fix ci

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.2
+current_version = 2025.4.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -21,8 +21,6 @@ optional_value = final
 
 [bumpversion:file:package.json]
 
-[bumpversion:file:package-lock.json]
-
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]
@@ -33,4 +31,6 @@ optional_value = final
 
 [bumpversion:file:internal/constants/constants.go]
 
+[bumpversion:file:web/src/common/constants.ts]
+
 [bumpversion:file:lifecycle/aws/template.yaml]

.dockerignore

@@ -5,10 +5,8 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
-**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
-.venv

.editorconfig

@@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.toml]
-indent_size = 2
-
 [*.html]
 indent_size = 2
 

.github/actions/setup/action.yml

@@ -36,7 +36,7 @@ runs:
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
-      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
+      uses: ScribeMD/docker-cache@0.5.0
       with:
         key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
@@ -48,7 +48,7 @@ runs:
     - name: Generate config
       shell: uv run python {0}
       run: |
-        from authentik.lib.generators import generate_id
+        from authentik.crypto.generators import generate_id
         from yaml import safe_dump
 
         with open("local.env.yml", "w") as _config:

.github/dependabot.yml

@@ -23,13 +23,7 @@ updates:
   - package-ecosystem: npm
     directories:
       - "/web"
-      - "/web/packages/sfe"
-      - "/web/packages/core"
-      - "/web/packages/esbuild-plugin-live-reload"
-      - "/packages/prettier-config"
-      - "/packages/tsconfig"
-      - "/packages/docusaurus-config"
-      - "/packages/eslint-config"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -74,9 +68,6 @@ updates:
       wdio:
         patterns:
           - "@wdio/*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
   - package-ecosystem: npm
     directory: "/website"
     schedule:
@@ -97,16 +88,6 @@ updates:
           - "swc-*"
           - "lightningcss*"
           - "@rspack/binding*"
-      goauthentik:
-        patterns:
-          - "@goauthentik/*"
-      eslint:
-        patterns:
-          - "@eslint/*"
-          - "@typescript-eslint/*"
-          - "eslint-*"
-          - "eslint"
-          - "typescript-eslint"
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:

.github/workflows/api-ts-publish.yml

@@ -53,7 +53,6 @@ jobs:
           signoff: true
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-main-daily.yml

@@ -15,8 +15,8 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-4
           - version-2025-2
+          - version-2024-12
     steps:
       - uses: actions/checkout@v4
       - run: |

.github/workflows/ci-main.yml

@@ -62,7 +62,6 @@ jobs:
         psql:
           - 15-alpine
           - 16-alpine
-          - 17-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
@@ -71,7 +70,7 @@ jobs:
       - name: checkout stable
         run: |
           # Copy current, latest config to local
-          cp authentik/lib/default.yml local.env.yml
+          cp authentik/common/config/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
           git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
@@ -117,7 +116,6 @@ jobs:
         psql:
           - 15-alpine
           - 16-alpine
-          - 17-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
@@ -202,7 +200,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
         working-directory: web
@@ -210,7 +208,6 @@ jobs:
           npm ci
           make -C .. gen-client-ts
           npm run build
-          npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}

.github/workflows/ci-website.yml

@@ -49,7 +49,6 @@ jobs:
       matrix:
         job:
           - build
-          - build:integrations
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -62,61 +61,12 @@ jobs:
       - name: build
         working-directory: website/
         run: npm run ${{ matrix.job }}
-  build-container:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-docs
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          platforms: linux/amd64,linux/arm64
-          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   ci-website-mark:
     if: always()
     needs:
       - lint
       - test
       - build
-      - build-container
     runs-on: ubuntu-latest
     steps:
       - uses: re-actors/alls-green@release/v1

.github/workflows/codeql-analysis.yml

@@ -2,7 +2,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
   pull_request:
     branches: [main]
   schedule:

.github/workflows/gen-update-webauthn-mds.yml

@@ -37,7 +37,6 @@ jobs:
           signoff: true
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/image-compress.yml

@@ -53,7 +53,6 @@ jobs:
           body: ${{ steps.compress.outputs.markdown }}
           delete-branch: true
           signoff: true
-          labels: dependencies
       - uses: peter-evans/enable-pull-request-automerge@v3
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         with:

.github/workflows/packages-npm-publish.yml

@@ -7,7 +7,6 @@ on:
       - packages/eslint-config/**
       - packages/prettier-config/**
       - packages/tsconfig/**
-      - web/packages/esbuild-plugin-live-reload/**
   workflow_dispatch:
 jobs:
   publish:
@@ -17,28 +16,27 @@ jobs:
       fail-fast: false
       matrix:
         package:
-          - packages/docusaurus-config
-          - packages/eslint-config
-          - packages/prettier-config
-          - packages/tsconfig
-          - web/packages/esbuild-plugin-live-reload
+          - docusaurus-config
+          - eslint-config
+          - prettier-config
+          - tsconfig
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 2
       - uses: actions/setup-node@v4
         with:
-          node-version-file: ${{ matrix.package }}/package.json
+          node-version-file: packages/${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
-            ${{ matrix.package }}/package.json
+            packages/${{ matrix.package }}/package.json
       - name: Publish package
         if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: ${{ matrix.package }}
+        working-directory: packages/${{ matrix.package}}
         run: |
           npm ci
           npm run build

.github/workflows/release-publish.yml

@@ -20,49 +20,6 @@ jobs:
       release: true
       registry_dockerhub: true
       registry_ghcr: true
-  build-docs:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/docs
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: true
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
@@ -236,6 +193,6 @@ jobs:
           SENTRY_ORG: authentik-security-inc
           SENTRY_PROJECT: authentik
         with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
           sourcemaps: "./web/dist"
           url_prefix: "~/static/dist"

