website/docs: Fix version picker.

2025-05-06 16:13:44 +02:00
882 changed files with 24179 additions and 46786 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.1
+current_version = 2025.4.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.dockerignore
+++ b/.dockerignore
@ -5,10 +5,8 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
 **/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
 .venv
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -36,7 +36,7 @@ runs:
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
+      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,13 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/packages/sfe"
+      - "/web/sfe"
      - "/web/packages/core"
      - "/web/packages/esbuild-plugin-live-reload"
      - "/packages/prettier-config"
      - "/packages/tsconfig"
      - "/packages/docusaurus-config"
      - "/packages/eslint-config"
    schedule:
      interval: daily
      time: "04:00"
@ -74,9 +68,6 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@ -97,16 +88,6 @@ updates:
          - "swc-*"
          - "lightningcss*"
          - "@rspack/binding*"
      goauthentik:
        patterns:
          - "@goauthentik/*"
      eslint:
        patterns:
          - "@eslint/*"
          - "@typescript-eslint/*"
          - "eslint-*"
          - "eslint"
          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -53,7 +53,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -62,7 +62,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -117,7 +116,6 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -202,7 +200,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -210,7 +208,6 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -41,60 +41,32 @@ jobs:
      - name: test
        working-directory: website/
        run: npm test
-  build-container:
+  build:
    runs-on: ubuntu-latest
-    permissions:
+    name: ${{ matrix.job }}
-      # Needed to upload container images to ghcr.io
+    strategy:
-      packages: write
+      fail-fast: false
-      # Needed for attestation
+      matrix:
-      id-token: write
+        job:
-      attestations: write
+          - build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          node-version-file: website/package.json
-      - name: Set up QEMU
+          cache: "npm"
-        uses: docker/setup-qemu-action@v3.6.0
+          cache-dependency-path: website/package-lock.json
-      - name: Set up Docker Buildx
+      - working-directory: website/
-        uses: docker/setup-buildx-action@v3
+        run: npm ci
-      - name: prepare variables
+      - name: build
-        uses: ./.github/actions/docker-push-variables
+        working-directory: website/
-        id: ev
+        run: npm run ${{ matrix.job }}
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  ci-website-mark:
    if: always()
    needs:
      - lint
      - test
-      - build-container
+      - build
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -37,7 +37,6 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -53,7 +53,6 @@ jobs:
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -7,7 +7,6 @@ on:
      - packages/eslint-config/**
      - packages/prettier-config/**
      - packages/tsconfig/**
      - web/packages/esbuild-plugin-live-reload/**
  workflow_dispatch:
 jobs:
  publish:
@ -17,28 +16,27 @@ jobs:
      fail-fast: false
      matrix:
        package:
-          - packages/docusaurus-config
+          - docusaurus-config
-          - packages/eslint-config
+          - eslint-config
-          - packages/prettier-config
+          - prettier-config
-          - packages/tsconfig
+          - tsconfig
          - web/packages/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
        with:
-          node-version-file: ${{ matrix.package }}/package.json
+          node-version-file: packages/${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
-            ${{ matrix.package }}/package.json
+            packages/${{ matrix.package }}/package.json
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: ${{ matrix.package }}
+        working-directory: packages/${{ matrix.package}}
        run: |
          npm ci
          npm run build
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -20,49 +20,6 @@ jobs:
      release: true
      registry_dockerhub: true
      registry_ghcr: true
  build-docs:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: true
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
@ -236,6 +193,6 @@ jobs:
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -52,6 +52,3 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
          labels: dependencies
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -15,7 +15,6 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
      - uses: actions/checkout@v4
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
@ -26,13 +25,23 @@ jobs:
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
            -X PATCH \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/53
+++ b/53
@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
-# Stage 1: Build webui
+# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 ENV NODE_ENV=production
 WORKDIR /work/website
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
 COPY ./schema.yml /work/
 COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@ -13,7 +32,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./package.json /work
@ -21,10 +40,9 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build && \
+RUN npm run build
    npm run build:sfe
-# Stage 2: Build go proxy
+# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 ARG TARGETOS
@ -49,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@ -61,7 +79,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server
-# Stage 3: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@ -74,10 +92,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
-# Stage 4: Download uv
+# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
-# Stage 5: Base python image
+# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@ -90,7 +108,7 @@ WORKDIR /ak-root/
 COPY --from=uv /uv /uvx /bin/
-# Stage 6: Python dependencies
+# Stage 7: Python dependencies
 FROM python-base AS python-deps
 ARG TARGETARCH
@ -125,7 +143,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev
-# Stage 7: Run
+# Stage 8: Run
 FROM python-base AS final-image
 ARG VERSION
@ -168,8 +186,9 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 USER 1000
--- a/51
+++ b/51
@ -1,7 +1,6 @@
 .PHONY: gen dev-reset all clean test web website
-SHELL := /usr/bin/env bash
+.SHELLFLAGS += ${SHELLFLAGS} -e
 .SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
@ -9,9 +8,9 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
-GEN_API_TS = gen-ts-api
+GEN_API_TS = "gen-ts-api"
-GEN_API_PY = gen-py-api
+GEN_API_PY = "gen-py-api"
-GEN_API_GO = gen-go-api
+GEN_API_GO = "gen-go-api"
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
@ -118,19 +117,14 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ./${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+	rm -rf ./web/node_modules/@goauthentik/api/
 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/
 ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	make -C ${PWD}/${GEN_API_GO} clean
 else
 	rm -rf ${PWD}/${GEN_API_GO}
 endif
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
@ -147,8 +141,8 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	mkdir -p web/node_modules/@goauthentik/api
-	cd ${PWD}/${GEN_API_TS} && npm i
+	cd ./${GEN_API_TS} && npm i
-	\cp -rf ${PWD}/${GEN_API_TS}/* web/node_modules/@goauthentik/api
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
@ -162,17 +156,24 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 	pip install ./${GEN_API_PY}
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-else
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
-	cd ${PWD}/${GEN_API_GO} && git pull
+	cp schema.yml ./${GEN_API_GO}/
-endif
+	docker run \
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
-	make -C ${PWD}/${GEN_API_GO} build
+		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/ \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 gen-dev-config:  ## Generate a local development config file
 	uv run scripts/generate_config.py
@ -243,7 +244,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
+	BUILD=true ./scripts/test_docker.sh
 #########################
 ## CI
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 ## Adoption and Contributions
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
 | 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
 | 2025.6.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.6.1"
+__version__ = "2025.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -0,0 +1,79 @@
 """authentik administration metrics"""
 from datetime import timedelta
 from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import EventAction
 class CoordinateSerializer(PassiveSerializer):
    """Coordinates for diagrams"""
    x_cord = IntegerField(read_only=True)
    y_cord = IntegerField(read_only=True)
 class LoginMetricsSerializer(PassiveSerializer):
    """Login Metrics per 1h"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get successful authorizations per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""
    permission_classes = [IsAuthenticated]
    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        serializer.context["user"] = request.user
        return Response(serializer.data)
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -1,7 +1,6 @@
 """authentik administration overview"""
 from django.core.cache import cache
 from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@ -14,7 +13,6 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
 from authentik.tenants.utils import get_current_tenant
 class VersionSerializer(PassiveSerializer):
@ -37,8 +35,6 @@ class VersionSerializer(PassiveSerializer):
    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
        if get_current_tenant().schema_name == get_public_schema_name():
            return __version__
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
            update_latest_version.delay()
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -14,19 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
    @ManagedAppConfig.reconcile_global
    def clear_update_notifications(self):
        """Clear update notifications on startup if the notification was for the version
        we're running now."""
        from packaging.version import parse
        from authentik.admin.tasks import LOCAL_VERSION
        from authentik.events.models import EventAction, Notification
        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
            if "new_version" not in notification.event.context:
                continue
            notification_version = notification.event.context["new_version"]
            if LOCAL_VERSION >= parse(notification_version):
                notification.delete()
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -1,7 +1,6 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 from django_tenants.utils import get_public_schema_name
 from authentik.lib.utils.time import fqdn_rand
@ -9,7 +8,6 @@ CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
        "tenant_schemas": [get_public_schema_name()],
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,6 +1,7 @@
 """authentik admin tasks"""
 from django.core.cache import cache
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@ -8,7 +9,7 @@ from structlog.stdlib import get_logger
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
@ -32,6 +33,20 @@ def _set_prom_info():
    )
@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
 def clear_update_notifications():
    """Clear update notifications on startup if the notification was for the version
    we're running now."""
