lib/sync/outgoing: don't wait for tasks to finish on direct syncs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2025.4.1
+current_version = 2025.6.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.10 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
+| 2025.6.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.4.1"
+__version__ = "2025.6.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/migrations/0046_session_and_more.py

@@ -79,6 +79,7 @@ def _migrate_session(
         AuthenticatedSession.objects.using(db_alias).create(
             session=session,
             user=old_auth_session.user,
+            uuid=old_auth_session.uuid,
         )
 
 

authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py

@@ -1,10 +1,81 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 
-from django.apps.registry import Apps
+from django.apps.registry import Apps, apps as global_apps
 from django.db import migrations
+from django.contrib.contenttypes.management import create_contenttypes
+from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
+def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
+    db_alias = schema_editor.connection.alias
+
+    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
+    # real config for creating permissions and content types
+    authentik_core_config = global_apps.get_app_config("authentik_core")
+    # These are only ran by django after all migrations, but we need them right now.
+    # `global_apps` is needed,
+    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
+    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
+
+    # But from now on, this is just a regular migration, so use `apps`
+    Permission = apps.get_model("auth", "Permission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    try:
+        old_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="oldauthenticatedsession"
+        )
+        new_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="authenticatedsession"
+        )
+    except ContentType.DoesNotExist:
+        # This should exist at this point, but if not, let's cut our losses
+        return
+
+    # Get all permissions for the old content type
+    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
+
+    # Create equivalent permissions for the new content type
+    for old_perm in old_perms:
+        new_perm = (
+            Permission.objects.using(db_alias)
+            .filter(
+                content_type=new_ct,
+                codename=old_perm.codename,
+            )
+            .first()
+        )
+        if not new_perm:
+            # This should exist at this point, but if not, let's cut our losses
+            continue
+
+        # Global user permissions
+        User = apps.get_model("authentik_core", "User")
+        User.user_permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Global role permissions
+        DjangoGroup = apps.get_model("auth", "Group")
+        DjangoGroup.permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Object user permissions
+        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
+        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+        # Object role permissions
+        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
+        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+
 def remove_old_authenticated_session_content_type(
     apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
@@ -21,7 +92,12 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.RunPython(
+            code=migrate_authenticated_session_permissions,
+            reverse_code=migrations.RunPython.noop,
+        ),
         migrations.RunPython(
             code=remove_old_authenticated_session_content_type,
+            reverse_code=migrations.RunPython.noop,
         ),
     ]

authentik/lib/default.yml

@@ -81,7 +81,6 @@ debugger: false
 
 log_level: info
 
-session_storage: cache
 sessions:
   unauthenticated_age: days=1
 

authentik/lib/sync/outgoing/signals.py

@@ -52,7 +52,7 @@ def register_signals(
             return
         task_sync_direct.delay(
             class_to_path(instance.__class__), instance.pk, Direction.remove.value
-        ).get(propagate=False)
+        )
 
     pre_delete.connect(model_pre_delete, User, dispatch_uid=uid, weak=False)
     pre_delete.connect(model_pre_delete, Group, dispatch_uid=uid, weak=False)

authentik/lib/sync/outgoing/tasks.py

@@ -130,7 +130,7 @@ class SyncTasks:
     def sync_objects(
         self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
     ):
-        _object_type = path_to_class(object_type)
+        _object_type: type[Model] = path_to_class(object_type)
         self.logger = get_logger().bind(
             provider_type=class_to_path(self._provider_model),
             provider_pk=provider_pk,
@@ -156,7 +156,11 @@ class SyncTasks:
         messages.append(
             asdict(
                 LogEvent(
-                    _("Syncing page {page} of groups".format(page=page)),
+                    _(
+                        "Syncing page {page} of {object_type}".format(
+                            page=page, object_type=_object_type._meta.verbose_name_plural
+                        )
+                    ),
                     log_level="info",
                     logger=f"{provider._meta.verbose_name}@{object_type}",
                 )

authentik/providers/rac/models.py

@@ -166,7 +166,6 @@ class ConnectionToken(ExpiringModel):
         always_merger.merge(settings, default_settings)
         always_merger.merge(settings, self.endpoint.provider.settings)
         always_merger.merge(settings, self.endpoint.settings)
-        always_merger.merge(settings, self.settings)
 
         def mapping_evaluator(mappings: QuerySet):
             for mapping in mappings:
@@ -191,6 +190,7 @@ class ConnectionToken(ExpiringModel):
         mapping_evaluator(
             RACPropertyMapping.objects.filter(endpoint__in=[self.endpoint]).order_by("name")
         )
+        always_merger.merge(settings, self.settings)
 
         settings["drive-path"] = f"/tmp/connection/{self.token}"  # nosec
         settings["create-drive-path"] = "true"

authentik/providers/rac/tests/test_models.py

@@ -90,23 +90,6 @@ class TestModels(TransactionTestCase):
                 "resize-method": "display-update",
             },
         )
-        # Set settings in token
-        token.settings = {
-            "level": "token",
-        }
-        token.save()
-        self.assertEqual(
-            token.get_settings(),
-            {
-                "hostname": self.endpoint.host.split(":")[0],
-                "port": "1324",
-                "client-name": f"authentik - {self.user}",
-                "drive-path": path,
-                "create-drive-path": "true",
-                "level": "token",
-                "resize-method": "display-update",
-            },
-        )
         # Set settings in property mapping (provider)
         mapping = RACPropertyMapping.objects.create(
             name=generate_id(),
@@ -151,3 +134,22 @@ class TestModels(TransactionTestCase):
                 "resize-method": "display-update",
             },
         )
+        # Set settings in token
+        token.settings = {
+            "level": "token",
+        }
+        token.save()
+        self.assertEqual(
+            token.get_settings(),
+            {
+                "hostname": self.endpoint.host.split(":")[0],
+                "port": "1324",
+                "client-name": f"authentik - {self.user}",
+                "drive-path": path,
+                "create-drive-path": "true",
+                "foo": "true",
+                "bar": "6",
+                "resize-method": "display-update",
+                "level": "token",
+            },
+        )

authentik/providers/scim/clients/groups.py

@@ -47,15 +47,16 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
 
     def to_schema(self, obj: Group, connection: SCIMProviderGroup) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_group = super().to_schema(
-            obj,
-            connection,
-            schemas=(SCIM_GROUP_SCHEMA,),
-        )
+        raw_scim_group = super().to_schema(obj, connection)
         try:
             scim_group = SCIMGroupSchema.model_validate(delete_none_values(raw_scim_group))
         except ValidationError as exc:
             raise StopSync(exc, obj) from exc
+        if SCIM_GROUP_SCHEMA not in scim_group.schemas:
+            scim_group.schemas.insert(0, SCIM_GROUP_SCHEMA)
+        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
+        # are included, even if its just the defaults
+        scim_group.schemas = list(scim_group.schemas)
         if not scim_group.externalId:
             scim_group.externalId = str(obj.pk)
 

authentik/providers/scim/clients/users.py

@@ -31,15 +31,16 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
 
     def to_schema(self, obj: User, connection: SCIMProviderUser) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_user = super().to_schema(
-            obj,
-            connection,
-            schemas=(SCIM_USER_SCHEMA,),
-        )
+        raw_scim_user = super().to_schema(obj, connection)
         try:
             scim_user = SCIMUserSchema.model_validate(delete_none_values(raw_scim_user))
         except ValidationError as exc:
             raise StopSync(exc, obj) from exc
+        if SCIM_USER_SCHEMA not in scim_user.schemas:
+            scim_user.schemas.insert(0, SCIM_USER_SCHEMA)
+        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
+        # are included, even if its just the defaults
+        scim_user.schemas = list(scim_user.schemas)
         if not scim_user.externalId:
             scim_user.externalId = str(obj.uid)
         return scim_user

authentik/providers/scim/tests/test_user.py

@@ -91,6 +91,57 @@ class SCIMUserTests(TestCase):
             },
         )
 
+    @Mocker()
+    def test_user_create_custom_schema(self, mock: Mocker):
+        """Test user creation with custom schema"""
+        schema = SCIMMapping.objects.create(
+            name="custom_schema",
+            expression="""return {"schemas": ["foo"]}""",
+        )
+        self.provider.property_mappings.add(schema)
+        scim_id = generate_id()
+        mock.get(
+            "https://localhost/ServiceProviderConfig",
+            json={},
+        )
+        mock.post(
+            "https://localhost/Users",
+            json={
+                "id": scim_id,
+            },
+        )
+        uid = generate_id()
+        user = User.objects.create(
+            username=uid,
+            name=f"{uid} {uid}",
+            email=f"{uid}@goauthentik.io",
+        )
+        self.assertEqual(mock.call_count, 2)
+        self.assertEqual(mock.request_history[0].method, "GET")
+        self.assertEqual(mock.request_history[1].method, "POST")
+        self.assertJSONEqual(
+            mock.request_history[1].body,
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "foo"],
+                "active": True,
+                "emails": [
+                    {
+                        "primary": True,
+                        "type": "other",
+                        "value": f"{uid}@goauthentik.io",
+                    }
+                ],
+                "externalId": user.uid,
+                "name": {
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
+                    "givenName": uid,
+                },
+                "displayName": f"{uid} {uid}",
+                "userName": uid,
+            },
+        )
+
     @Mocker()
     def test_user_create_different_provider_same_id(self, mock: Mocker):
         """Test user creation with multiple providers that happen

authentik/sources/ldap/api.py

@@ -103,6 +103,7 @@ class LDAPSourceSerializer(SourceSerializer):
             "user_object_filter",
             "group_object_filter",
             "group_membership_field",
+            "user_membership_attribute",
             "object_uniqueness_field",
             "password_login_update_internal_password",
             "sync_users",
@@ -139,6 +140,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "user_object_filter",
         "group_object_filter",
         "group_membership_field",
+        "user_membership_attribute",
         "object_uniqueness_field",
         "password_login_update_internal_password",
         "sync_users",

authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.1.9 on 2025-05-29 11:22
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def set_user_membership_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    LDAPSource = apps.get_model("authentik_sources_ldap", "LDAPSource")
+    db_alias = schema_editor.connection.alias
+
+    LDAPSource.objects.using(db_alias).filter(group_membership_field="memberUid").all().update(
+        user_membership_attribute="ldap_uniq"
+    )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_sources_ldap", "0009_groupldapsourceconnection_validated_by_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="user_membership_attribute",
+            field=models.TextField(
+                default="distinguishedName",
+                help_text="Attribute which matches the value of `group_membership_field`.",
+            ),
+        ),
+        migrations.RunPython(set_user_membership_attribute, migrations.RunPython.noop),
+    ]

authentik/sources/ldap/models.py

@@ -100,6 +100,10 @@ class LDAPSource(Source):
         default="(objectClass=person)",
         help_text=_("Consider Objects matching this filter to be Users."),
     )
+    user_membership_attribute = models.TextField(
+        default=LDAP_DISTINGUISHED_NAME,
+        help_text=_("Attribute which matches the value of `group_membership_field`."),
+    )
     group_membership_field = models.TextField(
         default="member", help_text=_("Field which contains members of a group.")
     )

authentik/sources/ldap/sync/membership.py

@@ -71,17 +71,11 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
             if not ak_group:
                 continue
 
-            membership_mapping_attribute = LDAP_DISTINGUISHED_NAME
-            if self._source.group_membership_field == "memberUid":
-                # If memberships are based on the posixGroup's 'memberUid'
-                # attribute we use the RDN instead of the FDN to lookup members.
-                membership_mapping_attribute = LDAP_UNIQUENESS
-
             users = User.objects.filter(
-                Q(**{f"attributes__{membership_mapping_attribute}__in": members})
+                Q(**{f"attributes__{self._source.user_membership_attribute}__in": members})
                 | Q(
                     **{
-                        f"attributes__{membership_mapping_attribute}__isnull": True,
+                        f"attributes__{self._source.user_membership_attribute}__isnull": True,
                         "ak_groups__in": [ak_group],
                     }
                 )

authentik/sources/ldap/tests/test_sync.py

@@ -269,12 +269,56 @@ class LDAPSyncTests(TestCase):
         self.source.group_membership_field = "memberUid"
         self.source.user_object_filter = "(objectClass=posixAccount)"
         self.source.group_object_filter = "(objectClass=posixGroup)"
+        self.source.user_membership_attribute = "uid"
         self.source.user_property_mappings.set(
+            [
+                *LDAPSourcePropertyMapping.objects.filter(
+                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+                ).all(),
+                LDAPSourcePropertyMapping.objects.create(
+                    name="name",
+                    expression='return {"attributes": {"uid": list_flatten(ldap.get("uid"))}}',
+                ),
+            ]
+        )
+        self.source.group_property_mappings.set(
             LDAPSourcePropertyMapping.objects.filter(
-                Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+                managed="goauthentik.io/sources/ldap/openldap-cn"
             )
         )
+        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            self.source.save()
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+            group_sync = GroupLDAPSynchronizer(self.source)
+            group_sync.sync_full()
+            membership_sync = MembershipLDAPSynchronizer(self.source)
+            membership_sync.sync_full()
+            # Test if membership mapping based on memberUid works.
+            posix_group = Group.objects.filter(name="group-posix").first()
+            self.assertTrue(posix_group.users.filter(name="user-posix").exists())
+
+    def test_sync_groups_openldap_posix_group_nonstandard_membership_attribute(self):
+        """Test posix group sync"""
+        self.source.object_uniqueness_field = "cn"
+        self.source.group_membership_field = "memberUid"
+        self.source.user_object_filter = "(objectClass=posixAccount)"
+        self.source.group_object_filter = "(objectClass=posixGroup)"
+        self.source.user_membership_attribute = "cn"
+        self.source.user_property_mappings.set(
+            [
+                *LDAPSourcePropertyMapping.objects.filter(
+                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+                ).all(),
+                LDAPSourcePropertyMapping.objects.create(
+                    name="name",
+                    expression='return {"attributes": {"cn": list_flatten(ldap.get("cn"))}}',
+                ),
+            ]
+        )
         self.source.group_property_mappings.set(
             LDAPSourcePropertyMapping.objects.filter(
                 managed="goauthentik.io/sources/ldap/openldap-cn"

authentik/stages/authenticator_validate/tests/test_webauthn.py

@@ -151,9 +151,7 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
             webauthn_user_verification=UserVerification.PREFERRED,
         )
         stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(
-                description="Android Authenticator with SafetyNet Attestation"
-            )
+            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
         )
         session = self.client.session
         plan = FlowPlan(flow_pk=flow.pk.hex)
@@ -339,9 +337,7 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
             device_classes=[DeviceClasses.WEBAUTHN],
         )
         stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(
-                description="Android Authenticator with SafetyNet Attestation"
-            )
+            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
         )
         session = self.client.session
         plan = FlowPlan(flow_pk=flow.pk.hex)

authentik/stages/authenticator_webauthn/tests.py

@@ -141,9 +141,7 @@ class TestAuthenticatorWebAuthnStage(FlowTestCase):
         """Test registration with restricted devices (fail)"""
         webauthn_mds_import.delay(force=True).get()
         self.stage.device_type_restrictions.set(
-            WebAuthnDeviceType.objects.filter(
-                description="Android Authenticator with SafetyNet Attestation"
-            )
+            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
         )
 
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])

authentik/stages/user_login/stage.py

@@ -11,7 +11,7 @@ from rest_framework.fields import BooleanField, CharField
 from authentik.core.models import Session, User
 from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, WithUserInfoChallenge
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
@@ -108,10 +108,6 @@ class UserLoginStageView(ChallengeStageView):
             flow_slug=self.executor.flow.slug,
             session_duration=delta,
         )
-        # Only show success message if we don't have a source in the flow
-        # as sources show their own success messages
-        if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
-            messages.success(self.request, _("Successfully logged in!"))
         if self.executor.current_stage.terminate_other_sessions:
             Session.objects.filter(
                 authenticatedsession__user=user,

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.4.1 Blueprint schema",
+    "title": "authentik 2025.6.0 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -8147,6 +8147,12 @@
                     "title": "Group membership field",
                     "description": "Field which contains members of a group."
                 },
+                "user_membership_attribute": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "User membership attribute",
+                    "description": "Attribute which matches the value of `group_membership_field`."
+                },
                 "object_uniqueness_field": {
                     "type": "string",
                     "minLength": 1,

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -21,13 +21,13 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.8.0
+	github.com/redis/go-redis/v9 v9.9.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025041.2
+	goauthentik.io/api/v3 v3.2025041.4
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0

go.sum

@@ -245,8 +245,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
-github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.9.0 h1:URbPQ4xVQSQhZ27WMQVmZSo3uT3pL+4IdHVcYq2nVfM=
+github.com/redis/go-redis/v9 v9.9.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025041.2 h1:vFYYnhcDcxL95RczZwhzt3i4LptFXMvIRN+vgf8sQYg=
-goauthentik.io/api/v3 v3.2025041.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.4 h1:cGqzWYnUHrWDoaXWDpIL/kWnX9sFrIhkYDye0P0OEAo=
+goauthentik.io/api/v3 v3.2025041.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.4.1"
+const VERSION = "2025.6.0"

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1016.1",
+                "aws-cdk": "^2.1017.1",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1016.1",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1016.1.tgz",
-            "integrity": "sha512-248TBiluT8jHUjkpzvWJOHv2fS+An9fiII3eji8H7jwfTu5yMBk7on4B/AVNr9A1GXJk9I32qf9Q0A3rLWRYPQ==",
+            "version": "2.1017.1",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1017.1.tgz",
+            "integrity": "sha512-KtDdkMhfVjDeexjpMrVoSlz2mTYI5BE/KotvJ7iFbZy1G0nkpW1ImZ54TdBefeeFmZ+8DAjU3I6nUFtymyOI1A==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1016.1",
+        "aws-cdk": "^2.1017.1",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.4.1
+    Default: 2025.6.0
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -970,7 +970,7 @@ msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
+msgid "Syncing page {page} of {object_type}"
 msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
@@ -2226,6 +2226,10 @@ msgstr ""
 msgid "Consider Objects matching this filter to be Users."
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid "Attribute which matches the value of `group_membership_field`."
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr ""
@@ -3493,10 +3497,6 @@ msgstr ""
 msgid "No Pending user to login."
 msgstr ""
 
-#: authentik/stages/user_login/stage.py
-msgid "Successfully logged in!"
-msgstr ""
-
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr ""

locale/zh_CN/LC_MESSAGES/django.po

@@ -975,11 +975,11 @@ msgstr "开始全量提供程序同步"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr ""
+msgstr "正在同步用户"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr ""
+msgstr "正在同步组"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -2291,7 +2291,7 @@ msgstr "基于用户属性而非组属性查询组成员身份。这允许在 Fr
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
-msgstr ""
+msgstr "删除之前由此源提供，但现已缺失的用户和组。"
 
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@@ -2312,7 +2312,7 @@ msgstr "LDAP 源属性映射"
 #: authentik/sources/ldap/models.py
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
-msgstr ""
+msgstr "检查此对象是否仍在目录中时使用的唯一 ID。"
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
@@ -2694,7 +2694,7 @@ msgstr "组 SAML 源连接"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr ""
+msgstr "继续前往 {source_name}"
 
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@@ -3064,7 +3064,7 @@ msgstr "用户同意授权"
 
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr ""
+msgstr "无效的同意令牌，将重新显示输入"
 
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@@ -3084,11 +3084,11 @@ msgstr "虚拟阶段"
 
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr ""
+msgstr "继续以确认电子邮件地址。"
 
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr ""
+msgstr "链接已被使用，请申请一个新链接。"
 
 #: authentik/stages/email/models.py
 msgid "Password Reset"