.github/workflows/translation-extract-compile.yml

@@ -52,6 +52,3 @@ jobs:
           body: "core, web: update translations"
           delete-branch: true
           signoff: true
-          labels: dependencies
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>

.github/workflows/translation-rename.yml

@@ -15,7 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:
-      - uses: actions/checkout@v4
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:
@@ -26,13 +25,23 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
+          title=$(curl -q -L \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
           echo "title=${title}" >> "$GITHUB_OUTPUT"
       - name: Rename
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
+          curl -L \
+            -X PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
+            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
       - uses: peter-evans/enable-pull-request-automerge@v3
         with:
           token: ${{ steps.generate_token.outputs.token }}

.vscode/settings.json

@@ -6,15 +6,13 @@
         "!Context scalar",
         "!Enumerate sequence",
         "!Env scalar",
-        "!Env sequence",
         "!Find sequence",
         "!Format sequence",
         "!If sequence",
         "!Index scalar",
         "!KeyOf scalar",
         "!Value scalar",
-        "!AtIndex scalar",
-        "!ParseJSON scalar"
+        "!AtIndex scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",

Dockerfile

@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
+
+COPY ./website /work/website/
+COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
+COPY ./SECURITY.md /work/
+
+RUN npm run build-bundled
+
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,7 +32,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -21,10 +40,9 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build && \
-    npm run build:sfe
+RUN npm run build
 
-# Stage 2: Build go proxy
+# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
@@ -49,8 +67,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -61,7 +79,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 3: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@@ -74,10 +92,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.15 AS uv
-# Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
+# Stage 5: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
+# Stage 6: Base python image
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -90,7 +108,7 @@ WORKDIR /ak-root/
 
 COPY --from=uv /uv /uvx /bin/
 
-# Stage 6: Python dependencies
+# Stage 7: Python dependencies
 FROM python-base AS python-deps
 
 ARG TARGETARCH
@@ -125,7 +143,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-install-project --no-dev
 
-# Stage 7: Run
+# Stage 8: Run
 FROM python-base AS final-image
 
 ARG VERSION
@@ -168,8 +186,9 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

Makefile

@@ -1,7 +1,6 @@
 .PHONY: gen dev-reset all clean test web website
 
-SHELL := /usr/bin/env bash
-.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
@@ -9,13 +8,13 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
+GEN_API_TS = "gen-ts-api"
+GEN_API_PY = "gen-py-api"
+GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell uv run python -m authentik.common.config postgresql.user 2>/dev/null)
+pg_host := $(shell uv run python -m authentik.common.config postgresql.host 2>/dev/null)
+pg_name := $(shell uv run python -m authentik.common.config postgresql.name 2>/dev/null)
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
@@ -86,10 +85,6 @@ dev-create-db:
 
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 
-update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
-	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
-
 #########################
 ## API Schema
 #########################
@@ -98,7 +93,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		uv run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
@@ -122,19 +117,14 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 
 gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+	rm -rf ./${GEN_API_TS}/
+	rm -rf ./web/node_modules/@goauthentik/api/
 
 gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
+	rm -rf ./${GEN_API_GO}/
 
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ./${GEN_API_PY}/
 
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
@@ -150,9 +140,9 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm i
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
@@ -166,17 +156,24 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
+	pip install ./${GEN_API_PY}
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+	cp schema.yml ./${GEN_API_GO}/
+	docker run \
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/ \
+		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
 	uv run scripts/generate_config.py
@@ -247,7 +244,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
 test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
+	BUILD=true ./scripts/test_docker.sh
 
 #########################
 ## CI

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
+| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.6.2"
+__version__ = "2025.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/meta.py

@@ -7,8 +7,8 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
+from authentik.common.utils.reflection import get_apps
 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.reflection import get_apps
 from authentik.policies.event_matcher.models import model_choices
 
 

authentik/admin/api/metrics.py

@@ -0,0 +1,79 @@
+"""authentik administration metrics"""
+
+from datetime import timedelta
+
+from django.db.models.functions import ExtractHour
+from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import EventAction
+
+
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
+    """Login Metrics per 1h"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get successful authorizations per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
+class AdministrationMetricsViewSet(APIView):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAuthenticated]
+
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
+        return Response(serializer.data)

authentik/admin/api/system.py

@@ -7,6 +7,7 @@ from sys import version as python_version
 from typing import TypedDict
 
 from cryptography.hazmat.backends.openssl.backend import backend
+from django.apps import apps
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
@@ -17,12 +18,10 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import get_full_version
+from authentik.common.config import CONFIG
+from authentik.common.utils.reflection import get_env
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
-from authentik.lib.config import CONFIG
-from authentik.lib.utils.reflection import get_env
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import Outpost
 from authentik.rbac.permissions import HasPermission
 
 
@@ -103,6 +102,12 @@ class SystemInfoSerializer(PassiveSerializer):
 
     def get_embedded_outpost_host(self, request: Request) -> str:
         """Get the FQDN configured on the embedded outpost"""
+        if not apps.is_installed("authentik.outposts"):
+            return ""
+
+        from authentik.outposts.apps import MANAGED_OUTPOST
+        from authentik.outposts.models import Outpost
+
         outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
         if not outposts.exists():  # pragma: no cover
             return ""

authentik/admin/api/version.py

@@ -1,7 +1,6 @@
 """authentik administration overview"""
 
 from django.core.cache import cache
-from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -14,7 +13,6 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_current_tenant
 
 
 class VersionSerializer(PassiveSerializer):
@@ -37,8 +35,6 @@ class VersionSerializer(PassiveSerializer):
 
     def get_version_latest(self, _) -> str:
         """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
-            return __version__
         version_in_cache = cache.get(VERSION_CACHE_KEY)
         if not version_in_cache:  # pragma: no cover
             update_latest_version.delay()

authentik/admin/apps.py

@@ -14,19 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
     label = "authentik_admin"
     verbose_name = "authentik Admin"
     default = True
-
-    @ManagedAppConfig.reconcile_global
-    def clear_update_notifications(self):
-        """Clear update notifications on startup if the notification was for the version
-        we're running now."""
-        from packaging.version import parse
-
-        from authentik.admin.tasks import LOCAL_VERSION
-        from authentik.events.models import EventAction, Notification
-
-        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-            if "new_version" not in notification.event.context:
-                continue
-            notification_version = notification.event.context["new_version"]
-            if LOCAL_VERSION >= parse(notification_version):
-                notification.delete()

authentik/admin/settings.py

@@ -1,15 +1,13 @@
 """authentik admin settings"""
 
 from celery.schedules import crontab
-from django_tenants.utils import get_public_schema_name
 