    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
        if "new_version" not in notification.event.context:
            continue
        notification_version = notification.event.context["new_version"]
        if LOCAL_VERSION >= parse(notification_version):
            notification.delete()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def update_latest_version(self: SystemTask):
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -36,6 +36,11 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(len(body), 0)
    def test_metrics(self):
        """Test metrics API"""
        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -1,12 +1,12 @@
 """test admin tasks"""
 from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@ -72,13 +72,12 @@ class TestAdminTasks(TestCase):
    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -3,6 +3,7 @@
 from django.urls import path
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@ -11,6 +12,11 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
    path(
        "admin/metrics/",
        AdministrationMetricsViewSet.as_view(),
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -1,13 +1,12 @@
 """authentik API AppConfig"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
    """authentik API Config"""
    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
    default = True
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -1,12 +1,9 @@
 """API Authentication"""
 from hmac import compare_digest
 from pathlib import Path
 from tempfile import gettempdir
 from typing import Any
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@ -14,17 +11,11 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger
 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 LOGGER = get_logger()
 _tmp = Path(gettempdir())
 try:
    with open(_tmp / "authentik-core-ipc.key") as _f:
        ipc_key = _f.read()
 except OSError:
    ipc_key = None
 def validate_auth(header: bytes) -> str | None:
@ -82,11 +73,6 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
    # then try to auth via secret key (for embedded outpost/etc)
    user = token_ipc(auth_credentials)
    if user:
        CTX_AUTH_VIA.set("ipc")
        return user
    raise AuthenticationFailed("Token invalid/expired")
@ -104,43 +90,6 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user
 class IPCUser(AnonymousUser):
    """'Virtual' user for IPC communication between authentik core and the authentik router"""
    username = "authentik:system"
    is_active = True
    is_superuser = True
    @property
    def type(self):
        return UserTypes.INTERNAL_SERVICE_ACCOUNT
    def has_perm(self, perm, obj=None):
        return True
    def has_perms(self, perm_list, obj=None):
        return True
    def has_module_perms(self, module):
        return True
    @property
    def is_anonymous(self):
        return False
    @property
    def is_authenticated(self):
        return True
 def token_ipc(value: str) -> User | None:
    """Check if the token is the secret key
    and return the service account for the managed outpost"""
    if not ipc_key or not compare_digest(value, ipc_key):
        return None
    return IPCUser()
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -134,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -205,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@ -1,14 +0,0 @@
 from django.test import TestCase
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import get_apps
 class TestManagedAppConfig(TestCase):
    def test_apps_use_managed_app_config(self):
        for app in get_apps():
            if app.name.startswith("authentik.enterprise"):
                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
            else:
                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models
    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -59,7 +59,6 @@ class BrandSerializer(ModelSerializer):
            "flow_device_code",
            "default_application",
            "web_certificate",
            "client_certificates",
            "attributes",
        ]
        extra_kwargs = {
@ -121,7 +120,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "domain",
        "branding_title",
        "web_certificate__name",
        "client_certificates__name",
    ]
    filterset_fields = [
        "brand_uuid",
@ -138,7 +136,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_user_settings",
        "flow_device_code",
        "web_certificate",
        "client_certificates",
    ]
    ordering = ["domain"]
--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@ -1,9 +1,9 @@
 """authentik brands app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
    """authentik Brand app"""
    name = "authentik.brands"
@ -12,4 +12,3 @@ class AuthentikBrandsConfig(ManagedAppConfig):
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
    default = True
--- a/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
+++ b/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
@ -1,37 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-19 15:09
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_brands", "0009_brand_branding_default_flow_background"),
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
    ]
    operations = [
        migrations.AddField(
            model_name="brand",
            name="client_certificates",
            field=models.ManyToManyField(
                blank=True,
                default=None,
                help_text="Certificates used for client authentication.",
                to="authentik_crypto.certificatekeypair",
            ),
        ),
        migrations.AlterField(
            model_name="brand",
            name="web_certificate",
            field=models.ForeignKey(
                default=None,
                help_text="Web Certificate used by the authentik Core webserver.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="+",
                to="authentik_crypto.certificatekeypair",
            ),
        ),
    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -73,13 +73,6 @@ class Brand(SerializerModel):
        default=None,
        on_delete=models.SET_DEFAULT,
        help_text=_("Web Certificate used by the authentik Core webserver."),
        related_name="+",
    )
    client_certificates = models.ManyToManyField(
        CertificateKeyPair,
        default=None,
        blank=True,
        help_text=_("Certificates used for client authentication."),
    )
    attributes = models.JSONField(default=dict, blank=True)
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
    def test_custom_css(self):
        """Test custom_css"""
        brand = create_test_brand()
        brand.branding_custom_css = """* {
            font-family: "Foo bar";
        }"""
        brand.save()
        res = self.client.get(reverse("authentik_core:if-user"))
        self.assertEqual(res.status_code, 200)
        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,12 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
+from sentry_sdk import get_current_span
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
 from authentik.brands.models import Brand
 from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 _q_default = Q(default=True)
@ -34,14 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
+    trace = ""
-    # only directly exposes this as a function that also wraps it in a <script> tag
+    span = get_current_span()
-    # which we dont want for CSS
+    if span:
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
+        trace = span.to_traceparent()
    return {
        "brand": brand,
        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
+        "sentry_trace": trace,
        "version": get_full_version(),
    }
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -2,9 +2,11 @@
 from collections.abc import Iterator
 from copy import copy
 from datetime import timedelta
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@ -18,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@ -25,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -317,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, slug: str):
        """Metrics for application logins"""
        app = self.get_object()
        return Response(
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION,
                context__authorized_application__pk=app.pk.hex,
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,17 +99,18 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        if self.instance or superuser:
+        has_perm = user.has_perm(perm)
-            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+        if self.instance and not has_perm:
-            if not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
-                raise ValidationError(
+        if not has_perm:
-                    _(
+            raise ValidationError(
-                        (
+                _(
-                            "User does not have permission to set "
+                    (
-                            "superuser status to {superuser_status}."
+                        "User does not have permission to set "
-                        ).format_map({"superuser_status": superuser})
+                        "superuser status to {superuser_status}."
-                    )
+                    ).format_map({"superuser_status": superuser})
                )
            )
        return superuser
    class Meta:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,7 @@ from typing import Any
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@ -51,6 +52,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@ -82,7 +84,6 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -315,6 +316,53 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)
 class UserMetricsSerializer(PassiveSerializer):
    """User Metrics"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED, context__username=user.username
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class UsersFilter(FilterSet):
    """Filter for users"""
@ -403,7 +451,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)
-    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
+    def _create_recovery_link(self) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
        brand: Brand = self.request._request.brand
@ -425,16 +473,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            raise ValidationError(
                {"non_field_errors": "Recovery flow not applicable to user"}
            ) from None
        _plan = FlowToken.pickle(plan)
        if for_email:
            _plan = pickle_flow_token_for_email(plan)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
-                "_plan": _plan,
+                "_plan": FlowToken.pickle(plan),
                "revoke_on_execution": not for_email,
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@ -558,6 +602,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, pk: int) -> Response:
        """User metrics per 1h"""
        user: User = self.get_object()
        serializer = UserMetricsSerializer(instance={})
        serializer.context["user"] = user
        serializer.context["request"] = request
        return Response(serializer.data)
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
@ -593,7 +648,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link(for_email=True)
+        link, token = self._create_recovery_link()
        # Lookup the email stage to assure the current user can access it
        stages = get_objects_for_user(
            request.user, "authentik_stages_email.view_emailstage"
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,7 +2,6 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
@ -17,10 +16,6 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
                # See https://code.djangoproject.com/ticket/28417
                # Remove potential lingering old permissions
                call_command("remove_stale_contenttypes", "--no-input")
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,10 +31,7 @@ class PickleSerializer:
    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        try:
+        return pickle.loads(data)  # nosec
            return pickle.loads(data)  # nosec
        except Exception:
            return {}
 def _migrate_session(
@ -79,7 +76,6 @@ def _migrate_session(
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
            uuid=old_auth_session.uuid,
        )
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,103 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 from django.apps.registry import Apps, apps as global_apps
 from django.db import migrations
 from django.contrib.contenttypes.management import create_contenttypes
 from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
    db_alias = schema_editor.connection.alias
    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
    # real config for creating permissions and content types
    authentik_core_config = global_apps.get_app_config("authentik_core")
    # These are only ran by django after all migrations, but we need them right now.
    # `global_apps` is needed,
    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
    # But from now on, this is just a regular migration, so use `apps`
    Permission = apps.get_model("auth", "Permission")
    ContentType = apps.get_model("contenttypes", "ContentType")
    try:
        old_ct = ContentType.objects.using(db_alias).get(
            app_label="authentik_core", model="oldauthenticatedsession"
        )
        new_ct = ContentType.objects.using(db_alias).get(
            app_label="authentik_core", model="authenticatedsession"