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.4.1",
+    "version": "2025.6.0",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.4.1",
+            "version": "2025.6.0",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                 "prettier": "^3.3.3",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.4.1",
+    "version": "2025.6.0",
     "private": true,
     "type": "module",
     "devDependencies": {

packages/eslint-config/package-lock.json

@@ -274,9 +274,9 @@
             }
         },
         "node_modules/@eslint/js": {
-            "version": "9.27.0",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.27.0.tgz",
-            "integrity": "sha512-G5JD9Tu5HJEu4z2Uo4aHY2sLV64B7CDMXxFzqzjl3NKd6RVzSXNoE80jk7Y0lJkTTkjiIhBAqmlYwjuBY3tvpA==",
+            "version": "9.28.0",
+            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz",
+            "integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==",
             "license": "MIT",
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -576,17 +576,17 @@
             "license": "MIT"
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.32.1.tgz",
-            "integrity": "sha512-6u6Plg9nP/J1GRpe/vcjjabo6Uc5YQPAMxsgQyGC/I0RuukiG1wIe3+Vtg3IrSCVJDmqK3j8adrtzXSENRtFgg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.0.tgz",
+            "integrity": "sha512-CACyQuqSHt7ma3Ns601xykeBK/rDeZa3w6IS6UtMQbixO5DWy+8TilKkviGDH6jtWCo8FGRKEK5cLLkPvEammQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/type-utils": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/type-utils": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "graphemer": "^1.4.0",
                 "ignore": "^7.0.0",
                 "natural-compare": "^1.4.0",
@@ -600,15 +600,15 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "@typescript-eslint/parser": "^8.0.0 || ^8.0.0-alpha.0",
+                "@typescript-eslint/parser": "^8.33.0",
                 "eslint": "^8.57.0 || ^9.0.0",
                 "typescript": ">=4.8.4 <5.9.0"
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin/node_modules/ignore": {
-            "version": "7.0.4",
-            "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.4.tgz",
-            "integrity": "sha512-gJzzk+PQNznz8ysRrC0aOkBNVRBDtE1n53IqyqEf3PXrYwomFs5q4pGMizBMJF+ykh03insJ27hB8gSrD2Hn8A==",
+            "version": "7.0.5",
+            "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+            "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -616,16 +616,16 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.32.1.tgz",
-            "integrity": "sha512-LKMrmwCPoLhM45Z00O1ulb6jwyVr2kr3XJp+G+tSEZcbauNnScewcQwtJqXDhXeYPDEjZ8C1SjXm015CirEmGg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.0.tgz",
+            "integrity": "sha512-JaehZvf6m0yqYp34+RVnihBAChkqeH+tqqhS0GuX1qgPpwLvmTPheKEs6OeCK6hVJgXZHJ2vbjnC9j119auStQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/typescript-estree": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -640,15 +640,16 @@
                 "typescript": ">=4.8.4 <5.9.0"
             }
         },
-        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.32.1.tgz",
-            "integrity": "sha512-7IsIaIDeZn7kffk7qXC3o6Z4UblZJKV3UBpkvRNpr5NSyLji7tvTcvmnMNYuYLyh26mN8W723xpo3i4MlD33vA==",
+        "node_modules/@typescript-eslint/project-service": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.0.tgz",
+            "integrity": "sha512-d1hz0u9l6N+u/gcrk6s6gYdl7/+pp8yHheRTqP6X5hVDKALEaTn8WfGiit7G511yueBEL3OpOEpD+3/MBdoN+A==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1"
+                "@typescript-eslint/tsconfig-utils": "^8.33.0",
+                "@typescript-eslint/types": "^8.33.0",
+                "debug": "^4.3.4"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -658,15 +659,50 @@
                 "url": "https://opencollective.com/typescript-eslint"
             }
         },
-        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.32.1.tgz",
-            "integrity": "sha512-mv9YpQGA8iIsl5KyUPi+FGLm7+bA4fgXaeRcFKRDRwDMu4iwrSHeDPipwueNXhdIIZltwCJv+NkxftECbIZWfA==",
+        "node_modules/@typescript-eslint/scope-manager": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.0.tgz",
+            "integrity": "sha512-LMi/oqrzpqxyO72ltP+dBSP6V0xiUb4saY7WLtxSfiNEBI8m321LLVFU9/QDJxjDQG9/tjSqKz/E3380TEqSTw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            }
+        },
+        "node_modules/@typescript-eslint/tsconfig-utils": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.0.tgz",
+            "integrity": "sha512-sTkETlbqhEoiFmGr1gsdq5HyVbSOF0145SYDJ/EQmXHtKViCaGvnyLqWFFHtEXoS0J1yU8Wyou2UGmgW88fEug==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/@typescript-eslint/type-utils": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.0.tgz",
+            "integrity": "sha512-lScnHNCBqL1QayuSrWeqAL5GmqNdVUQAAMTaCwdYEdWfIrSrOGzyLGRCHXcCixa5NK6i5l0AfSO2oBSjCjf4XQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^2.1.0"
             },
@@ -683,9 +719,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.32.1.tgz",
-            "integrity": "sha512-YmybwXUJcgGqgAp6bEsgpPXEg6dcCyPyCSr0CAAueacR/CCBi25G3V8gGQ2kRzQRBNol7VQknxMs9HvVa9Rvfg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.0.tgz",
+            "integrity": "sha512-DKuXOKpM5IDT1FA2g9x9x1Ug81YuKrzf4mYX8FAVSNu5Wo/LELHWQyM1pQaDkI42bX15PWl0vNPt1uGiIFUOpg==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -697,14 +733,16 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.32.1.tgz",
-            "integrity": "sha512-Y3AP9EIfYwBb4kWGb+simvPaqQoT5oJuzzj9m0i6FCY6SPvlomY2Ei4UEMm7+FXtlNJbor80ximyslzaQF6xhg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.0.tgz",
+            "integrity": "sha512-vegY4FQoB6jL97Tu/lWRsAiUUp8qJTqzAmENH2k59SJhw0Th1oszb9Idq/FyyONLuNqT1OADJPXfyUNOR8SzAQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/project-service": "8.33.0",
+                "@typescript-eslint/tsconfig-utils": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "debug": "^4.3.4",
                 "fast-glob": "^3.3.2",
                 "is-glob": "^4.0.3",
@@ -763,16 +801,16 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.32.1.tgz",
-            "integrity": "sha512-DsSFNIgLSrc89gpq1LJB7Hm1YpuhK086DRDJSNrewcGvYloWW1vZLHBTIvarKZDcAORIy/uWNx8Gad+4oMpkSA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.0.tgz",
+            "integrity": "sha512-lPFuQaLA9aSNa7D5u2EpRiqdAUhzShwGg/nhpBlc4GR6kcTABttCuyjFs8BcEZ8VWrjCBof/bePhP3Q3fS+Yrw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/typescript-estree": "8.32.1"
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -787,13 +825,13 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.32.1.tgz",
-            "integrity": "sha512-ar0tjQfObzhSaW3C3QNmTc5ofj0hDoNQ5XWrCy6zDyabdr0TWhCkClp+rywGNj/odAFBVzzJrK4tEq5M4Hmu4w==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.0.tgz",
+            "integrity": "sha512-7RW7CMYoskiz5OOGAWjJFxgb7c5UNjTG292gYhWeOAcFmYCtVCSqjqSBj5zMhxbXo2JOW95YYrUWJfU0zrpaGQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
+                "@typescript-eslint/types": "8.33.0",
                 "eslint-visitor-keys": "^4.2.0"
             },
             "engines": {
@@ -1513,9 +1551,9 @@
             }
         },
         "node_modules/eslint": {
-            "version": "9.27.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.27.0.tgz",
-            "integrity": "sha512-ixRawFQuMB9DZ7fjU3iGGganFDp3+45bPOdaRurcFHSXO1e/sYwUX/FtQZpLZJR6SjMoJH8hR2pPEAfDyCoU2Q==",
+            "version": "9.28.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz",
+            "integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==",
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.2.0",
@@ -1524,7 +1562,7 @@
                 "@eslint/config-helpers": "^0.2.1",
                 "@eslint/core": "^0.14.0",
                 "@eslint/eslintrc": "^3.3.1",
-                "@eslint/js": "9.27.0",
+                "@eslint/js": "9.28.0",
                 "@eslint/plugin-kit": "^0.3.1",
                 "@humanfs/node": "^0.16.6",
                 "@humanwhocodes/module-importer": "^1.0.1",
@@ -3994,15 +4032,15 @@
             }
         },
         "node_modules/typescript-eslint": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.32.1.tgz",
-            "integrity": "sha512-D7el+eaDHAmXvrZBy1zpzSNIRqnCOrkwTgZxTu3MUqRWk8k0q9m9Ho4+vPf7iHtgUfrK/o8IZaEApsxPlHTFCg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.0.tgz",
+            "integrity": "sha512-5YmNhF24ylCsvdNW2oJwMzTbaeO4bg90KeGtMjUw0AGtHksgEPLRTUil+coHwCfiu4QjVJFnjp94DmU6zV7DhQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.32.1",
-                "@typescript-eslint/parser": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1"
+                "@typescript-eslint/eslint-plugin": "8.33.0",
+                "@typescript-eslint/parser": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"

pyproject.toml

@@ -1,12 +1,12 @@
 [project]
 name = "authentik"
-version = "2025.4.1"
+version = "2025.6.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
 dependencies = [
-    "argon2-cffi==23.1.0",
-    "celery==5.5.2",
+    "argon2-cffi==25.1.0",
+    "celery==5.5.3",
     "channels==4.2.2",
     "channels-redis==4.2.1",
     "cryptography==45.0.3",
@@ -35,7 +35,7 @@ dependencies = [
     "flower==2.0.1",
     "geoip2==5.1.0",
     "geopy==2.4.1",
-    "google-api-python-client==2.170.0",
+    "google-api-python-client==2.171.0",
     "gssapi==1.9.0",
     "gunicorn==23.0.0",
     "jsonpatch==1.33",
@@ -43,7 +43,7 @@ dependencies = [
     "kubernetes==32.0.1",
     "ldap3==2.9.1",
     "lxml==5.4.0",
-    "msgraph-sdk==1.31.0",
+    "msgraph-sdk==1.32.0",
     "opencontainers==0.0.14",
     "packaging==25.0",
     "paramiko==3.5.1",
@@ -59,14 +59,14 @@ dependencies = [
     "sentry-sdk==2.29.1",
     "service-identity==24.2.0",
     "setproctitle==1.3.6",
-    "structlog==25.3.0",
+    "structlog==25.4.0",
     "swagger-spec-validator==3.0.4",
     "tenant-schemas-celery==4.0.1",
-    "twilio==9.6.1",
+    "twilio==9.6.2",
     "ua-parser==1.0.1",
     "unidecode==1.4.0",
     "urllib3<3",
-    "uvicorn[standard]==0.34.2",
+    "uvicorn[standard]==0.34.3",
     "watchdog==6.0.0",
     "webauthn==2.5.2",
     "wsproto==1.2.0",

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.4.1
+  version: 2025.6.0
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -28581,6 +28581,10 @@ paths:
         name: sync_users_password
         schema:
           type: boolean
+      - in: query
+        name: user_membership_attribute
+        schema:
+          type: string
       - in: query
         name: user_object_filter
         schema:
@@ -47893,6 +47897,9 @@ components:
         group_membership_field:
           type: string
           description: Field which contains members of a group.
+        user_membership_attribute:
+          type: string
+          description: Attribute which matches the value of `group_membership_field`.
         object_uniqueness_field:
           type: string
           description: Field which contains a unique Identifier.
@@ -48106,6 +48113,10 @@ components:
           type: string
           minLength: 1
           description: Field which contains members of a group.
+        user_membership_attribute:
+          type: string
+          minLength: 1
+          description: Attribute which matches the value of `group_membership_field`.
         object_uniqueness_field:
           type: string
           minLength: 1
@@ -53443,6 +53454,10 @@ components:
           type: string
           minLength: 1
           description: Field which contains members of a group.
+        user_membership_attribute:
+          type: string
+          minLength: 1
+          description: Attribute which matches the value of `group_membership_field`.
         object_uniqueness_field:
           type: string
           minLength: 1

uv.lock

@@ -104,14 +104,14 @@ wheels = [
 
 [[package]]
 name = "argon2-cffi"
-version = "23.1.0"
+version = "25.1.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "argon2-cffi-bindings" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/31/fa/57ec2c6d16ecd2ba0cf15f3c7d1c3c2e7b5fcb83555ff56d7ab10888ec8f/argon2_cffi-23.1.0.tar.gz", hash = "sha256:879c3e79a2729ce768ebb7d36d4609e3a78a4ca2ec3a9f12286ca057e3d0db08", size = 42798, upload-time = "2023-08-15T14:13:12.711Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/0e/89/ce5af8a7d472a67cc819d5d998aa8c82c5d860608c4db9f46f1162d7dab9/argon2_cffi-25.1.0.tar.gz", hash = "sha256:694ae5cc8a42f4c4e2bf2ca0e64e51e23a040c6a517a85074683d3959e1346c1", size = 45706, upload-time = "2025-06-03T06:55:32.073Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a4/6a/e8a041599e78b6b3752da48000b14c8d1e8a04ded09c88c714ba047f34f5/argon2_cffi-23.1.0-py3-none-any.whl", hash = "sha256:c670642b78ba29641818ab2e68bd4e6a78ba53b7eff7b4c3815ae16abf91c7ea", size = 15124, upload-time = "2023-08-15T14:13:10.752Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/d3/a8b22fa575b297cd6e3e3b0155c7e25db170edf1c74783d6a31a2490b8d9/argon2_cffi-25.1.0-py3-none-any.whl", hash = "sha256:fdc8b074db390fccb6eb4a3604ae7231f219aa669a2652e0f20e16ba513d5741", size = 14657, upload-time = "2025-06-03T06:55:30.804Z" },
 ]
 
 [[package]]
@@ -164,7 +164,7 @@ wheels = [
 
 [[package]]
 name = "authentik"
-version = "2025.4.1"
+version = "2025.6.0"
 source = { editable = "." }
 dependencies = [
     { name = "argon2-cffi" },
@@ -265,8 +265,8 @@ dev = [
 
 [package.metadata]
 requires-dist = [
-    { name = "argon2-cffi", specifier = "==23.1.0" },
-    { name = "celery", specifier = "==5.5.2" },
+    { name = "argon2-cffi", specifier = "==25.1.0" },
+    { name = "celery", specifier = "==5.5.3" },
     { name = "channels", specifier = "==4.2.2" },
     { name = "channels-redis", specifier = "==4.2.1" },
     { name = "cryptography", specifier = "==45.0.3" },
@@ -295,7 +295,7 @@ requires-dist = [
     { name = "flower", specifier = "==2.0.1" },
     { name = "geoip2", specifier = "==5.1.0" },
     { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.170.0" },
+    { name = "google-api-python-client", specifier = "==2.171.0" },
     { name = "gssapi", specifier = "==1.9.0" },
     { name = "gunicorn", specifier = "==23.0.0" },
     { name = "jsonpatch", specifier = "==1.33" },
@@ -303,7 +303,7 @@ requires-dist = [
     { name = "kubernetes", specifier = "==32.0.1" },
     { name = "ldap3", specifier = "==2.9.1" },
     { name = "lxml", specifier = "==5.4.0" },
-    { name = "msgraph-sdk", specifier = "==1.31.0" },
+    { name = "msgraph-sdk", specifier = "==1.32.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==25.0" },
     { name = "paramiko", specifier = "==3.5.1" },
@@ -319,14 +319,14 @@ requires-dist = [
     { name = "sentry-sdk", specifier = "==2.29.1" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.6" },
-    { name = "structlog", specifier = "==25.3.0" },
+    { name = "structlog", specifier = "==25.4.0" },
     { name = "swagger-spec-validator", specifier = "==3.0.4" },
     { name = "tenant-schemas-celery", specifier = "==4.0.1" },
-    { name = "twilio", specifier = "==9.6.1" },
+    { name = "twilio", specifier = "==9.6.2" },
     { name = "ua-parser", specifier = "==1.0.1" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.2" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.3" },
     { name = "watchdog", specifier = "==6.0.0" },
     { name = "webauthn", specifier = "==2.5.2" },
     { name = "wsproto", specifier = "==1.2.0" },
@@ -645,7 +645,7 @@ wheels = [
 
 [[package]]
 name = "celery"
-version = "5.5.2"
+version = "5.5.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "billiard" },
@@ -657,9 +657,9 @@ dependencies = [
     { name = "python-dateutil" },
     { name = "vine" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/bf/03/5d9c6c449248958f1a5870e633a29d7419ff3724c452a98ffd22688a1a6a/celery-5.5.2.tar.gz", hash = "sha256:4d6930f354f9d29295425d7a37261245c74a32807c45d764bedc286afd0e724e", size = 1666892, upload-time = "2025-04-25T20:10:04.695Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/bb/7d/6c289f407d219ba36d8b384b42489ebdd0c84ce9c413875a8aae0c85f35b/celery-5.5.3.tar.gz", hash = "sha256:6c972ae7968c2b5281227f01c3a3f984037d21c5129d07bf3550cc2afc6b10a5", size = 1667144, upload-time = "2025-06-01T11:08:12.563Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/04/94/8e825ac1cf59d45d20c4345d4461e6b5263ae475f708d047c3dad0ac6401/celery-5.5.2-py3-none-any.whl", hash = "sha256:54425a067afdc88b57cd8d94ed4af2ffaf13ab8c7680041ac2c4ac44357bdf4c", size = 438626, upload-time = "2025-04-25T20:10:01.383Z" },
+    { url = "https://files.pythonhosted.org/packages/c9/af/0dcccc7fdcdf170f9a1585e5e96b6fb0ba1749ef6be8c89a6202284759bd/celery-5.5.3-py3-none-any.whl", hash = "sha256:0b5761a07057acee94694464ca482416b959568904c9dfa41ce8413a7d65d525", size = 438775, upload-time = "2025-06-01T11:08:09.94Z" },
 ]
 
 [[package]]
@@ -1397,7 +1397,7 @@ wheels = [
 
 [[package]]
 name = "google-api-python-client"
-version = "2.170.0"
+version = "2.171.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "google-api-core" },
@@ -1406,10 +1406,7 @@ dependencies = [
     { name = "httplib2" },
     { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/db/86/1bd09aea2664a46bc65713cb7876381ec8949a4b1e71be97dfc359c79781/google_api_python_client-2.170.0.tar.gz", hash = "sha256:75f3a1856f11418ea3723214e0abc59d9b217fd7ed43dcf743aab7f06ab9e2b1", size = 12971933, upload-time = "2025-05-22T20:39:52.802Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/ca/ab/928fb4551ce9c791de96b0681924d46de9a5b50931394fd19850383a08a1/google_api_python_client-2.170.0-py3-none-any.whl", hash = "sha256:7bf518a0527ad23322f070fa69f4f24053170d5c766821dc970ff0571ec22748", size = 13490660, upload-time = "2025-05-22T20:39:49.834Z" },
-]
+sdist = { url = "https://files.pythonhosted.org/packages/35/99/237cd2510aecca9fabb54007e58553274cc43cb3c18512ee1ea574d11b87/google_api_python_client-2.171.0.tar.gz", hash = "sha256:057a5c08d28463c6b9eb89746355de5f14b7ed27a65c11fdbf1d06c66bb66b23", size = 13028937, upload-time = "2025-06-03T18:57:38.732Z" }
 
 [[package]]
 name = "google-auth"
@@ -2066,7 +2063,7 @@ wheels = [
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.31.0"
+version = "1.32.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "azure-identity" },
@@ -2076,9 +2073,9 @@ dependencies = [
     { name = "microsoft-kiota-serialization-text" },
     { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d3/1c/5afdf21f92840c7029f0fdb6c2ead7373b1fcdc3c4279fe556a2fc3702a2/msgraph_sdk-1.31.0.tar.gz", hash = "sha256:7ae5f29152251f61c1fc19cca6389dd03b0120b179ddf39d8ab8cdfed7952dba", size = 6626610, upload-time = "2025-05-20T13:15:08.062Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e0/2a/a5d67f631f8a0a9daa9059eed0f6703002efdf75f1d7575a289e23aceb5e/msgraph_sdk-1.32.0.tar.gz", hash = "sha256:485b25420ec4b3bf9c9d7abea166f9c51da99d9aad1bd57c191f84569af35143", size = 6628831, upload-time = "2025-06-03T18:22:21.526Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d9/b9/099b28478575126ec26bd61ff0931fb291263ac813afb8baf4b4cc30c6fc/msgraph_sdk-1.31.0-py3-none-any.whl", hash = "sha256:bb2edfe17c377f37bbf2e155fc915171763d49e1cf93b665bafd721a85220dc5", size = 27185846, upload-time = "2025-05-20T13:15:05.307Z" },
+    { url = "https://files.pythonhosted.org/packages/b9/59/7e0f170611eb1a213940816703522ecca47ddffc149ef8e001e4789ddf13/msgraph_sdk-1.32.0-py3-none-any.whl", hash = "sha256:d1256f1669706c2703963ef0103470ce7a1b8a06f555506fc6b5f1069847877b", size = 27190465, upload-time = "2025-06-03T18:22:18.944Z" },
 ]
 
 [[package]]
@@ -3076,11 +3073,11 @@ wheels = [
 
 [[package]]
 name = "structlog"
-version = "25.3.0"
+version = "25.4.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/ff/6a/b0b6d440e429d2267076c4819300d9929563b1da959cf1f68afbcd69fe45/structlog-25.3.0.tar.gz", hash = "sha256:8dab497e6f6ca962abad0c283c46744185e0c9ba900db52a423cb6db99f7abeb", size = 1367514, upload-time = "2025-04-25T16:00:39.167Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/79/b9/6e672db4fec07349e7a8a8172c1a6ae235c58679ca29c3f86a61b5e59ff3/structlog-25.4.0.tar.gz", hash = "sha256:186cd1b0a8ae762e29417095664adf1d6a31702160a46dacb7796ea82f7409e4", size = 1369138, upload-time = "2025-06-02T08:21:12.971Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f5/52/7a2c7a317b254af857464da3d60a0d3730c44f912f8c510c76a738a207fd/structlog-25.3.0-py3-none-any.whl", hash = "sha256:a341f5524004c158498c3127eecded091eb67d3a611e7a3093deca30db06e172", size = 68240, upload-time = "2025-04-25T16:00:37.295Z" },
+    { url = "https://files.pythonhosted.org/packages/a0/4a/97ee6973e3a73c74c8120d59829c3861ea52210667ec3e7a16045c62b64d/structlog-25.4.0-py3-none-any.whl", hash = "sha256:fe809ff5c27e557d14e613f45ca441aabda051d119ee5a0102aaba6ce40eed2c", size = 68720, upload-time = "2025-06-02T08:21:11.43Z" },
 ]
 
 [[package]]
@@ -3161,7 +3158,7 @@ wheels = [
 
 [[package]]
 name = "twilio"
-version = "9.6.1"
+version = "9.6.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aiohttp" },
@@ -3169,9 +3166,9 @@ dependencies = [
     { name = "pyjwt" },
     { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/95/78/453ff0d35442c53490c22d077f580684a2352846c721d3e01f4c6dfa85bd/twilio-9.6.1.tar.gz", hash = "sha256:bb80b31d4d9e55c33872efef7fb99373149ed4093f21c56cf582797da45862f5", size = 987002, upload-time = "2025-05-13T09:56:55.183Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fa/c9/441a07f6552f2b504812501d56c41bd85b02afeef6c23ab8baf41ed6c70e/twilio-9.6.2.tar.gz", hash = "sha256:5da13bb497e39ece34cb9f2b3bc911f3288928612748f7688b3bda262c2767a1", size = 1041300, upload-time = "2025-05-29T12:25:04.59Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/02/f4/36fe2566a3ad7f71a89fd28ea2ebb6b2aa05c3a4d5a55b3ca6c358768c6b/twilio-9.6.1-py2.py3-none-any.whl", hash = "sha256:441fdab61b9a204eef770368380b962cbf08dc0fe9f757fe4b1d63ced37ddeed", size = 1859407, upload-time = "2025-05-13T09:56:53.094Z" },
+    { url = "https://files.pythonhosted.org/packages/67/91/382e83e5d205a7ae4325b66d40cd2fa6ce85526f2ed8fc553265e19abbe4/twilio-9.6.2-py2.py3-none-any.whl", hash = "sha256:8d4af6f42850734a921857df42940f7fed84e3e4a508d0d6bef5b9fb7dc08357", size = 1909253, upload-time = "2025-05-29T12:25:02.521Z" },
 ]
 
