core: bump boto3 from 1.38.11 to v1.38.12

* web/flows/sfe: add initial loading spinner

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix brand-level default flow background not working with SFE and loading original image with full flow interface

https://github.com/goauthentik/authentik/pull/13079#issuecomment-2853357407
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
         with:
           version: latest
           args: --timeout 5000s --verbose

Dockerfile

@@ -85,18 +85,17 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
-ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
     mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

README.md

@@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 
 ## Adoption and Contributions
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).

authentik/api/schema.py

@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
     return component
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     """Workaround to set a default response for endpoints.
     Workaround suggested at
     <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>

authentik/blueprints/v1/common.py

@@ -164,9 +164,7 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
+    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
         """Get permissions of this entry, with all yaml tags resolved"""
         for perm in self.permissions:
             yield BlueprintEntryPermission(

authentik/events/logs.py

@@ -57,7 +57,7 @@ class LogEventSerializer(PassiveSerializer):
 
 
 @contextmanager
-def capture_logs(log_default_output=True) -> Generator[list[LogEvent], None, None]:
+def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
     """Capture log entries created"""
     logs = []
     cap = LogCapture()

authentik/flows/templates/if/flow-sfe.html

@@ -15,6 +15,7 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
         <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        <link rel="prefetch" href="{{ flow_background_url }}" />
         {% include "base/header_js.html" %}
         <style>
           html,
@@ -22,7 +23,7 @@
             height: 100%;
           }
           body {
-            background-image: url("{{ flow.background_url }}");
+            background-image: url("{{ flow_background_url }}");
             background-repeat: no-repeat;
             background-size: cover;
           }

authentik/flows/templates/if/flow.html

@@ -5,7 +5,7 @@
 
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
+<link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
@@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow.background_url }}");
+    --ak-flow-background: url("{{ flow_background_url }}");
 }
 </style>
 {% endblock %}

authentik/flows/views/interface.py

@@ -13,7 +13,9 @@ class FlowInterfaceView(InterfaceView):
     """Flow interface"""
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = flow
+        kwargs["flow_background_url"] = flow.background_url(self.request)
         kwargs["inspector"] = "inspector" in self.request.GET
         return super().get_context_data(**kwargs)
 

authentik/lib/sync/mapper.py

@@ -59,7 +59,7 @@ class PropertyMappingManager:
         request: HttpRequest | None,
         return_mapping: bool = False,
         **kwargs,
-    ) -> Generator[tuple[dict, PropertyMapping], None]:
+    ) -> Generator[tuple[dict, PropertyMapping]]:
         """Iterate over all mappings that were pre-compiled and
         execute all of them with the given context"""
         if not self.__has_compiled:

authentik/providers/scim/clients/groups.py

@@ -199,7 +199,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
             chunk_size = len(ops)
         if len(ops) < 1:
             return
-        for chunk in batched(ops, chunk_size):
+        for chunk in batched(ops, chunk_size, strict=False):
             req = PatchRequest(Operations=list(chunk))
             self._request(
                 "PATCH",

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
-	github.com/pires/go-proxyproto v0.8.0
+	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.8.0
 	github.com/sethvargo/go-envconfig v1.3.0
@@ -29,8 +29,8 @@ require (
 	github.com/wwt/guac v1.3.2
 	goauthentik.io/api/v3 v3.2025040.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.29.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -75,7 +75,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -230,8 +230,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
-github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
-github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -358,16 +358,16 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -376,8 +376,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -412,8 +412,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

ldap.Dockerfile

@@ -56,6 +56,7 @@ EXPOSE 3389 6636 9300
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/ldap"]

lifecycle/ak

@@ -97,6 +97,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
     run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
+    shift
     exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
     exec sleep infinity

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1013.0",
+                "aws-cdk": "^2.1014.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1013.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1013.0.tgz",
-            "integrity": "sha512-cbq4cOoEIZueMWenGgfI4RujS+AQ9GaMCTlW/3CnvEIhMD8j/tgZx7PTtgMuvwYrRoEeb/wTxgLPgUd5FhsoHA==",
+            "version": "2.1014.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1014.0.tgz",
+            "integrity": "sha512-es101rtRAClix9BncNL54iW90MiOyRv4iCC5tv/firGDnidS6pPinuK0IIFt0RO6w0+3heRxWBXg8HY+f9877w==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1013.0",
+        "aws-cdk": "^2.1014.0",
         "cross-env": "^7.0.3"
     }
 }

packages/docusaurus-config/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.6",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.5",
+            "version": "1.0.6",
             "license": "MIT",
             "dependencies": {
                 "deepmerge-ts": "^7.1.5",

packages/docusaurus-config/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.6",
     "description": "authentik's Docusaurus config",
     "license": "MIT",
     "scripts": {

proxy.Dockerfile

@@ -76,6 +76,7 @@ EXPOSE 9000 9300 9443
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/proxy"]

pyproject.toml

@@ -3,7 +3,7 @@ name = "authentik"
 version = "2025.4.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
-requires-python = "==3.12.*"
+requires-python = "==3.13.*"
 dependencies = [
     "argon2-cffi",
     "celery",
@@ -52,7 +52,7 @@ dependencies = [
     "pydantic-scim",
     "pyjwt",
     "pyrad",
-    "python-kadmin-rs ==0.6.0",
+    "python-kadmin-rs",
     "pyyaml",
     "requests-oauthlib",
     "scim2-filter-parser",
@@ -70,7 +70,7 @@ dependencies = [
     "watchdog",
     "webauthn",
     "wsproto",
-    "xmlsec <= 1.3.14",
+    "xmlsec",
     "zxcvbn",
 ]
 