        )
    except ContentType.DoesNotExist:
        # This should exist at this point, but if not, let's cut our losses
        return
    # Get all permissions for the old content type
    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
    # Create equivalent permissions for the new content type
    for old_perm in old_perms:
        new_perm = (
            Permission.objects.using(db_alias)
            .filter(
                content_type=new_ct,
                codename=old_perm.codename,
            )
            .first()
        )
        if not new_perm:
            # This should exist at this point, but if not, let's cut our losses
            continue
        # Global user permissions
        User = apps.get_model("authentik_core", "User")
        User.user_permissions.through.objects.using(db_alias).filter(
            permission=old_perm
        ).all().update(permission=new_perm)
        # Global role permissions
        DjangoGroup = apps.get_model("auth", "Group")
        DjangoGroup.permissions.through.objects.using(db_alias).filter(
            permission=old_perm
        ).all().update(permission=new_perm)
        # Object user permissions
        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
            permission=new_perm, content_type=new_ct
        )
        # Object role permissions
        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
            permission=new_perm, content_type=new_ct
        )
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
    db_alias = schema_editor.connection.alias
    ContentType = apps.get_model("contenttypes", "ContentType")
    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0047_delete_oldauthenticatedsession"),
    ]
    operations = [
        migrations.RunPython(
            code=migrate_authenticated_session_permissions,
            reverse_code=migrations.RunPython.noop,
        ),
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
            reverse_code=migrations.RunPython.noop,
        ),
    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,14 +16,12 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        {% for key, value in html_meta.items %}
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <meta name="{{key}}" content="{{ value }}" />
        {% endfor %}
    </head>
    <body>
        {% block body %}
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,7 +10,7 @@
 {% endblock %}
 {% block body %}
-<ak-message-container alignment="bottom"></ak-message-container>
+<ak-message-container></ak-message-container>
 <ak-interface-admin>
    <ak-loading></ak-loading>
 </ak-interface-admin>
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,16 +124,6 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )
    def test_superuser_no_perm_no_superuser(self):
        """Test creating a group without permission and without superuser flag"""
        assign_perm("authentik_core.add_group", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": False},
        )
        self.assertEqual(res.status_code, 201)
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -81,6 +81,22 @@ class TestUsersAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
        self.assertEqual(response.status_code, 200)
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 200)
    def test_metrics_denied(self):
        """Test user's metrics (non-superuser)"""
        self.client.force_login(self.user)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)
    def test_recovery_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -30,7 +30,6 @@ from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
@ -273,12 +272,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_certificate(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs certificate and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+        Event.new(  # noqa # nosec
-            Event.new(  # noqa # nosec
+            EventAction.SECRET_VIEW,
-                EventAction.SECRET_VIEW,
+            secret=certificate,
-                secret=certificate,
+            type="certificate",
-                type="certificate",
+        ).from_http(request)
            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(
@ -304,12 +302,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_private_key(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs private key and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+        Event.new(  # noqa # nosec
-            Event.new(  # noqa # nosec
+            EventAction.SECRET_VIEW,
-                EventAction.SECRET_VIEW,
+            secret=certificate,
-                secret=certificate,
+            type="private_key",
-                type="private_key",
+        ).from_http(request)
            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(certificate.key_data, content_type="application/x-pem-file")
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,14 +132,13 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            if lic.is_valid:
+            total.internal_users += lic.internal_users
-                total.internal_users += lic.internal_users
+            total.external_users += lic.external_users
                total.external_users += lic.external_users
                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
            total.license_flags.extend(lic.status.license_flags)
        return total
    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,10 +39,6 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()
    @property
    def is_valid(self) -> bool:
        return self.expiry >= now()
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/providers/google_workspace/clients/groups.py
+++ b/authentik/enterprise/providers/google_workspace/clients/groups.py
@ -25,7 +25,7 @@ class GoogleWorkspaceGroupClient(
    """Google client for groups"""
    connection_type = GoogleWorkspaceProviderGroup
-    connection_attr = "googleworkspaceprovidergroup_set"
+    connection_type_query = "group"
    can_discover = True
    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/clients/users.py
+++ b/authentik/enterprise/providers/google_workspace/clients/users.py
@ -20,7 +20,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
    """Sync authentik users into google workspace"""
    connection_type = GoogleWorkspaceProviderUser
-    connection_attr = "googleworkspaceprovideruser_set"
+    connection_type_query = "user"
    can_discover = True
    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@ -132,11 +132,7 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = (
+            base = User.objects.all().exclude_anonymous()
                User.objects.prefetch_related("googleworkspaceprovideruser_set")
                .all()
                .exclude_anonymous()
            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -146,11 +142,7 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return (
+            return Group.objects.all().order_by("pk")
                Group.objects.prefetch_related("googleworkspaceprovidergroup_set")
                .all()
                .order_by("pk")
            )
        raise ValueError(f"Invalid type {type}")
    def google_credentials(self):
--- a/authentik/enterprise/providers/microsoft_entra/clients/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/groups.py
@ -29,7 +29,7 @@ class MicrosoftEntraGroupClient(
    """Microsoft client for groups"""
    connection_type = MicrosoftEntraProviderGroup
-    connection_attr = "microsoftentraprovidergroup_set"
+    connection_type_query = "group"
    can_discover = True
    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/clients/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/users.py
@ -24,7 +24,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
    """Sync authentik users into microsoft entra"""
    connection_type = MicrosoftEntraProviderUser
-    connection_attr = "microsoftentraprovideruser_set"
+    connection_type_query = "user"
    can_discover = True
    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@ -121,11 +121,7 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = (
+            base = User.objects.all().exclude_anonymous()
                User.objects.prefetch_related("microsoftentraprovideruser_set")
                .all()
                .exclude_anonymous()
            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -135,11 +131,7 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return (
+            return Group.objects.all().order_by("pk")
                Group.objects.prefetch_related("microsoftentraprovidergroup_set")
                .all()
                .order_by("pk")
            )
        raise ValueError(f"Invalid type {type}")
    def microsoft_credentials(self):
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -19,7 +19,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.mtls",
    "authentik.enterprise.stages.source",
 ]
--- a/authentik/enterprise/stages/mtls/init.py
+++ b/authentik/enterprise/stages/mtls/init.py
--- a/authentik/enterprise/stages/mtls/api.py
+++ b/authentik/enterprise/stages/mtls/api.py
@ -1,31 +0,0 @@
 """Mutual TLS Stage API Views"""
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.mtls.models import MutualTLSStage
 from authentik.flows.api.stages import StageSerializer
 class MutualTLSStageSerializer(EnterpriseRequiredMixin, StageSerializer):
    """MutualTLSStage Serializer"""
    class Meta:
        model = MutualTLSStage
        fields = StageSerializer.Meta.fields + [
            "mode",
            "certificate_authorities",
            "cert_attribute",
            "user_attribute",
        ]
 class MutualTLSStageViewSet(UsedByMixin, ModelViewSet):
    """MutualTLSStage Viewset"""
    queryset = MutualTLSStage.objects.all()
    serializer_class = MutualTLSStageSerializer
    filterset_fields = "__all__"
    ordering = ["name"]
    search_fields = ["name"]
--- a/authentik/enterprise/stages/mtls/apps.py
+++ b/authentik/enterprise/stages/mtls/apps.py
@ -1,12 +0,0 @@
 """authentik stage app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterpriseStageMTLSConfig(EnterpriseConfig):
    """authentik MTLS stage config"""
    name = "authentik.enterprise.stages.mtls"
    label = "authentik_stages_mtls"
    verbose_name = "authentik Enterprise.Stages.MTLS"
    default = True
--- a/authentik/enterprise/stages/mtls/migrations/0001_initial.py
+++ b/authentik/enterprise/stages/mtls/migrations/0001_initial.py
@ -1,68 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-19 18:29
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.CreateModel(
            name="MutualTLSStage",
            fields=[
                (
                    "stage_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_flows.stage",
                    ),
                ),
                (
                    "mode",
                    models.TextField(choices=[("optional", "Optional"), ("required", "Required")]),
                ),
                (
                    "cert_attribute",
                    models.TextField(
                        choices=[
                            ("subject", "Subject"),
                            ("common_name", "Common Name"),
                            ("email", "Email"),
                        ]
                    ),
                ),
                (
                    "user_attribute",
                    models.TextField(choices=[("username", "Username"), ("email", "Email")]),
                ),
                (
                    "certificate_authorities",
                    models.ManyToManyField(
                        blank=True,
                        default=None,
                        help_text="Configure certificate authorities to validate the certificate against. This option has a higher priority than the `client_certificate` option on `Brand`.",
                        to="authentik_crypto.certificatekeypair",
                    ),
                ),
            ],
            options={
                "verbose_name": "Mutual TLS Stage",
                "verbose_name_plural": "Mutual TLS Stages",
                "permissions": [
                    ("pass_outpost_certificate", "Permissions to pass Certificates for outposts.")
                ],
            },
            bases=("authentik_flows.stage",),
        ),
    ]
--- a/authentik/enterprise/stages/mtls/migrations/init.py
+++ b/authentik/enterprise/stages/mtls/migrations/init.py
--- a/authentik/enterprise/stages/mtls/models.py
+++ b/authentik/enterprise/stages/mtls/models.py
@ -1,71 +0,0 @@
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Stage
 from authentik.flows.stage import StageView
 class TLSMode(models.TextChoices):
    """Modes the TLS Stage can operate in"""
    OPTIONAL = "optional"
    REQUIRED = "required"
 class CertAttributes(models.TextChoices):
    """Certificate attribute used for user matching"""
    SUBJECT = "subject"
    COMMON_NAME = "common_name"
    EMAIL = "email"
 class UserAttributes(models.TextChoices):
    """User attribute for user matching"""
    USERNAME = "username"
    EMAIL = "email"
 class MutualTLSStage(Stage):
    """Authenticate/enroll users using a client-certificate."""
    mode = models.TextField(choices=TLSMode.choices)
    certificate_authorities = models.ManyToManyField(
        CertificateKeyPair,
        default=None,
        blank=True,
        help_text=_(
            "Configure certificate authorities to validate the certificate against. "
            "This option has a higher priority than the `client_certificate` option on `Brand`."