-from authentik.lib.utils.time import fqdn_rand
+from authentik.common.utils.time import fqdn_rand
 
 CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
         "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
-        "tenant_schemas": [get_public_schema_name()],
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/tasks.py

@@ -1,6 +1,7 @@
 """authentik admin tasks"""
 
 from django.core.cache import cache
+from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@@ -8,10 +9,10 @@ from structlog.stdlib import get_logger
 
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.common.config import CONFIG
+from authentik.common.utils.http import get_http_session
+from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.lib.config import CONFIG
-from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -32,6 +33,20 @@ def _set_prom_info():
     )
 
 
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def clear_update_notifications():
+    """Clear update notifications on startup if the notification was for the version
+    we're running now."""
+    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+        if "new_version" not in notification.event.context:
+            continue
+        notification_version = notification.event.context["new_version"]
+        if LOCAL_VERSION >= parse(notification_version):
+            notification.delete()
+
+
 @CELERY_APP.task(bind=True, base=SystemTask)
 @prefill_task
 def update_latest_version(self: SystemTask):

authentik/admin/tests/test_api.py

@@ -8,7 +8,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
-from authentik.lib.generators import generate_id
+from authentik.crypto.generators import generate_id
 
 
 class TestAdminAPI(TestCase):
@@ -36,6 +36,11 @@ class TestAdminAPI(TestCase):
         body = loads(response.content)
         self.assertEqual(len(body), 0)
 
+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
+        self.assertEqual(response.status_code, 200)
+
     def test_apps(self):
         """Test apps API"""
         response = self.client.get(reverse("authentik_api:apps-list"))

authentik/admin/tests/test_tasks.py

@@ -1,16 +1,16 @@
 """test admin tasks"""
 
-from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 
 from authentik.admin.tasks import (
     VERSION_CACHE_KEY,
+    clear_update_notifications,
     update_latest_version,
 )
+from authentik.common.config import CONFIG
 from authentik.events.models import Event, EventAction
-from authentik.lib.config import CONFIG
 
 RESPONSE_VALID = {
     "$schema": "https://version.goauthentik.io/schema.json",
@@ -72,13 +72,12 @@ class TestAdminTasks(TestCase):
 
     def test_clear_update_notifications(self):
         """Test clear of previous notification"""
-        admin_config = apps.get_app_config("authentik_admin")
         Event.objects.create(
             action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
         )
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
         self.assertFalse(
             Event.objects.filter(
                 action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"

authentik/admin/urls.py

@@ -3,6 +3,7 @@
 from django.urls import path
 
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@@ -11,6 +12,11 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
     ("admin/apps", AppsViewSet, "apps"),
     ("admin/models", ModelViewSet, "models"),
+    path(
+        "admin/metrics/",
+        AdministrationMetricsViewSet.as_view(),
+        name="admin_metrics",
+    ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
     ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),

authentik/api/apps.py

@@ -1,13 +1,12 @@
 """authentik API AppConfig"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
     """authentik API Config"""
 
     name = "authentik.api"
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
-    default = True

authentik/api/authentication.py

@@ -1,30 +1,18 @@
 """API Authentication"""
 
-from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
 from typing import Any
 
-from django.conf import settings
-from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User, UserTypes
-from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.core.models import Token, TokenIntents, User
 
 LOGGER = get_logger()
-_tmp = Path(gettempdir())
-try:
-    with open(_tmp / "authentik-core-ipc.key") as _f:
-        ipc_key = _f.read()
-except OSError:
-    ipc_key = None
 
 
 def validate_auth(header: bytes) -> str | None:
@@ -77,70 +65,9 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
             raise AuthenticationFailed("Token invalid/expired")
         CTX_AUTH_VIA.set("jwt")
         return jwt_token.user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_secret_key(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("secret_key")
-        return user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_ipc(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("ipc")
-        return user
     raise AuthenticationFailed("Token invalid/expired")
 
 
-def token_secret_key(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    from authentik.outposts.apps import MANAGED_OUTPOST
-
-    if not compare_digest(value, settings.SECRET_KEY):
-        return None
-    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
-    if not outposts:
-        return None
-    outpost = outposts.first()
-    return outpost.user
-
-
-class IPCUser(AnonymousUser):
-    """'Virtual' user for IPC communication between authentik core and the authentik router"""
-
-    username = "authentik:system"
-    is_active = True
-    is_superuser = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    def has_perm(self, perm, obj=None):
-        return True
-
-    def has_perms(self, perm_list, obj=None):
-        return True
-
-    def has_module_perms(self, module):
-        return True
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-
-def token_ipc(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    if not ipc_key or not compare_digest(value, ipc_key):
-        return None
-    return IPCUser()
-
-
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 

authentik/api/tests/test_auth.py

@@ -3,19 +3,15 @@
 import json
 from base64 import b64encode
 
-from django.conf import settings
 from django.test import TestCase
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 
 from authentik.api.authentication import bearer_auth
-from authentik.blueprints.tests import reconcile_app
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
+from authentik.core.models import Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.lib.generators import generate_id
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.models import Outpost
-from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.crypto.generators import generate_id
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
 
