthTestCase):
@ -137,86 +135,3 @@ class TesOAuth2Revoke(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
    def test_revoke_logout(self):
        """Test revoke on logout"""
        self.client.force_login(self.user)
        AccessToken.objects.create(
            provider=self.provider,
            user=self.user,
            session=self.client.session["authenticatedsession"],
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        self.client.logout()
        self.assertEqual(AccessToken.objects.all().count(), 0)
    def test_revoke_session_delete(self):
        """Test revoke on logout"""
        session = AuthenticatedSession.objects.create(
            session=Session.objects.create(
                session_key=generate_id(),
                last_ip=ClientIPMiddleware.default_ip,
            ),
            user=self.user,
        )
        AccessToken.objects.create(
            provider=self.provider,
            user=self.user,
            session=session,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        session.delete()
        self.assertEqual(AccessToken.objects.all().count(), 0)
    def test_revoke_user_deactivated(self):
        """Test revoke on logout"""
        AccessToken.objects.create(
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        RefreshToken.objects.create(
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        DeviceToken.objects.create(
            provider=self.provider,
            user=self.user,
            _scope="openid user profile",
        )
        self.user.is_active = False
        self.user.save()
        self.assertEqual(AccessToken.objects.all().count(), 0)
        self.assertEqual(RefreshToken.objects.all().count(), 0)
        self.assertEqual(DeviceToken.objects.all().count(), 0)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -15,7 +15,7 @@ from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
-from authentik.core.models import Application
+from authentik.core.models import Application, AuthenticatedSession
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
 from authentik.flows.challenge import (
@ -30,7 +30,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
+from authentik.policies.views import PolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.constants import (
    PKCE_METHOD_PLAIN,
    PKCE_METHOD_S256,
@ -254,10 +254,10 @@ class OAuthAuthorizationParams:
            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
        if SCOPE_OFFLINE_ACCESS in self.scope:
            # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-            # Don't explicitly request consent with offline_access, as the spec allows for
+            if PROMPT_CONSENT not in self.prompt:
-            # "other conditions for processing the request permitting offline access to the
+                # Instead of ignoring the `offline_access` scope when `prompt`
-            # requested resources are in place"
+                # isn't set to `consent`, we set override it ourselves
-            # which we interpret as "the admin picks an authorization flow with or without consent"
+                self.prompt.add(PROMPT_CONSENT)
            if self.response_type not in [
                ResponseTypes.CODE,
                ResponseTypes.CODE_TOKEN,
@ -316,7 +316,9 @@ class OAuthAuthorizationParams:
            expires=now + timedelta_from_string(self.provider.access_code_validity),
            scope=self.scope,
            nonce=self.nonce,
-            session=request.session["authenticatedsession"],
+            session=AuthenticatedSession.objects.filter(
                session_key=request.session.session_key
            ).first(),
        )
        if self.code_challenge and self.code_challenge_method:
@ -326,7 +328,7 @@ class OAuthAuthorizationParams:
        return code
-class AuthorizationFlowInitView(BufferedPolicyAccessView):
+class AuthorizationFlowInitView(PolicyAccessView):
    """OAuth2 Flow initializer, checks access to application and starts flow"""
    params: OAuthAuthorizationParams
@ -613,7 +615,9 @@ class OAuthFulfillmentStage(StageView):
            expires=access_token_expiry,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
-            session=self.request.session["authenticatedsession"],
+            session=AuthenticatedSession.objects.filter(
                session_key=self.request.session.session_key
            ).first(),
        )
        id_token = IDToken.new(self.provider, token, self.request)
--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -20,4 +20,4 @@ def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.delay(instance.session.session_key)
+    proxy_on_logout.delay(instance.session_key)
--- a/authentik/providers/rac/apps.py
+++ b/authentik/providers/rac/apps.py
@ -1,9 +1,9 @@
 """RAC app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikProviderRAC(ManagedAppConfig):
+class AuthentikProviderRAC(AppConfig):
    """authentik rac app config"""
    name = "authentik.providers.rac"
--- a/authentik/providers/rac/migrations/0007_migrate_session.py