 [[package]]
@@ -3301,15 +3298,15 @@ socks = [
 
 [[package]]
 name = "uvicorn"
-version = "0.34.2"
+version = "0.34.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "click" },
     { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a6/ae/9bbb19b9e1c450cf9ecaef06463e40234d98d95bf572fab11b4f19ae5ded/uvicorn-0.34.2.tar.gz", hash = "sha256:0e929828f6186353a80b58ea719861d2629d766293b6d19baf086ba31d4f3328", size = 76815, upload-time = "2025-04-19T06:02:50.101Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/de/ad/713be230bcda622eaa35c28f0d328c3675c371238470abdea52417f17a8e/uvicorn-0.34.3.tar.gz", hash = "sha256:35919a9a979d7a59334b6b10e05d77c1d0d574c50e0fc98b8b1a0f165708b55a", size = 76631, upload-time = "2025-06-01T07:48:17.531Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b1/4b/4cef6ce21a2aaca9d852a6e84ef4f135d99fcd74fa75105e2fc0c8308acd/uvicorn-0.34.2-py3-none-any.whl", hash = "sha256:deb49af569084536d269fe0a6d67e3754f104cf03aba7c11c40f01aadf33c403", size = 62483, upload-time = "2025-04-19T06:02:48.42Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/0d/8adfeaa62945f90d19ddc461c55f4a50c258af7662d34b6a3d5d1f8646f6/uvicorn-0.34.3-py3-none-any.whl", hash = "sha256:16246631db62bdfbf069b0645177d6e8a77ba950cfedbfd093acef9444e4d885", size = 62431, upload-time = "2025-06-01T07:48:15.664Z" },
 ]
 
 [package.optional-dependencies]

web/package-lock.json

@@ -22,7 +22,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.7.11",
                 "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2025.4.1-1748431399",
+                "@goauthentik/api": "^2025.4.1-1748622869",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
                 "@lit/reactive-element": "^2.0.4",
@@ -31,7 +31,7 @@
                 "@open-wc/lit-helpers": "^0.7.0",
                 "@patternfly/elements": "^4.1.0",
                 "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^9.22.0",
+                "@sentry/browser": "^9.24.0",
                 "@spotlightjs/spotlight": "^2.13.3",
                 "@webcomponents/webcomponentsjs": "^2.8.0",
                 "base64-js": "^1.5.1",
@@ -104,11 +104,11 @@
                 "@wdio/spec-reporter": "^9.1.2",
                 "@web/test-runner": "^0.20.2",
                 "chromedriver": "^136.0.3",
-                "esbuild": "^0.25.4",
+                "esbuild": "^0.25.5",
                 "esbuild-plugin-copy": "^2.1.1",
                 "esbuild-plugin-polyfill-node": "^0.3.0",
                 "esbuild-plugins-node-modules-polyfill": "^1.7.0",
-                "eslint": "^9.11.1",
+                "eslint": "^9.28.0",
                 "eslint-plugin-lit": "^2.1.1",
                 "eslint-plugin-wc": "^3.0.1",
                 "github-slugger": "^2.0.0",
@@ -123,7 +123,7 @@
                 "storybook-addon-mock": "^5.0.0",
                 "turnstile-types": "^1.2.3",
                 "typescript": "^5.8.3",
-                "typescript-eslint": "^8.32.1",
+                "typescript-eslint": "^8.33.0",
                 "vite-plugin-lit-css": "^2.0.0",
                 "vite-tsconfig-paths": "^5.0.1",
                 "wireit": "^0.14.12"
@@ -1025,9 +1025,9 @@
             }
         },
         "node_modules/@esbuild/aix-ppc64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.4.tgz",
-            "integrity": "sha512-1VCICWypeQKhVbE9oW/sJaAmjLxhVqacdkvPLEjwlttjfwENRSClS8EjBz0KzRyFSCPDIkuXW34Je/vk7zdB7Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.5.tgz",
+            "integrity": "sha512-9o3TMmpmftaCMepOdA5k/yDw8SfInyzWWTjYTFCX3kPSDJMROQTb8jg+h9Cnwnmm1vOzvxN7gIfB5V2ewpjtGA==",
             "cpu": [
                 "ppc64"
             ],
@@ -1042,9 +1042,9 @@
             }
         },
         "node_modules/@esbuild/android-arm": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.4.tgz",
-            "integrity": "sha512-QNdQEps7DfFwE3hXiU4BZeOV68HHzYwGd0Nthhd3uCkkEKK7/R6MTgM0P7H7FAs5pU/DIWsviMmEGxEoxIZ+ZQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.5.tgz",
+            "integrity": "sha512-AdJKSPeEHgi7/ZhuIPtcQKr5RQdo6OO2IL87JkianiMYMPbCtot9fxPbrMiBADOWWm3T2si9stAiVsGbTQFkbA==",
             "cpu": [
                 "arm"
             ],
@@ -1059,9 +1059,9 @@
             }
         },
         "node_modules/@esbuild/android-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.4.tgz",
-            "integrity": "sha512-bBy69pgfhMGtCnwpC/x5QhfxAz/cBgQ9enbtwjf6V9lnPI/hMyT9iWpR1arm0l3kttTr4L0KSLpKmLp/ilKS9A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.5.tgz",
+            "integrity": "sha512-VGzGhj4lJO+TVGV1v8ntCZWJktV7SGCs3Pn1GRWI1SBFtRALoomm8k5E9Pmwg3HOAal2VDc2F9+PM/rEY6oIDg==",
             "cpu": [
                 "arm64"
             ],
@@ -1076,9 +1076,9 @@
             }
         },
         "node_modules/@esbuild/android-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.4.tgz",
-            "integrity": "sha512-TVhdVtQIFuVpIIR282btcGC2oGQoSfZfmBdTip2anCaVYcqWlZXGcdcKIUklfX2wj0JklNYgz39OBqh2cqXvcQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.5.tgz",
+            "integrity": "sha512-D2GyJT1kjvO//drbRT3Hib9XPwQeWd9vZoBJn+bu/lVsOZ13cqNdDeqIF/xQ5/VmWvMduP6AmXvylO/PIc2isw==",
             "cpu": [
                 "x64"
             ],
@@ -1093,9 +1093,9 @@
             }
         },
         "node_modules/@esbuild/darwin-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.4.tgz",
-            "integrity": "sha512-Y1giCfM4nlHDWEfSckMzeWNdQS31BQGs9/rouw6Ub91tkK79aIMTH3q9xHvzH8d0wDru5Ci0kWB8b3up/nl16g==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.5.tgz",
+            "integrity": "sha512-GtaBgammVvdF7aPIgH2jxMDdivezgFu6iKpmT+48+F8Hhg5J/sfnDieg0aeG/jfSvkYQU2/pceFPDKlqZzwnfQ==",
             "cpu": [
                 "arm64"
             ],
@@ -1109,9 +1109,9 @@
             }
         },
         "node_modules/@esbuild/darwin-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.4.tgz",
-            "integrity": "sha512-CJsry8ZGM5VFVeyUYB3cdKpd/H69PYez4eJh1W/t38vzutdjEjtP7hB6eLKBoOdxcAlCtEYHzQ/PJ/oU9I4u0A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.5.tgz",
+            "integrity": "sha512-1iT4FVL0dJ76/q1wd7XDsXrSW+oLoquptvh4CLR4kITDtqi2e/xwXwdCVH8hVHU43wgJdsq7Gxuzcs6Iq/7bxQ==",
             "cpu": [
                 "x64"
             ],
@@ -1126,9 +1126,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-yYq+39NlTRzU2XmoPW4l5Ifpl9fqSk0nAJYM/V/WUGPEFfek1epLHJIkTQM6bBs1swApjO5nWgvr843g6TjxuQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-nk4tGP3JThz4La38Uy/gzyXtpkPW8zSAmoUhK9xKKXdBCzKODMc2adkB2+8om9BDYugz+uGV7sLmpTYzvmz6Sw==",
             "cpu": [
                 "arm64"
             ],
@@ -1143,9 +1143,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.4.tgz",
-            "integrity": "sha512-0FgvOJ6UUMflsHSPLzdfDnnBBVoCDtBTVyn/MrWloUNvq/5SFmh13l3dvgRPkDihRxb77Y17MbqbCAa2strMQQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.5.tgz",
+            "integrity": "sha512-PrikaNjiXdR2laW6OIjlbeuCPrPaAl0IwPIaRv+SMV8CiM8i2LqVUHFC1+8eORgWyY7yhQY+2U2fA55mBzReaw==",
             "cpu": [
                 "x64"
             ],
@@ -1160,9 +1160,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.4.tgz",
-            "integrity": "sha512-kro4c0P85GMfFYqW4TWOpvmF8rFShbWGnrLqlzp4X1TNWjRY3JMYUfDCtOxPKOIY8B0WC8HN51hGP4I4hz4AaQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.5.tgz",
+            "integrity": "sha512-cPzojwW2okgh7ZlRpcBEtsX7WBuqbLrNXqLU89GxWbNt6uIg78ET82qifUy3W6OVww6ZWobWub5oqZOVtwolfw==",
             "cpu": [
                 "arm"
             ],
@@ -1177,9 +1177,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.4.tgz",
-            "integrity": "sha512-+89UsQTfXdmjIvZS6nUnOOLoXnkUTB9hR5QAeLrQdzOSWZvNSAXAtcRDHWtqAUtAmv7ZM1WPOOeSxDzzzMogiQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.5.tgz",
+            "integrity": "sha512-Z9kfb1v6ZlGbWj8EJk9T6czVEjjq2ntSYLY2cw6pAZl4oKtfgQuS4HOq41M/BcoLPzrUbNd+R4BXFyH//nHxVg==",
             "cpu": [
                 "arm64"
             ],
@@ -1193,9 +1193,9 @@
             }
         },
         "node_modules/@esbuild/linux-ia32": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.4.tgz",
-            "integrity": "sha512-yTEjoapy8UP3rv8dB0ip3AfMpRbyhSN3+hY8mo/i4QXFeDxmiYbEKp3ZRjBKcOP862Ua4b1PDfwlvbuwY7hIGQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.5.tgz",
+            "integrity": "sha512-sQ7l00M8bSv36GLV95BVAdhJ2QsIbCuCjh/uYrWiMQSUuV+LpXwIqhgJDcvMTj+VsQmqAHL2yYaasENvJ7CDKA==",
             "cpu": [
                 "ia32"
             ],
@@ -1210,9 +1210,9 @@
             }
         },
         "node_modules/@esbuild/linux-loong64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.4.tgz",
-            "integrity": "sha512-NeqqYkrcGzFwi6CGRGNMOjWGGSYOpqwCjS9fvaUlX5s3zwOtn1qwg1s2iE2svBe4Q/YOG1q6875lcAoQK/F4VA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.5.tgz",
+            "integrity": "sha512-0ur7ae16hDUC4OL5iEnDb0tZHDxYmuQyhKhsPBV8f99f6Z9KQM02g33f93rNH5A30agMS46u2HP6qTdEt6Q1kg==",
             "cpu": [
                 "loong64"
             ],
@@ -1227,9 +1227,9 @@
             }
         },
         "node_modules/@esbuild/linux-mips64el": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.4.tgz",
-            "integrity": "sha512-IcvTlF9dtLrfL/M8WgNI/qJYBENP3ekgsHbYUIzEzq5XJzzVEV/fXY9WFPfEEXmu3ck2qJP8LG/p3Q8f7Zc2Xg==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.5.tgz",
+            "integrity": "sha512-kB/66P1OsHO5zLz0i6X0RxlQ+3cu0mkxS3TKFvkb5lin6uwZ/ttOkP3Z8lfR9mJOBk14ZwZ9182SIIWFGNmqmg==",
             "cpu": [
                 "mips64el"
             ],
@@ -1244,9 +1244,9 @@
             }
         },
         "node_modules/@esbuild/linux-ppc64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.4.tgz",
-            "integrity": "sha512-HOy0aLTJTVtoTeGZh4HSXaO6M95qu4k5lJcH4gxv56iaycfz1S8GO/5Jh6X4Y1YiI0h7cRyLi+HixMR+88swag==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.5.tgz",
+            "integrity": "sha512-UZCmJ7r9X2fe2D6jBmkLBMQetXPXIsZjQJCjgwpVDz+YMcS6oFR27alkgGv3Oqkv07bxdvw7fyB71/olceJhkQ==",
             "cpu": [
                 "ppc64"
             ],
@@ -1261,9 +1261,9 @@
             }
         },
         "node_modules/@esbuild/linux-riscv64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.4.tgz",
-            "integrity": "sha512-i8JUDAufpz9jOzo4yIShCTcXzS07vEgWzyX3NH2G7LEFVgrLEhjwL3ajFE4fZI3I4ZgiM7JH3GQ7ReObROvSUA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.5.tgz",
+            "integrity": "sha512-kTxwu4mLyeOlsVIFPfQo+fQJAV9mh24xL+y+Bm6ej067sYANjyEw1dNHmvoqxJUCMnkBdKpvOn0Ahql6+4VyeA==",
             "cpu": [
                 "riscv64"
             ],
@@ -1278,9 +1278,9 @@
             }
         },
         "node_modules/@esbuild/linux-s390x": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.4.tgz",
-            "integrity": "sha512-jFnu+6UbLlzIjPQpWCNh5QtrcNfMLjgIavnwPQAfoGx4q17ocOU9MsQ2QVvFxwQoWpZT8DvTLooTvmOQXkO51g==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.5.tgz",
+            "integrity": "sha512-K2dSKTKfmdh78uJ3NcWFiqyRrimfdinS5ErLSn3vluHNeHVnBAFWC8a4X5N+7FgVE1EjXS1QDZbpqZBjfrqMTQ==",
             "cpu": [
                 "s390x"
             ],
@@ -1295,9 +1295,9 @@
             }
         },
         "node_modules/@esbuild/linux-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.4.tgz",
-            "integrity": "sha512-6e0cvXwzOnVWJHq+mskP8DNSrKBr1bULBvnFLpc1KY+d+irZSgZ02TGse5FsafKS5jg2e4pbvK6TPXaF/A6+CA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.5.tgz",
+            "integrity": "sha512-uhj8N2obKTE6pSZ+aMUbqq+1nXxNjZIIjCjGLfsWvVpy7gKCOL6rsY1MhRh9zLtUtAI7vpgLMK6DxjO8Qm9lJw==",
             "cpu": [
                 "x64"
             ],
@@ -1311,9 +1311,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-vUnkBYxZW4hL/ie91hSqaSNjulOnYXE1VSLusnvHg2u3jewJBz3YzB9+oCw8DABeVqZGg94t9tyZFoHma8gWZQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-pwHtMP9viAy1oHPvgxtOv+OkduK5ugofNTVDilIzBLpoWAM16r7b/mxBvfpuQDpRQFMfuVr5aLcn4yveGvBZvw==",
             "cpu": [
                 "arm64"
             ],
@@ -1328,9 +1328,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.4.tgz",
-            "integrity": "sha512-XAg8pIQn5CzhOB8odIcAm42QsOfa98SBeKUdo4xa8OvX8LbMZqEtgeWE9P/Wxt7MlG2QqvjGths+nq48TrUiKw==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.5.tgz",
+            "integrity": "sha512-WOb5fKrvVTRMfWFNCroYWWklbnXH0Q5rZppjq0vQIdlsQKuw6mdSihwSo4RV/YdQ5UCKKvBy7/0ZZYLBZKIbwQ==",
             "cpu": [
                 "x64"
             ],
@@ -1345,9 +1345,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-Ct2WcFEANlFDtp1nVAXSNBPDxyU+j7+tId//iHXU2f/lN5AmO4zLyhDcpR5Cz1r08mVxzt3Jpyt4PmXQ1O6+7A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-7A208+uQKgTxHd0G0uqZO8UjK2R0DDb4fDmERtARjSHWxqMTye4Erz4zZafx7Di9Cv+lNHYuncAkiGFySoD+Mw==",
             "cpu": [
                 "arm64"
             ],
@@ -1362,9 +1362,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.4.tgz",
-            "integrity": "sha512-xAGGhyOQ9Otm1Xu8NT1ifGLnA6M3sJxZ6ixylb+vIUVzvvd6GOALpwQrYrtlPouMqd/vSbgehz6HaVk4+7Afhw==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.5.tgz",
+            "integrity": "sha512-G4hE405ErTWraiZ8UiSoesH8DaCsMm0Cay4fsFWOOUcz8b8rC6uCvnagr+gnioEjWn0wC+o1/TAHt+It+MpIMg==",
             "cpu": [
                 "x64"
             ],
@@ -1379,9 +1379,9 @@
             }
         },
         "node_modules/@esbuild/sunos-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.4.tgz",
-            "integrity": "sha512-Mw+tzy4pp6wZEK0+Lwr76pWLjrtjmJyUB23tHKqEDP74R3q95luY/bXqXZeYl4NYlvwOqoRKlInQialgCKy67Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.5.tgz",
+            "integrity": "sha512-l+azKShMy7FxzY0Rj4RCt5VD/q8mG/e+mDivgspo+yL8zW7qEwctQ6YqKX34DTEleFAvCIUviCFX1SDZRSyMQA==",
             "cpu": [
                 "x64"
             ],
@@ -1396,9 +1396,9 @@
             }
         },
         "node_modules/@esbuild/win32-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.4.tgz",
-            "integrity": "sha512-AVUP428VQTSddguz9dO9ngb+E5aScyg7nOeJDrF1HPYu555gmza3bDGMPhmVXL8svDSoqPCsCPjb265yG/kLKQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.5.tgz",
+            "integrity": "sha512-O2S7SNZzdcFG7eFKgvwUEZ2VG9D/sn/eIiz8XRZ1Q/DO5a3s76Xv0mdBzVM5j5R639lXQmPmSo0iRpHqUUrsxw==",
             "cpu": [
                 "arm64"
             ],
@@ -1413,9 +1413,9 @@
             }
         },
         "node_modules/@esbuild/win32-ia32": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.4.tgz",
-            "integrity": "sha512-i1sW+1i+oWvQzSgfRcxxG2k4I9n3O9NRqy8U+uugaT2Dy7kLO9Y7wI72haOahxceMX8hZAzgGou1FhndRldxRg==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.5.tgz",
+            "integrity": "sha512-onOJ02pqs9h1iMJ1PQphR+VZv8qBMQ77Klcsqv9CNW2w6yLqoURLcgERAIurY6QE63bbLuqgP9ATqajFLK5AMQ==",
             "cpu": [
                 "ia32"
             ],
@@ -1430,9 +1430,9 @@
             }
         },
         "node_modules/@esbuild/win32-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.4.tgz",
-            "integrity": "sha512-nOT2vZNw6hJ+z43oP1SPea/G/6AbN6X+bGNhNuq8NtRHy4wsMhw765IKLNmnjek7GvjWBYQ8Q5VBoYTFg9y1UQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.5.tgz",
+            "integrity": "sha512-TXv6YnJ8ZMVdX+SXWVBo/0p8LTcrUYngpWjvm91TMjjBQii7Oz11Lw5lbDV5Y0TzuhSJHwiH4hEtC1I42mMS0g==",
             "cpu": [
                 "x64"
             ],
@@ -1599,9 +1599,9 @@
             }
         },
         "node_modules/@eslint/js": {
-            "version": "9.27.0",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.27.0.tgz",
-            "integrity": "sha512-G5JD9Tu5HJEu4z2Uo4aHY2sLV64B7CDMXxFzqzjl3NKd6RVzSXNoE80jk7Y0lJkTTkjiIhBAqmlYwjuBY3tvpA==",
+            "version": "9.28.0",
+            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz",
+            "integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -1721,9 +1721,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2025.4.1-1748431399",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.4.1-1748431399.tgz",
-            "integrity": "sha512-j4ygP36DXqzBCFi3v8KWFLPLUmV616POZb8zx35RaCskuZ5BFNDaArLDtGHvCkEV3qJouR2w43hD4cX18BFIQw=="
+            "version": "2025.4.1-1748622869",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.4.1-1748622869.tgz",
+            "integrity": "sha512-nH7+dQVA5yPoR4x0g3mct+M9VCwkBh/7ginUTwzb9O+Fj7HHGeAk/4xFC7Zy1oc6CIOHZbSMrOM5EdkEKE18Og=="
         },
         "node_modules/@goauthentik/core": {
             "resolved": "packages/core",
@@ -4470,75 +4470,75 @@
             "dev": true
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.22.0.tgz",
-            "integrity": "sha512-Ou1tBnVxFAIn8i9gvrWzRotNJQYiu3awNXpsFCw6qFwmiKAVPa6b13vCdolhXnrIiuR77jY1LQnKh9hXpoRzsg==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.24.0.tgz",
+            "integrity": "sha512-fWIrHyui8KKufnbqhGyDvvr+u9wiOEEzxXEjs/CKp+6fa+jej6Mk8K+su1f/mz7R3HVzhxvht/gZ+y193uK4qw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.22.0"
+                "@sentry/core": "9.24.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/feedback": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.22.0.tgz",
-            "integrity": "sha512-zgMVkoC61fgi41zLcSZA59vOtKxcLrKBo1ECYhPD1hxEaneNqY5fhXDwlQBw96P5l2yqkgfX6YZtSdU4ejI9yA==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.24.0.tgz",
+            "integrity": "sha512-Z9jQqKzRppwAEqiytLWNV8JOo52vlxcSGz52FjKx3KXG75PXwk0M3sBXh762WoGLisUIRLTp8LOk6304L/O8dg==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.22.0"
+                "@sentry/core": "9.24.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.22.0.tgz",
-            "integrity": "sha512-9GOycoKbrclcRXfcbNV8svbmAsOS5R4wXBQmKF4pFLkmFA/lJv9kdZSNYkRvkrxdNfbMIJXP+DV9EqTZcryXig==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.24.0.tgz",
+            "integrity": "sha512-312wMPeQI8K2vO/lA/CF6Uv5UReoZC7RarsNUJEoOKa9Bq1BXWUq929oTHzu/2NDv194H2u3eqSGsSp6xiuKTw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.22.0",
-                "@sentry/core": "9.22.0"
+                "@sentry-internal/browser-utils": "9.24.0",
+                "@sentry/core": "9.24.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.22.0.tgz",
-            "integrity": "sha512-EcG9IMSEalFe49kowBTJObWjof/iHteDwpyuAszsFDdQUYATrVUtwpwN7o52vDYWJud4arhjrQnMamIGxa79eQ==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.24.0.tgz",
+            "integrity": "sha512-506RdDF6iE8hMyzpzp9Vc0GM7kELxxs7UCoi/6KpvXFftcydWI3S2bru8dEZsxVoKh2hdle6SpbNgl+iPI0DSQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "9.22.0",
-                "@sentry/core": "9.22.0"
+                "@sentry-internal/replay": "9.24.0",
+                "@sentry/core": "9.24.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.22.0.tgz",
-            "integrity": "sha512-3TeRm74dvX0JdjX0AgkQa+22iUHwHnY+Q6M05NZ+tDeCNHGK/mEBTeqquS1oQX67jWyuvYmG3VV6RJUxtG9Paw==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.24.0.tgz",
+            "integrity": "sha512-RP+27/owvIqD4J0TibIHK1UcA7iObxLOXBEilDKjaJOZMLhv3JkpU8A+UI9pFzEYqeIGVDDaBzYgbCHrLWcoCA==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.22.0",
-                "@sentry-internal/feedback": "9.22.0",
-                "@sentry-internal/replay": "9.22.0",
-                "@sentry-internal/replay-canvas": "9.22.0",
-                "@sentry/core": "9.22.0"
+                "@sentry-internal/browser-utils": "9.24.0",
+                "@sentry-internal/feedback": "9.24.0",
+                "@sentry-internal/replay": "9.24.0",
+                "@sentry-internal/replay-canvas": "9.24.0",
+                "@sentry/core": "9.24.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/core": {
-            "version": "9.22.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.22.0.tgz",
-            "integrity": "sha512-ixvtKmPF42Y6ckGUbFlB54OWI75H2gO5UYHojO6eXFpS7xO3ZGgV/QH6wb40mWK+0w5XZ0233FuU9VpsuE6mKA==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.24.0.tgz",
+            "integrity": "sha512-uRWrB4Y49ZOWcDLCXqdjd2Fs6Onill0GQI+JgXMw7wa+i03+QRiQvUAUyde8O62jR4dvP3GDo9PDWnDNhi3z5A==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
@@ -7328,17 +7328,17 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.32.1.tgz",
-            "integrity": "sha512-6u6Plg9nP/J1GRpe/vcjjabo6Uc5YQPAMxsgQyGC/I0RuukiG1wIe3+Vtg3IrSCVJDmqK3j8adrtzXSENRtFgg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.0.tgz",
+            "integrity": "sha512-CACyQuqSHt7ma3Ns601xykeBK/rDeZa3w6IS6UtMQbixO5DWy+8TilKkviGDH6jtWCo8FGRKEK5cLLkPvEammQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/type-utils": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/type-utils": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "graphemer": "^1.4.0",
                 "ignore": "^7.0.0",
                 "natural-compare": "^1.4.0",
@@ -7352,7 +7352,7 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "@typescript-eslint/parser": "^8.0.0 || ^8.0.0-alpha.0",
+                "@typescript-eslint/parser": "^8.33.0",
                 "eslint": "^8.57.0 || ^9.0.0",
                 "typescript": ">=4.8.4 <5.9.0"
             }
@@ -7368,16 +7368,16 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.32.1.tgz",
-            "integrity": "sha512-LKMrmwCPoLhM45Z00O1ulb6jwyVr2kr3XJp+G+tSEZcbauNnScewcQwtJqXDhXeYPDEjZ8C1SjXm015CirEmGg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.0.tgz",
+            "integrity": "sha512-JaehZvf6m0yqYp34+RVnihBAChkqeH+tqqhS0GuX1qgPpwLvmTPheKEs6OeCK6hVJgXZHJ2vbjnC9j119auStQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/typescript-estree": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -7392,15 +7392,16 @@
                 "typescript": ">=4.8.4 <5.9.0"
             }
         },
-        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.32.1.tgz",
-            "integrity": "sha512-7IsIaIDeZn7kffk7qXC3o6Z4UblZJKV3UBpkvRNpr5NSyLji7tvTcvmnMNYuYLyh26mN8W723xpo3i4MlD33vA==",
+        "node_modules/@typescript-eslint/project-service": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.0.tgz",
+            "integrity": "sha512-d1hz0u9l6N+u/gcrk6s6gYdl7/+pp8yHheRTqP6X5hVDKALEaTn8WfGiit7G511yueBEL3OpOEpD+3/MBdoN+A==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1"
+                "@typescript-eslint/tsconfig-utils": "^8.33.0",
+                "@typescript-eslint/types": "^8.33.0",
+                "debug": "^4.3.4"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -7410,15 +7411,50 @@
                 "url": "https://opencollective.com/typescript-eslint"
             }
         },
-        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.32.1.tgz",
-            "integrity": "sha512-mv9YpQGA8iIsl5KyUPi+FGLm7+bA4fgXaeRcFKRDRwDMu4iwrSHeDPipwueNXhdIIZltwCJv+NkxftECbIZWfA==",
+        "node_modules/@typescript-eslint/scope-manager": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.0.tgz",
+            "integrity": "sha512-LMi/oqrzpqxyO72ltP+dBSP6V0xiUb4saY7WLtxSfiNEBI8m321LLVFU9/QDJxjDQG9/tjSqKz/E3380TEqSTw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0"
+            },
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            }
+        },
+        "node_modules/@typescript-eslint/tsconfig-utils": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.0.tgz",
+            "integrity": "sha512-sTkETlbqhEoiFmGr1gsdq5HyVbSOF0145SYDJ/EQmXHtKViCaGvnyLqWFFHtEXoS0J1yU8Wyou2UGmgW88fEug==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
+            }
+        },
+        "node_modules/@typescript-eslint/type-utils": {
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.0.tgz",
+            "integrity": "sha512-lScnHNCBqL1QayuSrWeqAL5GmqNdVUQAAMTaCwdYEdWfIrSrOGzyLGRCHXcCixa5NK6i5l0AfSO2oBSjCjf4XQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^2.1.0"
             },
@@ -7435,9 +7471,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.32.1.tgz",
-            "integrity": "sha512-YmybwXUJcgGqgAp6bEsgpPXEg6dcCyPyCSr0CAAueacR/CCBi25G3V8gGQ2kRzQRBNol7VQknxMs9HvVa9Rvfg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.0.tgz",
+            "integrity": "sha512-DKuXOKpM5IDT1FA2g9x9x1Ug81YuKrzf4mYX8FAVSNu5Wo/LELHWQyM1pQaDkI42bX15PWl0vNPt1uGiIFUOpg==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -7449,14 +7485,16 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.32.1.tgz",
-            "integrity": "sha512-Y3AP9EIfYwBb4kWGb+simvPaqQoT5oJuzzj9m0i6FCY6SPvlomY2Ei4UEMm7+FXtlNJbor80ximyslzaQF6xhg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.0.tgz",
+            "integrity": "sha512-vegY4FQoB6jL97Tu/lWRsAiUUp8qJTqzAmENH2k59SJhw0Th1oszb9Idq/FyyONLuNqT1OADJPXfyUNOR8SzAQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/visitor-keys": "8.32.1",
+                "@typescript-eslint/project-service": "8.33.0",
+                "@typescript-eslint/tsconfig-utils": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                 "debug": "^4.3.4",
                 "fast-glob": "^3.3.2",
                 "is-glob": "^4.0.3",
@@ -7476,16 +7514,16 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.32.1.tgz",
-            "integrity": "sha512-DsSFNIgLSrc89gpq1LJB7Hm1YpuhK086DRDJSNrewcGvYloWW1vZLHBTIvarKZDcAORIy/uWNx8Gad+4oMpkSA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.0.tgz",
+            "integrity": "sha512-lPFuQaLA9aSNa7D5u2EpRiqdAUhzShwGg/nhpBlc4GR6kcTABttCuyjFs8BcEZ8VWrjCBof/bePhP3Q3fS+Yrw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.32.1",
-                "@typescript-eslint/types": "8.32.1",
-                "@typescript-eslint/typescript-estree": "8.32.1"
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -7500,13 +7538,13 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.32.1.tgz",
-            "integrity": "sha512-ar0tjQfObzhSaW3C3QNmTc5ofj0hDoNQ5XWrCy6zDyabdr0TWhCkClp+rywGNj/odAFBVzzJrK4tEq5M4Hmu4w==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.0.tgz",
+            "integrity": "sha512-7RW7CMYoskiz5OOGAWjJFxgb7c5UNjTG292gYhWeOAcFmYCtVCSqjqSBj5zMhxbXo2JOW95YYrUWJfU0zrpaGQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.32.1",
+                "@typescript-eslint/types": "8.33.0",
                 "eslint-visitor-keys": "^4.2.0"
             },
             "engines": {
@@ -14023,9 +14061,9 @@
             }
         },
         "node_modules/esbuild": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.4.tgz",
-            "integrity": "sha512-8pgjLUcUjcgDg+2Q4NYXnPbo/vncAY4UmyaCm0jZevERqCHZIaWwdJHkf8XQtu4AxSKCdvrUbT0XUr1IdZzI8Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.5.tgz",
+            "integrity": "sha512-P8OtKZRv/5J5hhz0cUAdu/cLuPIKXpQl1R9pZtvmHWQvrAUVd0UNIPT4IB4W3rNOqVO0rlqHmCIbSwxh/c9yUQ==",
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
@@ -14036,31 +14074,31 @@
                 "node": ">=18"
             },
             "optionalDependencies": {
-                "@esbuild/aix-ppc64": "0.25.4",
-                "@esbuild/android-arm": "0.25.4",
-                "@esbuild/android-arm64": "0.25.4",
-                "@esbuild/android-x64": "0.25.4",
-                "@esbuild/darwin-arm64": "0.25.4",
-                "@esbuild/darwin-x64": "0.25.4",
-                "@esbuild/freebsd-arm64": "0.25.4",
-                "@esbuild/freebsd-x64": "0.25.4",
-                "@esbuild/linux-arm": "0.25.4",
-                "@esbuild/linux-arm64": "0.25.4",
-                "@esbuild/linux-ia32": "0.25.4",
-                "@esbuild/linux-loong64": "0.25.4",
-                "@esbuild/linux-mips64el": "0.25.4",
-                "@esbuild/linux-ppc64": "0.25.4",
-                "@esbuild/linux-riscv64": "0.25.4",
-                "@esbuild/linux-s390x": "0.25.4",
-                "@esbuild/linux-x64": "0.25.4",
-                "@esbuild/netbsd-arm64": "0.25.4",
-                "@esbuild/netbsd-x64": "0.25.4",
-                "@esbuild/openbsd-arm64": "0.25.4",
-                "@esbuild/openbsd-x64": "0.25.4",
-                "@esbuild/sunos-x64": "0.25.4",
-                "@esbuild/win32-arm64": "0.25.4",
-                "@esbuild/win32-ia32": "0.25.4",
-                "@esbuild/win32-x64": "0.25.4"
+                "@esbuild/aix-ppc64": "0.25.5",
+                "@esbuild/android-arm": "0.25.5",
+                "@esbuild/android-arm64": "0.25.5",
+                "@esbuild/android-x64": "0.25.5",
+                "@esbuild/darwin-arm64": "0.25.5",
+                "@esbuild/darwin-x64": "0.25.5",
+                "@esbuild/freebsd-arm64": "0.25.5",
+                "@esbuild/freebsd-x64": "0.25.5",
+                "@esbuild/linux-arm": "0.25.5",
+                "@esbuild/linux-arm64": "0.25.5",
+                "@esbuild/linux-ia32": "0.25.5",
+                "@esbuild/linux-loong64": "0.25.5",
+                "@esbuild/linux-mips64el": "0.25.5",
+                "@esbuild/linux-ppc64": "0.25.5",
+                "@esbuild/linux-riscv64": "0.25.5",
+                "@esbuild/linux-s390x": "0.25.5",
+                "@esbuild/linux-x64": "0.25.5",
+                "@esbuild/netbsd-arm64": "0.25.5",
+                "@esbuild/netbsd-x64": "0.25.5",
+                "@esbuild/openbsd-arm64": "0.25.5",
+                "@esbuild/openbsd-x64": "0.25.5",
+                "@esbuild/sunos-x64": "0.25.5",
+                "@esbuild/win32-arm64": "0.25.5",
+                "@esbuild/win32-ia32": "0.25.5",
+                "@esbuild/win32-x64": "0.25.5"
             }
         },
         "node_modules/esbuild-android-64": {
@@ -14709,9 +14747,9 @@
             }
         },
         "node_modules/eslint": {
-            "version": "9.27.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.27.0.tgz",
-            "integrity": "sha512-ixRawFQuMB9DZ7fjU3iGGganFDp3+45bPOdaRurcFHSXO1e/sYwUX/FtQZpLZJR6SjMoJH8hR2pPEAfDyCoU2Q==",
+            "version": "9.28.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz",
+            "integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -14721,7 +14759,7 @@
                 "@eslint/config-helpers": "^0.2.1",
                 "@eslint/core": "^0.14.0",
                 "@eslint/eslintrc": "^3.3.1",
-                "@eslint/js": "9.27.0",
+                "@eslint/js": "9.28.0",
                 "@eslint/plugin-kit": "^0.3.1",
                 "@humanfs/node": "^0.16.6",
                 "@humanwhocodes/module-importer": "^1.0.1",
@@ -25930,9 +25968,9 @@
             }
         },
         "node_modules/tar-fs": {
-            "version": "3.0.8",
-            "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.0.8.tgz",
-            "integrity": "sha512-ZoROL70jptorGAlgAYiLoBLItEKw/fUxg9BSYK/dF/GAGYFJOJJJMvjPAKDJraCXFwadD456FCuvLWgfhMsPwg==",
+            "version": "3.0.9",
+            "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.0.9.tgz",
+            "integrity": "sha512-XF4w9Xp+ZQgifKakjZYmFdkLoSWd34VGKcsTCwlNWM7QG3ZbaxnTsaBwnjFZqHRf/rROxaR8rXnbtwdvaDI+lA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
@@ -27016,15 +27054,15 @@
             }
         },
         "node_modules/typescript-eslint": {
-            "version": "8.32.1",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.32.1.tgz",
-            "integrity": "sha512-D7el+eaDHAmXvrZBy1zpzSNIRqnCOrkwTgZxTu3MUqRWk8k0q9m9Ho4+vPf7iHtgUfrK/o8IZaEApsxPlHTFCg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.0.tgz",
+            "integrity": "sha512-5YmNhF24ylCsvdNW2oJwMzTbaeO4bg90KeGtMjUw0AGtHksgEPLRTUil+coHwCfiu4QjVJFnjp94DmU6zV7DhQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.32.1",
-                "@typescript-eslint/parser": "8.32.1",
-                "@typescript-eslint/utils": "8.32.1"
+                "@typescript-eslint/eslint-plugin": "8.33.0",
+                "@typescript-eslint/parser": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -29327,7 +29365,7 @@
                 "@goauthentik/tsconfig": "^1.0.4",
                 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                 "@types/node": "^22.15.21",
-                "esbuild": "^0.25.4",
+                "esbuild": "^0.25.5",
                 "prettier": "^3.5.3",
                 "prettier-plugin-packagejson": "^2.5.14",
                 "typedoc": "^0.28.5",
@@ -29338,7 +29376,7 @@
                 "node": ">=22"
             },
             "peerDependencies": {
-                "esbuild": "^0.25.4"
+                "esbuild": "^0.25.5"
             }
         },
         "packages/esbuild-plugin-live-reload/node_modules/@types/node": {