        ),
    )
    cert_attribute = models.TextField(choices=CertAttributes.choices)
    user_attribute = models.TextField(choices=UserAttributes.choices)
    @property
    def view(self) -> type[StageView]:
        from authentik.enterprise.stages.mtls.stage import MTLSStageView
        return MTLSStageView
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.enterprise.stages.mtls.api import MutualTLSStageSerializer
        return MutualTLSStageSerializer
    @property
    def component(self) -> str:
        return "ak-stage-mtls-form"
    class Meta:
        verbose_name = _("Mutual TLS Stage")
        verbose_name_plural = _("Mutual TLS Stages")
        permissions = [
            ("pass_outpost_certificate", _("Permissions to pass Certificates for outposts.")),
        ]
--- a/authentik/enterprise/stages/mtls/stage.py
+++ b/authentik/enterprise/stages/mtls/stage.py
@ -1,230 +0,0 @@
 from binascii import hexlify
 from urllib.parse import unquote_plus
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
 from cryptography.x509 import (
    Certificate,
    NameOID,
    ObjectIdentifier,
    UnsupportedGeneralNameType,
    load_pem_x509_certificate,
 )
 from cryptography.x509.verification import PolicyBuilder, Store, VerificationError
 from django.utils.translation import gettext_lazy as _
 from authentik.brands.models import Brand
 from authentik.core.models import User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.enterprise.stages.mtls.models import (
    CertAttributes,
    MutualTLSStage,
    TLSMode,
    UserAttributes,
 )
 from authentik.flows.challenge import AccessDeniedChallenge
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 # All of these headers must only be accepted from "trusted" reverse proxies
 # See internal/web/proxy.go:39
 HEADER_PROXY_FORWARDED = "X-Forwarded-Client-Cert"
 HEADER_NGINX_FORWARDED = "SSL-Client-Cert"
 HEADER_TRAEFIK_FORWARDED = "X-Forwarded-TLS-Client-Cert"
 HEADER_OUTPOST_FORWARDED = "X-Authentik-Outpost-Certificate"
 PLAN_CONTEXT_CERTIFICATE = "certificate"
 class MTLSStageView(ChallengeStageView):
    def __parse_single_cert(self, raw: str | None) -> list[Certificate]:
        """Helper to parse a single certificate"""
        if not raw:
            return []
        try:
            cert = load_pem_x509_certificate(unquote_plus(raw).encode())
            return [cert]
        except ValueError as exc:
            self.logger.info("Failed to parse certificate", exc=exc)
            return []
    def _parse_cert_xfcc(self) -> list[Certificate]:
        """Parse certificates in the format given to us in
        the format of the authentik router/envoy"""
        xfcc_raw = self.request.headers.get(HEADER_PROXY_FORWARDED)
        if not xfcc_raw:
            return []
        certs = []
        for r_cert in xfcc_raw.split(","):
            el = r_cert.split(";")
            raw_cert = {k.split("=")[0]: k.split("=")[1] for k in el}
            if "Cert" not in raw_cert:
                continue
            certs.extend(self.__parse_single_cert(raw_cert["Cert"]))
        return certs
    def _parse_cert_nginx(self) -> list[Certificate]:
        """Parse certificates in the format nginx-ingress gives to us"""
        sslcc_raw = self.request.headers.get(HEADER_NGINX_FORWARDED)
        return self.__parse_single_cert(sslcc_raw)
    def _parse_cert_traefik(self) -> list[Certificate]:
        """Parse certificates in the format traefik gives to us"""
        ftcc_raw = self.request.headers.get(HEADER_TRAEFIK_FORWARDED)
        return self.__parse_single_cert(ftcc_raw)
    def _parse_cert_outpost(self) -> list[Certificate]:
        """Parse certificates in the format outposts give to us. Also authenticates
        the outpost to ensure it has the permission to do so"""
        user = ClientIPMiddleware.get_outpost_user(self.request)
        if not user:
            return []
        if not user.has_perm(
            "pass_outpost_certificate", self.executor.current_stage
        ) and not user.has_perm("authentik_stages_mtls.pass_outpost_certificate"):
            return []
        outpost_raw = self.request.headers.get(HEADER_OUTPOST_FORWARDED)
        return self.__parse_single_cert(outpost_raw)
    def get_authorities(self) -> list[CertificateKeyPair] | None:
        # We can't access `certificate_authorities` on `self.executor.current_stage`, as that would
        # load the certificate into the directly referenced foreign key, which we have to pickle
        # as part of the flow plan, and cryptography certs can't be pickled
        stage: MutualTLSStage = (
            MutualTLSStage.objects.filter(pk=self.executor.current_stage.pk)
            .prefetch_related("certificate_authorities")
            .first()
        )
        if stage.certificate_authorities.exists():
            return stage.certificate_authorities.order_by("name")
        brand: Brand = self.request.brand
        if brand.client_certificates.exists():
            return brand.client_certificates.order_by("name")
        return None
    def validate_cert(self, authorities: list[CertificateKeyPair], certs: list[Certificate]):
        authorities_cert = [x.certificate for x in authorities]
        for _cert in certs:
            try:
                PolicyBuilder().store(Store(authorities_cert)).build_client_verifier().verify(
                    _cert, []
                )
                return _cert
            except (
                InvalidSignature,
                TypeError,
                ValueError,
                VerificationError,
                UnsupportedGeneralNameType,
            ) as exc:
                self.logger.warning("Discarding invalid certificate", cert=_cert, exc=exc)
                continue
        return None
    def check_if_user(self, cert: Certificate):
        stage: MutualTLSStage = self.executor.current_stage
        cert_attr = None
        user_attr = None
        match stage.cert_attribute:
            case CertAttributes.SUBJECT:
                cert_attr = cert.subject.rfc4514_string()
            case CertAttributes.COMMON_NAME:
                cert_attr = self.get_cert_attribute(cert, NameOID.COMMON_NAME)
            case CertAttributes.EMAIL:
                cert_attr = self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS)
        match stage.user_attribute:
            case UserAttributes.USERNAME:
                user_attr = "username"
            case UserAttributes.EMAIL:
                user_attr = "email"
        if not user_attr or not cert_attr:
            return None
        return User.objects.filter(**{user_attr: cert_attr}).first()
    def _cert_to_dict(self, cert: Certificate) -> dict:
        """Represent a certificate in a dictionary, as certificate objects cannot be pickled"""
        return {
            "serial_number": str(cert.serial_number),
            "subject": cert.subject.rfc4514_string(),
            "issuer": cert.issuer.rfc4514_string(),
            "fingerprint_sha256": hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8"),
            "fingerprint_sha1": hexlify(cert.fingerprint(hashes.SHA1()), ":").decode(  # nosec
                "utf-8"
            ),
        }
    def auth_user(self, user: User, cert: Certificate):
        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
        self.executor.plan.context.setdefault(PLAN_CONTEXT_METHOD, "mtls")
        self.executor.plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
        self.executor.plan.context[PLAN_CONTEXT_METHOD_ARGS].update(
            {"certificate": self._cert_to_dict(cert)}
        )
    def enroll_prepare_user(self, cert: Certificate):
        self.executor.plan.context.setdefault(PLAN_CONTEXT_PROMPT, {})
        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(
            {
                "email": self.get_cert_attribute(cert, NameOID.EMAIL_ADDRESS),
                "name": self.get_cert_attribute(cert, NameOID.COMMON_NAME),
            }
        )
        self.executor.plan.context[PLAN_CONTEXT_CERTIFICATE] = self._cert_to_dict(cert)
    def get_cert_attribute(self, cert: Certificate, oid: ObjectIdentifier) -> str | None:
        attr = cert.subject.get_attributes_for_oid(oid)
        if len(attr) < 1:
            return None
        return str(attr[0].value)
    def dispatch(self, request, *args, **kwargs):
        stage: MutualTLSStage = self.executor.current_stage
        certs = [
            *self._parse_cert_xfcc(),
            *self._parse_cert_nginx(),
            *self._parse_cert_traefik(),
            *self._parse_cert_outpost(),
        ]
        authorities = self.get_authorities()
        if not authorities:
            self.logger.warning("No Certificate authority found")
            if stage.mode == TLSMode.OPTIONAL:
                return self.executor.stage_ok()
            if stage.mode == TLSMode.REQUIRED:
                return super().dispatch(request, *args, **kwargs)
        cert = self.validate_cert(authorities, certs)
        if not cert and stage.mode == TLSMode.REQUIRED:
            self.logger.warning("Client certificate required but no certificates given")
            return super().dispatch(
                request,
                *args,
                error_message=_("Certificate required but no certificate was given."),
                **kwargs,
            )
        if not cert and stage.mode == TLSMode.OPTIONAL:
            self.logger.info("No certificate given, continuing")
            return self.executor.stage_ok()
        existing_user = self.check_if_user(cert)
        if self.executor.flow.designation == FlowDesignation.ENROLLMENT:
            self.enroll_prepare_user(cert)
        elif existing_user:
            self.auth_user(existing_user, cert)
        else:
            return super().dispatch(
                request, *args, error_message=_("No user found for certificate."), **kwargs
            )
        return self.executor.stage_ok()
    def get_challenge(self, *args, error_message: str | None = None, **kwargs):
        return AccessDeniedChallenge(
            data={
                "component": "ak-stage-access-denied",
                "error_message": str(error_message or "Unknown error"),
            }
        )
--- a/authentik/enterprise/stages/mtls/tests/init.py
+++ b/authentik/enterprise/stages/mtls/tests/init.py
--- a/authentik/enterprise/stages/mtls/tests/fixtures/ca.pem
+++ b/authentik/enterprise/stages/mtls/tests/fixtures/ca.pem
@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFXDCCA0SgAwIBAgIUBmV7zREyC1SPr72/75/L9zpwV18wDQYJKoZIhvcNAQEL
 BQAwRjEaMBgGA1UEAwwRYXV0aGVudGlrIFRlc3QgQ0ExEjAQBgNVBAoMCWF1dGhl
 bnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwHhcNMjUwNDI3MTgzMDUwWhcNMzUw
 MzA3MTgzMDUwWjBGMRowGAYDVQQDDBFhdXRoZW50aWsgVGVzdCBDQTESMBAGA1UE
 CgwJYXV0aGVudGlrMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCAiIwDQYJKoZIhvcN
 AQEBBQADggIPADCCAgoCggIBAMc0NxZj7j1mPu0aRToo8oMPdC3T99xgxnqdr18x
 LV4pWyi/YLghgZHqNQY2xNP6JIlSeUZD6KFUYT2sPL4Av/zSg5zO8bl+/lf7ckje
 O1/Bt5A8xtL0CpmpMDGiI6ibdDElaywM6AohisbxrV29pygSKGq2wugF/urqGtE+
 5z4y5Kt6qMdKkd0iXT+WagbQTIUlykFKgB0+qqTLzDl01lVDa/DoLl8Hqp45mVx2
 pqrGsSa3TCErLIv9hUlZklF7A8UV4ZB4JL20UKcP8dKzQClviNie17tpsUpOuy3A