@@ -101,6 +101,18 @@ dev = [
     "selenium",
 ]
 
+[tool.uv]
+no-binary-package = [
+    # This differs from the no-binary packages in the Dockerfile. This is due to the fact
+    # that these packages are built from source for different reasons than cryptography and kadmin.
+    # These packages are built from source to link against the libxml2 on the system which is
+    # required for functionality and to stay up-to-date on both libraries.
+    # The other packages specified in the dockerfile are compiled from source to link against the
+    # correct FIPS OpenSSL libraries
+    "lxml",
+    "xmlsec",
+]
+
 [tool.uv.sources]
 django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch = "authentik-fixes" }
 opencontainers = { git = "https://github.com/BeryJu/oci-python", rev = "c791b19056769cd67957322806809ab70f5bead8" }
@@ -143,12 +155,12 @@ ignore-words = ".github/codespell-words.txt"
 
 [tool.black]
 line-length = 100
-target-version = ['py312']
+target-version = ['py313']
 exclude = 'node_modules'
 
 [tool.ruff]
 line-length = 100
-target-version = "py312"
+target-version = "py313"
 exclude = ["**/migrations/**", "**/node_modules/**"]
 
 [tool.ruff.lint]

rac.Dockerfile

@@ -56,6 +56,7 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/rac"]

radius.Dockerfile

@@ -56,6 +56,7 @@ EXPOSE 1812/udp 9300
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/radius"]

tests/e2e/docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   chrome:
-    image: docker.io/selenium/standalone-chrome:122.0
+    image: docker.io/selenium/standalone-chrome:136.0
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host
     restart: always
   mailpit:
-    image: docker.io/axllent/mailpit:v1.6.5
+    image: docker.io/axllent/mailpit:v1.24.2
     ports:
       - 1025:1025
       - 8025:8025

tests/e2e/utils.py

@@ -26,6 +26,7 @@ from selenium import webdriver
 from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.remote.command import Command
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support.wait import WebDriverWait
@@ -197,7 +198,12 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
         super().tearDown()
         if IS_CI:
             print("::group::Browser logs")
-        for line in self.driver.get_log("browser"):
+        # Very verbose way to get browser logs
+        # https://github.com/SeleniumHQ/selenium/pull/15641
+        # for some reason this removes the `get_log` API from Remote Webdriver
+        # and only keeps it on the local Chrome web driver, even when using
+        # a remote chrome driver...? (nvm the fact this was released as a minor version)
+        for line in self.driver.execute(Command.GET_LOG, {"type": "browser"})["value"]:
             print(line["message"])
         if IS_CI:
             print("::endgroup::")

web/package-lock.json

@@ -9472,9 +9472,9 @@
             }
         },
         "node_modules/caniuse-lite": {
-            "version": "1.0.30001667",
-            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001667.tgz",
-            "integrity": "sha512-7LTwJjcRkzKFmtqGsibMeuXmvFDfZq/nzIjnmgCGzKKRVzjD72selLDK1oPF/Oxzmt4fNcPvTDvGqSDG4tCALw==",
+            "version": "1.0.30001716",
+            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001716.tgz",
+            "integrity": "sha512-49/c1+x3Kwz7ZIWt+4DvK3aMJy9oYXXG6/97JKsnjdCk/6n9vVyWL8NAwVt95Lwt9eigI10Hl782kDfZUUlRXw==",
             "dev": true,
             "funding": [
                 {
@@ -9489,7 +9489,8 @@
                     "type": "github",
                     "url": "https://github.com/sponsors/ai"
                 }
-            ]
+            ],
+            "license": "CC-BY-4.0"
         },
         "node_modules/ccount": {
             "version": "2.0.1",

web/packages/sfe/src/index.ts

@@ -47,7 +47,16 @@ class SimpleFlowExecutor {
         return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
     }
 
+    loading() {
+        this.container.innerHTML = `<div class="d-flex justify-content-center">
+            <div class="spinner-border spinner-border-md" role="status">
+                <span class="sr-only">Loading...</span>
+            </div>
+        </div>`;
+    }
+
     start() {
+        this.loading();
         $.ajax({
             type: "GET",
             url: this.apiURL,

web/src/admin/applications/ApplicationViewPage.ts

@@ -113,8 +113,7 @@ export class ApplicationViewPage extends AKElement {
 
     renderApp(): TemplateResult {
         if (!this.application) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<ak-tabs>
             ${this.missingOutpost

web/src/admin/providers/ProviderViewPage.ts

@@ -42,7 +42,7 @@ export class ProviderViewPage extends AKElement {
 
     renderProvider(): TemplateResult {
         if (!this.provider) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
         }
         switch (this.provider?.component) {
             case "ak-provider-saml-form":

web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts

@@ -432,7 +432,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                 <div class="pf-c-card__body">
                     ${this.preview
                         ? html`<pre>${JSON.stringify(this.preview?.preview, null, 4)}</pre>`
-                        : html` <ak-empty-state ?loading=${true}></ak-empty-state> `}
+                        : html` <ak-empty-state loading></ak-empty-state> `}
                 </div>
             </div>
         </div>`;