web/package.json

@@ -93,7 +93,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.4.1-1748431399",
+        "@goauthentik/api": "^2025.4.1-1748622869",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
         "@lit/reactive-element": "^2.0.4",
@@ -102,7 +102,7 @@
         "@open-wc/lit-helpers": "^0.7.0",
         "@patternfly/elements": "^4.1.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.22.0",
+        "@sentry/browser": "^9.24.0",
         "@spotlightjs/spotlight": "^2.13.3",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
@@ -175,11 +175,11 @@
         "@wdio/spec-reporter": "^9.1.2",
         "@web/test-runner": "^0.20.2",
         "chromedriver": "^136.0.3",
-        "esbuild": "^0.25.4",
+        "esbuild": "^0.25.5",
         "esbuild-plugin-copy": "^2.1.1",
         "esbuild-plugin-polyfill-node": "^0.3.0",
         "esbuild-plugins-node-modules-polyfill": "^1.7.0",
-        "eslint": "^9.11.1",
+        "eslint": "^9.28.0",
         "eslint-plugin-lit": "^2.1.1",
         "eslint-plugin-wc": "^3.0.1",
         "github-slugger": "^2.0.0",
@@ -194,7 +194,7 @@
         "storybook-addon-mock": "^5.0.0",
         "turnstile-types": "^1.2.3",
         "typescript": "^5.8.3",
-        "typescript-eslint": "^8.32.1",
+        "typescript-eslint": "^8.33.0",
         "vite-plugin-lit-css": "^2.0.0",
         "vite-tsconfig-paths": "^5.0.1",
         "wireit": "^0.14.12"

