release: 2025.6.1

root: fix bumpversion
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2025-06-06 16:55:05 +02:00 · 2025-06-06 16:53:26 +02:00 · 2025-06-06 15:27:10 +02:00 · 2025-06-05 23:36:40 +02:00 · 2025-06-05 15:15:34 +02:00 · 2025-06-04 18:46:58 +02:00
436 changed files with 9739 additions and 10396 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -21,6 +21,8 @@ optional_value = final
 [bumpversion:file:package.json]
 [bumpversion:file:package-lock.json]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
@ -31,6 +33,4 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.dockerignore
+++ b/.dockerignore
@ -5,10 +5,8 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
 **/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
 .venv
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -100,13 +100,6 @@ updates:
      goauthentik:
        patterns:
          - "@goauthentik/*"
      eslint:
        patterns:
          - "@eslint/*"
          - "@typescript-eslint/*"
          - "eslint-*"
          - "eslint"
          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -41,60 +41,32 @@ jobs:
      - name: test
        working-directory: website/
        run: npm test
-  build-container:
+  build:
    runs-on: ubuntu-latest
-    permissions:
+    name: ${{ matrix.job }}
-      # Needed to upload container images to ghcr.io
+    strategy:
-      packages: write
+      fail-fast: false
-      # Needed for attestation
+      matrix:
-      id-token: write
+        job:
-      attestations: write
+          - build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          node-version-file: website/package.json
-      - name: Set up QEMU
+          cache: "npm"
-        uses: docker/setup-qemu-action@v3.6.0
+          cache-dependency-path: website/package-lock.json
-      - name: Set up Docker Buildx
+      - working-directory: website/
-        uses: docker/setup-buildx-action@v3
+        run: npm ci
-      - name: prepare variables
+      - name: build
-        uses: ./.github/actions/docker-push-variables
+        working-directory: website/
-        id: ev
+        run: npm run ${{ matrix.job }}
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  ci-website-mark:
    if: always()
    needs:
      - lint
      - test
-      - build-container
+      - build
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -20,49 +20,6 @@ jobs:
      release: true
      registry_dockerhub: true
      registry_ghcr: true
  build-docs:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: true
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
@ -236,6 +193,6 @@ jobs:
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/50
+++ b/50
@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
-# Stage 1: Build webui
+# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
 ENV NODE_ENV=production
 WORKDIR /work/website
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
 COPY ./schema.yml /work/
 COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@ -13,7 +32,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
    npm ci --include=dev
 COPY ./package.json /work
@ -24,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build && \
    npm run build:sfe
-# Stage 2: Build go proxy
+# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 ARG TARGETOS
@ -49,8 +68,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@ -61,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server
-# Stage 3: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@ -74,10 +93,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
-# Stage 4: Download uv
+# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
-# Stage 5: Base python image
+# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@ -90,7 +109,7 @@ WORKDIR /ak-root/
 COPY --from=uv /uv /uvx /bin/
-# Stage 6: Python dependencies
+# Stage 7: Python dependencies
 FROM python-base AS python-deps
 ARG TARGETARCH
@ -125,7 +144,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev
-# Stage 7: Run
+# Stage 8: Run
 FROM python-base AS final-image
 ARG VERSION
@ -168,8 +187,9 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 USER 1000
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -0,0 +1,79 @@
 """authentik administration metrics"""
 from datetime import timedelta
 from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import EventAction
 class CoordinateSerializer(PassiveSerializer):
    """Coordinates for diagrams"""
    x_cord = IntegerField(read_only=True)
    y_cord = IntegerField(read_only=True)
 class LoginMetricsSerializer(PassiveSerializer):
    """Login Metrics per 1h"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get successful authorizations per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""
    permission_classes = [IsAuthenticated]
    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        serializer.context["user"] = request.user
        return Response(serializer.data)
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -1,7 +1,6 @@
 """authentik administration overview"""
 from django.core.cache import cache
 from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@ -14,7 +13,6 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
 from authentik.tenants.utils import get_current_tenant
 class VersionSerializer(PassiveSerializer):
@ -37,8 +35,6 @@ class VersionSerializer(PassiveSerializer):
    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
        if get_current_tenant().schema_name == get_public_schema_name():
            return __version__
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
            update_latest_version.delay()
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -14,19 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
    @ManagedAppConfig.reconcile_global
    def clear_update_notifications(self):
        """Clear update notifications on startup if the notification was for the version
        we're running now."""
        from packaging.version import parse
        from authentik.admin.tasks import LOCAL_VERSION
        from authentik.events.models import EventAction, Notification
        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
            if "new_version" not in notification.event.context:
                continue
            notification_version = notification.event.context["new_version"]
            if LOCAL_VERSION >= parse(notification_version):
                notification.delete()
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -1,7 +1,6 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 from django_tenants.utils import get_public_schema_name
 from authentik.lib.utils.time import fqdn_rand
@ -9,7 +8,6 @@ CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
        "tenant_schemas": [get_public_schema_name()],
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,6 +1,7 @@
 """authentik admin tasks"""
 from django.core.cache import cache
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@ -8,7 +9,7 @@ from structlog.stdlib import get_logger
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
@ -32,6 +33,20 @@ def _set_prom_info():
    )
@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
 def clear_update_notifications():
    """Clear update notifications on startup if the notification was for the version
    we're running now."""
    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
        if "new_version" not in notification.event.context:
            continue
        notification_version = notification.event.context["new_version"]
        if LOCAL_VERSION >= parse(notification_version):
            notification.delete()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def update_latest_version(self: SystemTask):
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -36,6 +36,11 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(len(body), 0)
    def test_metrics(self):
        """Test metrics API"""
        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -1,12 +1,12 @@
 """test admin tasks"""
 from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@ -72,13 +72,12 @@ class TestAdminTasks(TestCase):
    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -3,6 +3,7 @@
 from django.urls import path
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@ -11,6 +12,11 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
    path(
        "admin/metrics/",
        AdministrationMetricsViewSet.as_view(),
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -1,13 +1,12 @@
 """authentik API AppConfig"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
    """authentik API Config"""
    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
    default = True
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -134,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -205,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@ -1,14 +0,0 @@
 from django.test import TestCase
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.enterprise.apps import EnterpriseConfig
 from authentik.lib.utils.reflection import get_apps
 class TestManagedAppConfig(TestCase):
    def test_apps_use_managed_app_config(self):
        for app in get_apps():
            if app.name.startswith("authentik.enterprise"):
                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
            else:
                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models
    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@ -1,9 +1,9 @@
 """authentik brands app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
    """authentik Brand app"""
    name = "authentik.brands"
@ -12,4 +12,3 @@ class AuthentikBrandsConfig(ManagedAppConfig):
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
    default = True
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
    def test_custom_css(self):
        """Test custom_css"""
        brand = create_test_brand()
        brand.branding_custom_css = """* {
            font-family: "Foo bar";
        }"""
        brand.save()
        res = self.client.get(reverse("authentik_core:if-user"))
        self.assertEqual(res.status_code, 200)
        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,8 +5,6 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -34,13 +32,8 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
    # similarly to `json_script` we escape everything HTML-related, however django
    # only directly exposes this as a function that also wraps it in a <script> tag
    # which we dont want for CSS
    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -2,9 +2,11 @@
 from collections.abc import Iterator
 from copy import copy
 from datetime import timedelta
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@ -18,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@ -25,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -317,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, slug: str):
        """Metrics for application logins"""
        app = self.get_object()
        return Response(
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION,
                context__authorized_application__pk=app.pk.hex,
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,7 @@ from typing import Any
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@ -51,6 +52,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@ -315,6 +317,53 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)
 class UserMetricsSerializer(PassiveSerializer):
    """User Metrics"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED, context__username=user.username
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class UsersFilter(FilterSet):
    """Filter for users"""
@ -558,6 +607,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, pk: int) -> Response:
        """User metrics per 1h"""
        user: User = self.get_object()
        serializer = UserMetricsSerializer(instance={})
        serializer.context["user"] = user
        serializer.context["request"] = request
        return Response(serializer.data)
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,7 +10,7 @@
 {% endblock %}
 {% block body %}
-<ak-message-container alignment="bottom"></ak-message-container>
+<ak-message-container></ak-message-container>
 <ak-interface-admin>
    <ak-loading></ak-loading>
 </ak-interface-admin>
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -81,6 +81,22 @@ class TestUsersAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
        self.assertEqual(response.status_code, 200)
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 200)
    def test_metrics_denied(self):
        """Test user's metrics (non-superuser)"""
        self.client.force_login(self.user)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)
    def test_recovery_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -1,36 +1,28 @@
 """Events API Views"""
 from datetime import timedelta
 from json import loads
 import django_filters
-from django.db.models import Count, ExpressionWrapper, F, QuerySet
+from django.db.models.aggregates import Count
 from django.db.models import DateTimeField as DjangoDateTimeField
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import TruncHour
+from django.db.models.functions import ExtractDay, ExtractHour
 from django.db.models.query_utils import Q
 from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction
 class EventVolumeSerializer(PassiveSerializer):
    """Count of events of action created on day"""
    action = ChoiceField(choices=EventAction.choices)
    time = DateTimeField()
    count = IntegerField()
 class EventSerializer(ModelSerializer):
    """Event Serializer"""
@ -61,7 +53,7 @@ class EventsFilter(django_filters.FilterSet):
    """Filter for events"""
    username = django_filters.CharFilter(
-        field_name="user", label="Username", method="filter_username"
+        field_name="user", lookup_expr="username", label="Username"
    )
    context_model_pk = django_filters.CharFilter(
        field_name="context",
@ -86,19 +78,12 @@ class EventsFilter(django_filters.FilterSet):
        field_name="action",
        lookup_expr="icontains",
    )
    actions = django_filters.MultipleChoiceFilter(
        field_name="action",
        choices=EventAction.choices,
    )
    brand_name = django_filters.CharFilter(
        field_name="brand",
        lookup_expr="name",
        label="Brand name",
    )
    def filter_username(self, queryset, name, value):
        return queryset.filter(Q(user__username=value) | Q(context__username=value))
    def filter_context_model_pk(self, queryset, name, value):
        """Because we store the PK as UUID.hex,
        we need to remove the dashes that a client may send. We can't use a
@ -171,37 +156,45 @@ class EventViewSet(ModelViewSet):
        return Response(EventTopPerUserSerializer(instance=events, many=True).data)
    @extend_schema(
-        responses={200: EventVolumeSerializer(many=True)},
+        responses={200: CoordinateSerializer(many=True)},
        parameters=[
            OpenApiParameter(
                "history_days",
                type=OpenApiTypes.NUMBER,