web/src/admin/providers/saml/SAMLProviderViewPage.ts

@@ -502,7 +502,7 @@ export class SAMLProviderViewPage extends AKElement {
 
     renderTabPreview(): TemplateResult {
         if (!this.preview) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return html` <div
             class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"

web/src/admin/sources/SourceViewPage.ts

@@ -34,7 +34,7 @@ export class SourceViewPage extends AKElement {
 
     renderSource(): TemplateResult {
         if (!this.source) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
         }
         switch (this.source?.component) {
             case "ak-source-kerberos-form":

web/src/elements/Diagram.ts

@@ -83,7 +83,7 @@ export class Diagram extends AKElement {
             }
         });
         if (!this.diagram) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return html`${until(
             mermaid.render("graph", this.diagram).then((r) => {

web/src/elements/charts/Chart.ts

@@ -230,9 +230,7 @@ export abstract class AKChart<T> extends AKElement {
                               <p slot="body">${pluckErrorDetail(this.error)}</p>
                           </ak-empty-state>
                       `
-                    : html`${this.chart
-                          ? html``
-                          : html`<ak-empty-state ?loading="${true}"></ak-empty-state>`}`}
+                    : html`${this.chart ? html`` : html`<ak-empty-state loading></ak-empty-state>`}`}
                 ${this.centerText ? html` <span>${this.centerText}</span> ` : html``}
                 <canvas style="${this.chart === undefined ? "display: none;" : ""}"></canvas>
             </div>

web/src/elements/forms/ModelForm.ts

@@ -71,7 +71,7 @@ export abstract class ModelForm<T, PKT extends string | number> extends Form<T>
 
     renderVisible(): TemplateResult {
         if ((this._instancePk && !this.instance) || !this._initialDataLoad) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return super.renderVisible();
     }

web/src/elements/router/Route.ts

@@ -51,7 +51,7 @@ export class Route {
         if (this.callback) {
             return html`${until(
                 this.callback(args),
-                html`<ak-empty-state ?loading=${true}></ak-empty-state>`,
+                html`<ak-empty-state loading></ak-empty-state>`,
             )}`;
         }
         if (this.element) {

web/src/elements/sync/SyncStatusCard.ts

@@ -121,7 +121,7 @@ export class SyncStatusCard extends AKElement {
 
     renderSyncStatus(): TemplateResult {
         if (this.loading) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         if (!this.syncState) {
             return html`${msg("No sync status.")}`;

web/src/elements/tests/EmptyState.test.ts

@@ -19,7 +19,7 @@ describe("ak-empty-state", () => {
     });
 
     it("should render the default loader", async () => {
-        render(html`<ak-empty-state ?loading=${true} header=${msg("Loading")}> </ak-empty-state>`);
+        render(html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`);
 
         const empty = await $("ak-empty-state").$(">>>.pf-c-empty-state__icon");
         await expect(empty).toExist();

web/src/elements/user/sources/SourceSettings.ts

@@ -139,8 +139,7 @@ export class UserSourceSettingsPage extends AKElement {
                                 })}
                             `}
                   `
-                : html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-                  </ak-empty-state>`}
+                : html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`}
         </ul>`;
     }
 }

web/src/flow/providers/SessionEnd.ts

@@ -24,8 +24,7 @@ export class SessionEnd extends BaseStage<SessionEndChallenge, unknown> {
 
     render(): TemplateResult {
         if (!this.challenge) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">${this.challenge.flowInfo?.title}</h1>

web/src/user/LibraryPage/ak-library.ts

@@ -102,7 +102,7 @@ export class LibraryPage extends AKElement {
     }
 
     loading() {
-        return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}> </ak-empty-state>`;
+        return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
     }
 
     running() {

web/src/user/user-settings/details/UserSettingsFlowExecutor.ts

@@ -173,8 +173,7 @@ export class UserSettingsFlowExecutor
                     level: MessageLevel.success,
                     message: msg("Successfully updated details"),
                 });
-                return html`<ak-empty-state ?loading=${true} header=${msg("Loading")}>
-                </ak-empty-state>`;
+                return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
             default:
                 console.debug(
                     `authentik/user/flows: unsupported stage type ${this.challenge.component}`,
@@ -195,8 +194,7 @@ export class UserSettingsFlowExecutor
             return html`<p>${msg("No settings flow configured.")}</p> `;
         }
         if (!this.challenge || this.loading) {
-            return html`<ak-empty-state ?loading=${true} header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html` ${this.renderChallenge()} `;
     }

web/src/user/user-settings/details/stages/prompt/PromptStage.ts

@@ -64,8 +64,7 @@ export class UserSettingsPromptStage extends PromptStage {
 
     render(): TemplateResult {
         if (!this.challenge) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<div class="pf-c-login__main-body">
                 <form

web/xliff/de.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Willkommen,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9171,6 +9171,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -493,7 +493,7 @@
         <target>General system status</target>
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Welcome,
         <x id="0" equiv-text="${name}"/>.</target>
       </trans-unit>
@@ -7694,6 +7694,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Bienvenido,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9253,6 +9253,9 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Bienvenue,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9805,6 +9805,9 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>Nombre d'anciens mots de passe à vérifier</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Benvenuto,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9779,6 +9779,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -597,7 +597,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         
       </trans-unit>
       <trans-unit id="sc381422c585b867f">
@@ -9161,6 +9161,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -605,7 +605,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Welkom,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9063,6 +9063,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Witaj,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9488,6 +9488,9 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -603,7 +603,7 @@
 