@@ -52,21 +48,6 @@ class TestAPIAuth(TestCase):
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {token.key}".encode())
 
-    @reconcile_app("authentik_outposts")
-    def test_managed_outpost_fail(self):
-        """Test managed outpost"""
-        outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
-        outpost.user.delete()
-        outpost.delete()
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
-
-    @reconcile_app("authentik_outposts")
-    def test_managed_outpost_success(self):
-        """Test managed outpost"""
-        user: User = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
-        self.assertEqual(user.type, UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
     def test_jwt_valid(self):
         """Test valid JWT"""
         provider = OAuth2Provider.objects.create(

authentik/api/v3/config.py

@@ -19,9 +19,9 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from authentik.common.config import CONFIG
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.context_processors.base import get_context_processors
-from authentik.lib.config import CONFIG
 
 capabilities = Signal()
 

authentik/api/v3/urls.py

@@ -11,7 +11,7 @@ from structlog.stdlib import get_logger
 
 from authentik.api.v3.config import ConfigView
 from authentik.api.views import APIBrowserView
-from authentik.lib.utils.reflection import get_apps
+from authentik.common.utils.reflection import get_apps
 
 LOGGER = get_logger()
 

authentik/blueprints/management/commands/blueprint_shell.py

@@ -12,8 +12,8 @@ from structlog.stdlib import get_logger
 from yaml import load
 
 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
+from authentik.common.utils.errors import exception_to_string
 from authentik.core.management.commands.shell import get_banner_text
-from authentik.lib.utils.errors import exception_to_string
 
 LOGGER = get_logger()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -15,7 +15,7 @@ from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.lib.models import SerializerModel
+from authentik.common.models import SerializerModel
 
 LOGGER = get_logger()
 
@@ -72,33 +72,20 @@ class Command(BaseCommand):
                     "additionalProperties": True,
                 },
                 "entries": {
-                    "anyOf": [
-                        {
-                            "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
-                        },
-                        {
-                            "type": "object",
-                            "additionalProperties": {
-                                "type": "array",
-                                "items": {"$ref": "#/$defs/blueprint_entry"},
-                            },
-                        },
-                    ],
+                    "type": "array",
+                    "items": {
+                        "oneOf": [],
+                    },
                 },
             },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
         }
 
-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
     @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
         """Generate JSON Schema for blueprints"""
         self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
 
     @staticmethod
     def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                 }
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                 self.template_entry(model_path, model, serializer)
             )
 
@@ -147,7 +134,7 @@ class Command(BaseCommand):
                 "id": {"type": "string"},
                 "state": {
                     "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -218,7 +205,7 @@ class Command(BaseCommand):
                 "type": "object",
                 "required": ["permission"],
                 "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                     "user": {"type": "integer"},
                     "role": {"type": "string"},
                 },

authentik/blueprints/migrations/0001_initial.py

@@ -11,7 +11,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from yaml import load
 
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
-from authentik.lib.config import CONFIG
+from authentik.common.config import CONFIG
 
 
 def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):

authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py

@@ -2,7 +2,7 @@
 
 from django.db import migrations, models
 
-from authentik.lib.migrations import fallback_names
+from authentik.common.migrations import fallback_names
 
 
 class Migration(migrations.Migration):

authentik/blueprints/models.py

@@ -10,14 +10,14 @@ from rest_framework.serializers import Serializer
 from structlog import get_logger
 
 from authentik.blueprints.v1.oci import OCI_PREFIX, BlueprintOCIClient, OCIException
-from authentik.lib.config import CONFIG
-from authentik.lib.models import CreatedUpdatedModel, SerializerModel
-from authentik.lib.sentry import SentryIgnoredException
+from authentik.common.config import CONFIG
+from authentik.common.exceptions import NotReportedException
+from authentik.common.models import CreatedUpdatedModel, SerializerModel
 
 LOGGER = get_logger()
 
 
-class BlueprintRetrievalFailed(SentryIgnoredException):
+class BlueprintRetrievalFailed(NotReportedException):
     """Error raised when we are unable to fetch the blueprint contents, whether it be HTTP files
     not being accessible or local files not being readable"""
 

authentik/blueprints/settings.py

@@ -2,7 +2,7 @@
 
 from celery.schedules import crontab
 
-from authentik.lib.utils.time import fqdn_rand
+from authentik.common.utils.time import fqdn_rand
 
 CELERY_BEAT_SCHEDULE = {
     "blueprints_v1_discover": {

authentik/blueprints/tests/fixtures/state_present.yaml

@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
-      - identifiers:
-            name: "%(id)s"
-            slug: "%(id)s"
-        model: authentik_flows.flow
-        state: present
-        attrs:
-            designation: stage_configuration
-            title: foo
+    - identifiers:
+          name: "%(id)s"
+          slug: "%(id)s"
+      model: authentik_flows.flow
+      state: present
+      attrs:
+          designation: stage_configuration
+          title: foo

authentik/blueprints/tests/fixtures/tags.yaml

@@ -37,7 +37,6 @@ entries:
     - attrs:
           attributes:
               env_null: !Env [bar-baz, null]
-              json_parse: !ParseJSON '{"foo": "bar"}'
               policy_pk1:
                   !Format [
                       "%s-%s",

authentik/blueprints/tests/test_managed_app_config.py

@@ -1,14 +0,0 @@
-from django.test import TestCase
-
-from authentik.blueprints.apps import ManagedAppConfig
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestManagedAppConfig(TestCase):
-    def test_apps_use_managed_app_config(self):
-        for app in get_apps():
-            if app.name.startswith("authentik.enterprise"):
-                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
-            else:
-                self.assertIn(ManagedAppConfig, app.__class__.__bases__)

authentik/blueprints/tests/test_models.py

@@ -3,7 +3,7 @@
 from django.test import TestCase
 
 from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
-from authentik.lib.generators import generate_id
+from authentik.crypto.generators import generate_id
 
 
 class TestModels(TestCase):

authentik/blueprints/tests/test_packaged.py

@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 
 
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
         continue
     setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))

authentik/blueprints/tests/test_serializer_models.py

@@ -6,7 +6,7 @@ from django.apps import apps
 from django.test import TestCase
 
 from authentik.blueprints.v1.importer import is_model_allowed
-from authentik.lib.models import SerializerModel
+from authentik.common.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
 