web/packages/esbuild-plugin-live-reload/package-lock.json

@@ -147,9 +147,9 @@
             }
         },
         "node_modules/@esbuild/aix-ppc64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.4.tgz",
-            "integrity": "sha512-1VCICWypeQKhVbE9oW/sJaAmjLxhVqacdkvPLEjwlttjfwENRSClS8EjBz0KzRyFSCPDIkuXW34Je/vk7zdB7Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.5.tgz",
+            "integrity": "sha512-9o3TMmpmftaCMepOdA5k/yDw8SfInyzWWTjYTFCX3kPSDJMROQTb8jg+h9Cnwnmm1vOzvxN7gIfB5V2ewpjtGA==",
             "cpu": [
                 "ppc64"
             ],
@@ -164,9 +164,9 @@
             }
         },
         "node_modules/@esbuild/android-arm": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.4.tgz",
-            "integrity": "sha512-QNdQEps7DfFwE3hXiU4BZeOV68HHzYwGd0Nthhd3uCkkEKK7/R6MTgM0P7H7FAs5pU/DIWsviMmEGxEoxIZ+ZQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.5.tgz",
+            "integrity": "sha512-AdJKSPeEHgi7/ZhuIPtcQKr5RQdo6OO2IL87JkianiMYMPbCtot9fxPbrMiBADOWWm3T2si9stAiVsGbTQFkbA==",
             "cpu": [
                 "arm"
             ],
@@ -181,9 +181,9 @@
             }
         },
         "node_modules/@esbuild/android-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.4.tgz",
-            "integrity": "sha512-bBy69pgfhMGtCnwpC/x5QhfxAz/cBgQ9enbtwjf6V9lnPI/hMyT9iWpR1arm0l3kttTr4L0KSLpKmLp/ilKS9A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.5.tgz",
+            "integrity": "sha512-VGzGhj4lJO+TVGV1v8ntCZWJktV7SGCs3Pn1GRWI1SBFtRALoomm8k5E9Pmwg3HOAal2VDc2F9+PM/rEY6oIDg==",
             "cpu": [
                 "arm64"
             ],
@@ -198,9 +198,9 @@
             }
         },
         "node_modules/@esbuild/android-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.4.tgz",
-            "integrity": "sha512-TVhdVtQIFuVpIIR282btcGC2oGQoSfZfmBdTip2anCaVYcqWlZXGcdcKIUklfX2wj0JklNYgz39OBqh2cqXvcQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.5.tgz",
+            "integrity": "sha512-D2GyJT1kjvO//drbRT3Hib9XPwQeWd9vZoBJn+bu/lVsOZ13cqNdDeqIF/xQ5/VmWvMduP6AmXvylO/PIc2isw==",
             "cpu": [
                 "x64"
             ],
@@ -215,9 +215,9 @@
             }
         },
         "node_modules/@esbuild/darwin-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.4.tgz",
-            "integrity": "sha512-Y1giCfM4nlHDWEfSckMzeWNdQS31BQGs9/rouw6Ub91tkK79aIMTH3q9xHvzH8d0wDru5Ci0kWB8b3up/nl16g==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.5.tgz",
+            "integrity": "sha512-GtaBgammVvdF7aPIgH2jxMDdivezgFu6iKpmT+48+F8Hhg5J/sfnDieg0aeG/jfSvkYQU2/pceFPDKlqZzwnfQ==",
             "cpu": [
                 "arm64"
             ],
@@ -232,9 +232,9 @@
             }
         },
         "node_modules/@esbuild/darwin-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.4.tgz",
-            "integrity": "sha512-CJsry8ZGM5VFVeyUYB3cdKpd/H69PYez4eJh1W/t38vzutdjEjtP7hB6eLKBoOdxcAlCtEYHzQ/PJ/oU9I4u0A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.5.tgz",
+            "integrity": "sha512-1iT4FVL0dJ76/q1wd7XDsXrSW+oLoquptvh4CLR4kITDtqi2e/xwXwdCVH8hVHU43wgJdsq7Gxuzcs6Iq/7bxQ==",
             "cpu": [
                 "x64"
             ],
@@ -249,9 +249,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-yYq+39NlTRzU2XmoPW4l5Ifpl9fqSk0nAJYM/V/WUGPEFfek1epLHJIkTQM6bBs1swApjO5nWgvr843g6TjxuQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-nk4tGP3JThz4La38Uy/gzyXtpkPW8zSAmoUhK9xKKXdBCzKODMc2adkB2+8om9BDYugz+uGV7sLmpTYzvmz6Sw==",
             "cpu": [
                 "arm64"
             ],
@@ -266,9 +266,9 @@
             }
         },
         "node_modules/@esbuild/freebsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.4.tgz",
-            "integrity": "sha512-0FgvOJ6UUMflsHSPLzdfDnnBBVoCDtBTVyn/MrWloUNvq/5SFmh13l3dvgRPkDihRxb77Y17MbqbCAa2strMQQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.5.tgz",
+            "integrity": "sha512-PrikaNjiXdR2laW6OIjlbeuCPrPaAl0IwPIaRv+SMV8CiM8i2LqVUHFC1+8eORgWyY7yhQY+2U2fA55mBzReaw==",
             "cpu": [
                 "x64"
             ],
@@ -283,9 +283,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.4.tgz",
-            "integrity": "sha512-kro4c0P85GMfFYqW4TWOpvmF8rFShbWGnrLqlzp4X1TNWjRY3JMYUfDCtOxPKOIY8B0WC8HN51hGP4I4hz4AaQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.5.tgz",
+            "integrity": "sha512-cPzojwW2okgh7ZlRpcBEtsX7WBuqbLrNXqLU89GxWbNt6uIg78ET82qifUy3W6OVww6ZWobWub5oqZOVtwolfw==",
             "cpu": [
                 "arm"
             ],
@@ -300,9 +300,9 @@
             }
         },
         "node_modules/@esbuild/linux-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.4.tgz",
-            "integrity": "sha512-+89UsQTfXdmjIvZS6nUnOOLoXnkUTB9hR5QAeLrQdzOSWZvNSAXAtcRDHWtqAUtAmv7ZM1WPOOeSxDzzzMogiQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.5.tgz",
+            "integrity": "sha512-Z9kfb1v6ZlGbWj8EJk9T6czVEjjq2ntSYLY2cw6pAZl4oKtfgQuS4HOq41M/BcoLPzrUbNd+R4BXFyH//nHxVg==",
             "cpu": [
                 "arm64"
             ],
@@ -317,9 +317,9 @@
             }
         },
         "node_modules/@esbuild/linux-ia32": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.4.tgz",
-            "integrity": "sha512-yTEjoapy8UP3rv8dB0ip3AfMpRbyhSN3+hY8mo/i4QXFeDxmiYbEKp3ZRjBKcOP862Ua4b1PDfwlvbuwY7hIGQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.5.tgz",
+            "integrity": "sha512-sQ7l00M8bSv36GLV95BVAdhJ2QsIbCuCjh/uYrWiMQSUuV+LpXwIqhgJDcvMTj+VsQmqAHL2yYaasENvJ7CDKA==",
             "cpu": [
                 "ia32"
             ],
@@ -334,9 +334,9 @@
             }
         },
         "node_modules/@esbuild/linux-loong64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.4.tgz",
-            "integrity": "sha512-NeqqYkrcGzFwi6CGRGNMOjWGGSYOpqwCjS9fvaUlX5s3zwOtn1qwg1s2iE2svBe4Q/YOG1q6875lcAoQK/F4VA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.5.tgz",
+            "integrity": "sha512-0ur7ae16hDUC4OL5iEnDb0tZHDxYmuQyhKhsPBV8f99f6Z9KQM02g33f93rNH5A30agMS46u2HP6qTdEt6Q1kg==",
             "cpu": [
                 "loong64"
             ],
@@ -351,9 +351,9 @@
             }
         },
         "node_modules/@esbuild/linux-mips64el": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.4.tgz",
-            "integrity": "sha512-IcvTlF9dtLrfL/M8WgNI/qJYBENP3ekgsHbYUIzEzq5XJzzVEV/fXY9WFPfEEXmu3ck2qJP8LG/p3Q8f7Zc2Xg==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.5.tgz",
+            "integrity": "sha512-kB/66P1OsHO5zLz0i6X0RxlQ+3cu0mkxS3TKFvkb5lin6uwZ/ttOkP3Z8lfR9mJOBk14ZwZ9182SIIWFGNmqmg==",
             "cpu": [
                 "mips64el"
             ],
@@ -368,9 +368,9 @@
             }
         },
         "node_modules/@esbuild/linux-ppc64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.4.tgz",
-            "integrity": "sha512-HOy0aLTJTVtoTeGZh4HSXaO6M95qu4k5lJcH4gxv56iaycfz1S8GO/5Jh6X4Y1YiI0h7cRyLi+HixMR+88swag==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.5.tgz",
+            "integrity": "sha512-UZCmJ7r9X2fe2D6jBmkLBMQetXPXIsZjQJCjgwpVDz+YMcS6oFR27alkgGv3Oqkv07bxdvw7fyB71/olceJhkQ==",
             "cpu": [
                 "ppc64"
             ],
@@ -385,9 +385,9 @@
             }
         },
         "node_modules/@esbuild/linux-riscv64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.4.tgz",
-            "integrity": "sha512-i8JUDAufpz9jOzo4yIShCTcXzS07vEgWzyX3NH2G7LEFVgrLEhjwL3ajFE4fZI3I4ZgiM7JH3GQ7ReObROvSUA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.5.tgz",
+            "integrity": "sha512-kTxwu4mLyeOlsVIFPfQo+fQJAV9mh24xL+y+Bm6ej067sYANjyEw1dNHmvoqxJUCMnkBdKpvOn0Ahql6+4VyeA==",
             "cpu": [
                 "riscv64"
             ],
@@ -402,9 +402,9 @@
             }
         },
         "node_modules/@esbuild/linux-s390x": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.4.tgz",
-            "integrity": "sha512-jFnu+6UbLlzIjPQpWCNh5QtrcNfMLjgIavnwPQAfoGx4q17ocOU9MsQ2QVvFxwQoWpZT8DvTLooTvmOQXkO51g==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.5.tgz",
+            "integrity": "sha512-K2dSKTKfmdh78uJ3NcWFiqyRrimfdinS5ErLSn3vluHNeHVnBAFWC8a4X5N+7FgVE1EjXS1QDZbpqZBjfrqMTQ==",
             "cpu": [
                 "s390x"
             ],
@@ -419,9 +419,9 @@
             }
         },
         "node_modules/@esbuild/linux-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.4.tgz",
-            "integrity": "sha512-6e0cvXwzOnVWJHq+mskP8DNSrKBr1bULBvnFLpc1KY+d+irZSgZ02TGse5FsafKS5jg2e4pbvK6TPXaF/A6+CA==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.5.tgz",
+            "integrity": "sha512-uhj8N2obKTE6pSZ+aMUbqq+1nXxNjZIIjCjGLfsWvVpy7gKCOL6rsY1MhRh9zLtUtAI7vpgLMK6DxjO8Qm9lJw==",
             "cpu": [
                 "x64"
             ],
@@ -436,9 +436,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-vUnkBYxZW4hL/ie91hSqaSNjulOnYXE1VSLusnvHg2u3jewJBz3YzB9+oCw8DABeVqZGg94t9tyZFoHma8gWZQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-pwHtMP9viAy1oHPvgxtOv+OkduK5ugofNTVDilIzBLpoWAM16r7b/mxBvfpuQDpRQFMfuVr5aLcn4yveGvBZvw==",
             "cpu": [
                 "arm64"
             ],
@@ -453,9 +453,9 @@
             }
         },
         "node_modules/@esbuild/netbsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.4.tgz",
-            "integrity": "sha512-XAg8pIQn5CzhOB8odIcAm42QsOfa98SBeKUdo4xa8OvX8LbMZqEtgeWE9P/Wxt7MlG2QqvjGths+nq48TrUiKw==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.5.tgz",
+            "integrity": "sha512-WOb5fKrvVTRMfWFNCroYWWklbnXH0Q5rZppjq0vQIdlsQKuw6mdSihwSo4RV/YdQ5UCKKvBy7/0ZZYLBZKIbwQ==",
             "cpu": [
                 "x64"
             ],
@@ -470,9 +470,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.4.tgz",
-            "integrity": "sha512-Ct2WcFEANlFDtp1nVAXSNBPDxyU+j7+tId//iHXU2f/lN5AmO4zLyhDcpR5Cz1r08mVxzt3Jpyt4PmXQ1O6+7A==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.5.tgz",
+            "integrity": "sha512-7A208+uQKgTxHd0G0uqZO8UjK2R0DDb4fDmERtARjSHWxqMTye4Erz4zZafx7Di9Cv+lNHYuncAkiGFySoD+Mw==",
             "cpu": [
                 "arm64"
             ],
@@ -487,9 +487,9 @@
             }
         },
         "node_modules/@esbuild/openbsd-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.4.tgz",
-            "integrity": "sha512-xAGGhyOQ9Otm1Xu8NT1ifGLnA6M3sJxZ6ixylb+vIUVzvvd6GOALpwQrYrtlPouMqd/vSbgehz6HaVk4+7Afhw==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.5.tgz",
+            "integrity": "sha512-G4hE405ErTWraiZ8UiSoesH8DaCsMm0Cay4fsFWOOUcz8b8rC6uCvnagr+gnioEjWn0wC+o1/TAHt+It+MpIMg==",
             "cpu": [
                 "x64"
             ],
@@ -504,9 +504,9 @@
             }
         },
         "node_modules/@esbuild/sunos-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.4.tgz",
-            "integrity": "sha512-Mw+tzy4pp6wZEK0+Lwr76pWLjrtjmJyUB23tHKqEDP74R3q95luY/bXqXZeYl4NYlvwOqoRKlInQialgCKy67Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.5.tgz",
+            "integrity": "sha512-l+azKShMy7FxzY0Rj4RCt5VD/q8mG/e+mDivgspo+yL8zW7qEwctQ6YqKX34DTEleFAvCIUviCFX1SDZRSyMQA==",
             "cpu": [
                 "x64"
             ],
@@ -521,9 +521,9 @@
             }
         },
         "node_modules/@esbuild/win32-arm64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.4.tgz",
-            "integrity": "sha512-AVUP428VQTSddguz9dO9ngb+E5aScyg7nOeJDrF1HPYu555gmza3bDGMPhmVXL8svDSoqPCsCPjb265yG/kLKQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.5.tgz",
+            "integrity": "sha512-O2S7SNZzdcFG7eFKgvwUEZ2VG9D/sn/eIiz8XRZ1Q/DO5a3s76Xv0mdBzVM5j5R639lXQmPmSo0iRpHqUUrsxw==",
             "cpu": [
                 "arm64"
             ],
@@ -538,9 +538,9 @@
             }
         },
         "node_modules/@esbuild/win32-ia32": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.4.tgz",
-            "integrity": "sha512-i1sW+1i+oWvQzSgfRcxxG2k4I9n3O9NRqy8U+uugaT2Dy7kLO9Y7wI72haOahxceMX8hZAzgGou1FhndRldxRg==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.5.tgz",
+            "integrity": "sha512-onOJ02pqs9h1iMJ1PQphR+VZv8qBMQ77Klcsqv9CNW2w6yLqoURLcgERAIurY6QE63bbLuqgP9ATqajFLK5AMQ==",
             "cpu": [
                 "ia32"
             ],
@@ -555,9 +555,9 @@
             }
         },
         "node_modules/@esbuild/win32-x64": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.4.tgz",
-            "integrity": "sha512-nOT2vZNw6hJ+z43oP1SPea/G/6AbN6X+bGNhNuq8NtRHy4wsMhw765IKLNmnjek7GvjWBYQ8Q5VBoYTFg9y1UQ==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.5.tgz",
+            "integrity": "sha512-TXv6YnJ8ZMVdX+SXWVBo/0p8LTcrUYngpWjvm91TMjjBQii7Oz11Lw5lbDV5Y0TzuhSJHwiH4hEtC1I42mMS0g==",
             "cpu": [
                 "x64"
             ],
@@ -865,9 +865,9 @@
             }
         },
         "node_modules/esbuild": {
-            "version": "0.25.4",
-            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.4.tgz",
-            "integrity": "sha512-8pgjLUcUjcgDg+2Q4NYXnPbo/vncAY4UmyaCm0jZevERqCHZIaWwdJHkf8XQtu4AxSKCdvrUbT0XUr1IdZzI8Q==",
+            "version": "0.25.5",
+            "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.5.tgz",
+            "integrity": "sha512-P8OtKZRv/5J5hhz0cUAdu/cLuPIKXpQl1R9pZtvmHWQvrAUVd0UNIPT4IB4W3rNOqVO0rlqHmCIbSwxh/c9yUQ==",
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
@@ -878,31 +878,31 @@
                 "node": ">=18"
             },
             "optionalDependencies": {
-                "@esbuild/aix-ppc64": "0.25.4",
-                "@esbuild/android-arm": "0.25.4",
-                "@esbuild/android-arm64": "0.25.4",
-                "@esbuild/android-x64": "0.25.4",
-                "@esbuild/darwin-arm64": "0.25.4",
-                "@esbuild/darwin-x64": "0.25.4",
-                "@esbuild/freebsd-arm64": "0.25.4",
-                "@esbuild/freebsd-x64": "0.25.4",
-                "@esbuild/linux-arm": "0.25.4",
-                "@esbuild/linux-arm64": "0.25.4",
-                "@esbuild/linux-ia32": "0.25.4",
-                "@esbuild/linux-loong64": "0.25.4",
-                "@esbuild/linux-mips64el": "0.25.4",
-                "@esbuild/linux-ppc64": "0.25.4",
-                "@esbuild/linux-riscv64": "0.25.4",
-                "@esbuild/linux-s390x": "0.25.4",
-                "@esbuild/linux-x64": "0.25.4",
-                "@esbuild/netbsd-arm64": "0.25.4",
-                "@esbuild/netbsd-x64": "0.25.4",
-                "@esbuild/openbsd-arm64": "0.25.4",
-                "@esbuild/openbsd-x64": "0.25.4",
-                "@esbuild/sunos-x64": "0.25.4",
-                "@esbuild/win32-arm64": "0.25.4",
-                "@esbuild/win32-ia32": "0.25.4",
-                "@esbuild/win32-x64": "0.25.4"
+                "@esbuild/aix-ppc64": "0.25.5",
+                "@esbuild/android-arm": "0.25.5",
+                "@esbuild/android-arm64": "0.25.5",
+                "@esbuild/android-x64": "0.25.5",
+                "@esbuild/darwin-arm64": "0.25.5",
+                "@esbuild/darwin-x64": "0.25.5",
+                "@esbuild/freebsd-arm64": "0.25.5",
+                "@esbuild/freebsd-x64": "0.25.5",
+                "@esbuild/linux-arm": "0.25.5",
+                "@esbuild/linux-arm64": "0.25.5",
+                "@esbuild/linux-ia32": "0.25.5",
+                "@esbuild/linux-loong64": "0.25.5",
+                "@esbuild/linux-mips64el": "0.25.5",
+                "@esbuild/linux-ppc64": "0.25.5",
+                "@esbuild/linux-riscv64": "0.25.5",
+                "@esbuild/linux-s390x": "0.25.5",
+                "@esbuild/linux-x64": "0.25.5",
+                "@esbuild/netbsd-arm64": "0.25.5",
+                "@esbuild/netbsd-x64": "0.25.5",
+                "@esbuild/openbsd-arm64": "0.25.5",
+                "@esbuild/openbsd-x64": "0.25.5",
+                "@esbuild/sunos-x64": "0.25.5",
+                "@esbuild/win32-arm64": "0.25.5",
+                "@esbuild/win32-ia32": "0.25.5",
+                "@esbuild/win32-x64": "0.25.5"
             }
         },
         "node_modules/fdir": {

web/packages/esbuild-plugin-live-reload/package.json

@@ -35,7 +35,7 @@
         "@goauthentik/tsconfig": "^1.0.4",
         "@trivago/prettier-plugin-sort-imports": "^5.2.2",
         "@types/node": "^22.15.21",
-        "esbuild": "^0.25.4",
+        "esbuild": "^0.25.5",
         "prettier": "^3.5.3",
         "prettier-plugin-packagejson": "^2.5.14",
         "typedoc": "^0.28.5",
@@ -43,7 +43,7 @@
         "typescript": "^5.8.3"
     },
     "peerDependencies": {
-        "esbuild": "^0.25.4"
+        "esbuild": "^0.25.5"
     },
     "engines": {
         "node": ">=22"

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -85,8 +85,8 @@ export class AdminOverviewPage extends AdminOverviewBase {
     render(): TemplateResult {
         const username = this.user?.user.name || this.user?.user.username;
 
-        return html` <ak-page-header
-                header=${msg(str`Welcome, ${username || ""}.`)}
+        return html`<ak-page-header
+                header=${this.user ? msg(str`Welcome, ${username || ""}.`) : msg("Welcome.")}
                 description=${msg("General system status")}
                 ?hasIcon=${false}
             >

web/src/admin/brands/Certificates.ts

@@ -1,26 +1,38 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { DEFAULT_CONFIG } from "#common/api/config";
+import {
+    DataProvision,
+    DualSelectPair,
+    DualSelectPairSource,
+} from "#elements/ak-dual-select/types";
 
 import { CertificateKeyPair, CryptoApi } from "@goauthentik/api";
 
-const certToSelect = (s: CertificateKeyPair) => [s.pk, s.name, s.name, s];
+const certToSelect = (cert: CertificateKeyPair): DualSelectPair<CertificateKeyPair> => {
+    return [cert.pk, cert.name, cert.name, cert];
+};
 
-export async function certificateProvider(page = 1, search = "") {
-    const certificates = await new CryptoApi(DEFAULT_CONFIG).cryptoCertificatekeypairsList({
-        ordering: "name",
-        pageSize: 20,
-        search: search.trim(),
-        page,
-        hasKey: undefined,
-    });
-    return {
-        pagination: certificates.pagination,
-        options: certificates.results.map(certToSelect),
-    };
+export async function certificateProvider(page = 1, search = ""): Promise<DataProvision> {
+    return new CryptoApi(DEFAULT_CONFIG)
+        .cryptoCertificatekeypairsList({
+            ordering: "name",
+            pageSize: 20,
+            search: search.trim(),
+            page,
+            hasKey: undefined,
+        })
+        .then(({ pagination, results }) => {
+            return {
+                pagination,
+                options: results.map(certToSelect),
+            };
+        });
 }
 
-export function certificateSelector(instanceMappings?: string[]) {
+export function certificateSelector(
+    instanceMappings?: string[],
+): DualSelectPairSource<CertificateKeyPair> {
     if (!instanceMappings) {
-        return [];
+        return () => Promise.resolve([]);
     }
 
     return async () => {

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -361,7 +361,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                         <p class="pf-c-form__helper-text">${placeholderHelperText}</p>
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal
-                        label=${msg("Addition User DN")}
+                        label=${msg("Additional User DN")}
                         name="additionalUserDn"
                     >
                         <input
@@ -374,7 +374,7 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                         </p>
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal
-                        label=${msg("Addition Group DN")}
+                        label=${msg("Additional Group DN")}
                         name="additionalGroupDn"
                     >
                         <input
@@ -429,10 +429,25 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                         />
                         <p class="pf-c-form__helper-text">
                             ${msg(
-                                "Field which contains members of a group. Note that if using the \"memberUid\" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.",
+                                "Field which contains members of a group. The value of this field is matched against User membership attribute.",
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("User membership attribute")}
+                        ?required=${true}
+                        name="userMembershipAttribute"
+                    >
+                        <input
+                            type="text"
+                            value="${this.instance?.userMembershipAttribute || "distinguishedName"}"
+                            class="pf-c-form-control"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Attribute which matches the value of Group membership field.")}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal name="lookupGroupsFromUser">
                         <label class="pf-c-switch">
                             <input

web/src/components/ak-page-navbar.ts

@@ -147,7 +147,7 @@ export class AKPageNavbar
                         }
 
                         .accent-icon {
-                            height: 1em;
+                            height: 1.2em;
                             width: 1em;
 
                             @media (max-width: 768px) {
@@ -157,6 +157,7 @@ export class AKPageNavbar
                     }
 
                     &.page-description {
+                        padding-top: 0.3em;
                         grid-area: description;
                         margin-block-end: var(--pf-global--spacer--md);
 

web/src/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.ts

@@ -4,7 +4,7 @@ import { ref } from "lit/directives/ref.js";
 
 import { AkDualSelectProvider } from "./ak-dual-select-provider.js";
 import "./ak-dual-select.js";
-import type { DualSelectPair } from "./types.js";
+import type { DualSelectPair, DualSelectPairSource } from "./types.js";
 
 /**
  * @element ak-dual-select-dynamic-provider
@@ -22,7 +22,7 @@ export class AkDualSelectDynamic extends AkDualSelectProvider {
      * @attr
      */
     @property({ attribute: false })
-    selector: (_: DualSelectPair[]) => Promise<DualSelectPair[]> = () => Promise.resolve([]);
+    selector?: DualSelectPairSource;
 
     #didFirstUpdate = false;
 
@@ -37,7 +37,7 @@ export class AkDualSelectDynamic extends AkDualSelectProvider {
 
         this.#didFirstUpdate = true;
 
-        this.selector(this.options).then((selected) => {
+        this.selector?.(this.options).then((selected) => {
             this.selected = selected;
         });
     }

web/src/elements/ak-dual-select/types.ts

@@ -43,15 +43,19 @@ export type DualSelectPair<T = unknown> = [
     localMapping?: T,
 ];
 
+export type DualSelectPairSource<T = unknown> = (
+    sourceInit: DualSelectPair<T>[],
+) => Promise<DualSelectPair<T>[]>;
+
 export type BasePagination = Pick<
     Pagination,
     "startIndex" | "endIndex" | "count" | "previous" | "next"
 >;
 