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
   <target>Ŵēĺćōḿē, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</target>
 
       </trans-unit>
@@ -9496,4 +9496,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
 </trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Добро пожаловать,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9581,6 +9581,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -602,7 +602,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Hoş geldiniz, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</target>
         
       </trans-unit>
@@ -9551,6 +9551,9 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -399,7 +399,7 @@
   <source>General system status</source>
 </trans-unit>
 <trans-unit id="s6dfd15978586d05f">
-  <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+  <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
 </trans-unit>
 <trans-unit id="sc381422c585b867f">
   <source>Quick actions</source>
@@ -6302,6 +6302,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
 </trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
         
@@ -9806,6 +9806,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>检查历史密码数量</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+  <target>切换侧边栏</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -485,7 +485,7 @@
         <target>常规系统状态</target>
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
       </trans-unit>
@@ -7394,6 +7394,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
         
@@ -9806,6 +9806,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>检查历史密码数量</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+  <target>切换侧边栏</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -596,7 +596,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         
       </trans-unit>
       <trans-unit id="sc381422c585b867f">
@@ -9138,6 +9138,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

website/.gitignore

@@ -3,6 +3,7 @@
 
 # Production
 /build
+/out
 /help
 
 # Generated files
@@ -25,4 +26,5 @@ yarn-error.log*
 
 static/docker-compose.yml
 static/schema.yml
+static/releases.gen.json
 docs/developer-docs/api/reference/**

website/.prettierignore

@@ -1,5 +1,6 @@
 # Ignore artifacts:
 build
+out
 coverage
 .docusaurus
 node_modules

website/.prettierrc.json

@@ -1 +0,0 @@
-{}

website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md

@@ -1,9 +1,8 @@
 ---
 title: Email Authenticator Setup stage
+authentik_version: "2025.2"
 ---
 
-<span class="badge badge--version">authentik 2025.2+</span>
-
 This stage configures an email-based authenticator that sends a one-time code to a user's email address for authentication.
 
 When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel.

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx

@@ -2,8 +2,6 @@
 title: WebAuthn / Passkeys Authenticator setup stage
 ---
 
-<span class="badge badge--version">authentik 2021.3.1+</span>
-
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
 
 ### Options

website/docs/add-secure-apps/flows-stages/stages/email/index.mdx

@@ -29,8 +29,8 @@ You can also use custom email templates, to use your own design or layout.
 Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
 :::
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/add-secure-apps/providers/proxy/server_caddy.mdx

@@ -2,8 +2,9 @@
 title: Caddy
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
 import Placeholders from "./__placeholders.md";
 import CaddyStandalone from "./_caddy_standalone.md";
 

website/docs/add-secure-apps/providers/proxy/server_envoy.mdx

@@ -2,13 +2,12 @@
 title: Envoy
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
 import Placeholders from "./__placeholders.md";
 import EnvoyIstio from "./_envoy_istio.md";
 
-# Envoy
-
 The configuration template shown below apply to both single-application and domain-level forward auth.
 
 :::info

website/docs/add-secure-apps/providers/proxy/server_nginx.mdx

@@ -1,5 +1,5 @@
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 # nginx
 

website/docs/add-secure-apps/providers/proxy/server_traefik.mdx

@@ -1,5 +1,5 @@
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 # Traefik
 

website/docs/add-secure-apps/providers/radius/HashSupport.tsx

@@ -0,0 +1,82 @@
+import styles from "./styles.module.css";
+
+const RADIUSProtocols = [
+    "PAP",
+    "CHAP",
+    "Digest",
+    "MS-CHAP",
+    "PEAP",
+    "MS-CHAPv2",
+    "Cisco LEAP",
+    "EAP-GTC",
+    "EAP-MD5",
+    "EAP-PWD",
+] as const satisfies string[];
+
+type RADIUSProtocol = (typeof RADIUSProtocols)[number];
+
+const HashKinds = [
+    "Cleartext",
+    "NT",
+    "MD5",
+    "Salted MD5",
+    "SHA1",
+    "Salted SHA1",
+    "Unix Crypt",
+] as const satisfies string[];
+
+type HashKind = (typeof HashKinds)[number];
+
+const supportMatrix: Record<HashKind, RADIUSProtocol[]> = {
+    "Cleartext": [
+        "PAP",
+        "CHAP",
+        "Digest",
+        "MS-CHAP",
+        "PEAP",
+        "MS-CHAPv2",
+        "Cisco LEAP",
+        "EAP-GTC",
+        "EAP-MD5",
+        "EAP-PWD",
+    ],
+    "NT": ["PAP", "MS-CHAP", "PEAP", "MS-CHAPv2", "Cisco LEAP", "EAP-GTC"],
+    "MD5": ["PAP", "EAP-GTC"],
+    "Salted MD5": ["PAP", "EAP-GTC"],
+    "SHA1": ["PAP", "EAP-GTC"],
+    "Salted SHA1": ["PAP", "EAP-GTC", "EAP-PWD"],
+    "Unix Crypt": ["PAP", "EAP-GTC", "EAP-PWD"],
+};
+
+export const HashSupport: React.FC = () => {
+    return (
+        <table className={styles.table}>
+            <thead>
+                <tr>
+                    <th></th>
+                    {HashKinds.map((hashKind, i) => (
+                        <th key={i}>{hashKind}</th>
+                    ))}
+                </tr>
+            </thead>
+
+            <tbody>
+                {RADIUSProtocols.map((radiusProtocol, i) => (
+                    <tr key={i}>
+                        <td>{radiusProtocol}</td>
+                        {HashKinds.map((hashKind) => {
+                            const protocols = supportMatrix[hashKind];
+                            const supported = protocols.includes(radiusProtocol);
+
+                            return (
+                                <td data-supported={supported} key={hashKind}>
+                                    {supported ? "✓" : "✗"}
+                                </td>
+                            );
+                        })}
+                    </tr>
+                ))}
+            </tbody>
+        </table>
+    );
+};