+++ b/authentik/providers/rac/migrations/0007_migrate_session.py
@ -1,60 +0,0 @@
 # Generated by Django 5.0.11 on 2025-01-27 12:59
 from django.db import migrations
 import django.db.models.deletion
 from django.db import migrations, models
 def migrate_sessions(apps, schema_editor):
    ConnectionToken = apps.get_model("authentik_providers_rac", "ConnectionToken")
    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
    db_alias = schema_editor.connection.alias
    for token in ConnectionToken.objects.using(db_alias).all():
        token.session = (
            AuthenticatedSession.objects.using(db_alias)
            .filter(session_key=token.old_session.session_key)
            .first()
        )
        if token.session:
            token.save()
        else:
            token.delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
        ("authentik_core", "0046_session_and_more"),
    ]
    operations = [
        migrations.RenameField(
            model_name="connectiontoken",
            old_name="session",
            new_name="old_session",
        ),
        migrations.AddField(
            model_name="connectiontoken",
            name="session",
            field=models.ForeignKey(
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.RunPython(code=migrate_sessions),
        migrations.AlterField(
            model_name="connectiontoken",
            name="session",
            field=models.ForeignKey(
                on_delete=django.db.models.deletion.CASCADE,
                to="authentik_core.authenticatedsession",
            ),
        ),
        migrations.RemoveField(
            model_name="connectiontoken",
            name="old_session",
        ),
    ]
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -4,11 +4,12 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
-from django.db.models.signals import post_delete, post_save, pre_delete
+from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
 from authentik.providers.rac.consumer_client import (
    RAC_CLIENT_GROUP_SESSION,
@ -32,18 +33,6 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    )
@receiver(pre_delete, sender=AuthenticatedSession)
 def user_session_deleted(sender, instance: AuthenticatedSession, **_):
    layer = get_channel_layer()
    async_to_sync(layer.group_send)(
        RAC_CLIENT_GROUP_SESSION
        % {
            "session": instance.session.session_key,
        },
        {"type": "event.disconnect", "reason": "session_logout"},
    )
@receiver(pre_delete, sender=ConnectionToken)
 def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **_):
    """Disconnect session when connection token is deleted"""
@ -57,8 +46,12 @@ def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **
    )
-@receiver([post_save, post_delete], sender=Endpoint)
+@receiver(post_save, sender=Endpoint)
-def post_save_post_delete_endpoint(**_):
+def post_save_endpoint(sender: type[Model], instance, created: bool, **_):
-    """Clear user's endpoint cache upon endpoint creation or deletion"""
+    """Clear user's endpoint cache upon endpoint creation"""
    if not created:  # pragma: no cover
        return
    # Delete user endpoint cache
    keys = cache.keys(user_endpoint_cache_key("*"))
    cache.delete_many(keys)
--- a/authentik/providers/rac/tests/test_models.py
+++ b/authentik/providers/rac/tests/test_models.py
@ -2,7 +2,7 @@
 from django.test import TransactionTestCase
-from authentik.core.models import Application, AuthenticatedSession, Session
+from authentik.core.models import Application, AuthenticatedSession
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.providers.rac.models import (
@ -36,15 +36,13 @@ class TestModels(TransactionTestCase):
    def test_settings_merge(self):
        """Test settings merge"""
        session = Session.objects.create(
            session_key=generate_id(),
            last_ip="255.255.255.255",
        )
        auth_session = AuthenticatedSession.objects.create(session=session, user=self.user)
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            session=auth_session,
+            session=AuthenticatedSession.objects.create(
                user=self.user,
                session_key=generate_id(),
            ),
        )
        path = f"/tmp/connection/{token.token}"  # nosec
        self.assertEqual(
--- a/authentik/providers/rac/urls.py
+++ b/authentik/providers/rac/urls.py
@ -1,5 +1,7 @@
 """rac urls"""
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
 from authentik.outposts.channels import TokenOutpostMiddleware
@ -10,7 +12,7 @@ from authentik.providers.rac.api.providers import RACProviderViewSet
 from authentik.providers.rac.consumer_client import RACClientConsumer
 from authentik.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.providers.rac.views import RACInterface, RACStartView
-from authentik.root.asgi_middleware import AuthMiddlewareStack
+from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
@ -29,7 +31,9 @@ urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/rac/<str:token>/",