-export type DataProvision = {
+export interface DataProvision<T = unknown> {
     pagination?: Pagination;
-    options: DualSelectPair[];
-};
+    options: DualSelectPair<T>[];
+}
 
 export type DataProvider = (page: number, search?: string) => Promise<DataProvision>;
 

web/xliff/de.xlf

@@ -2812,21 +2812,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>Nutzerpfad</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Zusatz Benutzer-DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Zusätzlicher Benutzer-DN, dem Basis-DN vorangestellt.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Zusatz Gruppen-DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9106,9 +9096,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9246,6 +9233,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -2259,18 +2259,10 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>User path</target>
       </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Addition User DN</target>
-      </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Additional user DN, prepended to the Base DN.</target>
       </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Addition Group DN</target>
-      </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
         <target>Additional group DN, prepended to the Base DN.</target>
@@ -7608,9 +7600,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -7748,6 +7737,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -2792,21 +2792,11 @@ no se aprueba cuando una o ambas de las opciones seleccionadas son iguales o sup
         <source>User path</source>
         <target>Ruta de usuario</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>DN de usuario adicional</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>DN de usuario adicional, antepuesto al DN base.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>DN de grupo de adición</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9167,9 +9157,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9307,6 +9294,24 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -2816,21 +2816,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>Chemin utilisateur</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Préfixe DN utilisateurs</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>DN à préfixer au DN de base pour les utilisateurs</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Préfixe DN groupes</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9690,10 +9680,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>Failed to preview prompt</source>
   <target>Échec de la prévisualisation de l'invite</target>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-  <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ "memberUid", la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'. Lorsque "Recherche avec un attribut utilisateur" est sélectionné, cet attribut doit être un attribut utilisateur, sinon un attribut de groupe.</target>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
   <target>Recherche avec un attribut utilisateur</target>
@@ -9877,6 +9863,24 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
   <target>Supprimer les utilisateurs et les groupes authentik qui étaient auparavant fournis par cette source, mais qui en sont maintenant absents.</target>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -2817,21 +2817,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>Percorso utente</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Aggiunta DN utente</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>DN utente aggiuntivo, anteposto al DN di base.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Aggiunta DN gruppo</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9690,10 +9680,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Failed to preview prompt</source>
   <target>Impossibile visualizzare l'anteprima del prompt</target>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-  <target>Campo che contiene i membri di un gruppo. Si noti che se si utilizza il campo "memberUid", si presume che il valore contenga un nome relativo distinto. Ad esempio, "memberUid=some-user" invece di "memberUid=cn=some-user,ou=groups,...". Quando si seleziona "Cerca utilizzando un attributo utente", questo dovrebbe essere un attributo utente, altrimenti un attributo di gruppo.</target>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
   <target>Ricerca tramite attributo utente</target>
@@ -9860,6 +9846,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -2779,21 +2779,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>사용자 경로</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>사용자 DN 추가</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>기본 DN 앞에 추가 사용자 DN을 추가합니다.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>추가 그룹 DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9075,9 +9065,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9215,6 +9202,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -2792,21 +2792,11 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
         <source>User path</source>
         <target>Gebruikerspad</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Aanvullende gebruikers-DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Aanvullende gebruikers-DN, toegevoegd aan de basale DN.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Aanvullende groeps-DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -8977,9 +8967,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9117,6 +9104,24 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -2818,21 +2818,11 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
         <source>User path</source>
         <target>Ścieżka użytkownika</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Dodatkowa nazwa wyróżniająca użytkownika</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Dodatkowa nazwa wyróżniająca użytkownika poprzedzona podstawową nazwą wyróżniającą.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>DN grupy dodawania</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9402,9 +9392,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9542,6 +9529,24 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -2795,21 +2795,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
   <target>Ũśēŕ ƥàţĥ</target>
 
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-  <target>Àďďĩţĩōń Ũśēŕ ĎŃ</target>
-
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
   <target>Àďďĩţĩōńàĺ ũśēŕ ĎŃ, ƥŕēƥēńďēď ţō ţĥē ßàśē ĎŃ.</target>
 
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-  <target>Àďďĩţĩōń Ĝŕōũƥ ĎŃ</target>
-
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9409,9 +9399,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9550,4 +9537,22 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
 </trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -2817,21 +2817,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>Путь пользователя</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Дополнение User DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Дополнительный DN пользователя, добавляемый к базовому DN.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Дополнение Group DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9494,9 +9484,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9634,6 +9621,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -2795,21 +2795,11 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
         <source>User path</source>
         <target>Kullanıcı yolu</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>Ekleme Kullanıcı DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>Ek kullanıcı DN, temel DN'ye eklenmiş.</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>Toplama Grubu DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9465,9 +9455,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9605,6 +9592,24 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -2008,15 +2008,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="sfbc59ff17a73503d">
   <source>User path</source>
 </trans-unit>
-<trans-unit id="sd18170637295bace">
-  <source>Addition User DN</source>
-</trans-unit>
 <trans-unit id="s9ae089fd248e72db">
   <source>Additional user DN, prepended to the Base DN.</source>
 </trans-unit>
-<trans-unit id="s5944355d69db1fb8">
-  <source>Addition Group DN</source>
-</trans-unit>
 <trans-unit id="sfae9f4ea5749a36b">
   <source>Additional group DN, prepended to the Base DN.</source>
 </trans-unit>
@@ -6215,9 +6209,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -6356,6 +6347,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
 </trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -2817,21 +2817,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>用户路径</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>额外的用户 DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>额外的用户 DN，添加到 Base DN 起始处。</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>额外的组 DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9691,10 +9681,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Failed to preview prompt</source>
   <target>预览输入失败</target>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-  <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'。当选中“使用用户属性查询”时，此配置应该为用户属性，否则为组属性。</target>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
   <target>使用用户属性查询</target>
@@ -9873,9 +9859,29 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s42b57339ad2f3ac7">
   <source>Delete Not Found Objects</source>
+  <target>删除不存在对象</target>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+  <target>删除之前由此源提供，但现已缺失的用户和组。</target>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -2146,18 +2146,10 @@ doesn't pass when either or both of the selected options are equal or above the
       <trans-unit id="sfbc59ff17a73503d">
         <source>User path</source>
       </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>额外的用户 DN</target>
-      </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>额外的User DN，优先于Base DN。</target>
       </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>额外的 Group DN</target>
-      </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
         <target>额外的Group DN，优先于Base DN。</target>
@@ -7308,9 +7300,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -7448,6 +7437,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -9873,9 +9873,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s42b57339ad2f3ac7">
   <source>Delete Not Found Objects</source>
+  <target>删除不存在对象</target>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+  <target>删除之前由此源提供，但现已缺失的用户和组。</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -2777,21 +2777,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>User path</source>
         <target>使用者路徑</target>
         
-      </trans-unit>
-      <trans-unit id="sd18170637295bace">
-        <source>Addition User DN</source>
-        <target>額外的使用者 DN</target>
-        
       </trans-unit>
       <trans-unit id="s9ae089fd248e72db">
         <source>Additional user DN, prepended to the Base DN.</source>
         <target>額外的使用者 DN，將優先於 Base DN。</target>
         
-      </trans-unit>
-      <trans-unit id="s5944355d69db1fb8">
-        <source>Addition Group DN</source>
-        <target>額外的群組 DN</target>
-        
       </trans-unit>
       <trans-unit id="sfae9f4ea5749a36b">
         <source>Additional group DN, prepended to the Base DN.</source>
@@ -9052,9 +9042,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sc7524ea24eeeb019">
   <source>Failed to preview prompt</source>
 </trans-unit>
-<trans-unit id="s783964a224796865">
-  <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'. When selecting 'Lookup using a user attribute', this should be a user attribute, otherwise a group attribute.</source>
-</trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
   <source>Lookup using user attribute</source>
 </trans-unit>
@@ -9192,6 +9179,24 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se3b26b762110bda0">
   <source>Delete authentik users and groups which were previously supplied by this source, but are now missing from it.</source>
+</trans-unit>
+<trans-unit id="s0a2cb398b54a6207">
+  <source>Welcome.</source>
+</trans-unit>
+<trans-unit id="s4e1d2cb86cf5ecd0">
+  <source>Field which contains members of a group. The value of this field is matched against User membership attribute.</source>
+</trans-unit>
+<trans-unit id="s6478025f3e0174fa">
+  <source>User membership attribute</source>
+</trans-unit>
+<trans-unit id="s344be99cf5d36407">
+  <source>Attribute which matches the value of Group membership field.</source>
+</trans-unit>
+<trans-unit id="sfa6b7b105640e457">
+  <source>Additional User DN</source>
+</trans-unit>
+<trans-unit id="s04bb32ec9f359507">
+  <source>Additional Group DN</source>
 </trans-unit>
     </body>
   </file>

website/docs/add-secure-apps/applications/manage_apps.mdx

@@ -8,7 +8,7 @@ Managing the applications that your team uses involves several tasks, from initi
 
 To add an application to authentik and have it display on users' **My applications** page, follow these steps:
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 
 2. Navigate to **Applications -> Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create.)**
 

website/docs/add-secure-apps/flows-stages/flow/context/index.mdx

@@ -1,5 +1,6 @@
 ---
 title: Flow Context
+toc_max_heading_level: 5
 ---
 
 Each flow execution has an independent _context_. This context holds all of the arbitrary data about that specific flow, data which can then be used and transformed by stages and policies.
@@ -156,6 +157,7 @@ Possible options:
 - `auth_mfa` (Authentication via MFA device without password)
 - `auth_webauthn_pwl` (Passwordless authentication via WebAuthn with Passkeys)
 - `jwt` ([M2M](../../../providers/oauth2/client_credentials.mdx) authentication via an existing JWT)
+- `mtls` (Authentication via Certificate, see [Mutual TLS Stage](../../stages/mtls/index.md))
 
 ##### `auth_method_args` (dictionary)
 
@@ -176,7 +178,10 @@ Example:
     // JWT information when `auth_method` `jwt` was used
     "jwt": {},
     "source": null,
-    "provider": null
+    "provider": null,
+    // Certificate used for authentication
+    // applies for `auth_method` `mtls`
+    "certificate": {}
 }
 ```
 
@@ -203,3 +208,22 @@ If _Show matched user_ is disabled, this key will be set to the user identifier
 [Set this key](../../../../customize/policies/expression/managing_flow_context_keys.md) in an Expression Policy to override [Redirect stage](../../stages/redirect/index.md) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.
 
 Use the format `ak-flow://{slug}` to use the Redirect stage in Flow mode. Any other format will result in the Redirect stage running in Static mode.
+
+#### Mutual TLS Stage
+
+##### `certificate` (dictionary):ak-version[2025.6]
+
+This key is set by the Mutual TLS Stage during enrollment and contains data about the certificate supplied by the browser.
+
+Example:
+
+```json
+{
+    "serial_number": "1234",
+    "subject": "CN=client",
+    "issuer": "CN=authentik Test CA, O=authentik, OU=Self-signed",
+    "fingerprint_sha256": "08:D4:A4:79:25:CA:C3:51:28:88:BB:30:C2:96:C3:44:5A:EB:18:07:84:CA:B4:75:27:74:61:19:8A:6A:AF:FC",
+    "fingerprint_sha1": "5D:14:0D:5F:A2:7E:14:B0:F1:1D:6F:CD:E3:4B:81:68:71:24:1A:70",
+    "raw": "-----BEGIN CERTIFICATE-----...."
+}
+```

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx

@@ -1,8 +1,12 @@
 ---
-title: WebAuthn / Passkeys Authenticator setup stage
+title: WebAuthn / FIDO2 / Passkeys Authenticator setup stage
 ---
 
-This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
+This stage configures an authenticator stage for using WebAuthn, FIDO2, Passkeys. This stage supports:
+
+- **Security Keys**: Physical devices like YubiKey, Google Titan, etc.
+- **Platform Authenticators**: Built-in authenticators like Windows Hello, Touch ID, Face ID
+- **Mobile Devices**: Using device biometrics or security keys via mobile browsers
 
 ### Options
 

website/docs/add-secure-apps/flows-stages/stages/mtls/index.md

@@ -0,0 +1,124 @@
+---
+title: Mutual TLS stage
+authentik_version: "2025.6"
+authentik_preview: true
+authentik_enterprise: true
+toc_max_heading_level: 5
+---
+
+The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc.
+
+Management of client certificates is out of the scope of this document.
+
+## Reverse-proxy configuration
+
+Using the Mutual TLS stage requires special configuration of any reverse proxy that is used in front of authentik, because the reverse-proxy interacts directly with the browser.
+
+- nginx
+    - [Standalone nginx](#nginx-standalone)
+    - [nginx kubernetes ingress](#nginx-ingress)
+- Traefik
+    - [Standalone Traefik](#traefik-standalone)
+    - [Traefik kubernetes ingress](#traefik-ingress)
+- [envoy](#envoy)
+- [No reverse proxy](#no-reverse-proxy)
+
+#### nginx Standalone
+
+Add this configuration snippet in your authentik virtual host:
+
+```nginx
+# server {
+    ssl_client_certificate /etc/ssl/path-to-my-ca.pem;
+    ssl_verify_client on;
+
+    # location / {
+        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
+    # }
+# }
+```
+
+See [nginx documentation](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate) for reference.
+
+#### nginx Ingress
+
+Add these annotations to your authentik ingress object:
+
+```yaml
+nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
+# This secret needs to contain `ca.crt` which is the certificate authority to validate against.
+nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName
+```
+
+See [ingress-nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/) for reference.
+
+#### Traefik Standalone
+
+Add this snippet to your traefik configuration:
+
+```yaml
+tls:
+    options:
+        default:
+            clientAuth:
+                # in PEM format. each file can contain multiple CAs.
+                caFiles:
+                    - tests/clientca1.crt
+                    - tests/clientca2.crt
+                clientAuthType: RequireAndVerifyClientCert
+```
+
+See the [Traefik mTLS documentation](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls) for reference.
+
+#### Traefik Ingress
+
+Create a middleware object with these options:
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+    name: test-passtlsclientcert
+spec:
+    passTLSClientCert:
+        pem: true
+```
+
+See the [Traefik PassTLSClientCert documentation](https://doc.traefik.io/traefik/middlewares/http/passtlsclientcert/) for reference.
+
+#### Envoy
+
+See the [Envoy mTLS documentation](https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing#use-mutual-tls-mtls-to-enforce-client-certificate-authentication) and [Envoy header documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert) for configuration.
+
+#### No reverse proxy
+
+When using authentik without a reverse proxy, select the certificate authorities in the corresponding [brand](../../../../sys-mgmt/brands.md#client-certificates) for the domain, under **Other global settings**.
+
+## Stage configuration
+
+1. Log in as an admin to authentik, and go to the Admin interface.
+
+2. In the Admin interface, navigate to **System -> Certificates**
+
+3. Create a new certificate for the Certificate Authority used to sign client certificates.
+
+4. In the Admin interface, navigate to **Flows -> Stages**.
+
+5. Click **Create**, and select **Mutual TLS Stage**, and in the **New stage** box, define the following fields:
+
+    - **Name**: define a descriptive name, such as "chrome-device-trust".
+
+    - **Stage-specific settings**
+
+        - **Mode**: Configure the mode this stage operates in.
+
+            - **Certificate optional**: When no certificate is provided by the user or the reverse proxy, the flow will continue to the next stage.
+            - **Certificate required**: When no certificate is provided, the flow ends with an error message.
+
+        - **Certificate authorities**: Select the certificate authorities used to sign client certificates.
+
+        - **Certificate attribute**: Select the attribute of the certificate to be used to find a user for authentication.
+
+        - **User attribute**: Select the attribute of the user the certificate should be compared against.
+
+6. Click **Finish**.

website/docs/add-secure-apps/providers/entra/setup-entra.md

@@ -9,7 +9,7 @@ For detailed instructions, refer to Microsoft Entra ID documentation.
 
 ## Configure Entra ID
 
-1. Log into the Azure portal and on the Home page, under Azure services, click on or search for **App registrations**.
+1. Log in to the Azure portal and on the Home page, under Azure services, click on or search for **App registrations**.
 2. On the **App registrations** page, click **New registration**.
 3. On the **Register an application** page, define the **Name** of the app, and under **Supported account types** select **Accounts in this organizational directory only**. Leave **Redirect URI** empty.
 4. Click **Register**.

website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md

@@ -4,7 +4,7 @@ title: Create an OAuth2 provider
 
 To add a provider (and the application that uses the provider for authentication) use the ** Create with provider** option, which creates both the new application and the required provider at the same time. For typical scenarios, authentik recommends that you create both the application and the provider together. (Alternatively, use our legacy process: navigate to **Applications --> Providers**, and then click **Create**.)
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 
 2. Navigate to **Applications -> Applications** and click **Create with provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 

website/docs/add-secure-apps/providers/oauth2/device_code.md

@@ -52,7 +52,7 @@ If the user _has_ finished the authentication and authorization, the response wi
 
 ### Create and apply a device code flow
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
 3. Set the following required configurations:
     - **Name**: provide a name (e.g. `default-device-code-flow`)

website/docs/add-secure-apps/providers/rac/how-to-rac.md

@@ -26,7 +26,7 @@ Depending on whether you are connecting using RDP, SSH, or VNC, the exact config
 
 The first step is to create the RAC application and provider pair.
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with provider**.
 3. Follow these [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
 
@@ -34,7 +34,7 @@ The first step is to create the RAC application and provider pair.
 
 Next, you need to add property mappings for each remote machine you want to access. Property mappings allow you to pass information to external applications, and with RAC they are used to pass the host name, IP address, and access credentials of the remote machine.
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Customization > Property Mappings** and click **Create**.
 
     - **Select Type**: RAC Property Mappings
@@ -57,7 +57,7 @@ Next, you need to add property mappings for each remote machine you want to acce
 
 Finally, you need to create an endpoint for each remote machine. Endpoints are defined within providers; connections between the remote machine and authentik are enabled through communication between the provider's endpoint and the remote machine.
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications > Providers**.
 3. Click the **Edit** button on the RAC provider that you previously created.
 4. On the Provider page, under **Endpoints**, click **Create**, and provide the following settings:

website/docs/add-secure-apps/providers/rac/index.md

@@ -36,11 +36,12 @@ The _Endpoint_ object specifies the hostname/IP of the machine to connect to, as
 
 Configuration details such as credentials can be specified through _settings_, which can be specified on different levels and are all merged together when connecting:
 
-1. Provider settings
-2. Endpoint settings
-3. Connection settings
+1. Default settings
+2. Provider settings
+3. Endpoint settings
 4. Provider property mapping settings
 5. Endpoint property mapping settings
+6. Connection settings
 
 ### Connection settings
 

website/docs/add-secure-apps/providers/ssf/create-ssf-provider.md

@@ -16,7 +16,7 @@ The workflow to implement an SSF provider as a [backchannel provider](../../appl
 
 ## Create the SSF provider
 
-1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Providers**.
+1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications -> Providers**.
 
 2. Click **Create**.
 
@@ -28,7 +28,7 @@ The workflow to implement an SSF provider as a [backchannel provider](../../appl
 
 ## Create the OIDC provider
 
-1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Providers**.
+1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications -> Providers**.
 
 2. Click **Create**.
 
@@ -38,7 +38,7 @@ The workflow to implement an SSF provider as a [backchannel provider](../../appl
 
 ## Create the application
 
-1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Applications**.
+1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications -> Applications**.
 
 2. Click **Create**.
 

website/docs/developer-docs/docs/style-guide.mdx

@@ -15,6 +15,9 @@ We appreciate all contributions to our documentation — whether it's fixing a t
 - [Error Message Formatting and Troubleshooting](#error-message-formatting-and-troubleshooting)
 - [Accessibility Best Practices](#accessibility-best-practices)
 - [Notes and Warnings](#notes-and-warnings)
+- [Inclusive Language](#inclusive-language)
+- [Images and Media](#images-and-media)
+- [Document Structure and Metadata](#document-structure-and-metadata)
 
 ---
 
@@ -32,7 +35,7 @@ Use headings (sub-titles) to break up large blocks of text, making it easier for
 
 ### Look and feel of the docs
 
-In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large call0outs or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
+In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
 
 ### Cross-references
 
@@ -50,11 +53,13 @@ The standard file type for documentation is `.md`. Use `.mdx` only if React comp
 
 Try to write procedural (How To) docs generically enough that it does not endorse or force a specific operating system. If it is necessary to specify a specific OS be sure to label it clearly. Consider using tabs (with MDX) to show the different OSes.
 
+---
+
 ## Terminology
 
 ### authentik product name and terms
 
-- The product name **authentik** should always be written with a lowercase "a" and a "k" at the end, even if it begins a sentence. This consistent style should be followed throughout the documentation.
+- The product name **authentik** should always be written with a lowercase "a" and a "k" at the end, even if it begins a sentence.
 
 - The company name is **Authentik Security, Inc.**, but for non-legal documentation, you may shorten it to **Authentik Security**.
 
@@ -64,7 +69,15 @@ Try to write procedural (How To) docs generically enough that it does not endors
 
 - When referring to external tools or industry terms, always use the exact capitalization and naming conventions that the product or company uses. Refer to their website or official documentation for the proper formatting. For example, use "OAuth", "SAML", or "Docker" as per the official conventions.
 - Avoid abbreviations unless they are well-known and widely recognized (e.g., SSO, MFA, RBAC).
-- If an acronym is used less frequently, spell out its full meaning when first mentioned, followed by the acronym in parentheses. For instance, "Security Assertion Markup Language (SAML)". In some cases the acronym can come first, followed by the full term in parentheses.
+- If an acronym is used less frequently, spell out its full meaning when first mentioned on the page, followed by the acronym in parentheses. In some cases the acronym can come first, followed by the full term in parentheses.
+
+### Trademarks and Legal Terms
+
+- Respect third-party trademarks. Use the correct symbols (™, ®) where applicable (e.g., "GitHub®", "Okta™") in the _first_ instance of the name.
+- When mentioning third-party products, follow their branding guidelines (e.g., "GitHub", not "Github").
+- Where appropriate, include required legal disclaimers when referencing external services or integrations.
+
+---
 
 ## Writing style
 
@@ -92,18 +105,22 @@ Avoid phrasing that blames the user. Be subjective and polite when providing ins
 
 ### Punctuation
 
-For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the Oxford comma.
+For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the [Serial comma](https://en.wikipedia.org/wiki/Serial_comma) (also known as the Oxford comma).
+
+In [lists](#lists), add a period at the end of a bulleted item if it is a complete sentence. Try not to mix incomplete and complete sentences in the same list.
 
 ### Capitalization
 
 #### Titles and headers
 
-Titles and headers (H1, H2, H3, etc.) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names.For more information, see [below](#titles-and-headers)
+Titles and headers (H1, H2, H3, etc.) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names. For more information, see [below](#titles-and-headers).
 
 #### Following a colon
 
 Whether to capitalize after a colon depends on the context. Typically, we do not capitalize the first word after a colon _unless_ it's a proper noun or if it is the start of a complete sentence. If the colon introduces a list, do not capitalize the first word unless it's a proper noun. In headings and titles, capitalize the first word after the colon.
 
+---
+
 ## Word choices
 
 ### "May" versus "Might" versus "Can"
@@ -130,20 +147,22 @@ It's important to use "that" as a conjunction to introduce a dependent clause, o
 
 ### "which" vs "that"
 
-Th easiest way to remember when to use "which" versus "that" is:
+The easiest way to remember when to use "which" versus "that" is:
 
-- if the second part (clause) of the sentence is required to understand the first part, use "that." If the second clause is only additional info, then you should use "which".
+- If the second part (clause) of the sentence is required to understand the first part, use "that." If the second clause is only additional info, use "which".
 
-For more information, see https://www.grammarly.com/blog/which-vs-that/.
+For more information, see [this guide](https://www.grammarly.com/blog/which-vs-that/).
 
-### “since” (time-based) vs “because” (causal)
+### "since" (time-based) vs "because" (causal)
 
 When writing about a status or anything that is causal ("this happened because of that"), use the word "because". Use the word "since" for time-based topics (this will be rare in technical writing).
 
-### Avoid using “once” (numeric) to mean “after” (time-based).
+### Avoid using "once" (numeric) to mean "after" (time-based).
 
 When writing out steps in a procedural topic, avoid starting with "Once...". Instead, you can say "After you have created the scope mapping...".
 
+---
+
 ## Formatting guidelines
 
 ### Fonts and font styling
@@ -159,22 +178,36 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins
 
 - Use _italic_ for:
 
-    - Emphasis, but sparingly, to avoid overuse. For example, you can use italics for important terms or concepts on first mention in a section.
+    - Emphasis, but sparingly, to avoid overuse. For example, you can use italics for important terms or concepts on first mention in a section. Do not use italics to indicate a variable or placeholder; instead use angle brackets as described under [Variables](#variables).
 
 - Use `code formatting` for:
 
-    - Commands (e.g., `docker run`).
+    - Commands (e.g., `kubectl get nodes`).
     - File paths, file names, and directory names (e.g., `/usr/local/bin/`).
     - Inline code snippets (e.g., `.env`).
 
-- When handling URLs:
+### Lists
 
-    - For URLs entered as values or defined in fields, enclose any variables inside angle brackets (`< >`) to clearly indicate that these are placeholders that require user input.
+Add a period at the end of a bulleted item if it is a complete sentence. Try not to mix incomplete and complete sentences in the same list.
 
-        For example: `https://authentik.company/application/o/<slug>/.well-known/openid-configuration`
+If there is a [colon](#following-a-colon) used in a bulleted list item, follow the capitalization rules.
+
+### URLs
 
     - When mentioning URLs in text or within procedural instructions, omit code formatting. For instance: "In your browser, go to https://example.com."
 
+    - For URLs entered as values or defined in fields, enclose any variables inside angle brackets (`< >`) and use underscores between words. See more about variables below (#variables).
+
+### Variables
+
+To clearly indicate terms or values that are placeholders and require user input, enclose any variables inside angle brackets (`< >`) and use underscores between words to clearly indicate that these are placeholders that require user input.
+
+        Examples:
+
+        `https://authentik.company/application/o/<slug>/.well-known/openid-configuration`
+
+        "Add the configuration setting: `<first_name>`."
+
 ### Titles and headers
 
 - Titles and headers (H1, H2, H3) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names.
@@ -183,24 +216,24 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins
     - **DON'T:** "CONFIGURE THE GOOGLE WORKSPACE PROVIDER"
     - **DON'T:** "Configure The Google Workspace Provider"
 
-- Ensure titles and headers are descriptive and clearly convey the purpose of the section. Avoid vague titles like "Overview." Instead, opt for something more specific, like "About authentik policies."
+- Ensure that titles and headers are descriptive and clearly convey the purpose of the section. Avoid vague titles like "Overview." Instead, opt for something more specific, like "About authentik policies."
 
 - Use the **imperative verb form** in procedural topics, not gerunds. For example, use "Configure your instance" instead of "Configuring your instance."
 
 ### Examples
 
-When you want to show an example (say, a code snippet), start on a new line, use bold text for the word "Example", and a semi-colon, like this:
+When you want to show an example (say, a code snippet), start on a new line, use bold text for the word "Example", and a colon, like this:
 
-    **Example**:
+**Example**:
 
     This expression policy uses an expression based on the user's name:
-        ```
-        if request.context["pending_user"].username == "marie":
-            return True
-            return False
-        ```
+    ```python
+    if request.context["pending_user"].username == "marie":
+        return True
+    return False
+    ```
 
-## Code blocks
+### Code blocks
 
 When you want to show sections of code use **Code blocks** to provide syntax highlighting, a copy button, line numbering and line highlighting:
 
@@ -234,25 +267,35 @@ and_backend_roles: []
 description: "Maps admin to all_access"
 ```
 