website/docs/add-secure-apps/providers/radius/index.mdx

@@ -2,7 +2,7 @@
 title: RADIUS Provider
 ---
 
-import { Check, X, AlertTriangle } from "react-feather";
+import { HashSupport } from "./HashSupport";
 
 You can configure a Radius provider for applications that don't support any other protocols or that require Radius.
 
@@ -56,15 +56,4 @@ After creation, make sure to select the RADIUS property mapping in the RADIUS pr
 
 The RADIUS provider only supports the [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol:
 
-|              | Clear-text      | NT hash         | MD5 hash        | Salted MD5 hash | SHA1 hash       | Salted SHA1 hash | Unix Crypt      |
-| ------------ | --------------- | --------------- | --------------- | --------------- | --------------- | ---------------- | --------------- |
-| PAP          | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check>  | <Check></Check> |
-| CHAP         | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| Digest       | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| MS-CHAP      | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| PEAP         | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-MSCHAPv2 | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| Cisco LEAP   | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-GTC      | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check>  | <Check></Check> |
-| EAP-MD5      | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-PWD      | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <Check></Check>  | <Check></Check> |
+<HashSupport />

website/docs/add-secure-apps/providers/radius/styles.module.css

@@ -0,0 +1,20 @@
+.table td {
+    text-align: center;
+    font-weight: bold;
+
+    &:first-child {
+        text-align: right;
+        width: 13ch;
+    }
+
+    &:not(:first-child) {
+        width: 10ch;
+    }
+
+    &[data-supported="true"] {
+        color: var(--ifm-color-success-dark);
+    }
+    &[data-supported="false"] {
+        color: var(--ifm-color-danger-dark);
+    }
+}

website/docs/customize/blueprints/v1/example.md

@@ -4,6 +4,7 @@ title: Example
 
 This is one of the default packaged blueprints to create the default authentication flow.
 
+<!-- prettier-ignore-start -->
 ```yaml
 version: 1
 metadata:
@@ -64,3 +65,4 @@ entries:
           target: !KeyOf flow
       model: authentik_flows.flowstagebinding
 ```
+<!-- prettier-ignore-end -->

website/docs/customize/blueprints/v1/tags.mdx

@@ -48,6 +48,8 @@ Returns the value of the given environment variable. Can be used as a scalar wit
 
 Examples:
 
+{/* prettier-ignore-start */}
+
 ```yaml
 configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
 ```
@@ -60,6 +62,8 @@ configure_flow:
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 Looks up any model and resolves to the the matches' primary key.
 First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
 
@@ -67,10 +71,15 @@ First argument is the model to be queried, remaining arguments are expected to b
 
 Example:
 
+{/* prettier-ignore-start */}
+
+
 ```yaml
 configure_flow: !Context foo
 ```
 
+{/* prettier-ignore-end */}
+
 Find values from the context. Can optionally be called with a default like `!Context [foo, default-value]`.
 
 #### `!Format`
@@ -209,6 +218,8 @@ For example, given a sequence like this - `["a", "b", "c"]`, this tag will resol
 
 Minimal examples:
 
+{/* prettier-ignore-start */}
+
 ```yaml
 configuration_stages: !Enumerate [
         !Context map_of_totp_stage_names_and_types,
@@ -224,6 +235,8 @@ configuration_stages: !Enumerate [
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 The above example will resolve to something like this:
 
 ```yaml
@@ -265,6 +278,8 @@ Full example:
 Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.
 :::
 
+{/* prettier-ignore-start */}
+
 ```yaml
 example: !Enumerate [
         !Context sequence, # ["foo", "bar"]
@@ -288,6 +303,8 @@ example: !Enumerate [
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 The above example will resolve to something like this:
 
 ```yaml

website/docs/customize/interfaces/_global/customcss.mdx

@@ -2,8 +2,8 @@
 
 To further modify the look of authentik, a custom CSS file can be created. Creating such a file is outside the scope of this document.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/developer-docs/docs/style-guide.mdx