                location=OpenApiParameter.QUERY,
                required=False,
                default=7,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def volume(self, request: Request) -> Response:
        """Get event volume for specified filters and timeframe"""
-        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
+        queryset = self.filter_queryset(self.get_queryset())
-        delta = timedelta(days=7)
+        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
-        time_delta = request.query_params.get("history_days", 7)
+
-        if time_delta:
+    @extend_schema(
-            delta = timedelta(days=min(int(time_delta), 60))
+        responses={200: CoordinateSerializer(many=True)},
        filters=[],
        parameters=[
            OpenApiParameter(
                "action",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
            OpenApiParameter(
                "query",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def per_month(self, request: Request):
        """Get the count of events per month"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
        try:
            query = loads(request.query_params.get("query", "{}"))
        except ValueError:
            return Response(status=400)
        return Response(
-            queryset.filter(created__gte=now() - delta)
+            get_objects_for_user(request.user, "authentik_events.view_event")
-            .annotate(hour=TruncHour("created"))
+            .filter(action=filtered_action)
-            .annotate(
+            .filter(**query)
-                time=ExpressionWrapper(
+            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
                    F("hour") - (F("hour__hour") % 6) * timedelta(hours=1),
                    output_field=DjangoDateTimeField(),
                )
            )
            .values("time", "action")
            .annotate(count=Count("pk"))
            .order_by("time", "action")
        )
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -1,5 +1,7 @@
 """authentik events models"""
 import time
 from collections import Counter
 from datetime import timedelta
 from difflib import get_close_matches
 from functools import lru_cache
@ -9,6 +11,11 @@ from uuid import uuid4
 from django.apps import apps
 from django.db import connection, models
 from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import Extract
 from django.db.models.manager import Manager
 from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@ -117,6 +124,60 @@ class EventAction(models.TextChoices):
    CUSTOM_PREFIX = "custom_"
 class EventQuerySet(QuerySet):
    """Custom events query set with helper functions"""
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Get event count by hour in the last day, fill with zeros"""
        _now = now()
        max_since = timedelta(days=60)
        # Allow maximum of 60 days to limit load
        if time_since.total_seconds() > max_since.total_seconds():
            time_since = max_since
        date_from = _now - time_since
        result = (
            self.filter(created__gte=date_from)
            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
            .annotate(age_interval=extract("age"))
            .values("age_interval")
            .annotate(count=Count("pk"))
            .order_by("age_interval")
        )
        data = Counter({int(d["age_interval"]): d["count"] for d in result})
        results = []
        interval_delta = time_since / data_points
        for interval in range(1, -data_points, -1):
            results.append(
                {
                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
                    "y_cord": data[interval * -1],
                }
            )
        return results
 class EventManager(Manager):
    """Custom helper methods for Events"""
    def get_queryset(self) -> QuerySet:
        """use custom queryset"""
        return EventQuerySet(self.model, using=self._db)
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Wrap method from queryset"""
        return self.get_queryset().get_events_per(time_since, extract, data_points)
 class Event(SerializerModel, ExpiringModel):
    """An individual Audit/Metrics/Notification/Error Event"""
@ -132,6 +193,8 @@ class Event(SerializerModel, ExpiringModel):
    # Shadow the expires attribute from ExpiringModel to override the default duration
    expires = models.DateTimeField(default=default_event_duration)
    objects = EventManager()
    @staticmethod
    def _get_app_from_request(request: HttpRequest) -> str:
        if not isinstance(request, HttpRequest):
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -69,7 +69,6 @@ SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 SESSION_KEY_AUTH_STARTED = "authentik/flows/auth_started"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
@ -455,7 +454,6 @@ class FlowExecutorView(APIView):
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
            SESSION_KEY_GET,
            SESSION_KEY_AUTH_STARTED,
            # We might need the initial POST payloads for later requests
            # SESSION_KEY_POST,
            # We don't delete the history on purpose, as a user might
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -6,8 +6,7 @@ from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse
 from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.models import Flow
 from authentik.flows.views.executor import SESSION_KEY_AUTH_STARTED
 class FlowInterfaceView(InterfaceView):
@ -15,12 +14,6 @@ class FlowInterfaceView(InterfaceView):
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        if (
            not self.request.user.is_authenticated
            and flow.designation == FlowDesignation.AUTHENTICATION
        ):
            self.request.session[SESSION_KEY_AUTH_STARTED] = True
            self.request.session.save()
        kwargs["flow"] = flow
        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -37,9 +37,6 @@ class WebsocketMessageInstruction(IntEnum):
    # Provider specific message
    PROVIDER_SPECIFIC = 3
    # Session ended
    SESSION_END = 4
@dataclass(slots=True)
 class WebsocketMessage:
@ -148,14 +145,6 @@ class OutpostConsumer(JsonWebsocketConsumer):
            asdict(WebsocketMessage(instruction=WebsocketMessageInstruction.TRIGGER_UPDATE))
        )
    def event_session_end(self, event):
        """Event handler which is called when a session is ended"""
        self.send_json(
            asdict(
                WebsocketMessage(instruction=WebsocketMessageInstruction.SESSION_END, args=event)
            )
        )
    def event_provider_specific(self, event):
        """Event handler which can be called by provider-specific
        implementations to send specific messages to the outpost"""
--- a/authentik/outposts/signals.py
+++ b/authentik/outposts/signals.py
@ -1,24 +1,17 @@
 """authentik outpost signals"""
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete, pre_save
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
 from authentik.brands.models import Brand
-from authentik.core.models import AuthenticatedSession, Provider, User
+from authentik.core.models import Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
-from authentik.outposts.tasks import (
+from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save
    CACHE_KEY_OUTPOST_DOWN,
    outpost_controller,
    outpost_post_save,
    outpost_session_end,
 )
 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@ -80,17 +73,3 @@ def pre_delete_cleanup(sender, instance: Outpost, **_):
    instance.user.delete()
    cache.set(CACHE_KEY_OUTPOST_DOWN % instance.pk.hex, instance)
    outpost_controller.delay(instance.pk.hex, action="down", from_cache=True)
@receiver(user_logged_out)
 def logout_revoke_direct(sender: type[User], request: HttpRequest, **_):
    """Catch logout by direct logout and forward to providers"""
    if not request.session or not request.session.session_key:
        return
    outpost_session_end.delay(request.session.session_key)
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
    outpost_session_end.delay(instance.session.session_key)
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,6 +1,5 @@
 """outpost tasks"""
 from hashlib import sha256
 from os import R_OK, access
 from pathlib import Path
 from socket import gethostname
@ -50,11 +49,6 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"
 def hash_session_key(session_key: str) -> str:
    """Hash the session key for sending session end signals"""
    return sha256(session_key.encode("ascii")).hexdigest()
 def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
@ -295,20 +289,3 @@ def outpost_connection_discovery(self: SystemTask):
                url=unix_socket_path,
            )
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
@CELERY_APP.task()
 def outpost_session_end(session_id: str):
    """Update outpost instances connected to a single outpost"""
    layer = get_channel_layer()
    hashed_session_id = hash_session_key(session_id)
    for outpost in Outpost.objects.all():
        LOGGER.info("Sending session end signal to outpost", outpost=outpost)
        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
        async_to_sync(layer.group_send)(
            group,
            {
                "type": "event.session.end",
                "session_id": hashed_session_id,
            },
        )
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""
 from dataclasses import asdict
 from unittest.mock import patch
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase
 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@ -39,4 +39,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
    mountpoint = "policy/"
--- a/authentik/policies/dummy/apps.py
+++ b/authentik/policies/dummy/apps.py
@ -1,12 +1,11 @@
 """Authentik policy dummy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyDummyConfig(ManagedAppConfig):
+class AuthentikPolicyDummyConfig(AppConfig):
    """Authentik policy_dummy app config"""
    name = "authentik.policies.dummy"
    label = "authentik_policies_dummy"
    verbose_name = "authentik Policies.Dummy"
    default = True
--- a/authentik/policies/event_matcher/apps.py
+++ b/authentik/policies/event_matcher/apps.py
@ -1,12 +1,11 @@
 """authentik Event Matcher policy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPoliciesEventMatcherConfig(ManagedAppConfig):
+class AuthentikPoliciesEventMatcherConfig(AppConfig):
    """authentik Event Matcher policy app config"""
    name = "authentik.policies.event_matcher"
    label = "authentik_policies_event_matcher"
    verbose_name = "authentik Policies.Event Matcher"
    default = True
--- a/authentik/policies/expiry/apps.py
+++ b/authentik/policies/expiry/apps.py
@ -1,12 +1,11 @@
 """Authentik policy_expiry app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyExpiryConfig(ManagedAppConfig):
+class AuthentikPolicyExpiryConfig(AppConfig):
    """Authentik policy_expiry app config"""
    name = "authentik.policies.expiry"
    label = "authentik_policies_expiry"
    verbose_name = "authentik Policies.Expiry"
    default = True
--- a/authentik/policies/expression/apps.py
+++ b/authentik/policies/expression/apps.py
@ -1,12 +1,11 @@
 """Authentik policy_expression app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyExpressionConfig(ManagedAppConfig):
+class AuthentikPolicyExpressionConfig(AppConfig):
    """Authentik policy_expression app config"""
    name = "authentik.policies.expression"
    label = "authentik_policies_expression"
    verbose_name = "authentik Policies.Expression"
    default = True
--- a/authentik/policies/geoip/apps.py
+++ b/authentik/policies/geoip/apps.py
@ -1,12 +1,11 @@
 """Authentik policy geoip app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPolicyGeoIPConfig(ManagedAppConfig):
+class AuthentikPolicyGeoIPConfig(AppConfig):
    """Authentik policy_geoip app config"""
    name = "authentik.policies.geoip"
    label = "authentik_policies_geoip"
    verbose_name = "authentik Policies.GeoIP"
    default = True
--- a/authentik/policies/password/apps.py
+++ b/authentik/policies/password/apps.py
@ -1,12 +1,11 @@
 """authentik Password policy app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikPoliciesPasswordConfig(ManagedAppConfig):
+class AuthentikPoliciesPasswordConfig(AppConfig):
    """authentik Password policy app config"""
    name = "authentik.policies.password"
    label = "authentik_policies_password"
    verbose_name = "authentik Policies.Password"
    default = True
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@ -1,89 +0,0 @@
 {% extends 'login/base_full.html' %}
 {% load static %}
 {% load i18n %}
 {% block head %}
 {{ block.super }}
 <script>
  let redirecting = false;
  const checkAuth = async () => {
    if (redirecting) return true;
    const url = "{{ check_auth_url }}";
    console.debug("authentik/policies/buffer: Checking authentication...");
    try {
      const result = await fetch(url, {
        method: "HEAD",
      });
      if (result.status >= 400) {
        return false
      }
      console.debug("authentik/policies/buffer: Continuing");
      redirecting = true;
      if ("{{ auth_req_method }}" === "post") {
        document.querySelector("form").submit();
      } else {
        window.location.assign("{{ continue_url|escapejs }}");
      }
    } catch {
      return false;
    }
  };
  let timeout = 100;
  let offset = 20;
  let attempt = 0;
  const main = async () => {
    attempt += 1;
    await checkAuth();
    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
    setTimeout(main, timeout);
    timeout += (offset * attempt);
    if (timeout >= 2000) {
      timeout = 2000;
    }
  }
  document.addEventListener("visibilitychange", async () => {
    if (document.hidden) return;
    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
    await checkAuth();
  });
  main();
 </script>
 {% endblock %}
 {% block title %}
 {% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
 {% endblock %}
 {% block card_title %}
 {% trans 'Waiting for authentication...' %}
 {% endblock %}
 {% block card %}
 <form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
  {% if auth_req_method == "post" %}
    {% for key, value in auth_req_body.items %}
      <input type="hidden" name="{{ key }}" value="{{ value }}" />
    {% endfor %}
  {% endif %}
  <div class="pf-c-empty-state">
    <div class="pf-c-empty-state__content">
      <div class="pf-c-empty-state__icon">
        <span class="pf-c-spinner pf-m-xl" role="progressbar">
          <span class="pf-c-spinner__clipper"></span>
          <span class="pf-c-spinner__lead-ball"></span>
          <span class="pf-c-spinner__tail-ball"></span>
        </span>
      </div>
      <h1 class="pf-c-title pf-m-lg">
        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
      </h1>
    </div>
  </div>
  <div class="pf-c-form__group pf-m-action">
    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
      {% trans "Authenticate in this tab" %}
    </a>
  </div>