 

authentik/blueprints/tests/test_v1.py

@@ -6,10 +6,10 @@ from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
+from authentik.common.tests import load_fixture
 from authentik.core.models import Group
+from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource
@@ -215,7 +215,6 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
-                    "json_parse": {"foo": "bar"},
                     "at_index_sequence": "foo",
                     "at_index_sequence_default": "non existent",
                     "at_index_mapping": 2,

authentik/blueprints/tests/test_v1_api.py

@@ -7,8 +7,8 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump
 
+from authentik.common.config import CONFIG
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.config import CONFIG
 
 TMP = mkdtemp("authentik-blueprints")
 

authentik/blueprints/tests/test_v1_conditional_fields.py

@@ -3,11 +3,11 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.common.tests import load_fixture
 from authentik.core.models import Application, Token, User
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 from authentik.sources.oauth.models import OAuthSource
 
 

authentik/blueprints/tests/test_v1_conditions.py

@@ -3,9 +3,9 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.common.tests import load_fixture
+from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 
 
 class TestBlueprintsV1Conditions(TransactionTestCase):

authentik/blueprints/tests/test_v1_rbac.py

@@ -4,10 +4,10 @@ from django.test import TransactionTestCase
 from guardian.shortcuts import get_perms
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.common.tests import load_fixture
 from authentik.core.models import User
+from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 from authentik.rbac.models import Role
 
 

authentik/blueprints/tests/test_v1_state.py

@@ -3,9 +3,9 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
+from authentik.common.tests import load_fixture
+from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 
 
 class TestBlueprintsV1State(TransactionTestCase):

authentik/blueprints/tests/test_v1_tasks.py

@@ -8,8 +8,8 @@ from yaml import dump
 
 from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discovery, blueprints_find
-from authentik.lib.config import CONFIG
-from authentik.lib.generators import generate_id
+from authentik.common.config import CONFIG
+from authentik.crypto.generators import generate_id
 
 TMP = mkdtemp("authentik-blueprints")
 

authentik/blueprints/v1/common.py

@@ -6,7 +6,6 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
-from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@@ -20,8 +19,8 @@ from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode
 
-from authentik.lib.models import SerializerModel
-from authentik.lib.sentry import SentryIgnoredException
+from authentik.common.exceptions import NotReportedException
+from authentik.common.models import SerializerModel
 from authentik.policies.models import PolicyBindingModel
 
 
@@ -192,18 +191,11 @@ class Blueprint:
     """Dataclass used for a full export"""
 
     version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
     context: dict = field(default_factory=dict)
 
     metadata: BlueprintMetadata | None = field(default=None)
 
-    def iter_entries(self) -> Iterable[BlueprintEntry]:
-        if isinstance(self.entries, dict):
-            for _section, entries in self.entries.items():
-                yield from entries
-        else:
-            yield from self.entries
-
 
 class YAMLTag:
     """Base class for all YAML Tags"""
@@ -234,7 +226,7 @@ class KeyOf(YAMLTag):
         self.id_from = node.value
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
             if _entry.id == self.id_from and _entry._state.instance:
                 # Special handling for PolicyBindingModels, as they'll have a different PK
                 # which is used when creating policy bindings
@@ -292,22 +284,6 @@ class Context(YAMLTag):
         return value
 
 
-class ParseJSON(YAMLTag):
-    """Parse JSON from context/env/etc value"""
-
-    raw: str
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
-        super().__init__()
-        self.raw = node.value
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            return loads(self.raw)
-        except JSONDecodeError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
-
-
 class Format(YAMLTag):
     """Format a string"""
 
@@ -683,10 +659,9 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
         self.add_constructor("!AtIndex", AtIndex)
-        self.add_constructor("!ParseJSON", ParseJSON)
 
 
-class EntryInvalidError(SentryIgnoredException):
+class EntryInvalidError(NotReportedException):
     """Error raised when an entry is invalid"""
 