@@ -255,8 +255,8 @@ This section covers the usage of React components within our documentation. File
 Use **Tabs** to display different configurations (e.g., setting up authentication with OIDC vs. SAML) to help users navigate between options. Default to the easier or more common option. Insert the following lines wherever you want the code block to appear:
 
 ```jsx
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
     defaultValue="oidc"

website/docs/developer-docs/index.md

@@ -163,7 +163,7 @@ While the prerequisites above must be satisfied prior to having your pull reques
 
 All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff).
 
-authentik runs on Python 3.12 at the time of writing this.
+authentik runs on Python 3.13 at the time of writing this.
 
 - Use native type-annotations wherever possible.
 - Add meaningful docstrings when possible.

website/docs/developer-docs/releases/index.md

@@ -148,7 +148,6 @@ We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _d
 
 <details>
 <summary>Mailing list template</summary>
-<p>
 
 Subject: `Release of authentik Security releases 2022.10.3 and 2022.11.3`
 
@@ -158,12 +157,10 @@ The security advisory for CVE-2022-xxxxx has been published: https://github.com/
 Releases 2022.10.3 and 2022.11.3 with fixes included are available here: https://github.com/goauthentik/authentik/releases
 ```
 
-</p>
 </details>
 
 <details>
 <summary>Discord template</summary>
-<p>
 
 ```markdown
 [...existing announcement...]
@@ -175,5 +172,4 @@ Advisory for for CVE-2022-xxxxx has been published here https://github.com/goaut
 The fixed versions 2022.10.3 and 2022.11.3 are available here: https://github.com/goauthentik/authentik/releases
 ```
 
-</p>
 </details>

website/docs/developer-docs/setup/full-dev-environment.mdx

@@ -9,15 +9,15 @@ tags:
     - docker
 ---
 
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
 import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## Requirements
 
-- [Python](https://www.python.org/) (3.12 or later)
+- [Python](https://www.python.org/) (3.13 or later)
 - [uv](https://docs.astral.sh/uv/getting-started/installation/), (Latest stable release)
-- [Go](https://go.dev/) (1.23 or later)
+- [Go](https://go.dev/) (1.24 or later)
 - [Node.js](https://nodejs.org/en) (22 or later)
 - [PostgreSQL](https://www.postgresql.org/) (16 or later)
 - [Redis](https://redis.io/) (7 or later)
@@ -54,9 +54,8 @@ values={[
     To install the native dependencies on macOS, run:
 
     ```sh
-    $ pip install uv
-    $ brew install libxmlsec1 libpq krb5   # Required development libraries,
-    $ brew install postgresql redis node@22 golangci-lint   # Required CLI tools
+    $ brew install libxmlsec1 libpq krb5 pkg-config  # Required development libraries,
+    $ brew install uv postgresql redis node@22 golangci-lint   # Required CLI tools
     ```
 
 </TabItem>
@@ -66,14 +65,13 @@ To install native dependencies on Debian or Ubuntu, run:
 
 ```sh
 $ pip install uv
-$ sudo apt-get install  libgss-dev krb5-config libkrb5-dev postgresql-server-dev-all
+$ sudo apt-get install libgss-dev krb5-config libkrb5-dev postgresql-server-dev-all
 $ sudo apt-get install postresql redis
 ```
 
 Adjust your needs as required for other distributions such as Red Hat, SUSE, or Arch.
 
-Install golangci-lint locally [from the site
-instructions](https://golangci-lint.run/welcome/install/#other-ci).
+Install golangci-lint locally [from the site instructions](https://golangci-lint.run/welcome/install/#other-ci).
 
   </TabItem>
 

website/docs/index.mdx

@@ -24,39 +24,34 @@ The authentik product provides the following consoles:
 
 In authentik, you can use Light or Dark mode for the Admin interface, User interface, and the Flow interface.
 
-import "react-before-after-slider-component/dist/build.css";
-import ReactBeforeSliderComponent from "react-before-after-slider-component";
 import useBaseUrl from "@docusaurus/useBaseUrl";
+import ReactBeforeSliderComponent from "react-before-after-slider-component";
+
+import "react-before-after-slider-component/dist/build.css";
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_flow_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_flow_light.jpg"),
     }}
 />
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_apps_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_apps_light.jpg"),
     }}
 />
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_admin_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_admin_light.jpg"),
     }}
 />

website/docs/install-config/air-gapped.mdx

@@ -17,8 +17,8 @@ To disable these outbound connections, adjust the settings as follows:
 
 To view a list of all configuration options, refer to the [Configuration](./configuration/configuration.mdx) documentation.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/install-config/beta.mdx

@@ -8,8 +8,8 @@ You can test upcoming authentik versions, including major new features that are
 Downgrading from the Beta is not supported. It is recommended to take a backup before upgrading, or test Beta versions on a separate install. Upgrading from Beta versions to the next release is usually possible, however also not supported.
 :::
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/install-config/configuration/configuration.mdx

@@ -17,8 +17,8 @@ All of these variables can be set to values, but you can also use a URI-like for
 
 ## Set your environment variables
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs groupId="platform">
   <TabItem value="docker-compose" label="Docker Compose" default>
@@ -356,7 +356,7 @@ Defaults to `86400`.
 