 </form>
 {% endblock %}
--- a/authentik/policies/tests/test_views.py
+++ b/authentik/policies/tests/test_views.py
@ -1,121 +0,0 @@
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpResponse
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from authentik.core.models import Application, Provider
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.views import (
    QS_BUFFER_ID,
    SESSION_KEY_BUFFER,
    BufferedPolicyAccessView,
    BufferView,
    PolicyAccessView,
 )
 class TestPolicyViews(TestCase):
    """Test PolicyAccessView"""
    def setUp(self):
        super().setUp()
        self.factory = RequestFactory()
        self.user = create_test_user()
    def test_pav(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        class TestView(PolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = self.user
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertEqual(res.content, b"foo")
    def test_pav_buffer(self):
        """Test simple policy access view"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
    def test_pav_buffer_skip(self):
        """Test simple policy access view (skip buffer)"""
        provider = Provider.objects.create(
            name=generate_id(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        class TestView(BufferedPolicyAccessView):
            def resolve_provider_application(self):
                self.provider = provider
                self.application = app
            def get(self, *args, **kwargs):
                return HttpResponse("foo")
        req = self.factory.get("/?skip_buffer=true")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
        req.session.save()
        res = TestView.as_view()(req)
        self.assertEqual(res.status_code, 302)
        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
    def test_buffer(self):
        """Test buffer view"""
        uid = generate_id()
        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
        req.user = AnonymousUser()
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(req)
        ts = generate_id()
        req.session[SESSION_KEY_BUFFER % uid] = {
            "method": "get",
            "body": {},
            "url": f"/{ts}",
        }
        req.session.save()
        res = BufferView.as_view()(req)
        self.assertEqual(res.status_code, 200)
        self.assertIn(ts, res.render().content.decode())
--- a/authentik/policies/urls.py
+++ b/authentik/policies/urls.py
@ -1,14 +1,7 @@
 """API URLs"""
 from django.urls import path
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.views import BufferView
 urlpatterns = [
    path("buffer", BufferView.as_view(), name="buffer"),
 ]
 api_urlpatterns = [
    ("policies/all", PolicyViewSet),
--- a/authentik/policies/views.py
+++ b/authentik/policies/views.py
@ -1,37 +1,23 @@
 """authentik access helper classes"""
 from typing import Any
 from uuid import uuid4
 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpRequest, HttpResponse, QueryDict
+from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils.translation import gettext as _
-from django.views.generic.base import TemplateView, View
+from django.views.generic.base import View
 from structlog.stdlib import get_logger
 from authentik.core.models import Application, Provider, User
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_POST
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import (
    SESSION_KEY_APPLICATION_PRE,
    SESSION_KEY_AUTH_STARTED,
    SESSION_KEY_PLAN,
    SESSION_KEY_POST,
 )
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyRequest, PolicyResult
 LOGGER = get_logger()
 QS_BUFFER_ID = "af_bf_id"
 QS_SKIP_BUFFER = "skip_buffer"
 SESSION_KEY_BUFFER = "authentik/policies/pav_buffer/%s"
 class RequestValidationError(SentryIgnoredException):
@ -139,65 +125,3 @@ class PolicyAccessView(AccessMixin, View):
            for message in result.messages:
                messages.error(self.request, _(message))
        return result
 def url_with_qs(url: str, **kwargs):
    """Update/set querystring of `url` with the parameters in `kwargs`. Original query string
    parameters are retained"""
    if "?" not in url:
        return url + f"?{urlencode(kwargs)}"
    url, _, qs = url.partition("?")
    qs = QueryDict(qs, mutable=True)
    qs.update(kwargs)
    return url + f"?{urlencode(qs.items())}"
 class BufferView(TemplateView):
    """Buffer view"""
    template_name = "policies/buffer.html"
    def get_context_data(self, **kwargs):
        buf_id = self.request.GET.get(QS_BUFFER_ID)
        buffer: dict = self.request.session.get(SESSION_KEY_BUFFER % buf_id)
        kwargs["auth_req_method"] = buffer["method"]
        kwargs["auth_req_body"] = buffer["body"]
        kwargs["auth_req_url"] = url_with_qs(buffer["url"], **{QS_SKIP_BUFFER: True})
        kwargs["check_auth_url"] = reverse("authentik_api:user-me")
        kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
        return super().get_context_data(**kwargs)
 class BufferedPolicyAccessView(PolicyAccessView):
    """PolicyAccessView which buffers access requests in case the user is not logged in"""
    def handle_no_permission(self):
        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
        authenticating = self.request.session.get(SESSION_KEY_AUTH_STARTED)
        if plan:
            flow = Flow.objects.filter(pk=plan.flow_pk).first()
            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
                return super().handle_no_permission()
        if not plan and authenticating is None:
            LOGGER.debug("Not buffering request, no flow plan active")
            return super().handle_no_permission()
        if self.request.GET.get(QS_SKIP_BUFFER):
            LOGGER.debug("Not buffering request, explicit skip")
            return super().handle_no_permission()
        buffer_id = str(uuid4())
        LOGGER.debug("Buffering access request", bf_id=buffer_id)
        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
            "body": self.request.POST,
            "url": self.request.build_absolute_uri(self.request.get_full_path()),
            "method": self.request.method.lower(),
        }
        return redirect(
            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
        )
    def dispatch(self, request, *args, **kwargs):
        response = super().dispatch(request, *args, **kwargs)
        if QS_BUFFER_ID in self.request.GET:
            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
        return response
--- a/authentik/providers/ldap/apps.py
+++ b/authentik/providers/ldap/apps.py
@ -1,12 +1,11 @@
 """authentik ldap provider app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikProviderLDAPConfig(ManagedAppConfig):
+class AuthentikProviderLDAPConfig(AppConfig):
    """authentik ldap provider app config"""
    name = "authentik.providers.ldap"
    label = "authentik_providers_ldap"
    verbose_name = "authentik Providers.LDAP"
    default = True
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -30,7 +30,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
+from authentik.policies.views import PolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.constants import (
    PKCE_METHOD_PLAIN,
    PKCE_METHOD_S256,
@ -326,7 +326,7 @@ class OAuthAuthorizationParams:
        return code
-class AuthorizationFlowInitView(BufferedPolicyAccessView):
+class AuthorizationFlowInitView(PolicyAccessView):
    """OAuth2 Flow initializer, checks access to application and starts flow"""
    params: OAuthAuthorizationParams
--- a/authentik/providers/proxy/apps.py
+++ b/authentik/providers/proxy/apps.py
@ -10,11 +10,3 @@ class AuthentikProviderProxyConfig(ManagedAppConfig):
    label = "authentik_providers_proxy"
    verbose_name = "authentik Providers.Proxy"
    default = True
    @ManagedAppConfig.reconcile_tenant
    def proxy_set_defaults(self):
        from authentik.providers.proxy.models import ProxyProvider
        for provider in ProxyProvider.objects.all():
            provider.set_oauth_defaults()
            provider.save()
--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -0,0 +1,23 @@
 """Proxy provider signals"""
 from django.contrib.auth.signals import user_logged_out
 from django.db.models.signals import pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.proxy.tasks import proxy_on_logout
@receiver(user_logged_out)
 def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
    """Catch logout by direct logout and forward to proxy providers"""
    if not request.session or not request.session.session_key:
        return
    proxy_on_logout.delay(request.session.session_key)
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
    proxy_on_logout.delay(instance.session.session_key)
--- a/authentik/providers/proxy/tasks.py
+++ b/authentik/providers/proxy/tasks.py
@ -0,0 +1,38 @@
 """proxy provider tasks"""
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
 from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.root.celery import CELERY_APP
@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
 def proxy_set_defaults():
    """Ensure correct defaults are set for all providers"""
    for provider in ProxyProvider.objects.all():
        provider.set_oauth_defaults()
        provider.save()
@CELERY_APP.task()
 def proxy_on_logout(session_id: str):
    """Update outpost instances connected to a single outpost"""
    layer = get_channel_layer()
    hashed_session_id = hash_session_key(session_id)
    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
        async_to_sync(layer.group_send)(
            group,
            {
                "type": "event.provider.specific",
                "sub_type": "logout",
                "session_id": hashed_session_id,
            },
        )
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -18,11 +18,11 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
-class RACStartView(BufferedPolicyAccessView):
+class RACStartView(PolicyAccessView):
    """Start a RAC connection by checking access and creating a connection token"""
    endpoint: Endpoint
--- a/authentik/providers/radius/apps.py
+++ b/authentik/providers/radius/apps.py
@ -1,12 +1,11 @@
 """authentik radius provider app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikProviderRadiusConfig(ManagedAppConfig):
+class AuthentikProviderRadiusConfig(AppConfig):
    """authentik radius provider app config"""
    name = "authentik.providers.radius"
    label = "authentik_providers_radius"
    verbose_name = "authentik Providers.Radius"
    default = True
--- a/authentik/providers/saml/apps.py
+++ b/authentik/providers/saml/apps.py
@ -1,13 +1,12 @@
 """authentik SAML IdP app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikProviderSAMLConfig(ManagedAppConfig):
+class AuthentikProviderSAMLConfig(AppConfig):
    """authentik SAML IdP app config"""
    name = "authentik.providers.saml"
    label = "authentik_providers_saml"
    verbose_name = "authentik Providers.SAML"
    mountpoint = "application/saml/"
    default = True
--- a/authentik/providers/saml/views/flows.py
+++ b/authentik/providers/saml/views/flows.py
@ -35,8 +35,8 @@ REQUEST_KEY_SAML_SIG_ALG = "SigAlg"
 REQUEST_KEY_SAML_RESPONSE = "SAMLResponse"
 REQUEST_KEY_RELAY_STATE = "RelayState"
-PLAN_CONTEXT_SAML_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
+SESSION_KEY_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
-PLAN_CONTEXT_SAML_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
+SESSION_KEY_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
 # This View doesn't have a URL on purpose, as its called by the FlowExecutor
@ -50,11 +50,10 @@ class SAMLFlowFinalView(ChallengeStageView):
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        application: Application = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
        provider: SAMLProvider = get_object_or_404(SAMLProvider, pk=application.provider_id)
-        if PLAN_CONTEXT_SAML_AUTH_N_REQUEST not in self.executor.plan.context:
+        if SESSION_KEY_AUTH_N_REQUEST not in self.request.session:
            self.logger.warning("No AuthNRequest in context")
            return self.executor.stage_invalid()
-        auth_n_request: AuthNRequest = self.executor.plan.context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST]
+        auth_n_request: AuthNRequest = self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST)
        try:
            response = AssertionProcessor(provider, request, auth_n_request).build_response()
        except SAMLException as exc:
@ -107,3 +106,6 @@ class SAMLFlowFinalView(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        # We'll never get here since the challenge redirects to the SP
        return HttpResponseBadRequest()
    def cleanup(self):
        self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST, None)
--- a/authentik/providers/saml/views/slo.py
+++ b/authentik/providers/saml/views/slo.py
@ -19,9 +19,9 @@ from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.providers.saml.views.flows import (
    PLAN_CONTEXT_SAML_LOGOUT_REQUEST,
    REQUEST_KEY_RELAY_STATE,
    REQUEST_KEY_SAML_REQUEST,
    SESSION_KEY_LOGOUT_REQUEST,
 )
 LOGGER = get_logger()
@ -33,10 +33,6 @@ class SAMLSLOView(PolicyAccessView):
    flow: Flow
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.plan_context = {}
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
        self.provider: SAMLProvider = get_object_or_404(
@ -63,7 +59,6 @@ class SAMLSLOView(PolicyAccessView):
            request,
            {
                PLAN_CONTEXT_APPLICATION: self.application,
                **self.plan_context,
            },
        )
        plan.append_stage(in_memory_stage(SessionEndStage))
@ -88,7 +83,7 @@ class SAMLSLOBindingRedirectView(SAMLSLOView):
                self.request.GET[REQUEST_KEY_SAML_REQUEST],
                relay_state=self.request.GET.get(REQUEST_KEY_RELAY_STATE, None),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
        except CannotHandleAssertion as exc:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
@ -116,7 +111,7 @@ class SAMLSLOBindingPOSTView(SAMLSLOView):
                payload[REQUEST_KEY_SAML_REQUEST],
                relay_state=payload.get(REQUEST_KEY_RELAY_STATE, None),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
        except CannotHandleAssertion as exc:
            LOGGER.info(str(exc))
            return bad_request_message(self.request, str(exc))
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -15,16 +15,16 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
    PLAN_CONTEXT_SAML_AUTH_N_REQUEST,
    REQUEST_KEY_RELAY_STATE,
    REQUEST_KEY_SAML_REQUEST,
    REQUEST_KEY_SAML_SIG_ALG,
    REQUEST_KEY_SAML_SIGNATURE,
    SESSION_KEY_AUTH_N_REQUEST,
    SAMLFlowFinalView,
 )
 from authentik.stages.consent.stage import (
@ -35,14 +35,10 @@ from authentik.stages.consent.stage import (
 LOGGER = get_logger()
-class SAMLSSOView(BufferedPolicyAccessView):
+class SAMLSSOView(PolicyAccessView):
    """SAML SSO Base View, which plans a flow and injects our final stage.