 SQ6+guWTHTLJNCSdLn1xIqc5q+f5wd2dIDf8zXCTHj+Xp0bJE3Vgaq5R31K9+b+1
 2dDWz1KcNJaLEnw2+b0O8M64wTMLxhqOv7QfLUr6Pmg1ZymghjLcZ6bnU9e31Vza
 hlPKhxjqYQUC4Kq+oaYF6qdUeJy+dsYf0iDv5tTC+eReZDWIjxTPrNpwA773ZwT7
 WVmL7ULGpuP2g9rNvFBcZiN+i6d7CUoN+jd/iRdo79lrI0dfXiyy4bYgW/2HeZfF
 HaOsc1xsoqnJdWbWkX/ooyaCjAfm07kS3HiOzz4q3QW4wgGrwV8lEraLPxYYeOQu
 YcGMOM8NfnVkjc8gmyXUxedCje5Vz/Tu5fKrQEInnCmXxVsWbwr/LzEjMKAM/ivY
 0TXxAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0G
 A1UdDgQWBBTa+Ns6QzqlNvnTGszkouQQtZnVJDANBgkqhkiG9w0BAQsFAAOCAgEA
 NpJEDMXjuEIzSzafkxSshvjnt5sMYmzmvjNoRlkxgN2YcWvPoxbalGAYzcpyggT2
 6xZY8R4tvB1oNTCArqwf860kkofUoJCr88D/pU3Cv4JhjCWs4pmXTsvSqlBSlJbo
 +jPBZwbn6it/6jcit6Be3rW2PtHe8tASd9Lf8/2r1ZvupXwPzcR84R4Z10ve2lqV
 xxcWlMmBh51CaYI0b1/WTe9Ua+wgkCVkxbf9zNcDQXjxw2ICWK+nR/4ld4nmqVm2
 C7nhvXwU8FAHl7ZgR2Z3PLrwPuhd+kd6NXQqNkS9A+n+1vSRLbRjmV8pwIPpdPEq
 nslUAGJJBHDUBArxC3gOJSB+WtmaCfzDu2gepMf9Ng1H2ZhwSF/FH3v3fsJqZkzz
 NBstT9KuNGQRYiCmAPJaoVAc9BoLa+BFML1govtWtpdmbFk8PZEcuUsP7iAZqFF1
 uuldPyZ8huGpQSR6Oq2bILRHowfGY0npTZAyxg0Vs8UMy1HTwNOp9OuRtArMZmsJ
 jFIx1QzRf9S1i6bYpOzOudoXj4ARkS1KmVExGjJFcIT0xlFSSERie2fEKSeEYOyG
 G+PA2qRt/F51FGOMm1ZscjPXqk2kt3C4BFbz6Vvxsq7D3lmhvFLn4jVA8+OidsM0
 YUrVMtWET/RkjEIbADbgRXxNUNo+jtQZDU9C1IiAdfk=
 -----END CERTIFICATE-----
--- a/authentik/enterprise/stages/mtls/tests/fixtures/cert_client.pem
+++ b/authentik/enterprise/stages/mtls/tests/fixtures/cert_client.pem
@ -1,31 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIFWTCCA0GgAwIBAgIUDEnKCSmIXG/akySGes7bhOGrN/8wDQYJKoZIhvcNAQEL
 BQAwRjEaMBgGA1UEAwwRYXV0aGVudGlrIFRlc3QgQ0ExEjAQBgNVBAoMCWF1dGhl
 bnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwHhcNMjUwNTE5MTIzODQ2WhcNMjYw
 NTE1MTIzODQ2WjARMQ8wDQYDVQQDDAZjbGllbnQwggIiMA0GCSqGSIb3DQEBAQUA
 A4ICDwAwggIKAoICAQCkPkS1V6l0gj0ulxMznkxkgrw4p9Tjd8teSsGZt02A2Eo6
 7D8FbJ7pp3d5fYW/TWuEKVBLWTID6rijW5EGcdgTM5Jxf/QR+aZTEK6umQxUd4yO
 mOtp+xVS3KlcsSej2dFpeE5h5VkZizHpvh5xkoAP8W5VtQLOVF0hIeumHnJmaeLj
 +mhK9PBFpO7k9SFrYYhd/uLrYbIdANihbIO2Q74rNEJHewhFNM7oNSjjEWzRd/7S
 qNdQij9JGrVG7u8YJJscEQHqyHMYFVCEMjxmsge5BO6Vx5OWmUE3wXPzb5TbyTS4
 +yg88g9rYTUXrzz+poCyKpaur45qBsdw35lJ8nq69VJj2xJLGQDwoTgGSXRuPciC
 3OilQI+Ma+j8qQGJxJ8WJxISlf1cuhp+V4ZUd1lawlM5hAXyXmHRlH4pun4y+g7O
 O34+fE3pK25JjVCicMT/rC2A/sb95j/fHTzzJpbB70U0I50maTcIsOkyw6aiF//E
 0ShTDz14x22SCMolUc6hxTDZvBB6yrcJHd7d9CCnFH2Sgo13QrtNJ/atXgm13HGh
 wBzRwK38XUGl/J4pJaxAupTVCPriStUM3m0EYHNelRRUE91pbyeGT0rvOuv00uLw
 Rj7K7hJZR8avTKWmKrVBVpq+gSojGW1DwBS0NiDNkZs0d/IjB1wkzczEgdZjXwID
 AQABo3QwcjAfBgNVHSMEGDAWgBTa+Ns6QzqlNvnTGszkouQQtZnVJDAdBgNVHSUE
 FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEQYDVR0RBAowCIIGY2xpZW50MB0GA1Ud
 DgQWBBT1xg5sXkypRBwvCxBuyfoanaiZ5jANBgkqhkiG9w0BAQsFAAOCAgEAvUAz
 YwIjxY/0KHZDU8owdILVqKChzfLcy9OHNPyEI3TSOI8X6gNtBO+HE6r8aWGcC9vw
 zzeIsNQ3UEjvRWi2r+vUVbiPTbFdZboNDSZv6ZmGHxwd85VsjXRGoXV6koCT/9zi
 9/lCM1DwqwYSwBphMJdRVFRUMluSYk1oHflGeA18xgGuts4eFivJwhabGm1AdVVQ
 /CYvqCuTxd/DCzWZBdyxYpDru64i/kyeJCt1pThKEFDWmpumFdBI4CxJ0OhxVSGp
 dOXzK+Y6ULepxCvi6/OpSog52jQ6PnNd1ghiYtq7yO1T4GQz65M1vtHHVvQ3gfBE
 AuKYQp6io7ypitRx+LpjsBQenyP4FFGfrq7pm90nLluOBOArfSdF0N+CP2wo/YFV
 9BGf89OtvRi3BXCm2NXkE/Sc4We26tY8x7xNLOmNs8YOT0O3r/EQ690W9GIwRMx0
 m0r/RXWn5V3o4Jib9r8eH9NzaDstD8g9dECcGfM4fHoM/DAGFaRrNcjMsS1APP3L
 jp7+BfBSXtrz9V6rVJ3CBLXlLK0AuSm7bqd1MJsGA9uMLpsVZIUA+KawcmPGdPU+
 NxdpBCtzyurQSUyaTLtVqSeP35gMAwaNzUDph8Uh+vHz+kRwgXS19OQvTaud5LJu
 nQe4JNS+u5e2VDEBWUxt8NTpu6eShDN0iIEHtxA=
 -----END CERTIFICATE-----
--- a/authentik/enterprise/stages/mtls/tests/test_stage.py
+++ b/authentik/enterprise/stages/mtls/tests/test_stage.py
@ -1,228 +0,0 @@
 from unittest.mock import MagicMock, patch
 from urllib.parse import quote_plus
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from authentik.core.models import User
 from authentik.core.tests.utils import (
    create_test_brand,
    create_test_cert,
    create_test_flow,
    create_test_user,
 )
 from authentik.crypto.models import CertificateKeyPair
 from authentik.enterprise.stages.mtls.models import (
    CertAttributes,
    MutualTLSStage,
    TLSMode,
    UserAttributes,
 )
 from authentik.enterprise.stages.mtls.stage import PLAN_CONTEXT_CERTIFICATE
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 class MTLSStageTests(FlowTestCase):
    def setUp(self):
        super().setUp()
        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        self.ca = CertificateKeyPair.objects.create(
            name=generate_id(),
            certificate_data=load_fixture("fixtures/ca.pem"),
        )
        self.stage = MutualTLSStage.objects.create(
            name=generate_id(),
            mode=TLSMode.REQUIRED,
            cert_attribute=CertAttributes.COMMON_NAME,
            user_attribute=UserAttributes.USERNAME,
        )
        self.stage.certificate_authorities.add(self.ca)
        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=0)
        self.client_cert = load_fixture("fixtures/cert_client.pem")
        # User matching the certificate
        User.objects.filter(username="client").delete()
        self.cert_user = create_test_user(username="client")
    def test_parse_xfcc(self):
        """Test authentik Proxy/Envoy's XFCC format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-Client-Cert": f"Cert={quote_plus(self.client_cert)}"},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_nginx(self):
        """Test nginx's format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"SSL-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_traefik(self):
        """Test traefik's format"""
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_object(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        assign_perm("pass_outpost_certificate", outpost.user, self.stage)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            with self.assertFlowFinishes() as plan:
                res = self.client.get(
                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                    headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
                )
                self.assertEqual(res.status_code, 200)
                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
            self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_global(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        assign_perm("authentik_stages_mtls.pass_outpost_certificate", outpost.user)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            with self.assertFlowFinishes() as plan:
                res = self.client.get(
                    reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                    headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
                )
                self.assertEqual(res.status_code, 200)
                self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
            self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_parse_outpost_no_perm(self):
        """Test outposts's format"""
        outpost = Outpost.objects.create(name=generate_id(), type=OutpostType.PROXY)
        with patch(
            "authentik.root.middleware.ClientIPMiddleware.get_outpost_user",
            MagicMock(return_value=outpost.user),
        ):
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Authentik-Outpost-Certificate": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_invalid_cert(self):
        """Test invalid certificate"""
        cert = create_test_cert()
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(cert.certificate_data)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
        self.assertNotIn(PLAN_CONTEXT_PENDING_USER, plan().context)
    def test_auth_no_user(self):
        """Test auth with no user"""
        User.objects.filter(username="client").delete()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_brand_ca(self):
        """Test using a CA from the brand"""
        self.stage.certificate_authorities.clear()
        brand = create_test_brand()
        brand.client_certificates.add(self.ca)
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PENDING_USER], self.cert_user)
    def test_no_ca_optional(self):
        """Test using no CA Set"""
        self.stage.mode = TLSMode.OPTIONAL
        self.stage.certificate_authorities.clear()
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
    def test_no_ca_required(self):
        """Test using no CA Set"""
        self.stage.certificate_authorities.clear()
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageResponse(res, self.flow, component="ak-stage-access-denied")
    def test_no_cert_optional(self):
        """Test using no cert Set"""
        self.stage.mode = TLSMode.OPTIONAL
        self.stage.save()
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
        )
        self.assertEqual(res.status_code, 200)
        self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
    def test_enroll(self):
        """Test Enrollment flow"""
        self.flow.designation = FlowDesignation.ENROLLMENT
        self.flow.save()
        with self.assertFlowFinishes() as plan:
            res = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
                headers={"X-Forwarded-TLS-Client-Cert": quote_plus(self.client_cert)},
            )
            self.assertEqual(res.status_code, 200)
            self.assertStageRedirects(res, reverse("authentik_core:root-redirect"))
        self.assertEqual(plan().context[PLAN_CONTEXT_PROMPT], {"email": None, "name": "client"})
        self.assertEqual(
            plan().context[PLAN_CONTEXT_CERTIFICATE],
            {
                "fingerprint_sha1": "52:39:ca:1e:3a:1f:78:3a:9f:26:3b:c2:84:99:48:68:99:99:81:8a",
                "fingerprint_sha256": (
                    "c1:07:8b:7c:e9:02:57:87:1e:92:e5:81:83:21:bc:92:c7:47:65:e3:97:fb:05:97:6f:36:9e:b5:31:77:98:b7"
                ),
                "issuer": "OU=Self-signed,O=authentik,CN=authentik Test CA",
                "serial_number": "70153443448884702681996102271549704759327537151",
                "subject": "CN=client",
            },
        )
--- a/authentik/enterprise/stages/mtls/urls.py
+++ b/authentik/enterprise/stages/mtls/urls.py
@ -1,5 +0,0 @@
 """API URLs"""
 from authentik.enterprise.stages.mtls.api import MutualTLSStageViewSet
 api_urlpatterns = [("stages/mtls", MutualTLSStageViewSet)]
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,7 +8,6 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -72,9 +71,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -233,9 +232,7 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        User.objects.all().delete()
+        License.objects.create(key=generate_id())
        License.objects.all().delete()
        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
    @patch(
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -1,36 +1,28 @@
 """Events API Views"""
 from datetime import timedelta
 from json import loads
 import django_filters
-from django.db.models import Count, ExpressionWrapper, F, QuerySet
+from django.db.models.aggregates import Count
 from django.db.models import DateTimeField as DjangoDateTimeField
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import TruncHour
+from django.db.models.functions import ExtractDay, ExtractHour
 from django.db.models.query_utils import Q