 ### `AUTHENTIK_SESSION_STORAGE`:ak-version[2024.4]
 
-Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+Configure if the sessions are stored in the cache or the database. Defaults to `db`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
 ### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]
 

website/docs/install-config/install/docker-compose.mdx

@@ -27,8 +27,8 @@ This installation method is for test setups and small-scale production setups.
 To download the latest `docker-compose.yml` open your terminal and navigate to the directory of your choice.
 Run the following command:
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 {/* prettier-ignore */}
 <Tabs groupId="OS">

website/docs/install-config/upgrade.mdx

@@ -20,8 +20,8 @@ authentik does not support downgrading. Make sure to back up your database in ca
 
 ## Upgrade authentik
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs groupId="platform">
   <TabItem value="docker-compose" label="Docker Compose" default>

website/docs/releases/2024/v2024.10.md

@@ -5,8 +5,8 @@ slug: "/releases/2024.10"
 
 ## Highlights
 
-- **Chrome Device Trust** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>: Verify that your users are logging in from managed devices and validate the devices' compliance with company policies.
-- **FIPS/FAL3 for FedRAMP "very high" compliance** <span class="badge badge--primary">Enterprise+</span>: with support for SAML encryption and now JWE (JSON Web Encryption) support, authentik can now be configured for FIPS compliance at Federation Assurance Level (FAL) 3.
+- **Chrome Device Trust** :ak-enterprise :ak-preview : Verify that your users are logging in from managed devices and validate the devices' compliance with company policies.
+- **FIPS/FAL3 for FedRAMP "very high" compliance** :ak-enterprise : with support for SAML encryption and now JWE (JSON Web Encryption) support, authentik can now be configured for FIPS compliance at Federation Assurance Level (FAL) 3.
 - **Captcha on Identification stage**: Run a CAPTCHA process in the background while the user is entering their identification.
 - **Kerberos source**: authentik can now integrate with existing Kerberos environments by allowing users to log in with their Kerberos credentials, SPNEGO, or syncing users into authentik.
 
@@ -16,7 +16,7 @@ We have no breaking changes this release!
 
 ## New features
 
-- **Chrome Device Trust** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Chrome Device Trust** :ak-enterprise :ak-preview
 
     This is a new stage for Enterprise clients that verifies the user through the Chrome Verified Access API. This stage only works with Google Chrome. You'll need to bring your own [Verified Access API instance](https://developers.google.com/chrome/verified-access/overview) via Google Cloud.
 

website/docs/releases/2024/v2024.12.md

@@ -6,8 +6,8 @@ slug: "/releases/2024.12"
 ## Highlights
 
 - **Redirect stage** Conditionally redirect users to other flows and URLs.
-- **Application entitlements** <span class="badge badge--info">Preview</span> Additional granular permission configuration on an application-level basis.
-- **CloudFormation** <span class="badge badge--info">Preview</span> One-click deploy on AWS.
+- **Application entitlements** :ak-preview Additional granular permission configuration on an application-level basis.
+- **CloudFormation** :ak-preview One-click deploy on AWS.
 - **Policies in the application wizard** Configure access restriction while creating an application.
 
 ## Breaking changes
@@ -32,7 +32,7 @@ slug: "/releases/2024.12"
 
     This new stage allows redirecting a user to another flow or external URL. This allows for dynamically choosing which flow runs depending on user attributes or other factors, or redirection to another URL.
 
-- **Application entitlements** <span class="badge badge--info">Preview</span>
+- **Application entitlements** :ak-preview
 
     Centrally configure permissions by granting entitlements to groups and users on an application-level basis.
 
@@ -40,7 +40,7 @@ slug: "/releases/2024.12"
 
     In the application creation wizard, administrators can now configure policies bindings along with the other application settings.
 
-- **CloudFormation** <span class="badge badge--info">Preview</span>
+- **CloudFormation** :ak-preview
 
     Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws.md).
 

website/docs/releases/2024/v2024.2.md

@@ -5,9 +5,9 @@ slug: /releases/2024.2
 
 ## Highlights
 
-- **Remote Access Control** <span class="badge badge--primary">Enterprise</span> Access machines over RDP, SSH, and VNC from authentik
+- **Remote Access Control** :ak-enterprise Access machines over RDP, SSH, and VNC from authentik
 
-- **Audit logging** <span class="badge badge--primary">Enterprise</span> See what fields were changed when objects are updated
+- **Audit logging** :ak-enterprise See what fields were changed when objects are updated
 
 - **Session location and network binding** Increase security by preventing session theft
 
@@ -102,11 +102,11 @@ slug: /releases/2024.2
 
 ## New features
 
-- **New provider: Remote Access Control** <span class="badge badge--primary">Enterprise</span>
+- **New provider: Remote Access Control** :ak-enterprise
 
     The Remote Access Control provider allows you to remotely connect to remote machines over RDP, SSH and VNC through authentik. As such, you can use the same policy engine and customization options that are possible with other providers using the same user and admin interface.
 
-- **Audit logging** <span class="badge badge--primary">Enterprise</span>
+- **Audit logging** :ak-enterprise
 
     authentik instances that have a valid enterprise license installed will log any changes made to models, including which fields were changed with previous and new values of the fields. The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged.
 

website/docs/releases/2024/v2024.4.md

@@ -5,9 +5,9 @@ slug: /releases/2024.4
 
 ## Highlights
 
-- **OAuth/SAML as authentication factor** <span class="badge badge--primary">Enterprise</span> Use an external provider as part of an MFA authentication flow, including custom implementations
+- **OAuth/SAML as authentication factor** :ak-enterprise Use an external provider as part of an MFA authentication flow, including custom implementations
 
-- **SCIM Source** <span class="badge badge--info">Preview</span> Provision users and groups in authentik using an SCIM API
+- **SCIM Source** :ak-preview Provision users and groups in authentik using an SCIM API
 
 - **Configurable WebAuthn device restrictions** Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.
 