    Calls get/post handler."""
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.plan_context = {}
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
        self.provider: SAMLProvider = get_object_or_404(
@ -72,7 +68,6 @@ class SAMLSSOView(BufferedPolicyAccessView):
                    PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
                    % {"application": self.application.name},
                    PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
                    **self.plan_context,
                },
            )
        except FlowNonApplicableException:
@ -88,7 +83,7 @@ class SAMLSSOView(BufferedPolicyAccessView):
    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
        """GET and POST use the same handler, but we can't
-        override .dispatch easily because BufferedPolicyAccessView's dispatch"""
+        override .dispatch easily because PolicyAccessView's dispatch"""
        return self.get(request, application_slug)
@ -108,7 +103,7 @@ class SAMLSSOBindingRedirectView(SAMLSSOView):
                self.request.GET.get(REQUEST_KEY_SAML_SIGNATURE),
                self.request.GET.get(REQUEST_KEY_SAML_SIG_ALG),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
        except CannotHandleAssertion as exc:
            Event.new(
                EventAction.CONFIGURATION_ERROR,
@ -142,7 +137,7 @@ class SAMLSSOBindingPOSTView(SAMLSSOView):
                payload[REQUEST_KEY_SAML_REQUEST],
                payload.get(REQUEST_KEY_RELAY_STATE),
            )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
        except CannotHandleAssertion as exc:
            LOGGER.info(str(exc))
            return bad_request_message(self.request, str(exc))
@ -156,4 +151,4 @@ class SAMLSSOBindingInitView(SAMLSSOView):
        """Create SAML Response from scratch"""
        LOGGER.debug("No SAML Request, using IdP-initiated flow.")
        auth_n_request = AuthNRequestParser(self.provider).idp_initiated()
-        self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+        self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
--- a/authentik/rbac/tests/test_decorators.py
+++ b/authentik/rbac/tests/test_decorators.py
@ -1,29 +1,12 @@
 """test decorators api"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.decorators import action
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.test import APITestCase
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.rbac.decorators import permission_required
 class MVS(ModelViewSet):
    queryset = Application.objects.all()
    lookup_field = "slug"
    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @action(detail=True, pagination_class=None, filter_backends=[])
    def test(self, request: Request, slug: str):
        self.get_object()
        return Response(status=200)
 class TestAPIDecorators(APITestCase):
@ -35,33 +18,41 @@ class TestAPIDecorators(APITestCase):
    def test_obj_perm_denied(self):
        """Test object perm denied"""
-        request = get_request("", user=self.user)
+        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 403)
    def test_obj_perm_global(self):
        """Test object perm successful (global)"""
        assign_perm("authentik_core.view_application", self.user)
        assign_perm("authentik_events.view_event", self.user)
        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        request = get_request("", user=self.user)
+        response = self.client.get(
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        self.assertEqual(response.status_code, 200, response.data)
+        )
        self.assertEqual(response.status_code, 200)
    def test_obj_perm_scoped(self):
        """Test object perm successful (scoped)"""
        assign_perm("authentik_events.view_event", self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
+        self.client.force_login(self.user)
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 200)
    def test_other_perm_denied(self):
        """Test other perm denied"""
        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
+        response = self.client.get(
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 403)
--- a/authentik/recovery/apps.py
+++ b/authentik/recovery/apps.py
@ -1,13 +1,12 @@
 """authentik Recovery app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikRecoveryConfig(ManagedAppConfig):
+class AuthentikRecoveryConfig(AppConfig):
    """authentik Recovery app config"""
    name = "authentik.recovery"
    label = "authentik_recovery"
    verbose_name = "authentik Recovery"
    mountpoint = "recovery/"
    default = True
--- a/authentik/root/celery.py
+++ b/authentik/root/celery.py
@ -98,7 +98,13 @@ def _get_startup_tasks_default_tenant() -> list[Callable]:
 def _get_startup_tasks_all_tenants() -> list[Callable]:
    """Get all tasks to be run on startup for all tenants"""
-    return []
+    from authentik.admin.tasks import clear_update_notifications
    from authentik.providers.proxy.tasks import proxy_set_defaults
    return [
        clear_update_notifications,
        proxy_set_defaults,
    ]
@worker_ready.connect
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,44 +3,25 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
 from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
 from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
 from tests.e2e.utils import get_docker_tag
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.logger = get_logger().bind(runner="pytest")
        self.args = []
        if self.failfast:
@ -53,33 +34,22 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        if kwargs.get("no_capture", False):
            self.args.append("--capture=no")
        self._setup_test_environment()
    def _setup_test_environment(self):
        """Configure test environment settings"""
        settings.TEST = True
        settings.CELERY["task_always_eager"] = True
-
+        CONFIG.set("events.context_processors.geoip", "tests/GeoLite2-City-Test.mmdb")
-        # Test-specific configuration
+        CONFIG.set("events.context_processors.asn", "tests/GeoLite2-ASN-Test.mmdb")
-        test_config = {
+        CONFIG.set("blueprints_dir", "./blueprints")
-            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
+        CONFIG.set(
-            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
+            "outposts.container_image_base",
-            "blueprints_dir": "./blueprints",
+            f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
-            "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
+        )
-            "tenants.enabled": False,
+        CONFIG.set("tenants.enabled", False)
-            "outposts.disable_embedded_outpost": False,
+        CONFIG.set("outposts.disable_embedded_outpost", False)
-            "error_reporting.sample_rate": 0,
+        CONFIG.set("error_reporting.sample_rate", 0)
-            "error_reporting.environment": "testing",
+        CONFIG.set("error_reporting.environment", "testing")
-            "error_reporting.send_pii": True,
+        CONFIG.set("error_reporting.send_pii", True)
        }
        for key, value in test_config.items():
            CONFIG.set(key, value)
        sentry_init()
        self.logger.debug("Test environment configured")
        # Send startup signals
        pre_startup.send(sender=self, mode="test")
        startup.send(sender=self, mode="test")
        post_startup.send(sender=self, mode="test")
@ -102,21 +72,7 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            help="Disable any capturing of stdout/stderr during tests.",
        )
-    def _validate_test_label(self, label: str) -> bool:
+    def run_tests(self, test_labels, extra_tests=None, **kwargs):
        """Validate test label format"""
        if not label:
            return False
        # Check for invalid characters, but allow forward slashes and colons
        # for paths and pytest markers
        invalid_chars = set('\\*?"<>|')
        if any(c in label for c in invalid_chars):
            self.logger.error("Invalid characters in test label", label=label)
            return False
        return True
    def run_tests(self, test_labels: list[str], extra_tests=None, **kwargs):
        """Run pytest and return the exitcode.
        It translates some of Django's test command option to pytest's.
@ -126,17 +82,10 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        The extra_tests argument has been deprecated since Django 5.x
        It is kept for compatibility with PyCharm's Django test runner.
        """
        if not test_labels:
            self.logger.error("No test files specified")
            return 1
        for label in test_labels:
            if not self._validate_test_label(label):
                return 1
            valid_label_found = False
            label_as_path = os.path.abspath(label)
            # File path has been specified
            if os.path.exists(label_as_path):
                self.args.append(label_as_path)
@ -144,31 +93,24 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            elif "::" in label:
                self.args.append(label)
                valid_label_found = True
            # Convert dotted module path to file_path::class::method
            else:
                # Check if the label is a dotted module path
                path_pieces = label.split(".")
                # Check whether only class or class and method are specified
                for i in range(-1, -3, -1):
-                    try:
+                    path = os.path.join(*path_pieces[:i]) + ".py"
-                        path = os.path.join(*path_pieces[:i]) + ".py"
+                    label_as_path = os.path.abspath(path)
-                        if os.path.exists(path):
+                    if os.path.exists(label_as_path):
-                            if i < -1:
+                        path_method = label_as_path + "::" + "::".join(path_pieces[i:])
-                                path_method = path + "::" + "::".join(path_pieces[i:])
+                        self.args.append(path_method)
-                                self.args.append(path_method)
+                        valid_label_found = True
-                            else:
+                        break
                                self.args.append(path)
                            valid_label_found = True
                            break
                    except (TypeError, IndexError):
                        continue
            if not valid_label_found:
-                self.logger.error("Test file not found", label=label)
+                raise RuntimeError(
-                return 1
+                    f"One of the test labels: {label!r}, "
                    f"is not supported. Use a dotted module name or "
                    f"path instead."