 from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction
 class EventVolumeSerializer(PassiveSerializer):
    """Count of events of action created on day"""
    action = ChoiceField(choices=EventAction.choices)
    time = DateTimeField()
    count = IntegerField()
 class EventSerializer(ModelSerializer):
    """Event Serializer"""
@ -61,7 +53,7 @@ class EventsFilter(django_filters.FilterSet):
    """Filter for events"""
    username = django_filters.CharFilter(
-        field_name="user", label="Username", method="filter_username"
+        field_name="user", lookup_expr="username", label="Username"
    )
    context_model_pk = django_filters.CharFilter(
        field_name="context",
@ -86,19 +78,12 @@ class EventsFilter(django_filters.FilterSet):
        field_name="action",
        lookup_expr="icontains",
    )
    actions = django_filters.MultipleChoiceFilter(
        field_name="action",
        choices=EventAction.choices,
    )
    brand_name = django_filters.CharFilter(
        field_name="brand",
        lookup_expr="name",
        label="Brand name",
    )
    def filter_username(self, queryset, name, value):
        return queryset.filter(Q(user__username=value) | Q(context__username=value))
    def filter_context_model_pk(self, queryset, name, value):
        """Because we store the PK as UUID.hex,
        we need to remove the dashes that a client may send. We can't use a
@ -171,37 +156,45 @@ class EventViewSet(ModelViewSet):
        return Response(EventTopPerUserSerializer(instance=events, many=True).data)
    @extend_schema(
-        responses={200: EventVolumeSerializer(many=True)},
+        responses={200: CoordinateSerializer(many=True)},
        parameters=[
            OpenApiParameter(
                "history_days",
                type=OpenApiTypes.NUMBER,
                location=OpenApiParameter.QUERY,
                required=False,
                default=7,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def volume(self, request: Request) -> Response:
        """Get event volume for specified filters and timeframe"""
-        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
+        queryset = self.filter_queryset(self.get_queryset())
-        delta = timedelta(days=7)
+        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
-        time_delta = request.query_params.get("history_days", 7)
+
-        if time_delta:
+    @extend_schema(
-            delta = timedelta(days=min(int(time_delta), 60))
+        responses={200: CoordinateSerializer(many=True)},
        filters=[],
        parameters=[
            OpenApiParameter(
                "action",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
            OpenApiParameter(
                "query",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def per_month(self, request: Request):
        """Get the count of events per month"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
        try:
            query = loads(request.query_params.get("query", "{}"))
        except ValueError:
            return Response(status=400)
        return Response(
-            queryset.filter(created__gte=now() - delta)
+            get_objects_for_user(request.user, "authentik_events.view_event")
-            .annotate(hour=TruncHour("created"))
+            .filter(action=filtered_action)
-            .annotate(
+            .filter(**query)
-                time=ExpressionWrapper(
+            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
                    F("hour") - (F("hour__hour") % 6) * timedelta(hours=1),
                    output_field=DjangoDateTimeField(),
                )
            )
            .values("time", "action")
            .annotate(count=Count("pk"))
            .order_by("time", "action")
        )
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -1,5 +1,7 @@
 """authentik events models"""
 import time
 from collections import Counter
 from datetime import timedelta
 from difflib import get_close_matches
 from functools import lru_cache
@ -9,6 +11,11 @@ from uuid import uuid4
 from django.apps import apps
 from django.db import connection, models
 from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import Extract
 from django.db.models.manager import Manager
 from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@ -117,6 +124,60 @@ class EventAction(models.TextChoices):
    CUSTOM_PREFIX = "custom_"
 class EventQuerySet(QuerySet):
    """Custom events query set with helper functions"""
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Get event count by hour in the last day, fill with zeros"""
        _now = now()
        max_since = timedelta(days=60)
        # Allow maximum of 60 days to limit load
        if time_since.total_seconds() > max_since.total_seconds():
            time_since = max_since
        date_from = _now - time_since
        result = (
            self.filter(created__gte=date_from)
            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
            .annotate(age_interval=extract("age"))
            .values("age_interval")
            .annotate(count=Count("pk"))
            .order_by("age_interval")
        )
        data = Counter({int(d["age_interval"]): d["count"] for d in result})
        results = []
        interval_delta = time_since / data_points
        for interval in range(1, -data_points, -1):
            results.append(
                {
                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
                    "y_cord": data[interval * -1],
                }
            )
        return results
 class EventManager(Manager):
    """Custom helper methods for Events"""
    def get_queryset(self) -> QuerySet:
        """use custom queryset"""
        return EventQuerySet(self.model, using=self._db)
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Wrap method from queryset"""
        return self.get_queryset().get_events_per(time_since, extract, data_points)
 class Event(SerializerModel, ExpiringModel):
    """An individual Audit/Metrics/Notification/Error Event"""
@ -132,6 +193,8 @@ class Event(SerializerModel, ExpiringModel):
    # Shadow the expires attribute from ExpiringModel to override the default duration
    expires = models.DateTimeField(default=default_event_duration)
    objects = EventManager()
    @staticmethod
    def _get_app_from_request(request: HttpRequest) -> str:
        if not isinstance(request, HttpRequest):
--- a/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
+++ b/authentik/flows/migrations/0028_flowtoken_revoke_on_execution.py
@ -1,18 +0,0 @@
 # Generated by Django 5.1.9 on 2025-05-27 12:52
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.AddField(
            model_name="flowtoken",
            name="revoke_on_execution",
            field=models.BooleanField(default=True),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -303,10 +303,9 @@ class FlowToken(Token):
    flow = models.ForeignKey(Flow, on_delete=models.CASCADE)
    _plan = models.TextField()
    revoke_on_execution = models.BooleanField(default=True)
    @staticmethod
-    def pickle(plan: "FlowPlan") -> str:
+    def pickle(plan) -> str:
        """Pickle into string"""
        data = dumps(plan)
        return b64encode(data).decode()
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -99,10 +99,9 @@ class ChallengeStageView(StageView):
            self.logger.debug("Got StageInvalidException", exc=exc)
            return self.executor.stage_invalid()
        if not challenge.is_valid():
-            self.logger.error(
+            self.logger.warning(
                "f(ch): Invalid challenge",
                errors=challenge.errors,
                challenge=challenge.data,
            )
        return HttpChallengeResponse(challenge)
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,7 +15,6 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -23,7 +22,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow.background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,9 +5,9 @@
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow_background_url }}" />
+<link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: true };</script>
+<script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% include "base/header_js.html" %}
 <script>
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow_background_url }}");
+    --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@ -1,10 +1,7 @@
 """Test helpers"""
 from collections.abc import Callable, Generator
 from contextlib import contextmanager
 from json import loads
 from typing import Any
 from unittest.mock import MagicMock, patch
 from django.http.response import HttpResponse
 from django.urls.base import reverse
@ -12,8 +9,6 @@ from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 class FlowTestCase(APITestCase):
@ -49,12 +44,3 @@ class FlowTestCase(APITestCase):
    def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
        """Wrapper around assertStageResponse that checks for a redirect"""
        return self.assertStageResponse(response, component="xak-flow-redirect", to=to)
    @contextmanager
    def assertFlowFinishes(self) -> Generator[Callable[[], FlowPlan]]:
        """Capture the flow plan before the flow finishes and return it"""
        try:
            with patch("authentik.flows.views.executor.FlowExecutorView.cancel", MagicMock()):
                yield lambda: self.client.session.get(SESSION_KEY_PLAN)
        finally:
            pass
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -69,7 +69,6 @@ SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 SESSION_KEY_AUTH_STARTED = "authentik/flows/auth_started"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
@ -147,8 +146,7 @@ class FlowExecutorView(APIView):
        except (AttributeError, EOFError, ImportError, IndexError) as exc:
            LOGGER.warning("f(exec): Failed to restore token plan", exc=exc)
        finally:
-            if token.revoke_on_execution:
+            token.delete()
                token.delete()
        if not isinstance(plan, FlowPlan):
            return None
        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
@ -455,7 +453,6 @@ class FlowExecutorView(APIView):
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
            SESSION_KEY_GET,
            SESSION_KEY_AUTH_STARTED,
            # We might need the initial POST payloads for later requests
            # SESSION_KEY_POST,
            # We don't delete the history on purpose, as a user might
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -6,23 +6,14 @@ from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse
 from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.models import Flow
 from authentik.flows.views.executor import SESSION_KEY_AUTH_STARTED
 class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        if (
            not self.request.user.is_authenticated
            and flow.designation == FlowDesignation.AUTHENTICATION
        ):
            self.request.session[SESSION_KEY_AUTH_STARTED] = True
            self.request.session.save()
        kwargs["flow"] = flow
        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -363,9 +363,6 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