@@ -27,13 +27,13 @@ slug: /releases/2024.4
 
 ## New features
 
-- **Source stage** <span class="badge badge--primary">Enterprise</span>
+- **Source stage** :ak-enterprise
 
     The source stage allows for an inclusion of a source as part of a flow. This can be used to link a user to a source as part of their authentication/enrollment, or it can be used as an external multi-factor to provide device health attestation for example.
 
     For details refer to [Source stage](../../add-secure-apps/flows-stages/stages/source/index.md)
 
-- **SCIM Source** <span class="badge badge--info">Preview</span>
+- **SCIM Source** :ak-preview
 
     Provision users and groups in authentik using an SCIM API.
 

website/docs/releases/2024/v2024.6.md

@@ -6,7 +6,7 @@ slug: /releases/2024.6
 ## Highlights
 
 - **PostgreSQL read replicas**: Optimize database query routing by using read replicas to balance the load
-- **New Enterprise providers**: <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span> Google Workspace and Microsoft Entra ID providers allow for user synchronization with authentik
+- **New Enterprise providers**: :ak-enterprise :ak-preview Google Workspace and Microsoft Entra ID providers allow for user synchronization with authentik
 - **Improved CAPTCHA stage**: Allows configurable dynamic use of CAPTCHAs
 
 ## Breaking changes
@@ -29,13 +29,13 @@ The `context["geoip"]` and `context["asn"]` objects available in expression poli
 
 ## New features
 
-- **Google Workspace Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Google Workspace Provider** :ak-enterprise :ak-preview
 
     With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.
 
     For details refer to the [Google Workspace Provider documentation](../../add-secure-apps/providers/gws/index.md)
 
-- **Microsoft Entra ID Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Microsoft Entra ID Provider** :ak-enterprise :ak-preview
 
     With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
 

website/docs/releases/2025/v2025.2.md

@@ -5,7 +5,7 @@ slug: "/releases/2025.2"
 
 ## Highlights
 
-- **SSF Provider <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>** Add support for Shared Signals Framework.
+- **SSF Provider :ak-enterprise :ak-preview** Add support for Shared Signals Framework.
 - **RAC moved open source** Remote access is now available to everyone!
 - **GeoIP distance and impossible travel checks** Add the ability to check for the distance a user has moved compared to a previous login, and if the user could have travelled the distance.
 - **Email OTP Stage** Allow users to use their email accounts as a one-time-password during authentication.
@@ -13,7 +13,7 @@ slug: "/releases/2025.2"
 
 ## Breaking changes
 
-- **Fixed behaviour in Source stage <span class="badge badge--primary">Enterprise</span>**
+- **Fixed behaviour in Source stage :ak-enterprise**
 
     In previous versions, the Source stage would incorrectly continue with the initial flow after returning from the source, which didn't match the documented behaviour.
 
@@ -29,7 +29,7 @@ slug: "/releases/2025.2"
 
 ## New features
 
-- **SSF Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **SSF Provider** :ak-enterprise :ak-preview
 
     [Shared Signals Framework](../../add-secure-apps/providers/ssf/index.md) allows applications to register a stream with authentik within which they can received events from authentik such as when a session was revoked or a credential was add/changed/deleted and execute actions based on these events.
 

website/docs/releases/2025/v2025.4.md

@@ -11,7 +11,7 @@ slug: "/releases/2025.4"
 
 - **RBAC: Initial Permissions** :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
 
-- **Password History Policy** <span class="badge badge--primary">Enterprise</span> A new policy (the Password Uniqueness policy) can be implemented to prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for FedRAMP compliance.
+- **Password History Policy** :ak-enterprise A new policy (the Password Uniqueness policy) can be implemented to prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for FedRAMP compliance.
 
 - **Provider Sync Dry Run** :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Microsoft Entra providers to preview the results of a sync without affecting live accounts.
 
@@ -108,7 +108,7 @@ When you upgrade, be aware that the version of the authentik instance and of any
 To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
 
 ```shell
-wget -O docker-compose.yml https://goauthentik.io/version/xxxx.x/docker-compose.yml
+wget -O docker-compose.yml https://goauthentik.io/version/2025.4/docker-compose.yml
 docker compose up -d
 ```
 

website/docs/sys-mgmt/ops/geoip.mdx

@@ -14,8 +14,8 @@ By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If mo
 
 If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/sys-mgmt/service-accounts.md

@@ -3,8 +3,6 @@ title: Service Accounts
 sidebar_label: Service Accounts
 ---
 
-# Service Accounts
-
 Service accounts are specialized user accounts designed for machine-to-machine authentication and automation purposes rather than interactive human use. They're ideal for integrating authentik with external systems, APIs, and services.
 
 ## Types of Service Accounts

website/docs/troubleshooting/forward_auth/general.mdx

@@ -2,8 +2,8 @@
 title: General troubleshooting steps
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## Set the log level to TRACE
 

website/docs/troubleshooting/logs.mdx

@@ -10,8 +10,8 @@ The server and worker containers support multiple log levels: `debug`, `info`, `
 
 To modify the log level, follow the steps for your platform
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   groupId="platform"