                )
-        self.logger.info("Running tests", test_files=self.args)
+        return pytest.main(self.args)
        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
            try:
                return pytest.main(self.args)
            except Exception as e:
                self.logger.error("Error running tests", error=str(e), test_files=self.args)
                return 1
--- a/authentik/sources/plex/apps.py
+++ b/authentik/sources/plex/apps.py
@ -1,12 +1,11 @@
 """authentik plex config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikSourcePlexConfig(ManagedAppConfig):
+class AuthentikSourcePlexConfig(AppConfig):
    """authentik source plex config"""
    name = "authentik.sources.plex"
    label = "authentik_sources_plex"
    verbose_name = "authentik Sources.Plex"
    default = True
--- a/authentik/stages/authenticator/apps.py
+++ b/authentik/stages/authenticator/apps.py
@ -1,12 +1,11 @@
 """Authenticator"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageAuthenticatorConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorConfig(AppConfig):
    """Authenticator App config"""
    name = "authentik.stages.authenticator"
    label = "authentik_stages_authenticator"
    verbose_name = "authentik Stages.Authenticator"
    default = True
--- a/authentik/stages/authenticator_sms/apps.py
+++ b/authentik/stages/authenticator_sms/apps.py
@ -1,12 +1,11 @@
 """SMS"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageAuthenticatorSMSConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorSMSConfig(AppConfig):
    """SMS App config"""
    name = "authentik.stages.authenticator_sms"
    label = "authentik_stages_authenticator_sms"
    verbose_name = "authentik Stages.Authenticator.SMS"
    default = True
--- a/authentik/stages/authenticator_totp/apps.py
+++ b/authentik/stages/authenticator_totp/apps.py
@ -1,12 +1,11 @@
 """TOTP"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageAuthenticatorTOTPConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorTOTPConfig(AppConfig):
    """TOTP App config"""
    name = "authentik.stages.authenticator_totp"
    label = "authentik_stages_authenticator_totp"
    verbose_name = "authentik Stages.Authenticator.TOTP"
    default = True
--- a/authentik/stages/authenticator_validate/apps.py
+++ b/authentik/stages/authenticator_validate/apps.py
@ -1,12 +1,11 @@
 """Authenticator Validation Stage"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageAuthenticatorValidateConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorValidateConfig(AppConfig):
    """Authenticator Validation Stage"""
    name = "authentik.stages.authenticator_validate"
    label = "authentik_stages_authenticator_validate"
    verbose_name = "authentik Stages.Authenticator.Validate"
    default = True
--- a/authentik/stages/captcha/apps.py
+++ b/authentik/stages/captcha/apps.py
@ -1,12 +1,11 @@
 """authentik captcha app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageCaptchaConfig(ManagedAppConfig):
+class AuthentikStageCaptchaConfig(AppConfig):
    """authentik captcha app"""
    name = "authentik.stages.captcha"
    label = "authentik_stages_captcha"
    verbose_name = "authentik Stages.Captcha"
    default = True
--- a/authentik/stages/consent/apps.py
+++ b/authentik/stages/consent/apps.py
@ -1,12 +1,11 @@
 """authentik consent app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageConsentConfig(ManagedAppConfig):
+class AuthentikStageConsentConfig(AppConfig):
    """authentik consent app"""
    name = "authentik.stages.consent"
    label = "authentik_stages_consent"
    verbose_name = "authentik Stages.Consent"
    default = True
--- a/authentik/stages/deny/apps.py
+++ b/authentik/stages/deny/apps.py
@ -1,12 +1,11 @@
 """authentik deny stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageDenyConfig(ManagedAppConfig):
+class AuthentikStageDenyConfig(AppConfig):
    """authentik deny stage config"""
    name = "authentik.stages.deny"
    label = "authentik_stages_deny"
    verbose_name = "authentik Stages.Deny"
    default = True
--- a/authentik/stages/dummy/apps.py
+++ b/authentik/stages/dummy/apps.py
@ -1,12 +1,11 @@
 """authentik dummy stage config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageDummyConfig(ManagedAppConfig):
+class AuthentikStageDummyConfig(AppConfig):
    """authentik dummy stage config"""
    name = "authentik.stages.dummy"
    label = "authentik_stages_dummy"
    verbose_name = "authentik Stages.Dummy"
    default = True
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -100,11 +100,9 @@ def send_mail(
        # Because we use the Message-ID as UID for the task, manually assign it
        message_object.extra_headers["Message-ID"] = message_id
-        # Add the logo if it is used in the email body (we can't add it in the
+        # Add the logo (we can't add it in the previous message since MIMEImage
-        # previous message since MIMEImage can't be converted to json)
+        # can't be converted to json)
-        body = get_email_body(message_object)
+        message_object.attach(logo_data())
        if "cid:logo" in body:
            message_object.attach(logo_data())
        if (
            message_object.to
--- a/authentik/stages/email/templates/email/base.html
+++ b/authentik/stages/email/templates/email/base.html
@ -96,7 +96,7 @@
                <table width="100%" style="background-color: #FFFFFF; border-spacing: 0; margin-top: 15px;">
                  <tr height="80">
                    <td align="center" style="padding: 20px 0;">
-                      <img src="{% block logo_url %}cid:logo{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
+                      <img src="{% block logo_url %}cid:logo.png{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
                    </td>
                  </tr>
                  {% block content %}
--- a/authentik/stages/email/utils.py
+++ b/authentik/stages/email/utils.py
@ -19,8 +19,7 @@ def logo_data() -> MIMEImage:
        path = Path("web/dist/assets/icons/icon_left_brand.png")
    with open(path, "rb") as _logo_file:
        logo = MIMEImage(_logo_file.read())
-    logo.add_header("Content-ID", "<logo>")
+    logo.add_header("Content-ID", "logo.png")
    logo.add_header("Content-Disposition", "inline", filename="logo.png")
    return logo
--- a/authentik/stages/identification/apps.py
+++ b/authentik/stages/identification/apps.py
@ -1,12 +1,11 @@
 """authentik identification stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageIdentificationConfig(ManagedAppConfig):
+class AuthentikStageIdentificationConfig(AppConfig):
    """authentik identification stage config"""
    name = "authentik.stages.identification"
    label = "authentik_stages_identification"
    verbose_name = "authentik Stages.Identification"
    default = True
--- a/authentik/stages/invitation/apps.py
+++ b/authentik/stages/invitation/apps.py
@ -1,12 +1,11 @@
 """authentik invitation stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageInvitationConfig(ManagedAppConfig):
+class AuthentikStageInvitationConfig(AppConfig):
    """authentik invitation stage config"""
    name = "authentik.stages.invitation"
    label = "authentik_stages_invitation"
    verbose_name = "authentik Stages.Invitation"
    default = True
--- a/authentik/stages/password/apps.py
+++ b/authentik/stages/password/apps.py
@ -1,12 +1,11 @@
 """authentik core app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStagePasswordConfig(ManagedAppConfig):
+class AuthentikStagePasswordConfig(AppConfig):
    """authentik password stage config"""
    name = "authentik.stages.password"
    label = "authentik_stages_password"
    verbose_name = "authentik Stages.Password"
    default = True
--- a/authentik/stages/prompt/apps.py
+++ b/authentik/stages/prompt/apps.py
@ -1,12 +1,11 @@
 """authentik prompt stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStagePromptConfig(ManagedAppConfig):
+class AuthentikStagePromptConfig(AppConfig):
    """authentik prompt stage config"""
    name = "authentik.stages.prompt"
    label = "authentik_stages_prompt"
    verbose_name = "authentik Stages.Prompt"
    default = True
--- a/authentik/stages/redirect/apps.py
+++ b/authentik/stages/redirect/apps.py
@ -1,12 +1,11 @@
 """authentik redirect app"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageRedirectConfig(ManagedAppConfig):
+class AuthentikStageRedirectConfig(AppConfig):
    """authentik redirect app"""
    name = "authentik.stages.redirect"
    label = "authentik_stages_redirect"
    verbose_name = "authentik Stages.Redirect"
    default = True
--- a/authentik/stages/user_delete/apps.py
+++ b/authentik/stages/user_delete/apps.py
@ -1,12 +1,11 @@
 """authentik delete stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageUserDeleteConfig(ManagedAppConfig):
+class AuthentikStageUserDeleteConfig(AppConfig):
    """authentik delete stage config"""
    name = "authentik.stages.user_delete"
    label = "authentik_stages_user_delete"
    verbose_name = "authentik Stages.User Delete"
    default = True
--- a/authentik/stages/user_login/apps.py
+++ b/authentik/stages/user_login/apps.py
@ -1,12 +1,11 @@
 """authentik login stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageUserLoginConfig(ManagedAppConfig):
+class AuthentikStageUserLoginConfig(AppConfig):
    """authentik login stage config"""
    name = "authentik.stages.user_login"
    label = "authentik_stages_user_login"
    verbose_name = "authentik Stages.User Login"
    default = True
--- a/authentik/stages/user_logout/apps.py
+++ b/authentik/stages/user_logout/apps.py
@ -1,12 +1,11 @@
 """authentik logout stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageUserLogoutConfig(ManagedAppConfig):
+class AuthentikStageUserLogoutConfig(AppConfig):
    """authentik logout stage config"""
    name = "authentik.stages.user_logout"
    label = "authentik_stages_user_logout"
    verbose_name = "authentik Stages.User Logout"
    default = True
--- a/authentik/stages/user_write/apps.py
+++ b/authentik/stages/user_write/apps.py
@ -1,12 +1,11 @@
 """authentik write stage app config"""
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
-class AuthentikStageUserWriteConfig(ManagedAppConfig):
+class AuthentikStageUserWriteConfig(AppConfig):
    """authentik write stage config"""
    name = "authentik.stages.user_write"
    label = "authentik_stages_user_write"
    verbose_name = "authentik Stages.User Write"
    default = True
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
--- a/cmd/ldap/main.go
+++ b/cmd/ldap/main.go
@ -2,13 +2,17 @@ package main
 import (
 	"fmt"
 	"net/url"
 	"os"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/ldap"
 )
@ -21,15 +25,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
+	Long:    helpMessage,
-	Version:          constants.FullVersion(),
+	Version: constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-	RunE: func(cmd *cobra.Command, args []string) error {
+		log.SetLevel(log.DebugLevel)
-		err := entrypoint.OutpostMain("authentik.outpost.ldap", ldap.NewServer)
+		log.SetFormatter(&log.JSONFormatter{
-		if err != nil {
+			FieldMap: log.FieldMap{
 				log.FieldKeyMsg:  "event",
 				log.FieldKeyTime: "timestamp",
 			},
 			DisableHTMLEscape: true,
 		})
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL := config.Get().AuthentikHost
 		if akURL == "" {
 			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akToken := config.Get().AuthentikToken
 		if akToken == "" {
 			fmt.Println("env AUTHENTIK_TOKEN not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akURLActual, err := url.Parse(akURL)
 		if err != nil {
 			fmt.Println(err)
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		ex := common.Init()
 		defer common.Defer()
 		go func() {
 			for {
 				<-ex
 				os.Exit(0)
 			}
 		}()
 		ac := ak.NewAPIController(*akURLActual, akToken)
 		if ac == nil {
 			os.Exit(1)
 		}
 		defer ac.Shutdown()
 		ac.Server = ldap.NewServer(ac)
 		err = ac.Start()
 		if err != nil {
 			log.WithError(err).Panic("Failed to run server")
 		}
 		for {
 			<-ex
 		}
 		return err
 	},
 }
--- a/cmd/proxy/main.go
+++ b/cmd/proxy/main.go
@ -2,13 +2,17 @@ package main
 import (
 	"fmt"
 	"net/url"
 	"os"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/proxyv2"
 )
@ -24,15 +28,65 @@ Optionally, you can set these:
 - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
+	Long:    helpMessage,
-	Version:          constants.FullVersion(),
+	Version: constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-	RunE: func(cmd *cobra.Command, args []string) error {
+		log.SetLevel(log.DebugLevel)
-		err := entrypoint.OutpostMain("authentik.outpost.proxy", proxyv2.NewProxyServer)
+		log.SetFormatter(&log.JSONFormatter{
-		if err != nil {
+			FieldMap: log.FieldMap{
 				log.FieldKeyMsg:  "event",
 				log.FieldKeyTime: "timestamp",
 			},
 			DisableHTMLEscape: true,
 		})
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL := config.Get().AuthentikHost
 		if akURL == "" {
 			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akToken := config.Get().AuthentikToken
 		if akToken == "" {
 			fmt.Println("env AUTHENTIK_TOKEN not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akURLActual, err := url.Parse(akURL)
 		if err != nil {
 			fmt.Println(err)
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		ex := common.Init()
 		defer common.Defer()
 		go func() {
 			for {
 				<-ex
 				os.Exit(0)
 			}
 		}()
 		ac := ak.NewAPIController(*akURLActual, akToken)
 		if ac == nil {
 			os.Exit(1)
 		}
 		defer ac.Shutdown()
 		ac.Server = proxyv2.NewProxyServer(ac)
 		err = ac.Start()
 		if err != nil {
 			log.WithError(err).Panic("Failed to run server")
 		}
 		for {
 			<-ex
 		}
 		return err
 	},
 }
--- a/cmd/rac/main.go
+++ b/cmd/rac/main.go
@ -2,13 +2,16 @@ package main
 import (
 	"fmt"
 	"net/url"
 	"os"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/rac"
 )
@ -21,15 +24,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
+	Long:    helpMessage,
-	Version:          constants.FullVersion(),
+	Version: constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-	RunE: func(cmd *cobra.Command, args []string) error {
+		log.SetLevel(log.DebugLevel)
-		err := entrypoint.OutpostMain("authentik.outpost.rac", rac.NewServer)
+		log.SetFormatter(&log.JSONFormatter{
-		if err != nil {
+			FieldMap: log.FieldMap{
 				log.FieldKeyMsg:  "event",
 				log.FieldKeyTime: "timestamp",
 			},
 			DisableHTMLEscape: true,
 		})
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 		if !found {
 			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
 		if !found {
 			fmt.Println("env AUTHENTIK_TOKEN not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akURLActual, err := url.Parse(akURL)
 		if err != nil {
 			fmt.Println(err)
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		ex := common.Init()
 		defer common.Defer()
 		go func() {
 			for {
 				<-ex
 				os.Exit(0)
 			}
 		}()
 		ac := ak.NewAPIController(*akURLActual, akToken)
 		if ac == nil {
 			os.Exit(1)
 		}
 		defer ac.Shutdown()
 		ac.Server = rac.NewServer(ac)
 		err = ac.Start()
 		if err != nil {
 			log.WithError(err).Panic("Failed to run server")
 		}
 		for {
 			<-ex
 		}
 		return err
 	},
 }
--- a/cmd/radius/main.go
+++ b/cmd/radius/main.go
@ -2,13 +2,16 @@ package main
 import (
 	"fmt"
 	"net/url"
 	"os"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/radius"
 )
@ -21,15 +24,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
+	Long:    helpMessage,
-	Version:          constants.FullVersion(),
+	Version: constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-	RunE: func(cmd *cobra.Command, args []string) error {
+		log.SetLevel(log.DebugLevel)
-		err := entrypoint.OutpostMain("authentik.outpost.radius", radius.NewServer)
+		log.SetFormatter(&log.JSONFormatter{
-		if err != nil {
+			FieldMap: log.FieldMap{
 				log.FieldKeyMsg:  "event",
 				log.FieldKeyTime: "timestamp",
 			},
 			DisableHTMLEscape: true,
 		})
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 		if !found {
 			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
 		if !found {
 			fmt.Println("env AUTHENTIK_TOKEN not set!")