    # FIXME: Temporarily force pool to be deactivated.
    # See https://github.com/goauthentik/authentik/issues/14320
    pool_options = False
    db = {
        "default": {
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -81,6 +81,7 @@ debugger: false
 log_level: info
 session_storage: cache
 sessions:
  unauthenticated_age: days=1
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport, get_current_scope
+from sentry_sdk import HttpTransport
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
@ -27,7 +27,6 @@ from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
 from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException
@ -96,8 +95,6 @@ def traces_sampler(sampling_context: dict) -> float:
        return 0
    if _type == "websocket":
        return 0
    if CONFIG.get_bool("debug"):
        return 1
    return float(CONFIG.get("error_reporting.sample_rate", 0.1))
@ -170,14 +167,3 @@ def before_send(event: dict, hint: dict) -> dict | None:
    if settings.DEBUG:
        return None
    return event
 def get_http_meta():
    """Get sentry-related meta key-values"""
    scope = get_current_scope()
    meta = {
        SENTRY_TRACE_HEADER_NAME: scope.get_traceparent() or "",
    }
    if bag := scope.get_baggage():
        meta[BAGGAGE_HEADER_NAME] = bag.serialize()
    return meta
--- a/authentik/lib/sync/outgoing/base.py
+++ b/authentik/lib/sync/outgoing/base.py
@ -23,6 +23,7 @@ if TYPE_CHECKING:
 class Direction(StrEnum):
    add = "add"
    remove = "remove"
@ -36,16 +37,13 @@ SAFE_METHODS = [
 class BaseOutgoingSyncClient[
-    TModel: "Model",
+    TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
    TConnection: "Model",
    TSchema: dict,
    TProvider: "OutgoingSyncProvider",
 ]:
    """Basic Outgoing sync client Client"""
    provider: TProvider
    connection_type: type[TConnection]
-    connection_attr: str
+    connection_type_query: str
    mapper: PropertyMappingManager
    can_discover = False
@ -65,7 +63,9 @@ class BaseOutgoingSyncClient[
    def write(self, obj: TModel) -> tuple[TConnection, bool]:
        """Write object to destination. Uses self.create and self.update, but
        can be overwritten for further logic"""
-        connection = getattr(obj, self.connection_attr).filter(provider=self.provider).first()
+        connection = self.connection_type.objects.filter(
            provider=self.provider, **{self.connection_type_query: obj}
        ).first()
        try:
            if not connection:
                connection = self.create(obj)
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -1,7 +1,6 @@
 from collections.abc import Callable
 from dataclasses import asdict
 from celery import group
 from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
@ -83,41 +82,21 @@ class SyncTasks:
                self.logger.debug("Failed to acquire sync lock, skipping", provider=provider.name)
                return
            try:
-                messages.append(_("Syncing users"))
+                for page in users_paginator.page_range:
-                user_results = (
+                    messages.append(_("Syncing page {page} of users".format(page=page)))
-                    group(
+                    for msg in sync_objects.apply_async(
-                        [
+                        args=(class_to_path(User), page, provider_pk),
-                            sync_objects.signature(
+                        time_limit=PAGE_TIMEOUT,
-                                args=(class_to_path(User), page, provider_pk),
+                        soft_time_limit=PAGE_TIMEOUT,
-                                time_limit=PAGE_TIMEOUT,
+                    ).get():
                                soft_time_limit=PAGE_TIMEOUT,
                            )
                            for page in users_paginator.page_range
                        ]
                    )
                    .apply_async()
                    .get()
                )
                for result in user_results:
                    for msg in result:
                        messages.append(LogEvent(**msg))
-                messages.append(_("Syncing groups"))
+                for page in groups_paginator.page_range:
-                group_results = (
+                    messages.append(_("Syncing page {page} of groups".format(page=page)))
-                    group(
+                    for msg in sync_objects.apply_async(
-                        [
+                        args=(class_to_path(Group), page, provider_pk),
-                            sync_objects.signature(
+                        time_limit=PAGE_TIMEOUT,
-                                args=(class_to_path(Group), page, provider_pk),
+                        soft_time_limit=PAGE_TIMEOUT,
-                                time_limit=PAGE_TIMEOUT,
+                    ).get():
                                soft_time_limit=PAGE_TIMEOUT,
                            )
                            for page in groups_paginator.page_range
                        ]
                    )
                    .apply_async()
                    .get()
                )
                for result in group_results:
                    for msg in result:
                        messages.append(LogEvent(**msg))
            except TransientSyncException as exc:
                self.logger.warning("transient sync exception", exc=exc)
@ -130,7 +109,7 @@ class SyncTasks:
    def sync_objects(
        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
    ):
-        _object_type: type[Model] = path_to_class(object_type)
+        _object_type = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
            provider_pk=provider_pk,
@ -153,19 +132,6 @@ class SyncTasks:
            self.logger.debug("starting discover")
            client.discover()
        self.logger.debug("starting sync for page", page=page)
        messages.append(
            asdict(
                LogEvent(
                    _(
                        "Syncing page {page} of {object_type}".format(
                            page=page, object_type=_object_type._meta.verbose_name_plural
                        )
                    ),
                    log_level="info",
                    logger=f"{provider._meta.verbose_name}@{object_type}",
                )
            )
        )
        for obj in paginator.page(page).object_list:
            obj: Model
            try:
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -494,88 +494,86 @@ class TestConfig(TestCase):
            },
        )
-    # FIXME: Temporarily force pool to be deactivated.
+    def test_db_pool(self):
-    # See https://github.com/goauthentik/authentik/issues/14320
+        """Test DB Config with pool"""
-    # def test_db_pool(self):
+        config = ConfigLoader()
-    #     """Test DB Config with pool"""
+        config.set("postgresql.host", "foo")
-    #     config = ConfigLoader()
+        config.set("postgresql.name", "foo")
-    #     config.set("postgresql.host", "foo")
+        config.set("postgresql.user", "foo")
-    #     config.set("postgresql.name", "foo")
+        config.set("postgresql.password", "foo")
-    #     config.set("postgresql.user", "foo")
+        config.set("postgresql.port", "foo")
-    #     config.set("postgresql.password", "foo")
+        config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.port", "foo")
+        config.set("postgresql.use_pool", True)
-    #     config.set("postgresql.test.name", "foo")
+        conf = django_db_config(config)
-    #     config.set("postgresql.use_pool", True)
+        self.assertEqual(
-    #     conf = django_db_config(config)
+            conf,
-    #     self.assertEqual(
+            {
-    #         conf,
+                "default": {
-    #         {
+                    "ENGINE": "authentik.root.db",
-    #             "default": {
+                    "HOST": "foo",
-    #                 "ENGINE": "authentik.root.db",
+                    "NAME": "foo",
-    #                 "HOST": "foo",
+                    "OPTIONS": {
-    #                 "NAME": "foo",
+                        "pool": True,
-    #                 "OPTIONS": {
+                        "sslcert": None,
-    #                     "pool": True,
+                        "sslkey": None,
-    #                     "sslcert": None,
+                        "sslmode": None,
-    #                     "sslkey": None,
+                        "sslrootcert": None,
-    #                     "sslmode": None,
+                    },
-    #                     "sslrootcert": None,
+                    "PASSWORD": "foo",
-    #                 },
+                    "PORT": "foo",
-    #                 "PASSWORD": "foo",
+                    "TEST": {"NAME": "foo"},
-    #                 "PORT": "foo",
+                    "USER": "foo",
-    #                 "TEST": {"NAME": "foo"},
+                    "CONN_MAX_AGE": 0,
-    #                 "USER": "foo",
+                    "CONN_HEALTH_CHECKS": False,
-    #                 "CONN_MAX_AGE": 0,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
-    #                 "CONN_HEALTH_CHECKS": False,
+                }
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+            },
-    #             }
+        )
    #         },
    #     )
-    # def test_db_pool_options(self):
+    def test_db_pool_options(self):
-    #     """Test DB Config with pool"""
+        """Test DB Config with pool"""
-    #     config = ConfigLoader()
+        config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
+        config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
+        config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
+        config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
+        config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
+        config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
+        config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
+        config.set("postgresql.use_pool", True)
-    #     config.set(
+        config.set(
-    #         "postgresql.pool_options",
+            "postgresql.pool_options",
-    #         base64.b64encode(
+            base64.b64encode(
-    #             dumps(
+                dumps(
-    #                 {
+                    {
-    #                     "max_size": 15,
+                        "max_size": 15,
-    #                 }
+                    }
-    #             ).encode()
+                ).encode()
-    #         ).decode(),
+            ).decode(),
-    #     )
+        )
-    #     conf = django_db_config(config)
+        conf = django_db_config(config)
-    #     self.assertEqual(
+        self.assertEqual(
-    #         conf,
+            conf,
-    #         {
+            {
-    #             "default": {
+                "default": {
-    #                 "ENGINE": "authentik.root.db",
+                    "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
+                    "HOST": "foo",
-    #                 "NAME": "foo",
+                    "NAME": "foo",
-    #                 "OPTIONS": {
+                    "OPTIONS": {
-    #                     "pool": {
+                        "pool": {
-    #                         "max_size": 15,
+                            "max_size": 15,
-    #                     },
+                        },
-    #                     "sslcert": None,
+                        "sslcert": None,
-    #                     "sslkey": None,
+                        "sslkey": None,
-    #                     "sslmode": None,
+                        "sslmode": None,
-    #                     "sslrootcert": None,
+                        "sslrootcert": None,
-    #                 },
+                    },
-    #                 "PASSWORD": "foo",
+                    "PASSWORD": "foo",
-    #                 "PORT": "foo",
+                    "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
+                    "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