-- `` ` ` ` yaml `` defines the language used for syntax highlighting. Other languages can be used such as; `jsx`, `python`, `bash` and `text`.
+- ` ` ` `yaml `defines the language used for syntax highlighting. Other languages can be used such as`jsx`, `python`, `bash`, and `text`.
 
 Optional configurations:
 
-- `showLineNumbers`: enables the line numbering on the left-hand side of the code block.
-- `title=" "`: defines the title displayed at the top of the code block. This is useful for defining filenames and paths.
-- `{5}`: defines the line number that will be highlighted. Ranges and lists can also be used (e.g. `{5, 7, 9-11}`).
-- `// highlight-next-line`: is used within a code block to highlight the next line.
-- `// highlight-start` and `// highlight-end`: are used within a code block to highlight one or more lines.
+- `showLineNumbers`: enables line numbering.
+- `title=" "`: defines the title displayed at the top (e.g., filenames).
+- `{5}`: highlights specific lines. Ranges and lists are allowed (e.g., `{5, 7, 9-11}`).
+- `// highlight-next-line`: highlights the next line within a code block.
+- `// highlight-start` and `// highlight-end`: highlight multiple lines.
 
-More information on codeblocks can be found in the [Docusaurus code block documentation](https://docusaurus.io/docs/markdown-features/code-blocks).
+For more details, see the [Docusaurus code block documentation](https://docusaurus.io/docs/markdown-features/code-blocks).
+
+### Tables
+
+Use tables to compare options, list parameters, or summarize information. Ensure tables are concise and avoid nesting complex content. Only use a table when there are 4 or more items. For only 2 or 3 items, use a bullet list.
+
+### Lists
+
+- Use bullet points for unordered lists.
+- Use numbered lists for sequential steps.
+- Keep list items parallel in structure.
+
+---
 
 ## Component-based formatting
 
-This section covers the usage of React components within our documentation. Files that use component-based formatting must use the `.mdx` extension.
-
 ### Tabs for multiple configurations
 
-Use **Tabs** to display different configurations (e.g., setting up authentication with OIDC vs. SAML) to help users navigate between options. Default to the easier or more common option. Insert the following lines wherever you want the code block to appear:
+Use **Tabs** to display different configurations (e.g., setting up authentication with OIDC vs. SAML) to help users navigate between options. Default to the easier or more common option. For example:
 
 ```jsx
 import TabItem from "@theme/TabItem";
@@ -270,60 +313,126 @@ import Tabs from "@theme/Tabs";
 </Tabs>;
 ```
 
-Tabs improve readability when presenting different configurations or setup options.
+---
 
 ## Error message formatting and troubleshooting
 
-When documenting error messages:
+When documenting errors, follow this structure:
 
-- Display the error message
-- Explain possible causes
-- Offer solutions
+1. **Error Message**: Display the error in a code block.
+2. **Possible Causes**: List common reasons for the error.
+3. **Solutions**: Provide step-by-step fixes or a work-around if there is one.
 
-Example:
+**Example**:
 
-- **Error message:**
+- **Error message**:
 
     ```sh
     Error: Authentication failed. Invalid credentials.
     ```
 
-- **Possible causes:**
+- **Possible causes**:
 
-    - Incorrect username or password
-    - Account is locked due to too many failed login attempts
+    - Incorrect username or password.
+    - Account locked due to multiple failed attempts.
 
-- **Solution:**
+- **Solutions**:
+    - Verify your credentials.
+    - Reset your password using the **Forgot Password** link.
+    - Contact your administrator if the account is locked.
 
-    - Verify your username and password
-    - Reset your password if necessary
-    - Contact an administrator if your account is locked
+---
 
 ## Accessibility best practices
 
-- Avoid using color as the sole method of conveying information (e.g., "Click the red button"). Instead, use descriptive labels to ensure accessibility.
-- Provide **descriptive link text**. Avoid using generic terms like "Click here". Be specific about where the link will take the user.
+- **Alt text for images**: Describe the purpose of the image, not just its appearance. For example, use "Screenshot of the login form" instead of "Image of a form."
+- **Heading hierarchy**: Use headings in order (H1 → H2 → H3) to support screen readers.
+- **Color usage**: Avoid using color as the sole method of conveying information (e.g., "Click the red button"). Instead, use descriptive labels to ensure accessibility.
+- **Descriptive link text**: Provide descriptive link text. Avoid using generic terms like "Click here". Be specific about where the link will take the user.
     - **DON'T:** "Click here."
     - **DO:** "See the [Authentication Settings](/) for more details."
 
+---
+
 ## Notes and warnings
 
-For notes and important information:
+Use the following components to highlight important information:
 
-**Notes** are formatted using:
+**Info notes**:
 
-```
+```md
 :::info
-Write your note here.
+This is a tip or general note.
 :::
 ```
 
-**Warnings** are formatted using:
+**Warnings**:
 
-```
+```md
 :::warning
-Write your warning here.
+This level is for more serious situations: an action cannot be undone, a process might be canceled, etc..
 :::
 ```
 
-Use these conventions to ensure that the reader's attention is drawn to crucial information.
+**Critical warnings** (for irreversible actions):
+
+```md
+:::danger
+This level is for extremely serious situations, such as an action permanently removing data.
+:::
+```
+
+---
+
+## Inclusive Language
+
+- Use **gender-neutral pronouns** like "they/them" instead of "he/she" (e.g., "The user should check their settings").
+- Avoid **ableist terms** such as "dumb" or "lame"; use "non-functional" or "unavailable" instead.
+- **Avoid idioms** that may not translate well (e.g., instead of "hit a home run" use "achieve success").
+
+---
+
+## Images and Media
+
+- **Screenshots**:
+    - Use screenshots very sparingly, only for very complex UIs. If there are screenshots, update any existing ones if the UI changes.
+    - Crop to focus on relevant elements, use red arrows or circles to call out the important element.
+    - Add descriptive alt text (e.g., "Screenshot of the Provider configuration page").
+- **Diagrams**:
+    - Use [Mermaid](https://mermaid.js.org/) for creating diagrams directly in markdown. Mermaid is our preferred tool for documentation diagrams as it allows for version control and easy updates.
+    - For more complex diagrams, you can use tools like [Draw.io](https://draw.io). Ensure high contrast and text descriptions.
+
+---
+
+## Document Structure and Metadata
+
+- **Front matter**: Include a title and optional summary. You can also add badge metadata in the front matter:
+
+    ```md
+    ---
+    title: Getting Started
+    description: Install and configure authentik in 5 minutes.
+    authentik_version: "2025.4" # Semantic version when feature was introduced (Optional)
+    authentik_preview: true # For preview features (Optional)
+    authentik_enterprise: true # For enterprise features (Optional)
+    support_level: "authentik" # For integrations: Support level: "authentik" (tested by team) or "community" (community maintained)
+    ---
+    ```
+
+    Note: Badges should be defined in the front matter, not in the markdown content. The system will automatically display the appropriate badges based on the front matter metadata.
+
+- **Directives**: You can also use directives in your markdown content to add badges inline:
+
+    - `:ak-version[2025.4]` - Shows when a feature was introduced (requires semantic version)
+    - `:ak-preview` - Indicates preview features
+    - `:ak-enterprise` - Indicates features in our Enterprise offering
+
+    Example usage in a heading:
+
+    ```md
+    # New Feature :ak-version[2025.4] :ak-preview
+    ```
+
+    Note: When using directives, they should be placed at the end of the heading or paragraph where they apply.
+
+- **SEO**: Use keywords in titles and headings to improve searchability. Include relevant terms that users might search for, but avoid keyword stuffing. Focus on natural, descriptive language that accurately represents the content.

website/docs/install-config/configuration/configuration.mdx

@@ -357,7 +357,11 @@ Defaults to `86400`.
 
 ### `AUTHENTIK_SESSION_STORAGE`:ak-version[2024.4]
 
-Configure if the sessions are stored in the cache or the database. Defaults to `db`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+:::info Deprecated
+This setting is removed as of version 2025.4. Sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
+:::
+
+If you are running a version earlier than 2025.4, you can configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
 ### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]
 

website/docs/install-config/upgrade.mdx

@@ -14,7 +14,7 @@ authentik does not support downgrading. Make sure to back up your database in ca
 
 - Make a backup of your PostgreSQL database before upgrading. You can dump your existing database to get a backup file. For more information about dumping and backing up your database, refer to [Upgrade PostgreSQL on Docker Compose](../troubleshooting/postgres/upgrade_docker.md) or [Upgrade PostgreSQL on Kubernetes](../troubleshooting/postgres/upgrade_kubernetes.md).
 
-- You need to upgrade in sequence of the major releases; do not skip directly from an older major version to the most recent version. For example, if you are currently running 2023.10.3, you will need to first upgrade to 2024.2.x, then 2024.4.x, and then 2024.6.x, in sequence.
+- You need to upgrade in sequence of the major releases; do not skip directly from an older major version to the most recent version. For example, if you are currently running 2023.10.3, you should first upgrade to the latest 2024.2.x release, then to the latest 2024.4.x release, and finally to the latest 2024.6.x release, in sequence. Always use the latest available patch version (_x_ in this case being the latest patch release) for each major.minor release.
 
 - The version of the authentik instance and any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
 

website/docs/releases/2025/v2025.4.md

@@ -285,6 +285,12 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.4
 - root: temporarily deactivate database pool option (cherry-pick #14443) (#14479)
 - web/flows/sfe: fix global background image not being loaded (cherry-pick #14442) (#14450)
 
+## Fixed in 2025.4.2
+
+- core: Migrate permissions before deleting OldAuthenticatedSession (cherry-pick #14788) (#14791)
+- lifecycle: fix arguments not being passed to worker command (cherry-pick #14574) (#14620)
+- sources/scim: fix all users being added to group when no members are given (cherry-pick #14645) (#14666)
+
 ## API Changes
 
 #### What's New

website/docs/releases/2025/v2025.6.md

@@ -0,0 +1,576 @@
+---
+title: Release 2025.6
+slug: "/releases/2025.6"
+---
+
+## Highlights
+
+- **mTLS Stage**: :ak-enterprise The Mutual TLS stage provides support for mTLS, a standard protocol that uses certificates for mutual authentication between a client and a server.
+
+- **Email verification compatibility with link scanners**: We have improved compatibility for environments that have automated scanning software that inadvertently invalidated one-time links sent by authentik.
+
+- **LDAP source sync forward deletions**: This option synchronizes the deletion of users and groups from LDAP sources to authentik.
+
+## Breaking changes
+
+- **Helm chart dependencies upgrades**:
+
+    - The PostgreSQL chart has been updated to version 16.7.4. The PostgreSQL image is no longer pinned in authentik's default values and has been upgraded from version 15 to 17. Follow our [PostgreSQL upgrade instructions](../../troubleshooting/postgres/upgrade_kubernetes.md) to update to the latest PostgreSQL version.
+    - The Redis chart has been updated to version 21.1.6. There are no breaking changes and Redis has been upgraded from version 7 to 8.
+
+- **Deprecated and frozen `:latest` container image tag after 2025.2**
+
+    Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.6`.
+
+- **CSS**: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes.
+
+## New features and improvements
+
+- **mTLS stage**: :ak-enterprise The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. For environments where certificates are already rolled out, this can make authentication a lot more seamless. Refer to our [technical documentation](../add-secure-apps/flows-stages/stages/mtls/) for more information.
+- **Email verification compatibility with link scanners**: We have improved compatibility for environments with automated scanning software that inadvertently invalidated one-time links sent by authentik.
+- **LDAP source sync forward deletions**: With this option enabled, users or groups created in authentik via LDAP sources will also be removed from authentik if they are deleted from the LDAP source. For more information, please refer to our [LDAP source documentation](../users-sources/sources/protocols/ldap/).
+- **Provider sync performance**: We have implemented parallel scheduling for outgoing syncs to provide faster synchronization.
+- **Branding**: Custom branding should now be more consistent on initial load, without flickering.
+- **Remote Access Control (RAC) improved [documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/rac/)**: Added content about how to authenticate using a public key and improved the wording and formatting throughout the topic.
+
+## New integration guides
+
+An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added to our documentation:
+
+- [Atlassian Cloud (Jira, Confluence, etc)](../../../integrations/services/atlassian/)
+- [Coder](../../../integrations/services/coder/)
+- [FileRise](../../../integrations/services/filerise/)
+- [Komodo](../../../integrations/services/komodo/)
+- [Pangolin](../../../integrations/services/pangolin/)
+- [Push Security](../../../integrations/services/push-security/)
+- [Stripe](../../../integrations/services/stripe/)
+- [Tailscale](../../../integrations/services/tailscale/)
+- [YouTrack](../../../integrations/services/youtrack/)
+
+## Upgrading
+
+This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
+
+:::warning
+When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
+:::
+
+### Docker Compose
+
+To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
+
+```shell
+wget -O docker-compose.yml https://goauthentik.io/version/2025.6/docker-compose.yml
+docker compose up -d
+```
+
+The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
+
+### Kubernetes
+
+Upgrade the Helm Chart to the new version, using the following commands:
+
+```shell
+helm repo update
+helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6
+```
+
+## Minor changes/fixes
+
+- brands: fix CSS Migration not updating brands (#14306)
+- core: fix session migration when old session can't be loaded (#14466)
+- core: fix unable to create group if no enable_group_superuser permission is given (#14510)
+- core: Migrate permissions before deleting OldAuthenticatedSession (#14788)
+- core: Publish web packages. (#14648)
+- core: remove `OldAuthenticatedSession` content type (#14507)
+- enterprise: fix expired license's users being counted (#14451)
+- enterprise/stages: Add MTLS stage (#14296)
+- enterprise/stages/mtls: improve certificate validation (#14582)
+- enterprise/stages/mtls: update go & web client, fix py client generation (#14576)
+- lib/sync: fix static incorrect label of pages (#14851)
+- lib/sync/outgoing: reduce number of db queries made (#14177)
+- lib/sync/outgoing: sync in parallel (#14697)
+- lifecycle: fix ak dump_config (#14445)
+- lifecycle: fix test-all in docker (#14244)
+- outposts: fix tmpdir in containers not being set (#14444)
+- providers/ldap: retain binder and update users instead of re-creating (#14735)
+- providers/proxy: kubernetes outpost: fix reconcile when ingress class name changed (#14612)
+- providers/rac: apply ConnectionToken scoped-settings last (#14838)
+- rbac: add `name` to Permissions search (#14269)
+- rbac: fix RoleObjectPermissionTable not showing `add_user_to_group` (#14312)
+- root: backport SFE Build fix (#14495)
+- root: do not use /bin/bash directly (#14698)
+- root: improve sentry distributed tracing (#14468)
+- root: move forked dependencies to goauthentik org (#14590)
+- root: pin package version in pyproject for dependabot (#14469)
+- root: readme: use right contribution guide link (#14250)
+- root: replace raw.githubusercontent.com by checking out repo (#14567)
+- root: temporarily deactivate database pool option (#14443)
+- sources/kerberos: resolve logger warnings (#14540)
+- sources/ldap: add forward deletion option (#14718)
+- stages/email: fix email scanner voiding token (#14325)
+- tests/e2e: Add E2E tests for Flow SFE (#14484)
+- tests/e2e: add test for authentication flow in compatibility mode (#14392)
+- tests/e2e: fix flaky SAML Source test (#14708)
+- web, website: update browserslist (#14386)
+- web: Add specific Storybook dependency. (#14719)
+- web: Clean up browser-only module imports that crash WebDriverIO. (#14330)
+- web: cleanup/loading attribute always true (#14288)
+- web: Controller refinements, error handling (#14700)
+- Web: Controllers cleanup (#14616)
+- web: fix bug that was causing charts to be too tall (#14253)
+- web: fix description for signing responses in SAML provider (#14573)
+- web: Fix issue where dual select type is not specific. (#14783)
+- web: Fix issue where Storybook cannot resolve styles. (#14553)
+- web: Fix missing Enterprise sidebar entries. (#14615)
+- web: fix regression in subpath support (#14646)
+- web: NPM workspaces (#14274)
+- web: Type Tidy (#14647)
+- web: Use engine available on Github Actions. (#14699)
+- web: Use monorepo package utilities to build packages (#14159)
+- web/admin: Dual select state management, custom event dispatching. (#14490)
+- web/admin: fix enterprise menu display (#14447)
+- web/admin: fix permissions modal button missing for PolicyBindings and FlowStageBindings (#14619)
+- web/admin: Fix sidebar toggle synchronization. (#14487)
+- web/admin: prevent default logo flashing in admin interface (#13960)
+- web/flows: update default flow background (#14769)
+- web/flows/sfe: fix global background image not being loaded (#14442)
+
+## API Changes
+
+#### What's New
+
+---
+
+##### `GET` /stages/mtls/
+
+##### `POST` /stages/mtls/
+
+##### `GET` /stages/mtls/{stage_uuid}/
+
+##### `PUT` /stages/mtls/{stage_uuid}/
+
+##### `DELETE` /stages/mtls/{stage_uuid}/
+
+##### `PATCH` /stages/mtls/{stage_uuid}/
+
+##### `GET` /stages/mtls/{stage_uuid}/used_by/
+
+#### What's Changed
+
+---
+
+##### `GET` /core/brands/{brand_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+
+        > Certificates used for client authentication.
+
+        Items (string):
+
+##### `PUT` /core/brands/{brand_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `PATCH` /core/brands/{brand_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `GET` /policies/event_matcher/{policy_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PUT` /policies/event_matcher/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /policies/event_matcher/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /core/brands/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `GET` /core/brands/
+
+###### Parameters:
+
+Added: `client_certificates` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > Brand Serializer
+
+        - Added property `client_certificates` (array)
+            > Certificates used for client authentication.
+
+##### `POST` /policies/event_matcher/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `GET` /policies/event_matcher/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > Event Matcher Policy Serializer
+
+        - Changed property `app` (string)
+
+            > Match events created by selected application. When left empty, all applications are matched.
+
+            Added enum value:
+
+            - `authentik.enterprise.stages.mtls`
+
+        - Changed property `model` (string)
+
+            > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+            Added enum value:
+
+            - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /rbac/permissions/assigned_by_roles/{uuid}/assign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /rbac/permissions/assigned_by_roles/{uuid}/unassign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /rbac/permissions/assigned_by_users/{id}/assign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /rbac/permissions/assigned_by_users/{id}/unassign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `GET` /sources/ldap/{slug}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `PUT` /sources/ldap/{slug}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `PATCH` /sources/ldap/{slug}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `GET` /rbac/permissions/assigned_by_roles/
+
+###### Parameters:
+
+Changed: `model` in `query`
+
+##### `GET` /rbac/permissions/assigned_by_users/
+
+###### Parameters:
+
+Changed: `model` in `query`
+
+##### `POST` /sources/ldap/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `GET` /sources/ldap/
+
+###### Parameters:
+
+Added: `delete_not_found_objects` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > LDAP Source Serializer
+
+        - Added property `delete_not_found_objects` (boolean)
+            > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

website/docs/security/cves/CVE-2025-29928.md

@@ -2,13 +2,17 @@
 
 ## Deletion of sessions did not revoke sessions when using database session storage
 
+### ADDENDUM May 30, 2025
+
+As of version 2025.4, the option to store sessions in cache has been removed; sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
+
 ### Summary
 
 When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
 
 This also affects automatic session deletion when a user is set to inactive or a user is deleted.
 