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		akURLActual, err := url.Parse(akURL)
 		if err != nil {
 			fmt.Println(err)
 			fmt.Println(helpMessage)
 			os.Exit(1)
 		}
 		ex := common.Init()
 		defer common.Defer()
 		go func() {
 			for {
 				<-ex
 				os.Exit(0)
 			}
 		}()
 		ac := ak.NewAPIController(*akURLActual, akToken)
 		if ac == nil {
 			os.Exit(1)
 		}
 		defer ac.Shutdown()
 		ac.Server = radius.NewServer(ac)
 		err = ac.Start()
 		if err != nil {
 			log.WithError(err).Panic("Failed to run server")
 		}
 		for {
 			<-ex
 		}
 		return err
 	},
 }
--- a/cmd/server/server.go
+++ b/cmd/server/server.go
@ -22,12 +22,21 @@ import (
 )
 var rootCmd = &cobra.Command{
-	Use:              "authentik",
+	Use:     "authentik",
-	Short:            "Start authentik instance",
+	Short:   "Start authentik instance",
-	Version:          constants.FullVersion(),
+	Version: constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		log.SetLevel(log.DebugLevel)
 		log.SetFormatter(&log.JSONFormatter{
 			FieldMap: log.FieldMap{
 				log.FieldKeyMsg:  "event",
 				log.FieldKeyTime: "timestamp",
 			},
 			DisableHTMLEscape: true,
 		})
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer("authentik.core")
+		debug.EnableDebugServer()
 		l := log.WithField("logger", "authentik.root")
 		if config.Get().ErrorReporting.Enabled {
@ -90,7 +99,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		})
 		srv := proxyv2.NewProxyServer(ac)
-		ws.ProxyServer = srv.(*proxyv2.ProxyServer)
+		ws.ProxyServer = srv
 		ac.Server = srv
 		l.Debug("attempting to start outpost")
 		err := ac.StartBackgroundTasks()
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,6 @@ go 1.24.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/getsentry/sentry-go v0.33.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
@ -17,22 +16,21 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/grafana/pyroscope-go v1.2.2
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.10.0
+	github.com/redis/go-redis/v9 v9.8.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025061.2
+	goauthentik.io/api/v3 v3.2025041.4
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.15.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -60,10 +58,8 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -41,8 +41,6 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
 github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@ -180,10 +178,6 @@ github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2e
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grafana/pyroscope-go v1.2.2 h1:uvKCyZMD724RkaCEMrSTC38Yn7AnFe8S2wiAIYdDPCE=
 github.com/grafana/pyroscope-go v1.2.2/go.mod h1:zzT9QXQAp2Iz2ZdS216UiV8y9uXJYQiGE1q8v1FyhqU=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
 github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@ -251,8 +245,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs=
+github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
-github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -268,8 +262,6 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@ -298,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025061.2 h1:bKmrl82Gz6J8lz3f+QIH9g+MEkl3MvkMXF34GktesA0=
+goauthentik.io/api/v3 v3.2025041.4 h1:cGqzWYnUHrWDoaXWDpIL/kWnX9sFrIhkYDye0P0OEAo=
-goauthentik.io/api/v3 v3.2025061.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -384,8 +376,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/internal/common/prerun.go
+++ b/internal/common/prerun.go
@ -1,17 +0,0 @@
 package common
 import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 func PreRun(cmd *cobra.Command, args []string) {
 	log.SetLevel(log.DebugLevel)
 	log.SetFormatter(&log.JSONFormatter{
 		FieldMap: log.FieldMap{
 			log.FieldKeyMsg:  "event",
 			log.FieldKeyTime: "timestamp",
 		},
 		DisableHTMLEscape: true,
 	})
 }
--- a/internal/debug/debug.go
+++ b/internal/debug/debug.go
@ -5,24 +5,19 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/pprof"
 	"os"
 	"runtime"
 	"github.com/gorilla/mux"
 	"github.com/grafana/pyroscope-go"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/web"
 )
-var l = log.WithField("logger", "authentik.debugger.go")
+func EnableDebugServer() {
-
+	l := log.WithField("logger", "authentik.go_debugger")
 func EnableDebugServer(appName string) {
 	if !config.Get().Debug {
 		return
 	}
 	h := mux.NewRouter()
 	enablePyroscope(appName)
 	h.HandleFunc("/debug/pprof/", pprof.Index)
 	h.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	h.HandleFunc("/debug/pprof/profile", pprof.Profile)
@ -59,38 +54,3 @@ func EnableDebugServer(appName string) {
 		}
 	}()
 }
 func enablePyroscope(appName string) {
 	p, pok := os.LookupEnv("AUTHENTIK_PYROSCOPE_HOST")
 	if !pok {
 		return
 	}
 	l.Debug("Enabling pyroscope")
 	runtime.SetMutexProfileFraction(5)
 	runtime.SetBlockProfileRate(5)
 	hostname, err := os.Hostname()
 	if err != nil {
 		panic(err)
 	}
 	_, err = pyroscope.Start(pyroscope.Config{
 		ApplicationName: appName,
 		ServerAddress:   p,
 		Logger:          pyroscope.StandardLogger,
 		Tags:            map[string]string{"hostname": hostname},
 		ProfileTypes: []pyroscope.ProfileType{
 			pyroscope.ProfileCPU,
 			pyroscope.ProfileAllocObjects,
 			pyroscope.ProfileAllocSpace,
 			pyroscope.ProfileInuseObjects,
 			pyroscope.ProfileInuseSpace,
 			pyroscope.ProfileGoroutines,
 			pyroscope.ProfileMutexCount,
 			pyroscope.ProfileMutexDuration,
 			pyroscope.ProfileBlockCount,
 			pyroscope.ProfileBlockDuration,
 		},
 	})
 	if err != nil {
 		panic(err)
 	}
 }
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -13,7 +13,6 @@ import (
 	"syscall"
 	"time"
 	"github.com/avast/retry-go/v4"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
 	"github.com/gorilla/websocket"
@ -26,6 +25,8 @@ import (
 	"goauthentik.io/internal/utils/web"
 )
 type WSHandler func(ctx context.Context, args map[string]interface{})
 const ConfigLogLevel = "log_level"
 // APIController main controller which connects to the authentik api via http and ws
@ -42,11 +43,12 @@ type APIController struct {
 	reloadOffset time.Duration
-	eventConn        *websocket.Conn
+	wsConn              *websocket.Conn
-	lastWsReconnect  time.Time
+	lastWsReconnect     time.Time
-	wsIsReconnecting bool
+	wsIsReconnecting    bool
-	eventHandlers    []EventHandler
+	wsBackoffMultiplier int
-	refreshHandlers  []func()
+	wsHandlers          []WSHandler
 	refreshHandlers     []func()
 	instanceUUID uuid.UUID
 }
@ -81,19 +83,20 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, _ := retry.DoWithData[*api.PaginatedOutpostList](
+	var outposts *api.PaginatedOutpostList
-		func() (*api.PaginatedOutpostList, error) {
+	var err error
-			outposts, _, err := apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+	for {
-			return outposts, err
+		outposts, _, err = apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
-		},
+
-		retry.Attempts(0),
+		if err == nil {
-		retry.Delay(time.Second*3),
+			break
-		retry.OnRetry(func(attempt uint, err error) {
+		}
-			log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
+
-		}),
+		log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
-	)
+		time.Sleep(time.Second * 3)
 	}
 	if len(outposts.Results) < 1 {
-		log.Panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
+		panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
 	}
 	outpost := outposts.Results[0]
@ -116,25 +119,22 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		token:  token,
 		logger: log,
-		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
+		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:    uuid.New(),
+		instanceUUID:        uuid.New(),
-		Outpost:         outpost,
+		Outpost:             outpost,
-		eventHandlers:   []EventHandler{},
+		wsHandlers:          []WSHandler{},
-		refreshHandlers: make([]func(), 0),
+		wsBackoffMultiplier: 1,
 		refreshHandlers:     make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
-	err = ac.initEvent(akURL, outpost.Pk)
+	err = ac.initWS(akURL, outpost.Pk)
 	if err != nil {
-		go ac.recentEvents()
+		go ac.reconnectWS()
 	}
 	ac.configureRefreshSignal()
 	return ac
 }
 func (a *APIController) Log() *log.Entry {
 	return a.logger
 }
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()
@ -196,7 +196,7 @@ func (a *APIController) OnRefresh() error {
 	return err
 }
-func (a *APIController) getEventPingArgs() map[string]interface{} {
+func (a *APIController) getWebsocketPingArgs() map[string]interface{} {
 	args := map[string]interface{}{
 		"version":        constants.VERSION,
 		"buildHash":      constants.BUILD(""),
@ -222,12 +222,12 @@ func (a *APIController) StartBackgroundTasks() error {
 		"build":        constants.BUILD(""),
 	}).Set(1)
 	go func() {
-		a.logger.Debug("Starting Event Handler...")