     entry_model: str | None

authentik/blueprints/v1/importer.py

@@ -8,14 +8,11 @@ from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
-from django.contrib.auth.models import Permission
-from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError
 from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
-from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -31,119 +28,26 @@ from authentik.blueprints.v1.common import (
     EntryInvalidError,
 )
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.core.models import (
-    AuthenticatedSession,
-    GroupSourceConnection,
-    PropertyMapping,
-    Provider,
-    Session,
-    Source,
-    User,
-    UserSourceConnection,
-)
+from authentik.common.exceptions import NotReportedException
+from authentik.common.models import SerializerModel, excluded_models
+from authentik.common.utils.reflection import get_apps
+from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import LicenseUsage
-from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProviderGroup,
-    GoogleWorkspaceProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.ssf.models import StreamEvent
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
 from authentik.events.logs import LogEvent, capture_logs
-from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
-from authentik.flows.models import FlowToken, Stage
-from authentik.lib.models import SerializerModel
-from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.reflection import get_apps
-from authentik.outposts.models import OutpostServiceConnection
-from authentik.policies.models import Policy, PolicyBindingModel
-from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
-from authentik.providers.rac.models import ConnectionToken
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
-from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
-from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
-from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
 # Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
-def excluded_models() -> list[type[Model]]:
-    """Return a list of all excluded models that shouldn't be exposed via API
-    or other means (internal only, base classes, non-used objects, etc)"""
-
-    from django.contrib.auth.models import Group as DjangoGroup
-    from django.contrib.auth.models import User as DjangoUser
-
-    return (
-        # Django only classes
-        DjangoUser,
-        DjangoGroup,
-        ContentType,
-        Permission,
-        UserObjectPermission,
-        # Base classes
-        Provider,
-        Source,
-        PropertyMapping,
-        UserSourceConnection,
-        GroupSourceConnection,
-        Stage,
-        OutpostServiceConnection,
-        Policy,
-        PolicyBindingModel,
-        # Classes that have other dependencies
-        Session,
-        AuthenticatedSession,
-        # Classes which are only internally managed
-        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
-        FlowToken,
-        LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
-        Tenant,
-        SystemTask,
-        ConnectionToken,
-        AuthorizationCode,
-        AccessToken,
-        RefreshToken,
-        Reputation,
-        WebAuthnDeviceType,
-        SCIMSourceUser,
-        SCIMSourceGroup,
-        GoogleWorkspaceProviderUser,
-        GoogleWorkspaceProviderGroup,
-        MicrosoftEntraProviderUser,
-        MicrosoftEntraProviderGroup,
-        EndpointDevice,
-        EndpointDeviceConnection,
-        DeviceToken,
-        StreamEvent,
-    )
-
-
 def is_model_allowed(model: type[Model]) -> bool:
     """Check if model is allowed"""
     return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)
 
 
-class DoRollback(SentryIgnoredException):
+class DoRollback(NotReportedException):
     """Exception to trigger a rollback"""
 
 
@@ -384,7 +288,7 @@ class Importer:
     def _apply_models(self, raise_errors=False) -> bool:
         """Apply (create/update) models yaml"""
         self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
             model_app_label, model_name = entry.get_model(self._import).split(".")
             try:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)

authentik/blueprints/v1/meta/registry.py

@@ -47,7 +47,7 @@ class MetaModelRegistry:
         models = apps.get_models()
         for _, value in self.models.items():
             models.append(value)
-        return sorted(models, key=str)
+        return models
 
     def get_model(self, app_label: str, model_id: str) -> type[Model]:
         """Get model checks if any virtual models are registered, and falls back

authentik/blueprints/v1/oci.py

@@ -16,14 +16,14 @@ from requests.exceptions import RequestException
 from structlog import get_logger
 from structlog.stdlib import BoundLogger
 
-from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.http import authentik_user_agent
+from authentik.common.exceptions import NotReportedException
+from authentik.common.utils.http import authentik_user_agent
 
 OCI_MEDIA_TYPE = "application/vnd.goauthentik.blueprint.v1+yaml"
 OCI_PREFIX = "oci://"
 
 
-class OCIException(SentryIgnoredException):
+class OCIException(NotReportedException):
     """OCI-related errors"""
 
 

authentik/blueprints/v1/tasks.py

@@ -30,11 +30,11 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
+from authentik.common.config import CONFIG
 from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant
 

authentik/brands/api.py

@@ -59,7 +59,6 @@ class BrandSerializer(ModelSerializer):
             "flow_device_code",
             "default_application",
             "web_certificate",
-            "client_certificates",
             "attributes",
         ]
         extra_kwargs = {
@@ -121,7 +120,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "domain",
         "branding_title",
         "web_certificate__name",
-        "client_certificates__name",
     ]
     filterset_fields = [
         "brand_uuid",
@@ -138,7 +136,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "flow_user_settings",
         "flow_device_code",
         "web_certificate",
-        "client_certificates",
     ]
     ordering = ["domain"]
 

authentik/brands/apps.py

@@ -1,9 +1,9 @@
 """authentik brands app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
     """authentik Brand app"""
 
     name = "authentik.brands"
@@ -12,4 +12,3 @@ class AuthentikBrandsConfig(ManagedAppConfig):
     mountpoints = {
         "authentik.brands.urls_root": "",
     }
-    default = True

authentik/brands/migrations/0001_squashed_0005_tenant_web_certificate.py

@@ -5,7 +5,7 @@ import uuid
 import django.db.models.deletion
 from django.db import migrations, models
 
-import authentik.lib.utils.time
+import authentik.common.utils.time
 
 
 class Migration(migrations.Migration):
@@ -104,7 +104,7 @@ class Migration(migrations.Migration):
                     "Events will be deleted after this duration.(Format:"
                     " weeks=3;days=2;hours=3,seconds=2)."
                 ),
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
+                validators=[authentik.common.utils.time.timedelta_string_validator],
             ),
         ),
         migrations.AddField(

authentik/brands/migrations/0010_brand_client_certificates_and_more.py

@@ -1,37 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-19 15:09
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0009_brand_branding_default_flow_background"),
-        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="client_certificates",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                help_text="Certificates used for client authentication.",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="brand",
-            name="web_certificate",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Web Certificate used by the authentik Core webserver.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-    ]

authentik/brands/models.py

@@ -8,10 +8,10 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
+from authentik.common.config import CONFIG
+from authentik.common.models import SerializerModel
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.lib.config import CONFIG
-from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
 
@@ -73,13 +73,6 @@ class Brand(SerializerModel):
         default=None,
         on_delete=models.SET_DEFAULT,
         help_text=_("Web Certificate used by the authentik Core webserver."),
-        related_name="+",
-    )
-    client_certificates = models.ManyToManyField(
-        CertificateKeyPair,
-        default=None,
-        blank=True,
-        help_text=_("Certificates used for client authentication."),
     )
     attributes = models.JSONField(default=dict, blank=True)
 

authentik/brands/tests.py

@@ -7,7 +7,7 @@ from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.lib.generators import generate_id
+from authentik.crypto.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider
 