+                    "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
+                    "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
+                    "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
+                }
-    #         },
+            },
-    #     )
+        )
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -37,9 +37,6 @@ class WebsocketMessageInstruction(IntEnum):
    # Provider specific message
    PROVIDER_SPECIFIC = 3
    # Session ended
    SESSION_END = 4
@dataclass(slots=True)
 class WebsocketMessage:
@ -148,14 +145,6 @@ class OutpostConsumer(JsonWebsocketConsumer):
            asdict(WebsocketMessage(instruction=WebsocketMessageInstruction.TRIGGER_UPDATE))
        )
    def event_session_end(self, event):
        """Event handler which is called when a session is ended"""
        self.send_json(
            asdict(
                WebsocketMessage(instruction=WebsocketMessageInstruction.SESSION_END, args=event)
            )
        )
    def event_provider_specific(self, event):
        """Event handler which can be called by provider-specific
        implementations to send specific messages to the outpost"""
--- a/authentik/outposts/signals.py
+++ b/authentik/outposts/signals.py
@ -1,24 +1,17 @@
 """authentik outpost signals"""
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
 from authentik.brands.models import Brand
-from authentik.core.models import AuthenticatedSession, Provider, User
+from authentik.core.models import Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
-from authentik.outposts.tasks import (
+from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save
    CACHE_KEY_OUTPOST_DOWN,
    outpost_controller,
    outpost_post_save,
    outpost_session_end,
 )
 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@ -80,17 +73,3 @@ def pre_delete_cleanup(sender, instance: Outpost, **_):
    instance.user.delete()
    cache.set(CACHE_KEY_OUTPOST_DOWN % instance.pk.hex, instance)
    outpost_controller.delay(instance.pk.hex, action="down", from_cache=True)
@receiver(user_logged_out)
 def logout_revoke_direct(sender: type[User], request: HttpRequest, **_):
    """Catch logout by direct logout and forward to providers"""
    if not request.session or not request.session.session_key:
        return
    outpost_session_end.delay(request.session.session_key)
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
    outpost_session_end.delay(instance.session.session_key)
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,6 +1,5 @@
 """outpost tasks"""
 from hashlib import sha256
 from os import R_OK, access
 from pathlib import Path
 from socket import gethostname
@ -50,11 +49,6 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"
 def hash_session_key(session_key: str) -> str:
    """Hash the session key for sending session end signals"""
    return sha256(session_key.encode("ascii")).hexdigest()
 def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
@ -295,20 +289,3 @@ def outpost_connection_discovery(self: SystemTask):
                url=unix_socket_path,
            )
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
@CELERY_APP.task()
 def outpost_session_end(session_id: str):
    """Update outpost instances connected to a single outpost"""
    layer = get_channel_layer()
    hashed_session_id = hash_session_key(session_id)
    for outpost in Outpost.objects.all():
        LOGGER.info("Sending session end signal to outpost", outpost=outpost)
        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
        async_to_sync(layer.group_send)(
            group,
            {
                "type": "event.session.end",
                "session_id": hashed_session_id,
            },
        )
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -38,7 +38,6 @@ class TestOutpostWS(TransactionTestCase):
        )
        connected, _ = await communicator.connect()
        self.assertFalse(connected)
        await communicator.disconnect()
    async def test_auth_valid(self):
        """Test auth with token"""
@ -49,7 +48,6 @@ class TestOutpostWS(TransactionTestCase):
        )
        connected, _ = await communicator.connect()
        self.assertTrue(connected)
        await communicator.disconnect()
    async def test_send(self):
        """Test sending of Hello"""
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@ -39,4 +39,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
    mountpoint = "policy/"
--- a/authentik/policies/dummy/apps.py
+++ b/authentik/policies/dummy/apps.py
@ -1,12 +1,11 @@
 """Authentik policy dummy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyDummyConfig(ManagedAppConfig):
+class AuthentikPolicyDummyConfig(AppConfig):
    """Authentik policy_dummy app config"""
    name = "authentik.policies.dummy"
    label = "authentik_policies_dummy"
    verbose_name = "authentik Policies.Dummy"
    default = True
--- a/authentik/policies/event_matcher/apps.py
+++ b/authentik/policies/event_matcher/apps.py
@ -1,12 +1,11 @@
 """authentik Event Matcher policy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPoliciesEventMatcherConfig(ManagedAppConfig):
+class AuthentikPoliciesEventMatcherConfig(AppConfig):
    """authentik Event Matcher policy app config"""
    name = "authentik.policies.event_matcher"
    label = "authentik_policies_event_matcher"
    verbose_name = "authentik Policies.Event Matcher"
    default = True
--- a/authentik/policies/expiry/apps.py
+++ b/authentik/policies/expiry/apps.py
@ -1,12 +1,11 @@
 """Authentik policy_expiry app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyExpiryConfig(ManagedAppConfig):
+class AuthentikPolicyExpiryConfig(AppConfig):
    """Authentik policy_expiry app config"""
    name = "authentik.policies.expiry"
    label = "authentik_policies_expiry"
    verbose_name = "authentik Policies.Expiry"
    default = True
--- a/authentik/policies/expression/apps.py
+++ b/authentik/policies/expression/apps.py
@ -1,12 +1,11 @@
 """Authentik policy_expression app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyExpressionConfig(ManagedAppConfig):
+class AuthentikPolicyExpressionConfig(AppConfig):
    """Authentik policy_expression app config"""
    name = "authentik.policies.expression"
    label = "authentik_policies_expression"
    verbose_name = "authentik Policies.Expression"
    default = True
--- a/authentik/policies/geoip/apps.py
+++ b/authentik/policies/geoip/apps.py
@ -1,12 +1,11 @@
 """Authentik policy geoip app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyGeoIPConfig(ManagedAppConfig):
+class AuthentikPolicyGeoIPConfig(AppConfig):
    """Authentik policy_geoip app config"""
    name = "authentik.policies.geoip"
    label = "authentik_policies_geoip"
    verbose_name = "authentik Policies.GeoIP"
    default = True
--- a/authentik/policies/password/apps.py
+++ b/authentik/policies/password/apps.py
@ -1,12 +1,11 @@
 """authentik Password policy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPoliciesPasswordConfig(ManagedAppConfig):
+class AuthentikPoliciesPasswordConfig(AppConfig):
    """authentik Password policy app config"""
    name = "authentik.policies.password"
    label = "authentik_policies_password"
    verbose_name = "authentik Policies.Password"
    default = True
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@ -1,89 +0,0 @@
 {% extends 'login/base_full.html' %}
 {% load static %}
 {% load i18n %}
 {% block head %}
 {{ block.super }}
 <script>
  let redirecting = false;
  const checkAuth = async () => {
    if (redirecting) return true;
    const url = "{{ check_auth_url }}";
    console.debug("authentik/policies/buffer: Checking authentication...");
    try {
      const result = await fetch(url, {
        method: "HEAD",
      });
      if (result.status >= 400) {
        return false
      }
      console.debug("authentik/policies/buffer: Continuing");
      redirecting = true;
      if ("{{ auth_req_method }}" === "post") {
        document.querySelector("form").submit();
      } else {
        window.location.assign("{{ continue_url|escapejs }}");
      }
    } catch {
      return false;
    }
  };
  let timeout = 100;
  let offset = 20;
  let attempt = 0;
  const main = async () => {
    attempt += 1;
    await checkAuth();
    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
    setTimeout(main, timeout);
    timeout += (offset * attempt);
    if (timeout >= 2000) {
      timeout = 2000;
    }
  }
  document.addEventListener("visibilitychange", async () => {
    if (document.hidden) return;
    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
    await checkAuth();
  });
  main();
 </script>
 {% endblock %}
 {% block title %}
 {% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
 {% endblock %}
 {% block card_title %}
 {% trans 'Waiting for authentication...' %}
 {% endblock %}
 {% block card %}
 <form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
  {% if auth_req_method == "post" %}
    {% for key, value in auth_req_body.items %}
      <input type="hidden" name="{{ key }}" value="{{ value }}" />
    {% endfor %}
  {% endif %}
  <div class="pf-c-empty-state">
    <div class="pf-c-empty-state__content">
      <div class="pf-c-empty-state__icon">
        <span class="pf-c-spinner pf-m-xl" role="progressbar">
          <span class="pf-c-spinner__clipper"></span>
          <span class="pf-c-spinner__lead-ball"></span>
          <span class="pf-c-spinner__tail-ball"></span>
        </span>
      </div>
      <h1 class="pf-c-title pf-m-lg">
        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
      </h1>
    </div>
  </div>
  <div class="pf-c-form__group pf-m-action">
    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
      {% trans "Authenticate in this tab" %}
    </a>
  </div>
 </form>
 {% endblock %}
--- a/authentik/policies/tests/test_views.py
+++ b/authentik/policies/tests/test_views.py
@ -1,121 +0,0 @@
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpResponse
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from authentik.core.models import Application, Provider
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.views import (
    QS_BUFFER_ID,
    SESSION_KEY_BUFFER,
    BufferedPolicyAccessView,
    BufferView,
    PolicyAccessView,
 )
 class TestPolicyViews(TestCase):
    """Test PolicyAccessView"""
    def setUp(self):
        super().setUp()
        self.factory = RequestFactory()
        self.user = create_test_user()
    def test_pav(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        class TestView(PolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = self.user
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertEqual(res.content, b"foo")
    def test_pav_buffer(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
    def test_pav_buffer_skip(self):
        """Test simple policy access view (skip buffer)"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/?skip_buffer=true")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
    def test_buffer(self):
        """Test buffer view"""
        uid = generate_id()
        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        ts = generate_id()
        req.session[SESSION_KEY_BUFFER % uid] = {
            "method": "get",
            "body": {},
            "url": f"/{ts}",
        }
        req.session.save()
        res = BufferView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertIn(ts, res.render().content.decode())
--- a/authentik/policies/urls.py
+++ b/authentik/policies/urls.py
@ -1,14 +1,7 @@
 """API URLs"""
 from django.urls import path
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.views import BufferView
 urlpatterns = [
    path("buffer", BufferView.as_view(), name="buffer"),
 ]
 api_urlpatterns = [
    ("policies/all", PolicyViewSet),
--- a/Show More
+++ b/Show More
`@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)`

	`## Adoption and Contributions`	`## Adoption and Contributions`

	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).`	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).`