+		a.logger.Debug("Starting WS Handler...")
-		a.startEventHandler()
+		a.startWSHandler()
 	}()
 	go func() {
-		a.logger.Debug("Starting Event health notifier...")
+		a.logger.Debug("Starting WS Health notifier...")
-		a.startEventHealth()
+		a.startWSHealth()
 	}()
 	go func() {
 		a.logger.Debug("Starting Interval updater...")
--- a/internal/outpost/ak/api_event_msg.go
+++ b/internal/outpost/ak/api_event_msg.go
@ -1,37 +0,0 @@
 package ak
 import (
 	"context"
 	"github.com/mitchellh/mapstructure"
 )
 type EventKind int
 const (
 	// Code used to acknowledge a previous message
 	EventKindAck EventKind = 0
 	// Code used to send a healthcheck keepalive
 	EventKindHello EventKind = 1
 	// Code received to trigger a config update
 	EventKindTriggerUpdate EventKind = 2
 	// Code received to trigger some provider specific function
 	EventKindProviderSpecific EventKind = 3
 	// Code received to identify the end of a session
 	EventKindSessionEnd EventKind = 4
 )
 type EventHandler func(ctx context.Context, msg Event) error
 type Event struct {
 	Instruction EventKind   `json:"instruction"`
 	Args        interface{} `json:"args"`
 }
 func (wm Event) ArgsAs(out interface{}) error {
 	return mapstructure.Decode(wm.Args, out)
 }
 type EventArgsSessionEnd struct {
 	SessionID string `mapstructure:"session_id"`
 }
--- a/internal/outpost/ak/api_event.go
+++ b/internal/outpost/ak/api_event.go
@ -11,7 +11,6 @@ import (
 	"strings"
 	"time"
 	"github.com/avast/retry-go/v4"
 	"github.com/gorilla/websocket"
 	"github.com/prometheus/client_golang/prometheus"
 	"goauthentik.io/internal/config"
@ -31,7 +30,7 @@ func (ac *APIController) getWebsocketURL(akURL url.URL, outpostUUID string, quer
 	return wsUrl
 }
-func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
+func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
@ -58,19 +57,19 @@ func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
 		return err
 	}
-	ac.eventConn = ws
+	ac.wsConn = ws
 	// Send hello message with our version
-	msg := Event{
+	msg := websocketMessage{
-		Instruction: EventKindHello,
+		Instruction: WebsocketInstructionHello,
-		Args:        ac.getEventPingArgs(),
+		Args:        ac.getWebsocketPingArgs(),
 	}
 	err = ws.WriteJSON(msg)
 	if err != nil {
-		ac.logger.WithField("logger", "authentik.outpost.events").WithError(err).Warning("Failed to hello to authentik")
+		ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithError(err).Warning("Failed to hello to authentik")
 		return err
 	}
 	ac.lastWsReconnect = time.Now()
-	ac.logger.WithField("logger", "authentik.outpost.events").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
+	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
 	return nil
 }
@ -78,19 +77,19 @@ func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
 func (ac *APIController) Shutdown() {
 	// Cleanly close the connection by sending a close message and then
 	// waiting (with timeout) for the server to close the connection.
-	err := ac.eventConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+	err := ac.wsConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to write close message")
 		return
 	}
-	err = ac.eventConn.Close()
+	err = ac.wsConn.Close()
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to close websocket")
 	}
 	ac.logger.Info("finished shutdown")
 }
-func (ac *APIController) recentEvents() {
+func (ac *APIController) reconnectWS() {
 	if ac.wsIsReconnecting {
 		return
 	}
@ -101,47 +100,46 @@ func (ac *APIController) recentEvents() {
 		Path:   strings.ReplaceAll(ac.Client.GetConfig().Servers[0].URL, "api/v3", ""),
 	}
 	attempt := 1
-	_ = retry.Do(
+	for {
-		func() error {
+		q := u.Query()
-			q := u.Query()
+		q.Set("attempt", strconv.Itoa(attempt))
-			q.Set("attempt", strconv.Itoa(attempt))
+		u.RawQuery = q.Encode()
-			u.RawQuery = q.Encode()
+		err := ac.initWS(u, ac.Outpost.Pk)
-			err := ac.initEvent(u, ac.Outpost.Pk)
+		attempt += 1
-			attempt += 1
+		if err != nil {
-			if err != nil {
+			ac.logger.Infof("waiting %d seconds to reconnect", ac.wsBackoffMultiplier)
-				return err
+			time.Sleep(time.Duration(ac.wsBackoffMultiplier) * time.Second)
 			ac.wsBackoffMultiplier = ac.wsBackoffMultiplier * 2
 			// Limit to 300 seconds (5m)
 			if ac.wsBackoffMultiplier >= 300 {
 				ac.wsBackoffMultiplier = 300
 			}
 		} else {
 			ac.wsIsReconnecting = false
-			return nil
+			ac.wsBackoffMultiplier = 1
-		},
+			return
-		retry.Delay(1*time.Second),
+		}
-		retry.MaxDelay(5*time.Minute),
+	}
 		retry.DelayType(retry.BackOffDelay),
 		retry.Attempts(0),
 		retry.OnRetry(func(attempt uint, err error) {
 			ac.logger.Infof("waiting %d seconds to reconnect", attempt)
 		}),
 	)
 }
-func (ac *APIController) startEventHandler() {
+func (ac *APIController) startWSHandler() {
-	logger := ac.logger.WithField("loop", "event-handler")
+	logger := ac.logger.WithField("loop", "ws-handler")
 	for {
-		var wsMsg Event
+		var wsMsg websocketMessage
-		if ac.eventConn == nil {
+		if ac.wsConn == nil {
-			go ac.recentEvents()
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.eventConn.ReadJSON(&wsMsg)
+		err := ac.wsConn.ReadJSON(&wsMsg)
 		if err != nil {
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
 				"uuid":         ac.instanceUUID.String(),
 			}).Set(0)
-			logger.WithError(err).Warning("event read error")
+			logger.WithError(err).Warning("ws read error")
-			go ac.recentEvents()
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
@ -151,8 +149,7 @@ func (ac *APIController) startEventHandler() {
 			"uuid":         ac.instanceUUID.String(),
 		}).Set(1)
 		switch wsMsg.Instruction {
-		case EventKindAck:
+		case WebsocketInstructionTriggerUpdate:
 		case EventKindTriggerUpdate:
 			time.Sleep(ac.reloadOffset)
 			logger.Debug("Got update trigger...")
 			err := ac.OnRefresh()
@ -167,33 +164,30 @@ func (ac *APIController) startEventHandler() {
 					"build":        constants.BUILD(""),
 				}).SetToCurrentTime()
 			}
-		default:
+		case WebsocketInstructionProviderSpecific:
-			for _, h := range ac.eventHandlers {
+			for _, h := range ac.wsHandlers {
-				err := h(context.Background(), wsMsg)
+				h(context.Background(), wsMsg.Args)
 				if err != nil {
 					ac.logger.WithError(err).Warning("failed to run event handler")
 				}
 			}
 		}
 	}
 }
-func (ac *APIController) startEventHealth() {
+func (ac *APIController) startWSHealth() {
 	ticker := time.NewTicker(time.Second * 10)
 	for ; true; <-ticker.C {
-		if ac.eventConn == nil {
+		if ac.wsConn == nil {
-			go ac.recentEvents()
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.SendEventHello(map[string]interface{}{})
+		err := ac.SendWSHello(map[string]interface{}{})
 		if err != nil {
-			ac.logger.WithField("loop", "event-health").WithError(err).Warning("event write error")
+			ac.logger.WithField("loop", "ws-health").WithError(err).Warning("ws write error")
-			go ac.recentEvents()
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		} else {
-			ac.logger.WithField("loop", "event-health").Trace("hello'd")
+			ac.logger.WithField("loop", "ws-health").Trace("hello'd")
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
@ -236,19 +230,19 @@ func (ac *APIController) startIntervalUpdater() {
 	}
 }
-func (a *APIController) AddEventHandler(handler EventHandler) {
+func (a *APIController) AddWSHandler(handler WSHandler) {
-	a.eventHandlers = append(a.eventHandlers, handler)
+	a.wsHandlers = append(a.wsHandlers, handler)
 }
-func (a *APIController) SendEventHello(args map[string]interface{}) error {
+func (a *APIController) SendWSHello(args map[string]interface{}) error {
-	allArgs := a.getEventPingArgs()
+	allArgs := a.getWebsocketPingArgs()
 	for key, value := range args {
 		allArgs[key] = value
 	}
-	aliveMsg := Event{
+	aliveMsg := websocketMessage{
-		Instruction: EventKindHello,
+		Instruction: WebsocketInstructionHello,
 		Args:        allArgs,
 	}
-	err := a.eventConn.WriteJSON(aliveMsg)
+	err := a.wsConn.WriteJSON(aliveMsg)
 	return err
 }
--- a/internal/outpost/ak/api_ws_msg.go
+++ b/internal/outpost/ak/api_ws_msg.go
@ -0,0 +1,19 @@
 package ak
 type websocketInstruction int
 const (
 	// WebsocketInstructionAck Code used to acknowledge a previous message
 	WebsocketInstructionAck websocketInstruction = 0
 	// WebsocketInstructionHello Code used to send a healthcheck keepalive
 	WebsocketInstructionHello websocketInstruction = 1
 	// WebsocketInstructionTriggerUpdate Code received to trigger a config update
 	WebsocketInstructionTriggerUpdate websocketInstruction = 2
 	// WebsocketInstructionProviderSpecific Code received to trigger some provider specific function
 	WebsocketInstructionProviderSpecific websocketInstruction = 3
 )
 type websocketMessage struct {
 	Instruction websocketInstruction   `json:"instruction"`
 	Args        map[string]interface{} `json:"args"`
 }
--- a/internal/outpost/ak/api_event_test.go
+++ b/internal/outpost/ak/api_event_test.go
@ -15,7 +15,7 @@ func URLMustParse(u string) *url.URL {
 	return ur
 }
-func TestEventWebsocketURL(t *testing.T) {
+func TestWebsocketURL(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@ -23,7 +23,7 @@ func TestEventWebsocketURL(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?foo=bar", nu.String())
 }
-func TestEventWebsocketURL_Query(t *testing.T) {
+func TestWebsocketURL_Query(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@ -33,7 +33,7 @@ func TestEventWebsocketURL_Query(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?bar=baz&foo=bar", nu.String())
 }
-func TestEventWebsocketURL_Subpath(t *testing.T) {
+func TestWebsocketURL_Subpath(t *testing.T) {
 	u := URLMustParse("http://localhost:9000/foo/bar/")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
--- a/internal/outpost/ak/entrypoint/entrypoint.go
+++ b/internal/outpost/ak/entrypoint/entrypoint.go
@ -1,51 +0,0 @@
 package entrypoint
 import (
 	"errors"
 	"net/url"
 	"os"
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 )
 func OutpostMain(appName string, server func(ac *ak.APIController) ak.Outpost) error {
 	debug.EnableDebugServer(appName)
 	akURL := config.Get().AuthentikHost
 	if akURL == "" {
 		return errors.New("environment variable `AUTHENTIK_HOST` not set")
 	}
 	akToken := config.Get().AuthentikToken
 	if akToken == "" {
 		return errors.New("environment variable `AUTHENTIK_TOKEN` not set")
 	}
 	akURLActual, err := url.Parse(akURL)
 	if err != nil {
 		return err
 	}
 	ex := common.Init()
 	defer common.Defer()
 	ac := ak.NewAPIController(*akURLActual, akToken)
 	if ac == nil {
 		os.Exit(1)
 	}
 	defer ac.Shutdown()
 	ac.Server = server(ac)
 	err = ac.Start()
 	if err != nil {
 		ac.Log().WithError(err).Panic("Failed to run server")
 		return err
 	}
 	for {
 		<-ex
 		return nil
 	}
 }
--- a/internal/outpost/ak/global.go
+++ b/internal/outpost/ak/global.go
@ -48,20 +48,20 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 	if globalConfig.ErrorReporting.Enabled {
 		if !initialSetup {
 			l.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
-			err := sentry.Init(sentry.ClientOptions{