-        ChannelsLoggingMiddleware(AuthMiddlewareStack(RACClientConsumer.as_asgi())),
+        ChannelsLoggingMiddleware(
            CookieMiddleware(SessionMiddleware(AuthMiddleware(RACClientConsumer.as_asgi())))
        ),
    ),
    path(
        "ws/outpost_rac/<str:channel>/",
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -8,7 +8,7 @@ from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from authentik.core.models import Application
+from authentik.core.models import Application, AuthenticatedSession
 from authentik.core.views.interface import InterfaceView
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import RedirectChallenge
@ -18,11 +18,11 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
-class RACStartView(BufferedPolicyAccessView):
+class RACStartView(PolicyAccessView):
    """Start a RAC connection by checking access and creating a connection token"""
    endpoint: Endpoint
@ -113,7 +113,9 @@ class RACFinalStage(RedirectStage):
            provider=self.provider,
            endpoint=self.endpoint,
            settings=self.executor.plan.context.get("connection_settings", {}),
-            session=self.request.session["authenticatedsession"],
+            session=AuthenticatedSession.objects.filter(
                session_key=self.request.session.session_key
            ).first(),
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
        )
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -180,7 +180,6 @@ class SAMLProviderSerializer(ProviderSerializer):
            "session_valid_not_on_or_after",
            "property_mappings",
            "name_id_mapping",
            "authn_context_class_ref_mapping",
            "digest_algorithm",
            "signature_algorithm",
            "signing_kp",
--- a/authentik/providers/saml/migrations/0017_samlprovider_authn_context_class_ref_mapping.py
+++ b/authentik/providers/saml/migrations/0017_samlprovider_authn_context_class_ref_mapping.py
@ -1,28 +0,0 @@
 # Generated by Django 5.0.13 on 2025-03-18 17:41
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_saml", "0016_samlprovider_encryption_kp_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="samlprovider",
            name="authn_context_class_ref_mapping",
            field=models.ForeignKey(
                blank=True,
                default=None,
                help_text="Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="+",
                to="authentik_providers_saml.samlpropertymapping",
                verbose_name="AuthnContextClassRef Property Mapping",
            ),
        ),
    ]
--- a/authentik/providers/saml/migrations/0018_alter_samlprovider_acs_url.py
+++ b/authentik/providers/saml/migrations/0018_alter_samlprovider_acs_url.py
@ -1,22 +0,0 @@
 # Generated by Django 5.0.13 on 2025-03-31 13:50
 import authentik.lib.models
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_saml", "0017_samlprovider_authn_context_class_ref_mapping"),
    ]
    operations = [
        migrations.AlterField(
            model_name="samlprovider",
            name="acs_url",
            field=models.TextField(
                validators=[authentik.lib.models.DomainlessURLValidator(schemes=("http", "https"))],
                verbose_name="ACS URL",
            ),
        ),
    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 from authentik.core.api.object_types import CreatableType
 from authentik.core.models import PropertyMapping, Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
@ -41,9 +40,7 @@ class SAMLBindings(models.TextChoices):
 class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML."""
-    acs_url = models.TextField(
+    acs_url = models.URLField(verbose_name=_("ACS URL"))
        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
    )
    audience = models.TextField(
        default="",
        blank=True,
@ -74,20 +71,6 @@ class SAMLProvider(Provider):
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
    authn_context_class_ref_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("AuthnContextClassRef Property Mapping"),
        related_name="+",
        help_text=_(
            "Configure how the AuthnContextClassRef value will be created. When left empty, "
            "the AuthnContextClassRef will be set based on which authentication methods the user "
            "used to authenticate."
        ),
    )
    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
@ -187,6 +170,7 @@ class SAMLProvider(Provider):
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL"""
        try:
            return reverse(
                "authentik_providers_saml:sso-init",
                kwargs={"application_slug": self.application.slug},
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	ab42a62916	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 19:23:34 +01:00
Marc 'risson' Schmitt	ef8d2bdd40	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 16:24:55 +01:00
Marc 'risson' Schmitt	32f4e08eac	writting down thoughts Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 14:04:21 +01:00