-The session backend is configured via [this](../../install-config/configuration/configuration.mdx#authentik_session_storage) setting; if this settings isn't set the sessions are stored in the cache (Redis), which is not affected by this.
+The session backend was configured via the `AUTHENTIK_SESSION_STORAGE` setting, which was removed in version 2025.4.
 
 ### Patches
 

website/docs/sys-mgmt/brands.md

@@ -3,7 +3,7 @@ title: Brands
 slug: /brands
 ---
 
-As an authentik admin, you can customize your instance's appearance and behavior using brands. While a single authentik instance supports only one brand per domain, you can apply a separate brand to each domain.
+As an authentik admin, you can customize your instance's appearance and behavior using brands. Brands apply to a single domain, a domain wildcard or can be set as default, in which case the brand will be used when no other brand matches the domain.
 
 For an overview of branding and other customization options in authentik refer to [Customize your instance](../customize/index.md).
 
@@ -61,4 +61,14 @@ This means that if you want to select a default flow based on policy, you can le
 
 ## Other global settings
 
-Under **Other global settings** you can specify an exact web certificate.
+#### Web Certificate
+
+The **Web Certificate** option can be used to configure which certificate authentik uses when its accessed directly via HTTPS (via port 9443).
+
+#### Client Certificates:ak-version[2025.4]
+
+When using the [Mutual TLS Stage](../add-secure-apps/flows-stages/stages/mtls/index.md) and accessing authentik directly, this option configures which certificate authorities clients' certificates can be issued by.
+
+#### Attributes
+
+Attributes such as locale, theme settings and custom attributes can be set to a per-brand default value here. Any custom attributes can be retrieved via [`group_attributes()`](../users-sources/user/user_ref.mdx#object-properties).

website/docs/troubleshooting/postgres/upgrade_kubernetes.md

@@ -1,98 +1,161 @@
 ---
-title: Upgrade PostgreSQL on Kubernetes
+title: Upgrading PostgreSQL on Kubernetes
 ---
 
-## Preparation
+This guide walks you through upgrading PostgreSQL in your authentik Kubernetes deployment. The process requires a brief downtime period while the database is migrated.
 
-- `authentik-postgresql-0` is the Kubernetes Pod running PostgreSQL.
+:::note
+For this guide, we assume the PostgreSQL pod is named `authentik-postgresql-0`, which is the default name in the authentik Helm chart.
+:::
 
-### Prerequisites
+## Prerequisites
 
-This migration requires some downtime, during which authentik must be stopped. To do this, run the following command:
+- `kubectl` access with permissions to `scale` deployments and `exec` into pods
+- Your existing `values.yaml` file used for authentik deployment
+- Basic understanding of Kubernetes and Helm commands
+
+## Overview of workflow
+
+The basic steps to upgrades PostgreSQL on Kubernetes are:
+
+1. Stop authentik services
+2. Back up the database
+3. Prepare the data directory
+4. Upgrade PostgreSQL
+5. Restore database content
+6. Restart authentik services
+
+## Stop authentik services
+
+Begin by scaling down authentik services to prevent database access during the migration:
 
 ```shell
 kubectl scale deploy --replicas 0 authentik-server
 kubectl scale deploy --replicas 0 authentik-worker
 ```
 
-### Dump the current database
+## Back up the database
 
-Run `kubectl exec -it authentik-postgresql-0 -- bash` to get a shell in the PostgreSQL pod.
-
-Run the following commands to dump the current data into a `.sql` file:
+Connect to your PostgreSQL pod:
 
 ```shell
-# This is the path where the PVC is mounted, so we'll place the dump here too
+kubectl exec -it authentik-postgresql-0 -- bash
+```
+
+After you are connected, execute these commands to create a database backup:
+
+```shell
+# Navigate to the PostgreSQL data directory
 cd /bitnami/postgresql/
-# Set the postgres password based on the `POSTGRES_POSTGRES_PASSWORD` environment variable
+
+# Set the PostgreSQL password from environment variable
 export PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD
-# Dump the authentik database into an sql file
-pg_dump -U $POSTGRES_USER $POSTGRES_DB > dump-11.sql
+
+# Create a full database dump
+pg_dump -U $POSTGRES_USER $POSTGRES_DB > /bitnami/postgresql/dump.sql
 ```
 
-### Stop PostgreSQL and start the upgrade
-
-To upgrade, change the following entries in your `values.yaml` used to deploy authentik:
-
-```yaml
-postgresql:
-    diagnosticMode:
-        enabled: true
-    image:
-        tag: 15.2.0-debian-11-r26
-```
-
-Now run `helm upgrade --install authentik authentik/authentik -f values.yaml` to apply these changes. Depending on your configuration, you might have to repeat the steps from [Prerequisites](#prerequisites).
-
-After the upgrade is finished, you should have a new PostgreSQL pod running with the updated image.
-
-### Remove the old data
-
-Because the PVC mounted by the PostgreSQL pod still contains the old data, we need to remove/rename that data, so that PostgreSQL can initialize it with the new version.
-
-Run `kubectl exec -it authentik-postgresql-0 -- bash` to get a shell in the PostgreSQL pod.
-
-Run the following commands to move the old data:
+:::tip
+Consider copying the dump file to a safe location outside the pod:
 
 ```shell
-# This is the path where the PVC is mounted
-cd /bitnami/postgresql/
-# Move Postgres' data folder to data-11, which is the version we're upgrading to.
-# The data folder can also be deleted; however it is recommended to rename it first
-# in case the upgrade fails.
-mv data data-11
+# From a separate terminal
+kubectl cp authentik-postgresql-0:/bitnami/postgresql/dump.sql ./authentik-db-backup.sql
 ```
 
-### Restart PostgreSQL
+This ensures you have a backup even if something goes wrong with the pod or storage.
+:::
 
-In the step [Stop PostgreSQL and start the upgrade](#stop-postgresql-and-start-the-upgrade), we enabled the _diagnostic mode_, which means the PostgreSQL pod is running, but the actual Postgres process isn't running. Now that we've removed the old data directory, we can disable the diagnostic mode.
+## Prepare the data directory
 
-Once again, change the following entries in your `values.yaml` used to deploy authentik:
+While still connected to the PostgreSQL pod, prepare the data directory for the upgrade:
+
+```shell
+# Ensure you're in the PostgreSQL data directory
+cd /bitnami/postgresql/
+
+# Verify the SQL dump exists and has content
+ls -lh dump.sql
+
+# Preserve the existing data by renaming the directory
+mv data data-old
+```
+
+:::caution
+Do not delete the old data directory immediately. Keeping it as `data-old` allows for recovery if the upgrade encounters issues.
+:::
+
+## Upgrade PostgreSQL
+
+Now update your `values.yaml` to specify the new PostgreSQL version:
 
 ```yaml
 postgresql:
     image:
-        tag: 15.2.0-debian-11-r26
+        tag: <NEW_VERSION>
 ```
 
-And once again run `helm upgrade --install authentik authentik/authentik -f values.yaml` to apply these changes. Depending on your configuration, you might have to repeat the steps from [Prerequisites](#prerequisites).
+Apply these changes using Helm to deploy the updated configuration.
 
-After the PostgreSQL pod is running again, we need to restore the data from the dump we created above.
+This will restart the PostgreSQL pod with the new image. When the pod starts, PostgreSQL will initialize a new, empty data directory since the previous directory was renamed.
 
-Run `kubectl exec -it authentik-postgresql-0 -- bash` to get a shell in the PostgreSQL pod.
+## Restore database content
 
-Run the following commands to restore the data:
+Connect to the PostgreSQL pod again:
 
 ```shell
-# This is the path where the PVC is mounted
-cd /bitnami/postgresql/
-# Set the Postgres password based on the `POSTGRES_POSTGRES_PASSWORD` environment variable.
-export PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD
-psql -U $POSTGRES_USER $POSTGRES_DB < dump-11.sql
+kubectl exec -it authentik-postgresql-0 -- bash
 ```
 
-After the last command finishes, all of the data is restored, and you can restart authentik.
+Restore your database from the backup:
 
-### Restarting authentik
+```shell
+# Navigate to the PostgreSQL directory
+cd /bitnami/postgresql/
 
-Run `helm upgrade --install authentik authentik/authentik -f values.yaml` once again, which will restart your authentik server and worker containers.
+# Verify your dump file is still there
+ls -lh dump.sql
+
+# Set the PostgreSQL password
+export PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD
+
+# Import the database dump
+psql -U $POSTGRES_USER $POSTGRES_DB < dump.sql
+```
+
+## Restart authentik services
+
+After the database restoration completes successfully, restart authentik using Helm with your updated configuration.
+
+This will scale your authentik server and worker deployments back to their original replica counts.
+
+## Troubleshooting
+
+If you encounter issues during the upgrade process:
+
+- Check PostgreSQL logs:
+    ```shell
+    kubectl logs authentik-postgresql-0
+    ```
+- Verify the values in your `values.yaml` file match the recommended settings
+- Ensure you have sufficient storage available for both the database dump and the database itself
+
+### Dump file not found
+
+If your dump file is missing after upgrading:
+
+- You may need to restore from the external backup if you copied it out of the pod
+- The volume might have been recreated if you're using ephemeral storage
+
+### Restoring the original database
+
+For persistent problems, you can restore from the `data-old` directory if needed:
+
+```shell
+kubectl exec -it authentik-postgresql-0 -- bash
+cd /bitnami/postgresql/
+mv data data-new-failed
+mv data-old data
+```
+
+Then restart PostgreSQL with the original version in your `values.yaml`.

website/docs/users-sources/sources/directory-sync/active-directory/index.md

@@ -42,7 +42,7 @@ To support the integration of Active Directory with authentik, you need to creat
 
 To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik.
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Directory** > **Federation & Social login**.
 3. Click **Create** and select **LDAP Source** as the type.
 4. Provide a name, slug, and the following required configurations:

website/docs/users-sources/sources/directory-sync/freeipa/index.md

@@ -13,7 +13,7 @@ The following placeholders are used in this guide:
 
 ## FreeIPA Setup
 
-1. Log into FreeIPA.
+1. Log in to FreeIPA.
 
 2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: `pwgen 64 1` or `openssl rand 36 | base64 -w 0`. After you are done click **Add and Edit**.
 

website/docs/users-sources/sources/index.md

@@ -19,7 +19,7 @@ For instructions to add a specific source, refer to the documentation links in t
 
 To have sources show on the default login screen you will need to add them to the flow. The process below assumes that you have not created or renamed the default stages and flows.
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Flows and Stages** > **Flows**.
 3. Click the **default-authentication-flow**.
 4. Click the **Stage Bindings** tab.

website/docs/users-sources/sources/protocols/kerberos/browser.md

@@ -26,7 +26,7 @@ To automate the deployment of this configuration use a [Group policy](https://su
 
 ## Windows / Internet Explorer
 
-Log into the Windows machine using an account of your Kerberos realm (or administrative domain).
+Log in to the Windows machine using an account of your Kerberos realm (or administrative domain).
 
 Open Internet Explorer, click **Tools** and then click **Internet Options**. You can also find **Internet Options** using the system search.
 

website/docs/users-sources/sources/protocols/ldap/index.md

@@ -12,14 +12,14 @@ For FreeIPA, follow the [FreeIPA Integration](../../directory-sync/freeipa/index
 
 ## Configuration options for LDAP sources
 
-To create or edit a source in authentik, open the Admin interface and navigate to **Directory > Ferderation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
+To create or edit a source in authentik, open the Admin interface and navigate to **Directory > Federation and Social login**. There you can create a new LDAP source, or edit an existing one, using the following settings.
 
 - **Enabled**: Toggle this option on to allow authentik to use the defined LDAP source.
 - **Update internal password on login**: When the user logs in to authentik using the LDAP password backend, the password is stored as a hashed value in authentik. Toggle off (default setting) if you do not want to store the hashed passwords in authentik.
 - **Sync users**: Enable or disable user synchronization between authentik and the LDAP source.
 - **User password writeback**: Enable this option if you want to write password changes that are made in authentik back to LDAP.
-- **Sync groups**: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
-- **Parent group**: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
+- **Sync groups**: Enable/disable group synchronization between authentik and the LDAP source.
+- **Delete Not Found Objects**: :ak-version[2025.6] This option synchronizes user and group deletions from LDAP sources to authentik. User deletion requires enabling **Sync users** and group deletion requires enabling **Sync groups**.
 
 #### Connection settings
 
@@ -29,9 +29,9 @@ To create or edit a source in authentik, open the Admin interface and navigate t
     - **Use Server URI for SNI verification**: this setting is required for servers using TLS 1.3+
 
 - **TLS Verification Certificate**: Specify a keypair to validate the remote certificate.
-- **TLS Client authentication**: Client certificate keypair to authenticate against the LDAP Server's Certificate.
+- **TLS Client authentication certificate**: Client certificate keypair to authenticate against the LDAP Server's Certificate.
 - **Bind CN**: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
-- **Bind password**: Password used during the bind process.
+- **Bind Password**: Password used during the bind process.
 - **Base DN**: Base DN (distinguished name) used for all LDAP queries.
 
 #### LDAP Attribute mapping
@@ -44,14 +44,17 @@ To create or edit a source in authentik, open the Admin interface and navigate t
 
 #### Additional Settings
 
-- **Group**: Parent group for all the groups imported from LDAP.
+- **Parent Group**: Parent group for all the groups imported from LDAP. An example use case would be to import Active Directory groups under a root `imported-from-ad` group.
 - **User path**: Path template for all new users created.
-- **Addition User DN**: Prepended to the base DN for user queries.
-- **Addition Group DN**: Prepended to the base DN for group queries.
+- **Additional User DN**: Prepended to the base DN for user queries.
+- **Additional Group DN**: Prepended to the base DN for group queries.
 - **User object filter**: Consider objects matching this filter to be users.
 - **Group object filter**: Consider objects matching this filter to be groups.
 - **Lookup using a user attribute**: Acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories with nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field.
 - **Group membership field**: The user object attribute or the group object attribute that determines the group membership for a user. If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute.
+- **User membership attribute**: Attribute name on authentik user objects which is checked against the **Group membership field**. Two common cases are:
+    - If your groups have `member` attributes containing DNs, set this to `distinguishedName`. (The `distinguishedName` attribute for User objects in authentik is set automatically.)
+    - If your groups have `memberUid` attributes containing `uid`s, set this to `uid`. Make sure that you've created a property mapping that creates an attribute called `uid`.
 - **Object uniqueness field**: This field contains a unique identifier.
 
 ## LDAP source property mappings

website/docs/users-sources/sources/social-logins/apple/index.md

@@ -21,7 +21,7 @@ The following placeholders are used in this guide:
 
 ## Apple
 
-1. Log into your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
+1. Log in to your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
 2. Register a new Identifier with the type of **App IDs**, and the subtype **App**.
 3. Choose a name that users will recognise for the **Description** field.
 4. For your bundle ID, use the reverse domain of authentik, in this case `company.authentik`.

website/docs/users-sources/sources/social-logins/facebook/index.md

@@ -48,7 +48,7 @@ Finally, you need to publish the Facebook app.
 
 ## authentik configuration
 
-1. Log into authentik as admin, and then navigate to **Directory -> Federation & Social login**
+1. Log in to authentik as admin, and then navigate to **Directory -> Federation & Social login**
 2. Click **Create**.
 3. In the **New Source** box, for **Select type** select **Facebook OAuth Source** and then click **Next**.
 4. Define the following fields:

website/docs/users-sources/sources/social-logins/mailcow/index.md

@@ -14,7 +14,7 @@ The following placeholders are used in this guide:
 
 ## Mailcow
 
-1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings
+1. Log in to mailcow as an admin and navigate to the OAuth2 Apps settings
 
 ![OAuth2 Apps menu](./mailcow1.png)
 

website/docs/users-sources/user/user_ref.mdx

@@ -25,7 +25,7 @@ These are examples of how User objects can be used within Policies and Property
 
 ### List a user's group memberships
 
-Use the following example to list all groups that a User object is a member of:
+Use the following example to list all groups that a user object is a member of:
 
 ```python
 for group in user.ak_groups.all():
@@ -34,12 +34,20 @@ for group in user.ak_groups.all():
 
 ### List a user's group memberships and filter based on group name
 
-Use the following example to list groups that a User object is a member of, but filter based on group name:
+Use the following example to list groups that a user object is a member of, but filter based on group name:
 
 ```python
 user.ak_groups.filter(name__startswith='test')
 ```
 
+### List a user's group memberships including parent groups
+
+Use the following example to list all groups that a user object is a member of, including parent groups:
+
+```python
+groups = [group.name for group in request.user.all_groups()]
+```
+
 :::info
 For Django field lookups, see the [Django documentation](https://docs.djangoproject.com/en/stable/ref/models/querysets/#id4).
 :::

website/integrations/services/actual-budget/index.mdx

@@ -30,7 +30,7 @@ To support the integration of Actual Budget with authentik, you need to create a
 
 ### Create an application and provider in authentik
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
@@ -102,10 +102,10 @@ The first user to log into Actual Budget via OpenID will become the owner and ad
 To do so, navigate to **Server online** > **User Directory**, and create users matching exiting authentik usernames. Then, grant access to the budget via the **User Access** tab.
 :::
 
-## Resources
-
-- [Official Actual Budget documentation on OpenID Connect integration](https://actualbudget.org/docs/experimental/oauth-auth/)
-
 ## Configuration verification
 
 To confirm that authentik is properly configured with Actual Budget, visit your Actual Budget installation, select the OpenID login method from the dropdown menu, and click **Sign in with OpenID**.
+
+## Resources
+
+- [Official Actual Budget documentation on OpenID Connect integration](https://actualbudget.org/docs/experimental/oauth-auth/)

website/integrations/services/adventurelog/index.mdx

@@ -27,7 +27,7 @@ To support the integration of AdventureLog with authentik, you need to create an
 
 ### Create an application and provider in authentik
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
@@ -73,10 +73,10 @@ Ensure the `https://adventurelog.company/accounts` path is routed to the backend
 
 Launch your authentik dashboard as an admin and find the AdventureLog app. Click **More details** then **Edit**. In the admin interface, click **Test** under **Check Access**. If you get a 403 error, you need to grant the user the correct permissions. This can be done by going to the user's profile and adding the correct permissions.
 
-## Resources
-
-- [AdventureLog's official documentation](https://adventurelog.app/docs/configuration/social_auth/authentik.html)
-
 ## Configuration verification
 
 To confirm authentik is correctly integrated with AdventureLog, log out and attempt to log back in using OpenID Connect by clicking the **authentik** button on the AdventureLog login page.
+
+## Resources
+
+- [AdventureLog's official documentation](https://adventurelog.app/docs/configuration/social_auth/authentik.html)

website/integrations/services/apache-guacamole/index.mdx

@@ -30,7 +30,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
 
 ### Create an application and provider in authentik
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
@@ -188,10 +188,10 @@ This section depends on the operating system hosting Apache Guacamole.
 More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
 :::
 
-## Resources
-
-- [Apache Guacamole official documentation on OpenID Connect integrations](https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect)
-
 ## Configuration verification
 
 To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page.
+
+## Resources
+
+- [Apache Guacamole official documentation on OpenID Connect integrations](https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect)

website/integrations/services/argocd/index.md

@@ -27,7 +27,7 @@ To support the integration of ArgoCD with authentik, you need to create an appli
 
 ### Create an application and provider in authentik
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.

website/integrations/services/aruba-orchestrator/index.md

@@ -27,7 +27,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
 
 ### Create property mappings
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
     - **Name**: Set an appropriate name
     - **SAML Attribute Name**: <kbd>sp-roles</kbd>
@@ -41,7 +41,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
 
 ### Create an application and provider in authentik
 
-1. Log in to authentik as an admin, and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.