+		}
-				Dsn:           globalConfig.ErrorReporting.SentryDsn,
+		err := sentry.Init(sentry.ClientOptions{
-				Environment:   globalConfig.ErrorReporting.Environment,
+			Dsn:           globalConfig.ErrorReporting.SentryDsn,
-				EnableTracing: true,
+			Environment:   globalConfig.ErrorReporting.Environment,
-				TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
+			EnableTracing: true,
-				Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
+			TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
-				HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
+			Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
-				IgnoreErrors: []string{
+			HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
-					http.ErrAbortHandler.Error(),
+			IgnoreErrors: []string{
-				},
+				http.ErrAbortHandler.Error(),
-			})
+			},
-			if err != nil {
+		})
-				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+		if err != nil {
-			}
+			l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
 		}
 	}
--- a/internal/outpost/ak/test.go
+++ b/internal/outpost/ak/test.go
@ -55,10 +55,11 @@ func MockAK(outpost api.Outpost, globalConfig api.Config) *APIController {
 		token:  token,
 		logger: log,
-		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
+		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:    uuid.New(),
+		instanceUUID:        uuid.New(),
-		Outpost:         outpost,
+		Outpost:             outpost,
-		refreshHandlers: make([]func(), 0),
+		wsBackoffMultiplier: 1,
 		refreshHandlers:     make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
 	return ac
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -127,7 +127,7 @@ func (fe *FlowExecutor) getAnswer(stage StageComponent) string {
 	return ""
 }
-func (fe *FlowExecutor) SessionCookie() *http.Cookie {
+func (fe *FlowExecutor) GetSession() *http.Cookie {
 	return fe.session
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	e729e42595	release: 2025.6.1	2025-06-06 16:55:05 +02:00
Marc 'risson' Schmitt	01d591b84e	root: fix bumpversion Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-06-06 16:53:26 +02:00
gcp-cherry-pick-bot[bot]	dd08e1bf66	providers/proxy: add option to override host header with property mappings (cherry-pick #14927 ) (#14945 ) Co-authored-by: Jens L. <jens@goauthentik.io>	2025-06-06 15:27:10 +02:00
gcp-cherry-pick-bot[bot]	150705f221	web/user: fix user settings flow not loading (cherry-pick #14911 ) (#14930 ) web/user: fix user settings flow not loading (#14911) * web/user: fix user settings flow not loading * fix * unrelated fix: fix select caret color in dark theme --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-06-05 23:36:40 +02:00
Marc 'risson' Schmitt	6b39f6495e	tenants: fix tenant aware celery scheduler (cherry-pick #14921 )	2025-06-05 15:15:34 +02:00
gcp-cherry-pick-bot[bot]	639c57245b	website/docs: rotate supported versions: `2025.6` (cherry-pick #14856 ) (#14906 ) website/docs: rotate supported versions: `2025.6` (#14856) Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>	2025-06-04 18:46:58 +02:00
gcp-cherry-pick-bot[bot]	730600aea4	website/integrations: tailscale (cherry-pick #14499 ) (#14908 ) website/integrations: tailscale (#14499) * init * wording * lint * Update website/integrations/services/tailscale/index.md * Dewi's suggestions * still mention that its a placeholder * fix * Update website/integrations/services/tailscale/index.md * mv to end * indent * Update website/integrations/services/tailscale/index.md * Update website/integrations/services/tailscale/index.md * tweak to bump build * another tweak to bump build --------- Signed-off-by: Dominic R <dominic@sdko.org> Co-authored-by: Dominic R <dominic@sdko.org> Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Co-authored-by: Tana M Berry <tana@goauthentik.io>	2025-06-04 18:37:53 +02:00
gcp-cherry-pick-bot[bot]	e15ce5a3f0	website/release notes: add tailscale to new integrations (cherry-pick #14859 ) (#14877 ) website/release notes: add tailscale to new integrations (#14859) * website/release notes: add tailscale to new integrations ### What Adds Tailscale to the list of new integrations this release as it was merged like 5 minutes ago and technically 2025.6 isn't released just yet * tweaks to bump build --------- Signed-off-by: Dominic R <dominic@sdko.org> Co-authored-by: Dominic R <dominic@sdko.org> Co-authored-by: Tana M Berry <tana@goauthentik.io>	2025-06-04 17:06:01 +02:00
gcp-cherry-pick-bot[bot]	1fc91b004b	website/releases: order new integrations alphabetically (cherry-pick #14850 ) (#14876 ) website/releases: order new integrations alphabetically (#14850) ### What Orders the 2025.6 release note's new integrations alphabetically. It just bothers me. Signed-off-by: Dominic R <dominic@sdko.org> Co-authored-by: Dominic R <dominic@sdko.org>	2025-06-04 17:05:33 +02:00
Simonyi Gergő	644705e6fe	release: 2025.6.0	2025-06-03 22:04:09 +02:00
gcp-cherry-pick-bot[bot]	ff8ef523db	website/docs: finalize release notes for `2025.6` (cherry-pick #14854 ) (#14855 ) website/docs: finalize release notes for `2025.6` (#14854) * remove internal changes from release notes * add late additions to release notes * remove release candidate notice from `2025.6` * rotate supported versions * rotate releases in sidebar * Revert "rotate supported versions" This reverts commit `eea9d03e1d`. I'd like to do the release tonight, but I can't merge this because it needs a review from @teams/security. I'll open a separate PR for it. Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>	2025-06-03 22:01:40 +02:00
gcp-cherry-pick-bot[bot]	1051dd19ea	providers/rac: apply ConnectionToken scoped-settings last (cherry-pick #14838 ) (#14853 ) providers/rac: apply ConnectionToken scoped-settings last (#14838) * providers/rac: apply ConnectionToken scoped-settings last * fix tests --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-06-03 21:26:13 +02:00
gcp-cherry-pick-bot[bot]	04cb4fd267	lib/sync: fix static incorrect label of pages (cherry-pick #14851 ) (#14852 ) lib/sync: fix static incorrect label of pages (#14851) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-06-03 21:26:09 +02:00
gcp-cherry-pick-bot[bot]	da9508f839	website/docs: add LDAP docs for forward deletion and `memberUid` (cherry-pick #14814 ) (#14848 ) website/docs: add LDAP docs for forward deletion and `memberUid` (#14814) * website/docs: add LDAP docs for forward deletion and `memberUid` * reword LDAP docs --------- Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Dewi Roberts <dewi@goauthentik.io>	2025-06-03 19:31:04 +02:00
gcp-cherry-pick-bot[bot]	841a286a25	stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (cherry-pick #14801 ) (#14847 ) stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#14801) * stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs * replace removed device type in tests Android Authenticator with SafetyNet Attestation was removed from blob.jwt in the previous commit --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>	2025-06-03 19:30:56 +02:00
gcp-cherry-pick-bot[bot]	63c48d7b99	core: bump goauthentik.io/api/v3 from 3.2025041.2 to 3.2025041.4 (cherry-pick #14809 ) (#14846 ) core: bump goauthentik.io/api/v3 from 3.2025041.2 to 3.2025041.4 (#14809) Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go) from 3.2025041.2 to 3.2025041.4. - [Release notes](https://github.com/goauthentik/client-go/releases) - [Changelog](https://github.com/goauthentik/client-go/blob/main/model_version_history.go) - [Commits](https://github.com/goauthentik/client-go/compare/v3.2025041.2...v3.2025041.4) --- updated-dependencies: - dependency-name: goauthentik.io/api/v3 dependency-version: 3.2025041.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-06-03 19:30:14 +02:00
gcp-cherry-pick-bot[bot]	5994fd2c61	core, web: update translations (cherry-pick #14800 ) (#14845 ) core, web: update translations (#14800) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2025-06-03 19:30:06 +02:00
gcp-cherry-pick-bot[bot]	5f745e682e	website/integrations: Update Zammad SAML Instructions (cherry-pick #14774 ) (#14844 ) website/integrations: Update Zammad SAML Instructions (#14774) * Update Zammad SAML Instructions I just configured Zammad 6.4.1 to work with Authentik 2025.4.1. There seem to have been some changes since these instructions were written. The Name ID Format cannot be left blank. The SSO URL and the logout URL were incorrect. I was getting an Error 422 from Zammad until I turned on signing assertions, so I conclude that is required and I wrote instructions for that. I saw some discussion online elsewhere that the `----BEGIN` and `---END` lines should be removed. I tested it both ways and it worked both ways. I wrote the instructions to keep those lines in because it seemed simplest and most intuitive. * Incorporate separate instructions for certificate file * Incorporate simplified copy/paste instructions * Incoporate formatting change * Incorporate formatting changes * Removed reference to custom properties * Capitalisation * Formatting * Formatting * Updated language * Update website/integrations/services/zammad/index.md * Update website/integrations/services/zammad/index.md * tweak to bump build * bump build * use bold font for UI labels * my typo * capitalization fix --------- Signed-off-by: Paco Hope <pacohope@users.noreply.github.com> Co-authored-by: Paco Hope <pacohope@users.noreply.github.com> Co-authored-by: Dewi Roberts <dewi@goauthentik.io> Co-authored-by: Dominic R <dominic@sdko.org> Co-authored-by: Tana M Berry <tana@goauthentik.io>	2025-06-03 19:29:59 +02:00
gcp-cherry-pick-bot[bot]	6f1b16e7f9	website/integrations: remove trailing slash from budibase redirect (cherry-pick #14823 ) (#14843 ) website/integrations: remove trailing slash from budibase redirect (#14823) Removes trailing slash from redirect Co-authored-by: Dewi Roberts <dewi@goauthentik.io>	2025-06-03 19:29:51 +02:00
gcp-cherry-pick-bot[bot]	57bce19e7a	website/integrations: update cloudflare access callback url (cherry-pick #14807 ) (#14842 ) website/integrations: update cloudflare access callback url (#14807) Update CLoudflare Access index.md The callback URL had a trailing / that breaks the callback URL being matched by a strict policy. Signed-off-by: terafirmanz <53923271+terafirmanz@users.noreply.github.com> Co-authored-by: terafirmanz <53923271+terafirmanz@users.noreply.github.com>	2025-06-03 19:29:40 +02:00
gcp-cherry-pick-bot[bot]	850c5d5a45	website/docs: remove fluff from release notes 2025.6 (cherry-pick #14819 ) (#14820 ) remove fluff from release notes 2025.6 (#14819) Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>	2025-06-03 15:21:51 +02:00
gcp-cherry-pick-bot[bot]	8b7d11f94c	web: minor design tweaks (cherry-pick #14803 ) (#14804 ) web: minor design tweaks (#14803) * fix spacing between header and page desc * fix icon alignment * fallback text when we dont have a user yet --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-06-01 23:15:08 +02:00
Simonyi Gergő	45737909f6	release: 2025.6.0-rc1	2025-05-31 00:44:04 +02:00