@@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                 "default_locale": "",
             },
         )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())

authentik/brands/utils.py

@@ -5,12 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe
+from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
-from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 
 _q_default = Q(default=True)
@@ -34,14 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     """Context Processor that injects brand object into every template"""
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
+    trace = ""
+    span = get_current_span()
+    if span:
+        trace = span.to_traceparent()
     return {
         "brand": brand,
-        "brand_css": brand_css,
         "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
+        "sentry_trace": trace,
         "version": get_full_version(),
     }

authentik/common/config/__init__.py

@@ -18,11 +18,11 @@ from typing import Any
 from urllib.parse import quote_plus, urlparse
 
 import yaml
-from django.conf import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured
 
-from authentik.lib.utils.dict import get_path_from_dict, set_path_in_dict
+from authentik.common.utils.dict import get_path_from_dict, set_path_in_dict
 
-SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
+SEARCH_PATHS = ["authentik/common/config/default.yml", "/etc/authentik/config.yml", ""] + glob(
     "/etc/authentik/config.d/*.yml", recursive=True
 )
 ENV_PREFIX = "AUTHENTIK"
@@ -100,7 +100,7 @@ class ConfigLoader:
     def __init__(self, **kwargs):
         super().__init__()
         self.__config = {}
-        base_dir = Path(__file__).parent.joinpath(Path("../..")).resolve()
+        base_dir = Path(__file__).parent.joinpath(Path("../../..")).resolve()
         for _path in SEARCH_PATHS:
             path = Path(_path)
             # Check if path is relative, and if so join with base_dir
@@ -363,9 +363,6 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
         if not pool_options:
             pool_options = True
-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    pool_options = False
 
     db = {
         "default": {

authentik/common/config/config.go

@@ -1,4 +1,4 @@
-package lib
+package config
 
 import _ "embed"
 

authentik/common/config/default.yml

@@ -8,12 +8,12 @@
 # make gen-dev-config
 # ```
 #
-# You may edit the generated file to override the configuration below.  
+# You may edit the generated file to override the configuration below.
 #
-# When making modifying the default configuration file, 
+# When making modifying the default configuration file,
 # ensure that the corresponding documentation is updated to match.
 #
-# @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
+# @see {@link ../../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
 
 postgresql:
   host: localhost
@@ -81,6 +81,7 @@ debugger: false
 
 log_level: info
 
+session_storage: cache
 sessions:
   unauthenticated_age: days=1
 

authentik/common/config/tests.py

@@ -6,10 +6,10 @@ from os import chmod, environ, unlink, write
 from tempfile import mkstemp
 from unittest import mock
 
-from django.conf import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured
 from django.test import TestCase
 
-from authentik.lib.config import (
+from authentik.common.config import (
     ENV_PREFIX,
     UNSET,
     Attr,
@@ -494,88 +494,86 @@ class TestConfig(TestCase):
             },
         )
 
-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    # def test_db_pool(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": True,
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
 
-    # def test_db_pool_options(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     config.set(
-    #         "postgresql.pool_options",
-    #         base64.b64encode(
-    #             dumps(
-    #                 {
-    #                     "max_size": 15,
-    #                 }
-    #             ).encode()
-    #         ).decode(),
-    #     )
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": {
-    #                         "max_size": 15,
-    #                     },
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )

authentik/common/exceptions/__init__.py

@@ -0,0 +1,7 @@
+class AuthentikException(Exception):
+    """Base class for authentik exceptions"""
+
+
+class NotReportedException(AuthentikException):
+    """Exception base class for all errors that are suppressed,
+    and not sent to any kind of monitoring."""

authentik/common/exceptions/tests.py

@@ -0,0 +1,18 @@
+"""test sentry integration"""
+
+from django.test import TestCase
+
+from authentik.common.exceptions import NotReportedException
+from authentik.root.sentry import before_send
+
+
+class TestSentry(TestCase):
+    """test sentry integration"""
+
+    def test_error_not_sent(self):
+        """Test SentryIgnoredError not sent"""
+        self.assertIsNone(before_send({}, {"exc_info": (0, NotReportedException(), 0)}))
+
+    def test_error_sent(self):
+        """Test error sent"""
+        self.assertEqual({}, before_send({}, {"exc_info": (0, ValueError(), 0)}))

authentik/common/expression/evaluator.py

@@ -18,11 +18,11 @@ from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
+from authentik.common.expression.exceptions import ControlFlowException
+from authentik.common.utils.http import get_http_session
+from authentik.common.utils.time import timedelta_from_string
 from authentik.core.models import User
 from authentik.events.models import Event
-from authentik.lib.expression.exceptions import ControlFlowException
-from authentik.lib.utils.http import get_http_session
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
 from authentik.policies.types import PolicyRequest, PolicyResult
@@ -234,7 +234,7 @@ class BaseEvaluator:
         """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
         If any exception is raised during execution, it is raised.
         The result is returned without any type-checking."""
-        with start_span(op="authentik.lib.evaluator.evaluate") as span:
+        with start_span(op="authentik.common.evaluator.evaluate") as span:
             span: Span
             span.description = self._filename
             span.set_data("expression", expression_source)

authentik/common/expression/exceptions.py

@@ -0,0 +1,6 @@
+from authentik.common.exceptions import NotReportedException
+
+
+class ControlFlowException(NotReportedException):
+    """Exceptions used to control the flow from exceptions, not reported as a warning/
+    error in logs"""

authentik/common/expression/tests.py

@@ -5,10 +5,10 @@ from django.urls import reverse
 from jwt import decode
 
 from authentik.blueprints.tests import apply_blueprint
+from authentik.common.expression.evaluator import BaseEvaluator
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
+from authentik.crypto.generators import generate_id
 from authentik.events.models import Event
-from authentik.lib.expression.evaluator import BaseEvaluator
-from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 
 

authentik/common/ldap/constants.py

@@ -0,0 +1 @@
+LDAP_DISTINGUISHED_NAME = "distinguishedName"

authentik/common/models/__init__.py

@@ -2,11 +2,15 @@
 
 import re
 
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.core.validators import URLValidator
 from django.db import models
+from django.db.models import Model
 from django.utils.regex_helper import _lazy_re_compile
+from guardian.models import UserObjectPermission
 from model_utils.managers import InheritanceManager
-from rest_framework.serializers import BaseSerializer
+from rest_framework.serializers import Serializer
 
 
 class SerializerModel(models.Model):
@@ -16,17 +20,8 @@ class SerializerModel(models.Model):
         abstract = True
 
     @property
-    def serializer(self) -> type[BaseSerializer]:
-        """Get serializer for this model"""
-        # Special handling for built-in source
-        if (
-            hasattr(self, "managed")
-            and hasattr(self, "MANAGED_INBUILT")
-            and self.managed == self.MANAGED_INBUILT
-        ):
-            from authentik.core.api.sources import SourceSerializer
-
-            return SourceSerializer
+    def serializer(self) -> type[Serializer]:
+        """Get serializer type for this model"""
         raise NotImplementedError
 
 
@@ -103,3 +98,32 @@ class DomainlessFormattedURLValidator(DomainlessURLValidator):
             re.IGNORECASE,
         )
         self.schemes = ["http", "https", "blank"] + list(self.schemes)
+
+
+__internal_models = []
+
+
+def internal_model(cls):
+    """Mark a model class as an internal model, which means it cannot be
+    managed by blueprints, and creations/changes will not be logged in the events."""
+    __internal_models.append(cls)
+    return cls
+
+
+def excluded_models() -> list[type[Model]]:
+    """Return a list of all excluded models that shouldn't be exposed via API
+    or other means (internal only, base classes, non-used objects, etc)"""
+
+    from django.apps import apps
+    from django.contrib.auth.models import Group as DjangoGroup
+    from django.contrib.auth.models import User as DjangoUser
+
+    static = [
+        # Django only classes
+        DjangoUser,
+        DjangoGroup,
+        ContentType,
+        Permission,
+        UserObjectPermission,
+    ]
+    return tuple(static + [x for x in apps.get_models() if x in __internal_models])

authentik/common/models/tests.py

@@ -5,9 +5,9 @@ from collections.abc import Callable
 from django.test import TestCase
 from rest_framework.serializers import BaseSerializer
 
+from authentik.common.models import SerializerModel
+from authentik.common.utils.reflection import all_subclasses
 from authentik.flows.models import Stage
-from authentik.lib.models import SerializerModel
-from authentik.lib.utils.reflection import all_subclasses
 
 
 class TestModels(TestCase):

authentik/common/oauth/constants.py

@@ -50,4 +50,3 @@ AMR_PASSWORD = "pwd"  # nosec
 AMR_MFA = "mfa"
 AMR_OTP = "otp"
 AMR_WEBAUTHN = "user"
-AMR_SMART_CARD = "sc"

authentik/common/oauth/errors.py

@@ -4,13 +4,13 @@ from urllib.parse import quote, urlparse
 
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 
+from authentik.common.exceptions import NotReportedException
+from authentik.common.views import bad_request_message
 from authentik.events.models import Event, EventAction
-from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.views import bad_request_message
 from authentik.providers.oauth2.models import GrantTypes, RedirectURI
 
 
-class OAuth2Error(SentryIgnoredException):
+class OAuth2Error(NotReportedException):
     """Base class for all OAuth2 Errors"""
 
     error: str

authentik/common/saml/api.py

@@ -0,0 +1,10 @@
+from rest_framework.fields import CharField
+
+from authentik.core.api.utils import PassiveSerializer
+
+
+class SAMLMetadataSerializer(PassiveSerializer):
+    """SAML Provider Metadata serializer"""
+
+    metadata = CharField(read_only=True)
+    download_url = CharField(read_only=True, required=False)

authentik/common/saml/exceptions.py

@@ -1,9 +1,9 @@
 """authentik saml source exceptions"""
 
-from authentik.lib.sentry import SentryIgnoredException
+from authentik.common.exceptions import NotReportedException
 
 
-class SAMLException(SentryIgnoredException):
+class SAMLException(NotReportedException):
     """Base SAML Exception"""
 
 

authentik/common/scim/schema.py

@@ -1,7 +1,5 @@
 """Custom SCIM schemas"""
 
-from enum import Enum
-
 from pydantic import Field
 from pydanticscim.group import Group as BaseGroup
 from pydanticscim.responses import PatchOperation as BasePatchOperation
@@ -67,21 +65,6 @@ class ServiceProviderConfiguration(BaseServiceProviderConfiguration):
         )
 
 
-class PatchOp(str, Enum):
-
-    replace = "replace"
-    remove = "remove"
-    add = "add"
-
-    @classmethod
-    def _missing_(cls, value):
-        value = value.lower()
-        for member in cls:
-            if member.lower() == value:
-                return member
-        return None
-
-
 class PatchRequest(BasePatchRequest):
     """PatchRequest which correctly sets schemas"""
 
@@ -91,7 +74,6 @@ class PatchRequest(BasePatchRequest):
 class PatchOperation(BasePatchOperation):
     """PatchOperation with optional path"""
 
-    op: PatchOp
     path: str | None
 
 

authentik/common/sync/mapper.py

@@ -3,12 +3,12 @@ from collections.abc import Generator
 from django.db.models import QuerySet
 from django.http import HttpRequest
 
+from authentik.common.expression.exceptions import ControlFlowException
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.expression.exceptions import (
     PropertyMappingExpressionException,
 )
 from authentik.core.models import PropertyMapping, User
-from authentik.lib.expression.exceptions import ControlFlowException
 
 
 class PropertyMappingManager: