release: 2023.4.0

2023-04-14 13:28:57 +03:00
177 changed files with 1277 additions and 3496 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.4.1
+current_version = 2023.4.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.dockerignore
+++ b/.dockerignore
@ -6,4 +6,3 @@ dist/**
 build/**
 build_docs/**
 Dockerfile
-authentik/enterprise
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,9 +1,10 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-title: ""
+title: ''
 labels: bug
-assignees: ""
+assignees: ''
+
 ---

 **Describe the bug**
@ -11,7 +12,6 @@ A clear and concise description of what the bug is.

 **To Reproduce**
 Steps to reproduce the behavior:
-
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
@ -27,9 +27,8 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**
-
-   authentik version: [e.g. 2021.8.5]
-   Deployment: [e.g. docker-compose, helm]
+ - authentik version: [e.g. 2021.8.5]
+ - Deployment: [e.g. docker-compose, helm]

 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -1,9 +1,10 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-title: ""
+title: ''
 labels: enhancement
-assignees: ""
+assignees: ''
+
 ---

 **Is your feature request related to a problem? Please describe.**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -1,9 +1,10 @@
 ---
 name: Question
 about: Ask a question about a feature or specific configuration
-title: ""
+title: ''
 labels: question
-assignees: ""
+assignees: ''
+
 ---

 **Describe your question/**
@ -19,9 +20,8 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**
-
-   authentik version: [e.g. 2021.8.5]
-   Deployment: [e.g. docker-compose, helm]
+ - authentik version: [e.g. 2021.8.5]
+ - Deployment: [e.g. docker-compose, helm]

 **Additional context**
 Add any other context about the problem here.
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -1,5 +1,5 @@
-name: "Comment usage instructions on PRs"
-description: "Comment usage instructions on PRs"
+name: 'Comment usage instructions on PRs'
+description: 'Comment usage instructions on PRs'

 inputs:
  tag:
@ -17,7 +17,7 @@ runs:
      id: fc
      with:
        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: "github-actions[bot]"
+        comment-author: 'github-actions[bot]'
        body-includes: authentik PR Installation instructions
    - name: Create or update comment
      uses: peter-evans/create-or-update-comment@v2
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -1,5 +1,5 @@
-name: "Prepare docker environment variables"
-description: "Prepare docker environment variables"
+name: 'Prepare docker environment variables'
+description: 'Prepare docker environment variables'

 outputs:
  shouldBuild:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -1,5 +1,5 @@
-name: "Setup authentik testing environment"
-description: "Setup authentik testing environment"
+name: 'Setup authentik testing environment'
+description: 'Setup authentik testing environment'

 inputs:
  postgresql_tag:
@ -18,13 +18,13 @@ runs:
    - name: Setup python and restore poetry
      uses: actions/setup-python@v3
      with:
-        python-version: "3.11"
-        cache: "poetry"
+        python-version: '3.11'
+        cache: 'poetry'
    - name: Setup node
      uses: actions/setup-node@v3.1.0
      with:
-        node-version: "20"
-        cache: "npm"
+        node-version: '18'
+        cache: 'npm'
        cache-dependency-path: web/package-lock.json
    - name: Setup dependencies
      shell: bash
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -1,23 +1,23 @@
-version: "3.7"
+version: '3.7'

 services:
  postgresql:
    container_name: postgres
    image: library/postgres:${PSQL_TAG:-12}
    volumes:
-      - db-data:/var/lib/postgresql/data
+    - db-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
      POSTGRES_DB: authentik
    ports:
-      - 5432:5432
+    - 5432:5432
    restart: always
  redis:
    container_name: redis
    image: library/redis
    ports:
-      - 6379:6379
+    - 6379:6379
    restart: always

 volumes:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,62 +1,62 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "ci:"
-  - package-ecosystem: gomod
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
-  - package-ecosystem: npm
-    directory: "/web"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "web:"
-  - package-ecosystem: npm
-    directory: "/website"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "website:"
-  - package-ecosystem: pip
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
-  - package-ecosystem: docker
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
+    - package-ecosystem: "github-actions"
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "ci:"
+    - package-ecosystem: gomod
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: npm
+      directory: "/web"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "web:"
+    - package-ecosystem: npm
+      directory: "/website"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "website:"
+    - package-ecosystem: pip
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: docker
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -5,20 +5,15 @@ Please check the [Contributing guidelines](https://github.com/goauthentik/authen
 -->

 # Details
-
-   **Does this resolve an issue?**
-    Resolves #
+* **Does this resolve an issue?**
+Resolves #

 ## Changes
-
 ### New Features
-
-   Adds feature which does x, y, and z.
+* Adds feature which does x, y, and z.

 ### Breaking Changes
-
-   Adds breaking change which causes \<issue\>.
+* Adds breaking change which causes \<issue\>.

 ## Additional
-
 Any further notes or comments you want to make.
--- a/.github/transifex.yml
+++ b/.github/transifex.yml
@ -6,11 +6,11 @@ git:
      source_language: en
      source_file: web/src/locales/en.po
      # path expression to translation files, must contain <lang> placeholder
-      translation_files_expression: "web/src/locales/<lang>.po"
+      translation_files_expression: 'web/src/locales/<lang>.po'
    - filter_type: file
      # all supported i18n types: https://docs.transifex.com/formats
      file_format: PO
      source_language: en
      source_file: locale/en/LC_MESSAGES/django.po
      # path expression to translation files, must contain <lang> placeholder
-      translation_files_expression: "locale/<lang>/LC_MESSAGES/django.po"
+      translation_files_expression: 'locale/<lang>/LC_MESSAGES/django.po'
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -23,14 +23,13 @@ jobs:
      fail-fast: false
      matrix:
        job:
-          - bandit
-          - black
-          - codespell
-          - isort
-          - pending-migrations
          - pylint
+          - black
+          - isort
+          - bandit
          - pyright
-          - ruff
+          - pending-migrations
+          - codespell
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
@ -61,7 +60,7 @@ jobs:
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout $(git describe --abbrev=0 --match 'version/*')
          rm -rf .github/ scripts/
          mv ../.github ../scripts .
      - name: Setup authentik env (ensure stable deps are installed)
@ -212,7 +211,6 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
@ -254,7 +252,6 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}-arm64
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -17,7 +17,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Prepare and generate API
        run: |
          # Create folder structure for go embeds
@ -36,7 +36,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Generate API
        run: make gen-client-go
      - name: Go unittests
@ -60,6 +60,8 @@ jobs:
          - proxy
          - ldap
          - radius
+        arch:
+          - "linux/amd64"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
@ -92,7 +94,7 @@ jobs:
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.arch }}
          context: .
  build-binary:
    timeout-minutes: 120
@ -112,10 +114,10 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
+          node-version: "18"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Generate API
@ -131,3 +133,7 @@ jobs:
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          path: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -17,8 +17,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -33,8 +33,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -49,8 +49,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -65,8 +65,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: |
@ -97,8 +97,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -17,8 +17,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
@ -31,8 +31,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
@ -52,8 +52,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,12 +2,12 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, "*", next, version*]
+    branches: [ main, '*', next, version* ]
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [main]
+    branches: [ main ]
  schedule:
-    - cron: "30 6 * * 5"
+    - cron: '30 6 * * 5'

 jobs:
  analyze:
@ -21,40 +21,40 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: ["go", "javascript", "python"]
+        language: [ 'go', 'javascript', 'python' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed

    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+    - name: Checkout repository
+      uses: actions/checkout@v3

-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main

-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2

-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl

-      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language

-      #- run: |
-      #   make bootstrap
-      #   make release
+    #- run: |
+    #   make bootstrap
+    #   make release

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -2,7 +2,7 @@ name: ghcr-retention

 on:
  schedule:
-    - cron: "0 0 * * *" # every day at midnight
+    - cron: '0 0 * * *'  # every day at midnight
  workflow_dispatch:

 jobs:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -57,7 +57,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
@ -107,11 +107,11 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - name: Build web
        working-directory: web/
@ -173,5 +173,5 @@ jobs:
          SENTRY_PROJECT: authentik
        with:
          version: authentik@${{ steps.ev.outputs.version }}
-          sourcemaps: "./web/dist"
-          url_prefix: "~/static/dist"
+          sourcemaps: './web/dist'
+          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -3,7 +3,7 @@ name: authentik-on-tag
 on:
  push:
    tags:
-      - "version/*"
+    - 'version/*'

 jobs:
  build:
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -1,12 +1,12 @@
 name: authentik-backend-translate-compile
 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "/locale/"
+      - '/locale/'
  pull_request:
    paths:
-      - "/locale/"
+      - '/locale/'
  workflow_dispatch:

 env:
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -1,9 +1,9 @@
 name: authentik-web-api-publish
 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "schema.yml"
+      - 'schema.yml'
  workflow_dispatch:
 jobs:
  build:
@ -14,8 +14,8 @@ jobs:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          registry-url: "https://registry.npmjs.org"
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
      - name: Generate API Client
        run: make gen-client-ts
      - name: Publish package
--- a/6
+++ b/6
@ -1,5 +1,5 @@
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder

 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
@ -10,7 +10,7 @@ WORKDIR /work/website
 RUN npm ci && npm run build-docs-only

 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as web-builder

 COPY ./web /work/web/
 COPY ./website /work/website/
@ -83,7 +83,7 @@ RUN apt-get update && \
    # Required for runtime
    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
-    apt-get install -y --no-install-recommends runit && \
+    apt-get install -y --no-install-recommends curl runit && \
    pip install --no-cache-dir -r /requirements.txt && \
    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \
    apt-get autoremove --purge -y && \
--- a/9
+++ b/9
@ -1,11 +1,6 @@
-Copyright (c) 2023 Jens Langhammer
+MIT License

-Portions of this software are licensed as follows:
-* All content residing under the "website/" directory of this repository is licensed under "Creative Commons: CC BY-SA 4.0 license".
-* All content that resides under the "authentik/enterprise/" directory of this repository, if that directory exists, is licensed under the license defined in "authentik/enterprise/LICENSE".
-* All client-side JavaScript (when served directly or after being compiled, arranged, augmented, or combined), is licensed under the "MIT Expat" license.
-* All third party components incorporated into the authentik are licensed under the original license provided by the owner of the applicable component.
-* Content outside of the above mentioned directories or restrictions above is available under the "MIT" license as defined below.
+Copyright (c) 2022 Jens Langhammer

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/14
+++ b/14
@ -3,7 +3,6 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle

 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
@ -39,14 +38,13 @@ test:
 	coverage report

 lint-fix:
-	isort authentik $(PY_SOURCES)
-	black authentik $(PY_SOURCES)
-	ruff authentik $(PY_SOURCES)
+	isort authentik tests scripts lifecycle
+	black authentik tests scripts lifecycle
 	codespell -w $(CODESPELL_ARGS)

 lint:
-	pylint $(PY_SOURCES)
-	bandit -r $(PY_SOURCES) -x node_modules
+	pylint authentik tests lifecycle
+	bandit -r authentik tests lifecycle -x node_modules
 	golangci-lint run -v

 migrate:
@ -173,6 +171,7 @@ website-watch:

 # These targets are use by GitHub actions to allow usage of matrix
 # which makes the YAML File a lot smaller
+PY_SOURCES=authentik tests lifecycle
 ci--meta-debug:
 	python -V
 	node --version
@ -183,9 +182,6 @@ ci-pylint: ci--meta-debug
 ci-black: ci--meta-debug
 	black --check $(PY_SOURCES)

-ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
-
 ci-codespell: ci--meta-debug
 	codespell $(CODESPELL_ARGS) -s

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional

-__version__ = "2023.4.1"
+__version__ = "2023.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -18,7 +18,6 @@ from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_tenant


 class RuntimeDict(TypedDict):
@ -78,7 +77,7 @@ class SystemSerializer(PassiveSerializer):

    def get_tenant(self, request: Request) -> str:
        """Currently active tenant"""
-        return str(get_tenant(request))
+        return str(request._request.tenant)

    def get_server_time(self, request: Request) -> datetime:
        """Current server time"""
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -29,7 +29,6 @@ class Capabilities(models.TextChoices):
    CAN_GEO_IP = "can_geo_ip"
    CAN_IMPERSONATE = "can_impersonate"
    CAN_DEBUG = "can_debug"
-    IS_ENTERPRISE = "is_enterprise"


 class ErrorReportingConfigSerializer(PassiveSerializer):
@ -71,8 +70,6 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_IMPERSONATE)
        if settings.DEBUG:  # pragma: no cover
            caps.append(Capabilities.CAN_DEBUG)
-        if "authentik.enterprise" in settings.INSTALLED_APPS:
-            caps.append(Capabilities.IS_ENTERPRISE)
        return caps

    def get_config(self) -> ConfigSerializer:
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -33,7 +33,6 @@ from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.flows.views.inspector import FlowInspectorView
-from authentik.interfaces.api import InterfaceViewSet
 from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.outposts.api.service_connections import (
    DockerServiceConnectionViewSet,
@ -124,8 +123,6 @@ router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
 router.register("core/tenants", TenantViewSet)

-router.register("interfaces", InterfaceViewSet)
-
 router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -6,6 +6,7 @@ from pathlib import Path
 import django.contrib.postgres.fields
 from dacite.core import from_dict
 from django.apps.registry import Apps
+from django.conf import settings
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from yaml import load
@ -14,7 +15,7 @@ from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
 from authentik.lib.config import CONFIG


-def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
+def check_blueprint_v1_file(BlueprintInstance: type["BlueprintInstance"], path: Path):
    """Check if blueprint should be imported"""
    from authentik.blueprints.models import BlueprintInstanceStatus
    from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -10,6 +10,7 @@ from django.db.models.functions import ExtractHour
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
+from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
@ -71,12 +72,10 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
-from authentik.tenants.utils import get_tenant
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()

@ -322,7 +321,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def _create_recovery_link(self) -> tuple[Optional[str], Optional[Token]]:
        """Create a recovery link (when the current tenant has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
-        tenant = get_tenant(self.request)
+        tenant: Tenant = self.request._request.tenant
        # Check that there is a recovery flow, if not return an error
        flow = tenant.flow_recovery
        if not flow:
@ -351,12 +350,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
        link = self.request.build_absolute_uri(
-            reverse_interface(
-                self.request,
-                InterfaceType.FLOW,
-                flow_slug=flow.slug,
-            ),
-            +f"?{querystring}",
+            reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+            + f"?{querystring}"
        )
        return link, token

--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -33,7 +33,6 @@ from authentik.lib.models import (
 )
 from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import PolicyBindingModel
-from authentik.tenants.utils import get_tenant

 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
@ -169,7 +168,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
        including the users attributes"""
        final_attributes = {}
        if request and hasattr(request, "tenant"):
-            always_merger.merge(final_attributes, get_tenant(request).attributes)
+            always_merger.merge(final_attributes, request.tenant.attributes)
        for group in self.ak_groups.all().order_by("name"):
            always_merger.merge(final_attributes, group.attributes)
        always_merger.merge(final_attributes, self.attributes)
@ -228,7 +227,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
        except Exception as exc:
            LOGGER.warning("Failed to get default locale", exc=exc)
        if request:
-            return get_tenant(request).default_locale
+            return request.tenant.locale
        return ""

    @property
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -25,8 +25,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_keys
@ -227,7 +226,7 @@ class SourceFlowManager:
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:root-redirect"
+            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        kwargs.update(
            {
@ -254,9 +253,9 @@ class SourceFlowManager:
            for stage in stages:
                plan.append_stage(stage)
        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            self.request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
            flow_slug=flow.slug,
        )

@ -300,9 +299,8 @@ class SourceFlowManager:
            _("Successfully linked %(source)s!" % {"source": self.source.name}),
        )
        return redirect(
-            # Not ideal that we don't directly redirect to the configured user interface
            reverse(
-                "authentik_core:root-redirect",
+                "authentik_core:if-user",
            )
            + f"#/settings;page-{self.source.slug}"
        )
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -59,6 +59,4 @@ class TestImpersonation(TestCase):
        self.client.force_login(self.other_user)

        response = self.client.get(reverse("authentik_core:impersonate-end"))
-        self.assertRedirects(
-            response, reverse("authentik_interfaces:if", kwargs={"if_name": "user"})
-        )
+        self.assertRedirects(response, reverse("authentik_core:if-user"))
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -3,30 +3,23 @@ from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
-from django.http import HttpRequest, HttpResponse
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.generic import RedirectView

 from authentik.core.views import apps, impersonate
 from authentik.core.views.debug import AccessDeniedView
+from authentik.core.views.interface import FlowInterfaceView, InterfaceView
 from authentik.core.views.session import EndSessionView
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import RedirectToInterface
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer

-
-def placeholder_view(request: HttpRequest, *args, **kwargs) -> HttpResponse:
-    """Empty view used as placeholder
-
-    (Mounted to websocket endpoints and used by e2e tests)"""
-    return HttpResponse(status_code=200)
-
-
 urlpatterns = [
    path(
        "",
-        login_required(RedirectToInterface.as_view(type=InterfaceType.USER)),
+        login_required(
+            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
+        ),
        name="root-redirect",
    ),
    path(
@ -47,16 +40,31 @@ urlpatterns = [
        name="impersonate-end",
    ),
    # Interfaces
+    path(
+        "if/admin/",
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        name="if-admin",
+    ),
+    path(
+        "if/user/",
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        name="if-user",
+    ),
+    path(
+        "if/flow/<slug:flow_slug>/",
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
+        name="if-flow",
+    ),
    path(
        "if/session-end/<slug:application_slug>/",
        ensure_csrf_cookie(EndSessionView.as_view()),
        name="if-session-end",
    ),
    # Fallback for WS
-    path("ws/outpost/<uuid:pk>/", placeholder_view),
+    path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
    path(
        "ws/client/",
-        placeholder_view,
+        InterfaceView.as_view(template_name="if/admin.html"),
    ),
 ]

--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -20,13 +20,11 @@ from authentik.flows.views.executor import (
    SESSION_KEY_PLAN,
    ToDefaultFlow,
 )
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
 )
-from authentik.tenants.utils import get_tenant


 class RedirectToAppLaunch(View):
@ -61,7 +59,7 @@ class RedirectToAppLaunch(View):
            raise Http404
        plan.insert_stage(in_memory_stage(RedirectToAppStage))
        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(request, InterfaceType.FLOW, flow_slug=flow.slug)
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)


 class RedirectToAppStage(ChallengeStageView):
--- a/authentik/core/views/impersonate.py
+++ b/authentik/core/views/impersonate.py
@ -35,7 +35,7 @@ class ImpersonateInitView(View):

        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)

-        return redirect("authentik_core:root-redirect")
+        return redirect("authentik_core:if-user")


 class ImpersonateEndView(View):
@ -48,7 +48,7 @@ class ImpersonateEndView(View):
            or SESSION_KEY_IMPERSONATE_ORIGINAL_USER not in request.session
        ):
            LOGGER.debug("Can't end impersonation", user=request.user)
-            return redirect("authentik_core:root-redirect")
+            return redirect("authentik_core:if-user")

        original_user = request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER]

--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -0,0 +1,36 @@
+"""Interface views"""
+from json import dumps
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
+from rest_framework.request import Request
+
+from authentik import get_build_hash
+from authentik.admin.tasks import LOCAL_VERSION
+from authentik.api.v3.config import ConfigView
+from authentik.flows.models import Flow
+from authentik.tenants.api import CurrentTenantSerializer
+
+
+class InterfaceView(TemplateView):
+    """Base interface view"""
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
+        kwargs["tenant_json"] = dumps(CurrentTenantSerializer(self.request.tenant).data)
+        kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
+        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
+        kwargs["build"] = get_build_hash()
+        return super().get_context_data(**kwargs)
+
+
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
+
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)
--- a/authentik/crypto/migrations/0002_create_self_signed_kp.py
+++ b/authentik/crypto/migrations/0002_create_self_signed_kp.py
@ -2,6 +2,8 @@

 from django.db import migrations

+from authentik.lib.generators import generate_id
+

 class Migration(migrations.Migration):
    dependencies = [
--- a/authentik/enterprise/LICENSE
+++ b/authentik/enterprise/LICENSE
@ -1,45 +0,0 @@
-The authentik Enterprise Edition (EE) license (the “EE License”)
-Copyright (c) 2022-present Authentik Security Inc.
-
-With regard to the authentik Software:
-
-This software and associated documentation files (the "Software") may only be
-used in production, if you (and any entity that you represent) have agreed to,
-and are in compliance with, the Authentik Subscription Terms of Service, available
-at https://goauthentik.io/legal/terms (the "EE Terms"), or other
-agreement governing the use of the Software, as agreed by you and authentik Security Inc,
-and otherwise have a valid authentik Enterprise Edition subscription for the
-correct number of user seats. Subject to the foregoing sentence, you are free to
-modify this Software and publish patches to the Software. You agree that Authentik
-Security Inc. and/or its licensors (as applicable) retain all right, title and interest
-in and to all such modifications and/or patches, and all such modifications and/or
-patches may only be used, copied, modified, displayed, distributed, or otherwise
-exploited with a valid authentik Enterprise Edition subscription for the  correct
-number of user seats.  Notwithstanding the foregoing, you may copy and modify
-the Software for development and testing purposes, without requiring a
-subscription.  You agree that Authentik Security Inc. and/or its
-licensors (as applicable) retain all right, title and interest in
-and to all such modifications.  You are not granted any other rights
-beyond what is expressly stated herein.  Subject to the
-foregoing, it is forbidden to copy, merge, publish, distribute, sublicense,
-and/or sell the Software.
-
-This EE License applies only to the part of this Software that is not
-distributed as part of authentik Open Source (OSS). Any part of this Software
-distributed as part of authentik OSS or is served client-side as an image, font,
-cascading stylesheet (CSS), file which produces or is compiled, arranged,
-augmented, or combined into client-side JavaScript, in whole or in part, is
-copyrighted under the MIT license. The full text of this EE License shall
-be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-For all third party components incorporated into the authentik Software, those
-components are licensed under the original license provided by the owner of the
-applicable component.
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@ -1,11 +0,0 @@
-"""Enterprise app config"""
-from authentik.blueprints.apps import ManagedAppConfig
-
-
-class AuthentikEnterpriseConfig(ManagedAppConfig):
-    """Enterprise app config"""
-
-    name = "authentik.enterprise"
-    label = "authentik_enterprise"
-    verbose_name = "authentik Enterprise"
-    default = True
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -1 +0,0 @@
-"""Enterprise additional settings"""
--- a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
+++ b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@ -11,6 +11,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.events.models
 import authentik.lib.models
+from authentik.events.models import EventAction, NotificationSeverity, TransportMode
 from authentik.lib.migrations import progress_bar


--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -41,7 +41,8 @@ from authentik.lib.utils.http import get_client_ip, get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
-from authentik.tenants.utils import get_fallback_tenant, get_tenant
+from authentik.tenants.models import Tenant
+from authentik.tenants.utils import DEFAULT_TENANT

 LOGGER = get_logger()
 if TYPE_CHECKING:
@ -56,7 +57,7 @@ def default_event_duration():

 def default_tenant():
    """Get a default value for tenant"""
-    return sanitize_dict(model_to_dict(get_fallback_tenant()))
+    return sanitize_dict(model_to_dict(DEFAULT_TENANT))


 class NotificationTransportError(SentryIgnoredException):
@ -226,7 +227,7 @@ class Event(SerializerModel, ExpiringModel):
                wrapped = self.context["http_request"]["args"][QS_QUERY]
                self.context["http_request"]["args"] = QueryDict(wrapped)
        if hasattr(request, "tenant"):
-            tenant = get_tenant(request)
+            tenant: Tenant = request.tenant
            # Because self.created only gets set on save, we can't use it's value here
            # hence we set self.created to now and then use it
            self.created = now()
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -25,8 +25,6 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
 from authentik.flows.planner import CACHE_PREFIX, PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.flows.views.executor import SESSION_KEY_HISTORY, SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -296,11 +294,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        return Response(
            {
                "link": request._request.build_absolute_uri(
-                    reverse_interface(
-                        request,
-                        InterfaceType.FLOW,
-                        flow_slug=flow.slug,
-                    ),
+                    reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
                )
            }
        )
--- a/authentik/flows/tests/test_views_helper.py
+++ b/authentik/flows/tests/test_views_helper.py
@ -7,8 +7,6 @@ from authentik.core.tests.utils import create_test_flow
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.tests import reverse_interface
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider

@ -23,10 +21,7 @@ class TestHelperView(TestCase):
        response = self.client.get(
            reverse("authentik_flows:default-invalidation"),
        )
-        expected_url = reverse_interface(
-            InterfaceType.FLOW,
-            flow_slug=flow.slug,
-        )
+        expected_url = reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, expected_url)

@ -77,9 +72,6 @@ class TestHelperView(TestCase):
        response = self.client.get(
            reverse("authentik_flows:default-invalidation"),
        )
-        expected_url = reverse_interface(
-            InterfaceType.FLOW,
-            flow_slug=flow.slug,
-        )
+        expected_url = reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, expected_url)
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -53,14 +53,12 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import AccessDeniedChallengeView, StageView
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
 from authentik.policies.engine import PolicyEngine
-from authentik.tenants.utils import get_tenant
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()
 # Argument used to redirect user after login
@ -481,7 +479,7 @@ class ToDefaultFlow(View):

    def get_flow(self) -> Flow:
        """Get a flow for the selected designation"""
-        tenant = get_tenant(self.request)
+        tenant: Tenant = self.request.tenant
        flow = None
        # First, attempt to get default flow from tenant
        if self.designation == FlowDesignation.AUTHENTICATION:
@ -514,7 +512,7 @@ class ToDefaultFlow(View):
                    flow_slug=flow.slug,
                )
                del self.request.session[SESSION_KEY_PLAN]
-        return redirect_to_default_interface(request, InterfaceType.FLOW, flow_slug=flow.slug)
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)


 def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpResponse:
@ -585,8 +583,8 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
            LOGGER.warning("Flow not applicable to user")
            raise Http404
        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            self.request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
            flow_slug=stage.configure_flow.slug,
        )
--- a/authentik/interfaces/init.py
+++ b/authentik/interfaces/init.py
--- a/authentik/interfaces/api.py
+++ b/authentik/interfaces/api.py
@ -1,28 +0,0 @@
-"""interfaces API"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.interfaces.models import Interface
-
-
-class InterfaceSerializer(ModelSerializer):
-    """Interface serializer"""
-
-    class Meta:
-        model = Interface
-        fields = [
-            "interface_uuid",
-            "url_name",
-            "type",
-            "template",
-        ]
-
-
-class InterfaceViewSet(UsedByMixin, ModelViewSet):
-    """Interface serializer"""
-
-    queryset = Interface.objects.all()
-    serializer_class = InterfaceSerializer
-    filterset_fields = ["url_name", "type", "template"]
-    search_fields = ["url_name", "type", "template"]
--- a/authentik/interfaces/apps.py
+++ b/authentik/interfaces/apps.py
@ -1,12 +0,0 @@
-"""authentik interfaces app config"""
-from authentik.blueprints.apps import ManagedAppConfig
-
-
-class AuthentikInterfacesConfig(ManagedAppConfig):
-    """authentik interfaces app config"""
-
-    name = "authentik.interfaces"
-    label = "authentik_interfaces"
-    verbose_name = "authentik Interfaces"
-    mountpoint = "if/"
-    default = True
--- a/authentik/interfaces/migrations/0001_initial.py
+++ b/authentik/interfaces/migrations/0001_initial.py
@ -1,36 +0,0 @@
-# Generated by Django 4.1.7 on 2023-02-16 11:01
-
-import uuid
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    initial = True
-
-    dependencies = []
-
-    operations = [
-        migrations.CreateModel(
-            name="Interface",
-            fields=[
-                (
-                    "interface_uuid",
-                    models.UUIDField(
-                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-                    ),
-                ),
-                ("url_name", models.SlugField(unique=True)),
-                (
-                    "type",
-                    models.TextField(
-                        choices=[("user", "User"), ("admin", "Admin"), ("flow", "Flow")]
-                    ),
-                ),
-                ("template", models.TextField()),
-            ],
-            options={
-                "abstract": False,
-            },
-        ),
-    ]
--- a/authentik/interfaces/migrations/init.py
+++ b/authentik/interfaces/migrations/init.py
--- a/authentik/interfaces/models.py
+++ b/authentik/interfaces/models.py
@ -1,33 +0,0 @@
-"""Interface models"""
-from typing import Type
-from uuid import uuid4
-
-from django.db import models
-from rest_framework.serializers import BaseSerializer
-
-from authentik.lib.models import SerializerModel
-
-
-class InterfaceType(models.TextChoices):
-    """Interface types"""
-
-    USER = "user"
-    ADMIN = "admin"
-    FLOW = "flow"
-
-
-class Interface(SerializerModel):
-    """Interface"""
-
-    interface_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-
-    url_name = models.SlugField(unique=True)
-
-    type = models.TextField(choices=InterfaceType.choices)
-    template = models.TextField()
-
-    @property
-    def serializer(self) -> Type[BaseSerializer]:
-        from authentik.interfaces.api import InterfaceSerializer
-
-        return InterfaceSerializer
--- a/authentik/interfaces/tests.py
+++ b/authentik/interfaces/tests.py
@ -1,12 +0,0 @@
-"""Interface tests"""
-from django.test import RequestFactory
-
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface as full_reverse_interface
-
-
-def reverse_interface(interface_type: InterfaceType, **kwargs):
-    """reverse_interface wrapper for tests"""
-    factory = RequestFactory()
-    request = factory.get("/")
-    return full_reverse_interface(request, interface_type, **kwargs)
--- a/authentik/interfaces/urls.py
+++ b/authentik/interfaces/urls.py
@ -1,14 +0,0 @@
-"""Interface urls"""
-from django.urls import path
-
-from authentik.interfaces.views import InterfaceView
-
-urlpatterns = [
-    path(
-        "<slug:if_name>/",
-        InterfaceView.as_view(),
-        kwargs={"flow_slug": None},
-        name="if",
-    ),
-    path("<slug:if_name>/<slug:flow_slug>/", InterfaceView.as_view(), name="if"),
-]
--- a/authentik/interfaces/views.py
+++ b/authentik/interfaces/views.py
@ -1,113 +0,0 @@
-"""Interface views"""
-from json import dumps
-from typing import Any, Optional
-from urllib.parse import urlencode
-
-from django.http import Http404, HttpRequest, HttpResponse, QueryDict
-from django.shortcuts import get_object_or_404, redirect
-from django.template import Template, TemplateSyntaxError, engines
-from django.template.response import TemplateResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.cache import cache_page
-from django.views.decorators.csrf import ensure_csrf_cookie
-from rest_framework.request import Request
-from structlog.stdlib import get_logger
-
-from authentik import get_build_hash
-from authentik.admin.tasks import LOCAL_VERSION
-from authentik.api.v3.config import ConfigView
-from authentik.flows.models import Flow
-from authentik.interfaces.models import Interface, InterfaceType
-from authentik.lib.utils.urls import reverse_with_qs
-from authentik.tenants.api import CurrentTenantSerializer
-from authentik.tenants.utils import get_tenant
-
-LOGGER = get_logger()
-
-
-def template_from_string(template_string: str) -> Template:
-    """Render template from string"""
-    chain = []
-    engine_list = engines.all()
-    for engine in engine_list:
-        try:
-            return engine.from_string(template_string)
-        except TemplateSyntaxError as exc:
-            chain.append(exc)
-    raise TemplateSyntaxError(template_string, chain=chain)
-
-
-def redirect_to_default_interface(request: HttpRequest, interface_type: InterfaceType, **kwargs):
-    """Shortcut to inline redirect to default interface,
-    keeping GET parameters of the passed request"""
-    return RedirectToInterface.as_view(type=interface_type)(request, **kwargs)
-
-
-def reverse_interface(
-    request: HttpRequest, interface_type: InterfaceType, query: Optional[QueryDict] = None, **kwargs
-):
-    """Reverse URL to configured default interface"""
-    tenant = get_tenant(request)
-    interface: Interface = None
-
-    if interface_type == InterfaceType.USER:
-        interface = tenant.interface_user
-    if interface_type == InterfaceType.ADMIN:
-        interface = tenant.interface_admin
-    if interface_type == InterfaceType.FLOW:
-        interface = tenant.interface_flow
-
-    if not interface:
-        LOGGER.warning("No interface found", type=interface_type, tenant=tenant)
-        raise Http404()
-    kwargs["if_name"] = interface.url_name
-    return reverse_with_qs(
-        "authentik_interfaces:if",
-        query=query or request.GET,
-        kwargs=kwargs,
-    )
-
-
-class RedirectToInterface(View):
-    """Redirect to tenant's configured view for specified type"""
-
-    type: Optional[InterfaceType] = None
-
-    def dispatch(self, request: HttpRequest, **kwargs: Any) -> HttpResponse:
-        target = reverse_interface(request, self.type, **kwargs)
-        if self.request.GET:
-            target += "?" + urlencode(self.request.GET.items())
-        return redirect(target)
-
-
-@method_decorator(ensure_csrf_cookie, name="dispatch")
-@method_decorator(cache_page(60 * 10), name="dispatch")
-class InterfaceView(View):
-    """General interface view"""
-
-    def get_context_data(self) -> dict[str, Any]:
-        """Get template context"""
-        return {
-            "config_json": dumps(ConfigView(request=Request(self.request)).get_config().data),
-            "tenant_json": dumps(CurrentTenantSerializer(get_tenant(self.request)).data),
-            "version_family": f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}",
-            "version_subdomain": f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}",
-            "build": get_build_hash(),
-        }
-
-    def type_flow(self, context: dict[str, Any]):
-        """Special handling for flow interfaces"""
-        if self.kwargs.get("flow_slug", None) is None:
-            raise Http404()
-        context["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        context["inspector"] = "inspector" in self.request.GET
-
-    def dispatch(self, request: HttpRequest, if_name: str, **kwargs: Any) -> HttpResponse:
-        context = self.get_context_data()
-        # TODO: Cache
-        interface: Interface = get_object_or_404(Interface, url_name=if_name)
-        if interface.type == InterfaceType.FLOW:
-            self.type_flow(context)
-        template = template_from_string(interface.template)
-        return TemplateResponse(request, template, context)
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -13,6 +13,7 @@ from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump

+from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH, SSHManagedExternallyException
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@ -22,7 +22,7 @@ from kubernetes.client import (
    V1SecurityContext,
 )

-from authentik import get_full_version
+from authentik import __version__, get_full_version
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -12,7 +12,6 @@ from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-from authentik.tenants.utils import get_tenant

 LOGGER = get_logger()
 RE_LOWER = re.compile("[a-z]")
@ -144,8 +143,7 @@ class PasswordPolicy(Policy):
            user_inputs.append(request.user.name)
            user_inputs.append(request.user.email)
        if request.http_request:
-            tenant = get_tenant(request.http_request)
-            user_inputs.append(tenant.branding_title)
+            user_inputs.append(request.http_request.tenant.branding_title)
        # Only calculate result for the first 100 characters, as with over 100 char
        # long passwords we can be reasonably sure that they'll surpass the score anyways
        # See https://github.com/dropbox/zxcvbn#runtime-latency
--- a/authentik/policies/password/tests/test_flows.py
+++ b/authentik/policies/password/tests/test_flows.py
@ -59,7 +59,6 @@ class TestPasswordPolicyFlow(FlowTestCase):
                    "label": "PASSWORD_LABEL",
                    "order": 0,
                    "placeholder": "PASSWORD_PLACEHOLDER",
-                    "initial_value": "",
                    "required": True,
                    "type": "password",
                    "sub_text": "",
--- a/authentik/providers/oauth2/migrations/0001_initial.py
+++ b/authentik/providers/oauth2/migrations/0001_initial.py
@ -1,8 +1,10 @@
 # Generated by Django 3.1 on 2020-08-18 15:59

 import django.db.models.deletion
+from django.apps.registry import Apps
 from django.conf import settings
 from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.core.models
 import authentik.lib.generators
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -39,9 +39,8 @@ class TesOAuth2DeviceInit(OAuthTestCase):
        self.assertEqual(
            res.url,
            reverse(
-                "authentik_interfaces:if",
+                "authentik_core:if-flow",
                kwargs={
-                    "if_name": "flow",
                    "flow_slug": self.device_flow.slug,
                },
            ),
@ -69,9 +68,8 @@ class TesOAuth2DeviceInit(OAuthTestCase):
        self.assertEqual(
            res.url,
            reverse(
-                "authentik_interfaces:if",
+                "authentik_core:if-flow",
                kwargs={
-                    "if_name": "flow",
                    "flow_slug": self.provider.authorization_flow.slug,
                },
            )
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -29,9 +29,8 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
 from authentik.policies.views import PolicyAccessView, RequestValidationError
@ -69,7 +68,7 @@ from authentik.stages.consent.stage import (

 LOGGER = get_logger()

-PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
+PLAN_CONTEXT_PARAMS = "params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"

 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
@ -405,9 +404,9 @@ class AuthorizationFlowInitView(PolicyAccessView):
        plan.append_stage(in_memory_stage(OAuthFulfillmentStage))

        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            self.request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
            flow_slug=self.provider.authorization_flow.slug,
        )

--- a/authentik/providers/oauth2/views/device_finish.py
+++ b/authentik/providers/oauth2/views/device_finish.py
@ -8,7 +8,7 @@ from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.providers.oauth2.models import DeviceToken

-PLAN_CONTEXT_DEVICE = "goauthentik.io/providers/oauth2/device"
+PLAN_CONTEXT_DEVICE = "device"


 class OAuthDeviceCodeFinishChallenge(Challenge):
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -15,8 +15,7 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider
 from authentik.providers.oauth2.views.device_finish import (
    PLAN_CONTEXT_DEVICE,
@ -27,7 +26,7 @@ from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
 )
-from authentik.tenants.utils import get_tenant
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()
 QS_KEY_CODE = "code"  # nosec
@ -78,9 +77,9 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
        return None
    plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
    request.session[SESSION_KEY_PLAN] = plan
-    return redirect_to_default_interface(
-        request,
-        InterfaceType.FLOW,
+    return redirect_with_qs(
+        "authentik_core:if-flow",
+        request.GET,
        flow_slug=token.provider.authorization_flow.slug,
    )

@ -89,7 +88,7 @@ class DeviceEntryView(View):
    """View used to initiate the device-code flow, url entered by endusers"""

    def dispatch(self, request: HttpRequest) -> HttpResponse:
-        tenant = get_tenant(request)
+        tenant: Tenant = request.tenant
        device_flow = tenant.flow_device_code
        if not device_flow:
            LOGGER.info("Tenant has no device code flow configured", tenant=tenant)
@ -111,9 +110,9 @@ class DeviceEntryView(View):
        plan.append_stage(in_memory_stage(OAuthDeviceCodeStage))

        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            self.request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
            flow_slug=device_flow.slug,
        )

--- a/authentik/providers/oauth2/views/github.py
+++ b/authentik/providers/oauth2/views/github.py
@ -9,7 +9,6 @@ from django.views.decorators.csrf import csrf_exempt
 from authentik.providers.oauth2.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL
 from authentik.providers.oauth2.models import RefreshToken
 from authentik.providers.oauth2.utils import protected_resource_view
-from authentik.tenants.utils import get_tenant


@method_decorator(csrf_exempt, name="dispatch")
@ -77,7 +76,6 @@ class GitHubUserTeamsView(View):
    def get(self, request: HttpRequest, token: RefreshToken) -> HttpResponse:
        """Emulate GitHub's /user/teams API Endpoint"""
        user = token.user
-        tenant = get_tenant(request)

        orgs_response = []
        for org in user.ak_groups.all():
@ -99,7 +97,7 @@ class GitHubUserTeamsView(View):
                "created_at": "",
                "updated_at": "",
                "organization": {
-                    "login": slugify(tenant.branding_title),
+                    "login": slugify(request.tenant.branding_title),
                    "id": 1,
                    "node_id": "",
                    "url": "",
@ -111,7 +109,7 @@ class GitHubUserTeamsView(View):
                    "public_members_url": "",
                    "avatar_url": "",
                    "description": "",
-                    "name": tenant.branding_title,
+                    "name": request.tenant.branding_title,
                    "company": "",
                    "blog": "",
                    "location": "",
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -29,6 +29,9 @@ from authentik.providers.oauth2.utils import cors_allow

 LOGGER = get_logger()

+PLAN_CONTEXT_PARAMS = "params"
+PLAN_CONTEXT_SCOPES = "scopes"
+

 class ProviderInfoView(View):
    """OpenID-compliant Provider Info"""
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -15,8 +15,7 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_PLAN, SESSION_KEY_POST
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
@ -77,9 +76,9 @@ class SAMLSSOView(PolicyAccessView):
            raise Http404
        plan.append_stage(in_memory_stage(SAMLFlowFinalView))
        request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            request.GET,
            flow_slug=self.provider.authorization_flow.slug,
        )

--- a/authentik/recovery/views.py
+++ b/authentik/recovery/views.py
@ -22,4 +22,4 @@ class UseTokenView(View):
        login(request, token.user, backend=BACKEND_INBUILT)
        token.delete()
        messages.warning(request, _("Used recovery-link to authenticate."))
-        return redirect("authentik_core:root-redirect")
+        return redirect("authentik_core:if-user")
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -65,7 +65,6 @@ INSTALLED_APPS = [
    "authentik.admin",
    "authentik.api",
    "authentik.crypto",
-    "authentik.interfaces",
    "authentik.events",
    "authentik.flows",
    "authentik.lib",
@ -493,12 +492,3 @@ if DEBUG:
 INSTALLED_APPS.append("authentik.core")

 CONFIG.log("info", "Booting authentik", version=__version__)
-
-# Attempt to load enterprise app, if available
-try:
-    importlib.import_module("authentik.enterprise.apps")
-    CONFIG.log("info", "Enabled authentik enterprise")
-    INSTALLED_APPS.append("authentik.enterprise")
-    _update_settings("authentik.enterprise.settings")
-except ImportError:
-    pass
--- a/authentik/sources/plex/migrations/0002_auto_20210505_1717.py
+++ b/authentik/sources/plex/migrations/0002_auto_20210505_1717.py
@ -3,6 +3,8 @@
 import django.contrib.postgres.fields
 from django.db import migrations, models

+import authentik.lib.generators
+

 class Migration(migrations.Migration):
    dependencies = [
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -32,8 +32,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import redirect_to_default_interface
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@ -41,7 +40,11 @@ from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.sources.saml.processors.metadata import MetadataProcessor
 from authentik.sources.saml.processors.request import RequestProcessor
 from authentik.sources.saml.processors.response import ResponseProcessor
-from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_HEADER, ConsentStageView
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_TITLE,
+    ConsentStageView,
+)

 LOGGER = get_logger()

@ -73,7 +76,7 @@ class InitiateView(View):
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:root-redirect"
+            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        kwargs.update(
            {
@ -92,9 +95,9 @@ class InitiateView(View):
        for stage in stages_to_append:
            plan.append_stage(stage)
        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_to_default_interface(
-            self.request,
-            InterfaceType.FLOW,
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
            flow_slug=source.pre_authentication_flow.slug,
        )

@ -125,6 +128,7 @@ class InitiateView(View):
        injected_stages = []
        plan_kwargs = {
            PLAN_CONTEXT_TITLE: f"Redirecting to {source.name}...",
+            PLAN_CONTEXT_CONSENT_TITLE: f"Redirecting to {source.name}...",
            PLAN_CONTEXT_ATTRS: {
                "SAMLRequest": saml_request,
                "RelayState": relay_state,
--- a/authentik/stages/authenticator_duo/models.py
+++ b/authentik/stages/authenticator_duo/models.py
@ -10,6 +10,7 @@ from duo_client.admin import Admin
 from duo_client.auth import Auth
 from rest_framework.serializers import BaseSerializer, Serializer

+from authentik import __version__
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
--- a/authentik/stages/authenticator_totp/stage.py
+++ b/authentik/stages/authenticator_totp/stage.py
@ -17,7 +17,6 @@ from authentik.flows.challenge import (
 from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage
 from authentik.stages.authenticator_totp.settings import OTP_TOTP_ISSUER
-from authentik.tenants.utils import get_tenant

 SESSION_TOTP_DEVICE = "totp_device"

@ -58,7 +57,7 @@ class AuthenticatorTOTPStageView(ChallengeStageView):
            data={
                "type": ChallengeTypes.NATIVE.value,
                "config_url": device.config_url.replace(
-                    OTP_TOTP_ISSUER, quote(get_tenant(self.request).branding_title)
+                    OTP_TOTP_ISSUER, quote(self.request.tenant.branding_title)
                ),
            }
        )
--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@ -33,7 +33,7 @@ from authentik.stages.authenticator_validate.models import AuthenticatorValidate
 from authentik.stages.authenticator_webauthn.models import UserVerification, WebAuthnDevice
 from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
-from authentik.tenants.utils import get_tenant
+from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_TITLE

 LOGGER = get_logger()

@ -175,6 +175,8 @@ def validate_challenge_duo(device_pk: int, stage_view: StageView, user: User) ->
    pushinfo = {
        __("Domain"): stage_view.request.get_host(),
    }
+    if PLAN_CONTEXT_CONSENT_TITLE in stage_view.executor.plan.context:
+        pushinfo[__("Title")] = stage_view.executor.plan.context[PLAN_CONTEXT_CONSENT_TITLE]
    if SESSION_KEY_APPLICATION_PRE in stage_view.request.session:
        pushinfo[__("Application")] = stage_view.request.session.get(
            SESSION_KEY_APPLICATION_PRE, Application()
@ -188,7 +190,7 @@ def validate_challenge_duo(device_pk: int, stage_view: StageView, user: User) ->
            type=__(
                "%(brand_name)s Login request"
                % {
-                    "brand_name": get_tenant(stage_view.request).branding_title,
+                    "brand_name": stage_view.request.tenant.branding_title,
                }
            ),
            display_username=user.username,
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -14,6 +14,7 @@ from rest_framework.serializers import ValidationError
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
+from authentik.events.utils import cleanse_dict, sanitize_dict
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
 from authentik.flows.exceptions import FlowSkipStageException
 from authentik.flows.models import FlowDesignation, NotConfiguredAction, Stage
@ -381,9 +382,13 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            self.logger.debug("Set user from user-less flow", user=webauthn_device.user)
            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = webauthn_device.user
            self.executor.plan.context[PLAN_CONTEXT_METHOD] = "auth_webauthn_pwl"
-            self.executor.plan.context[PLAN_CONTEXT_METHOD_ARGS] = {
-                "device": webauthn_device,
-            }
+            self.executor.plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(
+                sanitize_dict(
+                    {
+                        "device": webauthn_device,
+                    }
+                )
+            )
        return self.set_valid_mfa_cookie(response.device)

    def cleanup(self):
--- a/authentik/stages/authenticator_validate/tests/test_duo.py
+++ b/authentik/stages/authenticator_validate/tests/test_duo.py
@ -19,7 +19,7 @@ from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, Duo
 from authentik.stages.authenticator_validate.challenge import validate_challenge_duo
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.user_login.models import UserLoginStage
-from authentik.tenants.utils import lookup_tenant_for_request
+from authentik.tenants.utils import get_tenant_for_request


 class AuthenticatorValidateStageDuoTests(FlowTestCase):
@ -36,7 +36,7 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
-        setattr(request, "tenant", lookup_tenant_for_request(request))
+        setattr(request, "tenant", get_tenant_for_request(request))

        stage = AuthenticatorDuoStage.objects.create(
            name=generate_id(),
--- a/authentik/stages/authenticator_webauthn/stage.py
+++ b/authentik/stages/authenticator_webauthn/stage.py
@ -29,7 +29,6 @@ from authentik.flows.challenge import (
 from authentik.flows.stage import ChallengeStageView
 from authentik.stages.authenticator_webauthn.models import AuthenticateWebAuthnStage, WebAuthnDevice
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
-from authentik.tenants.utils import get_tenant

 SESSION_KEY_WEBAUTHN_CHALLENGE = "authentik/stages/authenticator_webauthn/challenge"

@ -93,7 +92,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):

        registration_options: PublicKeyCredentialCreationOptions = generate_registration_options(
            rp_id=get_rp_id(self.request),
-            rp_name=get_tenant(self.request).branding_title,
+            rp_name=self.request.tenant.branding_title,
            user_id=user.uid,
            user_name=user.username,
            user_display_name=user.name,
--- a/authentik/stages/consent/stage.py
+++ b/authentik/stages/consent/stage.py
@ -19,6 +19,7 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConsent

 PLAN_CONTEXT_CONSENT = "consent"
+PLAN_CONTEXT_CONSENT_TITLE = "consent_title"
 PLAN_CONTEXT_CONSENT_HEADER = "consent_header"
 PLAN_CONTEXT_CONSENT_PERMISSIONS = "consent_permissions"
 PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS = "consent_additional_permissions"
@ -58,6 +59,8 @@ class ConsentStageView(ChallengeStageView):
            ),
            "token": token,
        }
+        if PLAN_CONTEXT_CONSENT_TITLE in self.executor.plan.context:
+            data["title"] = self.executor.plan.context[PLAN_CONTEXT_CONSENT_TITLE]
        if PLAN_CONTEXT_CONSENT_HEADER in self.executor.plan.context:
            data["header_text"] = self.executor.plan.context[PLAN_CONTEXT_CONSENT_HEADER]
        challenge = ConsentChallenge(data=data)
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -3,6 +3,7 @@ from datetime import timedelta

 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
+from django.urls import reverse
 from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
@ -15,8 +16,6 @@ from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -48,10 +47,9 @@ class EmailStageView(ChallengeStageView):

    def get_full_url(self, **kwargs) -> str:
        """Get full URL to be used in template"""
-        base_url = reverse_interface(
-            self.request,
-            InterfaceType.FLOW,
-            flow_slug=self.executor.flow.slug,
+        base_url = reverse(
+            "authentik_core:if-flow",
+            kwargs={"flow_slug": self.executor.flow.slug},
        )
        relative_url = f"{base_url}?{urlencode(kwargs)}"
        return self.request.build_absolute_uri(relative_url)
--- a/authentik/stages/email/tests/test_sending.py
+++ b/authentik/stages/email/tests/test_sending.py
@ -7,7 +7,6 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.urls import reverse
 from rest_framework.test import APITestCase

-from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.flows.markers import StageMarker
@ -30,7 +29,6 @@ class TestEmailStageSending(APITestCase):
        )
        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)

-    @apply_blueprint("system/interfaces.yaml")
    def test_pending_user(self):
        """Test with pending user"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
@ -56,7 +54,6 @@ class TestEmailStageSending(APITestCase):
            self.assertEqual(event.context["to_email"], [self.user.email])
            self.assertEqual(event.context["from_email"], "system@authentik.local")

-    @apply_blueprint("system/interfaces.yaml")
    def test_send_error(self):
        """Test error during sending (sending will be retried)"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -7,7 +7,6 @@ from django.core.mail.backends.smtp import EmailBackend as SMTPEmailBackend
 from django.urls import reverse
 from django.utils.http import urlencode

-from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
@ -75,7 +74,6 @@ class TestEmailStage(FlowTestCase):
        response = self.client.get(url)
        self.assertEqual(response.status_code, 200)

-    @apply_blueprint("system/interfaces.yaml")
    @patch(
        "authentik.stages.email.models.EmailStage.backend_class",
        PropertyMock(return_value=EmailBackend),
@ -125,7 +123,6 @@ class TestEmailStage(FlowTestCase):
        with self.settings(EMAIL_HOST=host):
            self.assertEqual(EmailStage(use_global_settings=True).backend.host, host)

-    @apply_blueprint("system/interfaces.yaml")
    def test_token(self):
        """Test with token"""
        # Make sure token exists
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -26,9 +26,8 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface
 from authentik.lib.utils.http import get_client_ip
+from authentik.lib.utils.urls import reverse_with_qs
 from authentik.sources.oauth.types.apple import AppleLoginChallenge
 from authentik.sources.plex.models import PlexAuthenticationChallenge
 from authentik.stages.identification.models import IdentificationStage
@ -206,25 +205,22 @@ class IdentificationStageView(ChallengeStageView):
        get_qs = self.request.session.get(SESSION_KEY_GET, self.request.GET)
        # Check for related enrollment and recovery flow, add URL to view
        if current_stage.enrollment_flow:
-            challenge.initial_data["enroll_url"] = reverse_interface(
-                self.request,
-                InterfaceType.FLOW,
+            challenge.initial_data["enroll_url"] = reverse_with_qs(
+                "authentik_core:if-flow",
                query=get_qs,
-                flow_slug=current_stage.enrollment_flow.slug,
+                kwargs={"flow_slug": current_stage.enrollment_flow.slug},
            )
        if current_stage.recovery_flow:
-            challenge.initial_data["recovery_url"] = reverse_interface(
-                self.request,
-                InterfaceType.FLOW,
+            challenge.initial_data["recovery_url"] = reverse_with_qs(
+                "authentik_core:if-flow",
                query=get_qs,
-                flow_slug=current_stage.recovery_flow.slug,
+                kwargs={"flow_slug": current_stage.recovery_flow.slug},
            )
        if current_stage.passwordless_flow:
-            challenge.initial_data["passwordless_url"] = reverse_interface(
-                self.request,
-                InterfaceType.FLOW,
+            challenge.initial_data["passwordless_url"] = reverse_with_qs(
+                "authentik_core:if-flow",
                query=get_qs,
-                flow_slug=current_stage.passwordless_flow.slug,
+                kwargs={"flow_slug": current_stage.passwordless_flow.slug},
            )

        # Check all enabled source, add them if they have a UI Login button.
--- a/authentik/stages/identification/tests.py
+++ b/authentik/stages/identification/tests.py
@ -5,8 +5,6 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.tests import FlowTestCase
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.tests import reverse_interface
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.identification.models import IdentificationStage, UserFields
 from authentik.stages.password import BACKEND_INBUILT
@ -168,9 +166,9 @@ class TestIdentificationStage(FlowTestCase):
            component="ak-stage-identification",
            user_fields=["email"],
            password_fields=False,
-            enroll_url=reverse_interface(
-                InterfaceType.FLOW,
-                flow_slug=flow.slug,
+            enroll_url=reverse(
+                "authentik_core:if-flow",
+                kwargs={"flow_slug": flow.slug},
            ),
            show_source_labels=False,
            primary_action="Log in",
@ -206,9 +204,9 @@ class TestIdentificationStage(FlowTestCase):
            component="ak-stage-identification",
            user_fields=["email"],
            password_fields=False,
-            recovery_url=reverse_interface(
-                InterfaceType.FLOW,
-                flow_slug=flow.slug,
+            recovery_url=reverse(
+                "authentik_core:if-flow",
+                kwargs={"flow_slug": flow.slug},
            ),
            show_source_labels=False,
            primary_action="Log in",
--- a/authentik/stages/password/migrations/0007_app_password.py
+++ b/authentik/stages/password/migrations/0007_app_password.py
@ -4,7 +4,7 @@ from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

-from authentik.stages.password import BACKEND_APP_PASSWORD
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT


 def update_default_backends(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
--- a/authentik/stages/password/migrations/0008_replace_inbuilt.py
+++ b/authentik/stages/password/migrations/0008_replace_inbuilt.py
@ -1,6 +1,7 @@
 # Generated by Django 3.2.6 on 2021-08-23 14:34
+import django.contrib.postgres.fields
 from django.apps.registry import Apps
-from django.db import migrations
+from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 from authentik.stages.password import BACKEND_INBUILT
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@ -5,6 +5,7 @@ from django.contrib.auth import _clean_credentials
 from django.contrib.auth.backends import BaseBackend
 from django.core.exceptions import PermissionDenied
 from django.http import HttpRequest, HttpResponse
+from django.urls import reverse
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ErrorDetail, ValidationError
 from rest_framework.fields import CharField
@ -22,8 +23,6 @@ from authentik.flows.challenge import (
 from authentik.flows.models import Flow, FlowDesignation, Stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
-from authentik.interfaces.models import InterfaceType
-from authentik.interfaces.views import reverse_interface
 from authentik.lib.utils.reflection import path_to_class
 from authentik.stages.password.models import PasswordStage

@ -96,12 +95,11 @@ class PasswordStageView(ChallengeStageView):
                "type": ChallengeTypes.NATIVE.value,
            }
        )
-        recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY).first()
-        if recovery_flow:
-            recover_url = reverse_interface(
-                self.request,
-                InterfaceType.FLOW,
-                flow_slug=recovery_flow.slug,
+        recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
+        if recovery_flow.exists():
+            recover_url = reverse(
+                "authentik_core:if-flow",
+                kwargs={"flow_slug": recovery_flow.first().slug},
            )
            challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
        return challenge
--- a/authentik/stages/prompt/api.py
+++ b/authentik/stages/prompt/api.py
@ -57,12 +57,10 @@ class PromptSerializer(ModelSerializer):
            "type",
            "required",
            "placeholder",
-            "initial_value",
            "order",
            "promptstage_set",
            "sub_text",
            "placeholder_expression",
-            "initial_value_expression",
        ]


--- a/authentik/stages/prompt/migrations/0011_prompt_initial_value_prompt_initial_value_expression_and_more.py
+++ b/authentik/stages/prompt/migrations/0011_prompt_initial_value_prompt_initial_value_expression_and_more.py
@ -1,53 +0,0 @@
-# Generated by Django 4.1.7 on 2023-03-24 17:32
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_placeholder_expressions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.stages.prompt.models import CHOICE_FIELDS
-
-    db_alias = schema_editor.connection.alias
-    Prompt = apps.get_model("authentik_stages_prompt", "prompt")
-
-    for prompt in Prompt.objects.using(db_alias).all():
-        if not prompt.placeholder_expression or prompt.type in CHOICE_FIELDS:
-            continue
-
-        prompt.initial_value = prompt.placeholder
-        prompt.initial_value_expression = True
-        prompt.placeholder = ""
-        prompt.placeholder_expression = False
-        prompt.save()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_stages_prompt", "0010_alter_prompt_placeholder_alter_prompt_type"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="prompt",
-            name="initial_value",
-            field=models.TextField(
-                blank=True,
-                help_text="Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices.",
-            ),
-        ),
-        migrations.AddField(
-            model_name="prompt",
-            name="initial_value_expression",
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AlterField(
-            model_name="prompt",
-            name="placeholder",
-            field=models.TextField(
-                blank=True,
-                help_text="Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices.",
-            ),
-        ),
-        migrations.RunPython(code=migrate_placeholder_expressions),
-    ]
--- a/authentik/stages/prompt/models.py
+++ b/authentik/stages/prompt/models.py
@ -29,8 +29,6 @@ from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.policies.models import Policy

-CHOICES_CONTEXT_SUFFIX = "__choices"
-
 LOGGER = get_logger()


@ -121,25 +119,15 @@ class Prompt(SerializerModel):
    placeholder = models.TextField(
        blank=True,
        help_text=_(
-            "Optionally provide a short hint that describes the expected input value. "
-            "When creating a fixed choice field, enable interpreting as "
+            "When creating a Radio Button Group or Dropdown, enable interpreting as "
            "expression and return a list to return multiple choices."
        ),
    )
-    initial_value = models.TextField(
-        blank=True,
-        help_text=_(
-            "Optionally pre-fill the input with an initial value. "
-            "When creating a fixed choice field, enable interpreting as "
-            "expression and return a list to return multiple default choices."
-        ),
-    )
    sub_text = models.TextField(blank=True, default="")

    order = models.IntegerField(default=0)

    placeholder_expression = models.BooleanField(default=False)
-    initial_value_expression = models.BooleanField(default=False)

    @property
    def serializer(self) -> Type[BaseSerializer]:
@ -160,8 +148,8 @@ class Prompt(SerializerModel):

        raw_choices = self.placeholder

-        if self.field_key + CHOICES_CONTEXT_SUFFIX in prompt_context:
-            raw_choices = prompt_context[self.field_key + CHOICES_CONTEXT_SUFFIX]
+        if self.field_key in prompt_context:
+            raw_choices = prompt_context[self.field_key]
        elif self.placeholder_expression:
            evaluator = PropertyMappingEvaluator(
                self, user, request, prompt_context=prompt_context, dry_run=dry_run
@ -196,9 +184,16 @@ class Prompt(SerializerModel):
    ) -> str:
        """Get fully interpolated placeholder"""
        if self.type in CHOICE_FIELDS:
-            # Choice fields use the placeholder to define all valid choices.
-            # Therefore their actual placeholder is always blank
-            return ""
+            # Make sure to return a valid choice as placeholder
+            choices = self.get_choices(prompt_context, user, request, dry_run=dry_run)
+            if not choices:
+                return ""
+            return choices[0]
+
+        if self.field_key in prompt_context:
+            # We don't want to parse this as an expression since a user will
+            # be able to control the input
+            return prompt_context[self.field_key]

        if self.placeholder_expression:
            evaluator = PropertyMappingEvaluator(
@ -216,47 +211,6 @@ class Prompt(SerializerModel):
                    raise wrapped from exc
        return self.placeholder

-    def get_initial_value(
-        self,
-        prompt_context: dict,
-        user: User,
-        request: HttpRequest,
-        dry_run: Optional[bool] = False,
-    ) -> str:
-        """Get fully interpolated initial value"""
-
-        if self.field_key in prompt_context:
-            # We don't want to parse this as an expression since a user will
-            # be able to control the input
-            value = prompt_context[self.field_key]
-        elif self.initial_value_expression:
-            evaluator = PropertyMappingEvaluator(
-                self, user, request, prompt_context=prompt_context, dry_run=dry_run
-            )
-            try:
-                value = evaluator.evaluate(self.initial_value)
-            except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc))
-                LOGGER.warning(
-                    "failed to evaluate prompt initial value",
-                    exc=wrapped,
-                )
-                if dry_run:
-                    raise wrapped from exc
-                value = self.initial_value
-        else:
-            value = self.initial_value
-
-        if self.type in CHOICE_FIELDS:
-            # Ensure returned value is a valid choice
-            choices = self.get_choices(prompt_context, user, request)
-            if not choices:
-                return ""
-            if value not in choices:
-                return choices[0]
-
-        return value
-
    def field(self, default: Optional[Any], choices: Optional[list[Any]] = None) -> CharField:
        """Get field type for Challenge and response. Choices are only valid for CHOICE_FIELDS."""
        field_class = CharField
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -38,7 +38,6 @@ class StagePromptSerializer(PassiveSerializer):
    type = ChoiceField(choices=FieldTypes.choices)
    required = BooleanField()
    placeholder = CharField(allow_blank=True)
-    initial_value = CharField(allow_blank=True)
    order = IntegerField()
    sub_text = CharField(allow_blank=True)
    choices = ListField(child=CharField(allow_blank=True), allow_empty=True, allow_null=True)
@ -77,7 +76,7 @@ class PromptChallengeResponse(ChallengeResponse):
            choices = field.get_choices(
                plan.context.get(PLAN_CONTEXT_PROMPT, {}), user, self.request
            )
-            current = field.get_initial_value(
+            current = field.get_placeholder(
                plan.context.get(PLAN_CONTEXT_PROMPT, {}), user, self.request
            )
            self.fields[field.field_key] = field.field(current, choices)
@ -198,9 +197,8 @@ class PromptStageView(ChallengeStageView):
        serializers = []
        for field in fields:
            data = StagePromptSerializer(field).data
-            # Ensure all choices, placeholders and initial values are str, as
-            # otherwise further in we can fail serializer validation if we return
-            # some types such as bool
+            # Ensure all choices and placeholders are str, as otherwise further in
+            # we can fail serializer validation if we return some types such as bool
            choices = field.get_choices(context, self.get_pending_user(), self.request, dry_run)
            if choices:
                data["choices"] = [str(choice) for choice in choices]
@ -209,9 +207,6 @@ class PromptStageView(ChallengeStageView):
            data["placeholder"] = str(
                field.get_placeholder(context, self.get_pending_user(), self.request, dry_run)
            )
-            data["initial_value"] = str(
-                field.get_initial_value(context, self.get_pending_user(), self.request, dry_run)
-            )
            serializers.append(data)
        return serializers

--- a/authentik/stages/prompt/tests.py
+++ b/authentik/stages/prompt/tests.py
@ -22,7 +22,6 @@ from authentik.stages.prompt.stage import (
 )


-# pylint: disable=too-many-public-methods
 class TestPromptStage(FlowTestCase):
    """Prompt tests"""

@ -38,7 +37,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.USERNAME,
            required=True,
            placeholder="USERNAME_PLACEHOLDER",
-            initial_value="akuser",
        )
        text_prompt = Prompt.objects.create(
            name=generate_id(),
@ -47,7 +45,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.TEXT,
            required=True,
            placeholder="TEXT_PLACEHOLDER",
-            initial_value="some text",
        )
        text_area_prompt = Prompt.objects.create(
            name=generate_id(),
@ -56,7 +53,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.TEXT_AREA,
            required=True,
            placeholder="TEXT_AREA_PLACEHOLDER",
-            initial_value="some text",
        )
        email_prompt = Prompt.objects.create(
            name=generate_id(),
@ -65,7 +61,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.EMAIL,
            required=True,
            placeholder="EMAIL_PLACEHOLDER",
-            initial_value="email@example.com",
        )
        password_prompt = Prompt.objects.create(
            name=generate_id(),
@ -74,7 +69,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.PASSWORD,
            required=True,
            placeholder="PASSWORD_PLACEHOLDER",
-            initial_value="supersecurepassword",
        )
        password2_prompt = Prompt.objects.create(
            name=generate_id(),
@ -83,7 +77,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.PASSWORD,
            required=True,
            placeholder="PASSWORD_PLACEHOLDER",
-            initial_value="supersecurepassword",
        )
        number_prompt = Prompt.objects.create(
            name=generate_id(),
@ -92,7 +85,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.NUMBER,
            required=True,
            placeholder="NUMBER_PLACEHOLDER",
-            initial_value="42",
        )
        hidden_prompt = Prompt.objects.create(
            name=generate_id(),
@ -100,7 +92,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.HIDDEN,
            required=True,
            placeholder="HIDDEN_PLACEHOLDER",
-            initial_value="something idk",
        )
        static_prompt = Prompt.objects.create(
            name=generate_id(),
@ -108,7 +99,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.STATIC,
            required=True,
            placeholder="static",
-            initial_value="something idk",
        )
        radio_button_group = Prompt.objects.create(
            name=generate_id(),
@ -116,7 +106,6 @@ class TestPromptStage(FlowTestCase):
            type=FieldTypes.RADIO_BUTTON_GROUP,
            required=True,
            placeholder="test",
-            initial_value="test",
        )
        dropdown = Prompt.objects.create(
            name=generate_id(),
@ -148,9 +137,9 @@ class TestPromptStage(FlowTestCase):
            password_prompt.field_key: "test",
            password2_prompt.field_key: "test",
            number_prompt.field_key: 3,
-            hidden_prompt.field_key: hidden_prompt.initial_value,
-            static_prompt.field_key: static_prompt.initial_value,
-            radio_button_group.field_key: radio_button_group.initial_value,
+            hidden_prompt.field_key: hidden_prompt.placeholder,
+            static_prompt.field_key: static_prompt.placeholder,
+            radio_button_group.field_key: radio_button_group.placeholder,
            dropdown.field_key: "",
        }

@ -346,176 +335,106 @@ class TestPromptStage(FlowTestCase):
        self.assertEqual(
            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
        )
-
-    def test_prompt_placeholder_does_not_take_value_from_context(self):
-        """Test placeholder does not automatically take value from context"""
-        context = {
-            "foo": generate_id(),
-        }
-        prompt: Prompt = Prompt(
-            field_key="text_prompt_expression",
-            label="TEXT_LABEL",
-            type=FieldTypes.TEXT,
-            placeholder="return prompt_context['foo']",
-            placeholder_expression=True,
-        )
-        context["text_prompt_expression"] = generate_id()
-
-        self.assertEqual(
-            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
-        )
-
-    def test_prompt_initial_value(self):
-        """Test initial_value and expression"""
-        context = {
-            "foo": generate_id(),
-        }
-        prompt: Prompt = Prompt(
-            field_key="text_prompt_expression",
-            label="TEXT_LABEL",
-            type=FieldTypes.TEXT,
-            initial_value="return prompt_context['foo']",
-            initial_value_expression=True,
-        )
-        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), context["foo"]
-        )
        context["text_prompt_expression"] = generate_id()
        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")),
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
            context["text_prompt_expression"],
        )
        self.assertNotEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), context["foo"]
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
        )

-    def test_choice_prompts_placeholder_and_initial_value_no_choices(self):
-        """Test placeholder and initial value of choice fields with 0 choices"""
-        context = {}
+    def test_choice_prompts_placeholders(self):
+        """Test placeholders and expression of choice fields"""
+        context = {"foo": generate_id()}

+        # No choices - unusable (in the sense it creates an unsubmittable form)
+        # but valid behaviour
        prompt: Prompt = Prompt(
            field_key="fixed_choice_prompt_expression",
            label="LABEL",
            type=FieldTypes.RADIO_BUTTON_GROUP,
            placeholder="return []",
            placeholder_expression=True,
-            initial_value="Invalid choice",
-            initial_value_expression=False,
        )
        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
-        self.assertEqual(prompt.get_initial_value(context, self.user, self.factory.get("/")), "")
        self.assertEqual(prompt.get_choices(context, self.user, self.factory.get("/")), tuple())
-
-    def test_choice_prompts_placeholder_and_initial_value_single_choice(self):
-        """Test placeholder and initial value of choice fields with 1 choice"""
-        context = {"foo": generate_id()}
-
-        prompt: Prompt = Prompt(
-            field_key="fixed_choice_prompt_expression",
-            label="LABEL",
-            type=FieldTypes.DROPDOWN,
-            placeholder=context["foo"],
-            placeholder_expression=False,
-            initial_value=context["foo"],
-            initial_value_expression=False,
-        )
-        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
+        context["fixed_choice_prompt_expression"] = generate_id()
        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), context["foo"]
-        )
-        self.assertEqual(
-            prompt.get_choices(context, self.user, self.factory.get("/")), (context["foo"],)
-        )
-
-        prompt: Prompt = Prompt(
-            field_key="fixed_choice_prompt_expression",
-            label="LABEL",
-            type=FieldTypes.DROPDOWN,
-            placeholder="return [prompt_context['foo']]",
-            placeholder_expression=True,
-            initial_value="return prompt_context['foo']",
-            initial_value_expression=True,
-        )
-        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
-        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), context["foo"]
-        )
-        self.assertEqual(
-            prompt.get_choices(context, self.user, self.factory.get("/")), (context["foo"],)
-        )
-
-    def test_choice_prompts_placeholder_and_initial_value_multiple_choices(self):
-        """Test placeholder and initial value of choice fields with multiple choices"""
-        context = {}
-
-        prompt: Prompt = Prompt(
-            field_key="fixed_choice_prompt_expression",
-            label="LABEL",
-            type=FieldTypes.RADIO_BUTTON_GROUP,
-            placeholder="return ['test', True, 42]",
-            placeholder_expression=True,
-        )
-        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
-        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), "test"
-        )
-        self.assertEqual(
-            prompt.get_choices(context, self.user, self.factory.get("/")), ("test", True, 42)
-        )
-
-        prompt: Prompt = Prompt(
-            field_key="fixed_choice_prompt_expression",
-            label="LABEL",
-            type=FieldTypes.RADIO_BUTTON_GROUP,
-            placeholder="return ['test', True, 42]",
-            placeholder_expression=True,
-            initial_value="return True",
-            initial_value_expression=True,
-        )
-        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
-        self.assertEqual(prompt.get_initial_value(context, self.user, self.factory.get("/")), True)
-        self.assertEqual(
-            prompt.get_choices(context, self.user, self.factory.get("/")), ("test", True, 42)
-        )
-
-    def test_choice_prompts_placeholder_and_initial_value_from_context(self):
-        """Test placeholder and initial value of choice fields with values from context"""
-        rand_value = generate_id()
-        context = {
-            "fixed_choice_prompt_expression": rand_value,
-            "fixed_choice_prompt_expression__choices": ["test", 42, rand_value],
-        }
-
-        prompt: Prompt = Prompt(
-            field_key="fixed_choice_prompt_expression",
-            label="LABEL",
-            type=FieldTypes.RADIO_BUTTON_GROUP,
-        )
-        self.assertEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
-        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")), rand_value
-        )
-        self.assertEqual(
-            prompt.get_choices(context, self.user, self.factory.get("/")), ("test", 42, rand_value)
-        )
-
-    def test_initial_value_not_valid_choice(self):
-        """Test initial_value not a valid choice"""
-        context = {}
-        prompt: Prompt = Prompt(
-            field_key="choice_prompt",
-            label="TEXT_LABEL",
-            type=FieldTypes.DROPDOWN,
-            placeholder="choice",
-            initial_value="another_choice",
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
+            context["fixed_choice_prompt_expression"],
        )
        self.assertEqual(
            prompt.get_choices(context, self.user, self.factory.get("/")),
-            ("choice",),
+            (context["fixed_choice_prompt_expression"],),
+        )
+        self.assertNotEqual(prompt.get_placeholder(context, self.user, self.factory.get("/")), "")
+        self.assertNotEqual(prompt.get_choices(context, self.user, self.factory.get("/")), tuple())
+
+        del context["fixed_choice_prompt_expression"]
+
+        # Single choice
+        prompt: Prompt = Prompt(
+            field_key="fixed_choice_prompt_expression",
+            label="LABEL",
+            type=FieldTypes.RADIO_BUTTON_GROUP,
+            placeholder="return prompt_context['foo']",
+            placeholder_expression=True,
        )
        self.assertEqual(
-            prompt.get_initial_value(context, self.user, self.factory.get("/")),
-            "choice",
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+        self.assertEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")), (context["foo"],)
+        )
+        context["fixed_choice_prompt_expression"] = generate_id()
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
+            context["fixed_choice_prompt_expression"],
+        )
+        self.assertEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")),
+            (context["fixed_choice_prompt_expression"],),
+        )
+        self.assertNotEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+        self.assertNotEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")), (context["foo"],)
+        )
+
+        del context["fixed_choice_prompt_expression"]
+
+        # Multi choice
+        prompt: Prompt = Prompt(
+            field_key="fixed_choice_prompt_expression",
+            label="LABEL",
+            type=FieldTypes.DROPDOWN,
+            placeholder="return [prompt_context['foo'], True, 'text']",
+            placeholder_expression=True,
+        )
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+        self.assertEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")),
+            (context["foo"], True, "text"),
+        )
+        context["fixed_choice_prompt_expression"] = tuple(["text", generate_id(), 2])
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
+            "text",
+        )
+        self.assertEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")),
+            context["fixed_choice_prompt_expression"],
+        )
+        self.assertNotEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+        self.assertNotEqual(
+            prompt.get_choices(context, self.user, self.factory.get("/")),
+            (context["foo"], True, "text"),
        )

    def test_choices_are_none_for_non_choice_fields(self):
@ -586,8 +505,6 @@ class TestPromptStage(FlowTestCase):
                "type": FieldTypes.TEXT,
                "placeholder": 'return "Hello world"',
                "placeholder_expression": True,
-                "initial_value": 'return "Hello Hello world"',
-                "initial_value_expression": True,
                "sub_text": "test",
                "order": 123,
            },
@ -605,7 +522,6 @@ class TestPromptStage(FlowTestCase):
                        "type": "text",
                        "required": True,
                        "placeholder": "Hello world",
-                        "initial_value": "Hello Hello world",
                        "order": 123,
                        "sub_text": "test",
                        "choices": None,
--- a/authentik/tenants/api.py
+++ b/authentik/tenants/api.py
@ -18,7 +18,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.lib.config import CONFIG
 from authentik.tenants.models import Tenant
-from authentik.tenants.utils import get_tenant


 class FooterLinkSerializer(PassiveSerializer):
@ -55,9 +54,6 @@ class TenantSerializer(ModelSerializer):
            "flow_unenrollment",
            "flow_user_settings",
            "flow_device_code",
-            "interface_admin",
-            "interface_user",
-            "interface_flow",
            "event_retention",
            "web_certificate",
            "attributes",
@ -124,9 +120,6 @@ class TenantViewSet(UsedByMixin, ModelViewSet):
        "flow_unenrollment",
        "flow_user_settings",
        "flow_device_code",
-        "interface_admin",
-        "interface_user",
-        "interface_flow",
        "event_retention",
        "web_certificate",
    ]
@ -140,4 +133,5 @@ class TenantViewSet(UsedByMixin, ModelViewSet):
    @action(methods=["GET"], detail=False, permission_classes=[AllowAny])
    def current(self, request: Request) -> Response:
        """Get current tenant"""
-        return Response(CurrentTenantSerializer(get_tenant(request)).data)
+        tenant: Tenant = request._request.tenant
+        return Response(CurrentTenantSerializer(tenant).data)
--- a/authentik/tenants/middleware.py
+++ b/authentik/tenants/middleware.py
@ -6,7 +6,7 @@ from django.http.response import HttpResponse
 from django.utils.translation import activate
 from sentry_sdk.api import set_tag

-from authentik.tenants.utils import lookup_tenant_for_request
+from authentik.tenants.utils import get_tenant_for_request


 class TenantMiddleware:
@ -19,7 +19,7 @@ class TenantMiddleware:

    def __call__(self, request: HttpRequest) -> HttpResponse:
        if not hasattr(request, "tenant"):
-            tenant = lookup_tenant_for_request(request)
+            tenant = get_tenant_for_request(request)
            setattr(request, "tenant", tenant)
            set_tag("authentik.tenant_uuid", tenant.tenant_uuid.hex)
            set_tag("authentik.tenant_domain", tenant.domain)
--- a/authentik/tenants/migrations/0001_squashed_0005_tenant_web_certificate.py
+++ b/authentik/tenants/migrations/0001_squashed_0005_tenant_web_certificate.py
@ -3,7 +3,9 @@
 import uuid

 import django.db.models.deletion
+from django.apps.registry import Apps
 from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.lib.utils.time

--- a/authentik/tenants/migrations/0005_tenant_interface_admin_tenant_interface_flow_and_more.py
+++ b/authentik/tenants/migrations/0005_tenant_interface_admin_tenant_interface_flow_and_more.py
@ -1,78 +0,0 @@
-# Generated by Django 4.1.7 on 2023-02-21 14:18
-
-import django.db.models.deletion
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_set_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Tenant = apps.get_model("authentik_tenants", "tenant")
-    Interface = apps.get_model("authentik_interfaces", "Interface")
-    db_alias = schema_editor.connection.alias
-
-    from authentik.blueprints.models import BlueprintInstance
-    from authentik.blueprints.v1.importer import Importer
-    from authentik.blueprints.v1.tasks import blueprints_discovery
-    from authentik.interfaces.models import InterfaceType
-
-    # If we don't have any tenants yet, we don't need wait for the default interface blueprint
-    if not Tenant.objects.using(db_alias).exists():
-        return
-
-    interface_blueprint = BlueprintInstance.objects.filter(path="system/interfaces.yaml").first()
-    if not interface_blueprint:
-        blueprints_discovery.delay().get()
-        interface_blueprint = BlueprintInstance.objects.filter(
-            path="system/interfaces.yaml"
-        ).first()
-    if not interface_blueprint:
-        raise ValueError("Failed to apply system/interfaces.yaml blueprint")
-    Importer(interface_blueprint.retrieve()).apply()
-
-    for tenant in Tenant.objects.using(db_alias).all():
-        tenant.interface_admin = Interface.objects.filter(type=InterfaceType.ADMIN).first()
-        tenant.interface_user = Interface.objects.filter(type=InterfaceType.USER).first()
-        tenant.interface_flow = Interface.objects.filter(type=InterfaceType.FLOW).first()
-        tenant.save()
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_interfaces", "0001_initial"),
-        ("authentik_tenants", "0004_tenant_flow_device_code"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="tenant",
-            name="interface_admin",
-            field=models.ForeignKey(
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="tenant_admin",
-                to="authentik_interfaces.interface",
-            ),
-        ),
-        migrations.AddField(
-            model_name="tenant",
-            name="interface_flow",
-            field=models.ForeignKey(
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="tenant_flow",
-                to="authentik_interfaces.interface",
-            ),
-        ),
-        migrations.AddField(
-            model_name="tenant",
-            name="interface_user",
-            field=models.ForeignKey(
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="tenant_user",
-                to="authentik_interfaces.interface",
-            ),
-        ),
-        migrations.RunPython(migrate_set_default),
-    ]
--- a/authentik/tenants/models.py
+++ b/authentik/tenants/models.py
@ -7,6 +7,7 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.models import Flow
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator

@ -32,59 +33,22 @@ class Tenant(SerializerModel):
    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")

    flow_authentication = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        related_name="tenant_authentication",
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_authentication"
    )
    flow_invalidation = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        related_name="tenant_invalidation",
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_invalidation"
    )
    flow_recovery = models.ForeignKey(
-        "authentik_flows.Flow", null=True, on_delete=models.SET_NULL, related_name="tenant_recovery"
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_recovery"
    )
    flow_unenrollment = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        related_name="tenant_unenrollment",
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_unenrollment"
    )
    flow_user_settings = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        related_name="tenant_user_settings",
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_user_settings"
    )
    flow_device_code = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        related_name="tenant_device_code",
-    )
-
-    interface_flow = models.ForeignKey(
-        "authentik_interfaces.Interface",
-        default=None,
-        on_delete=models.SET_NULL,
-        null=True,
-        related_name="tenant_flow",
-    )
-    interface_user = models.ForeignKey(
-        "authentik_interfaces.Interface",
-        default=None,
-        on_delete=models.SET_NULL,
-        null=True,
-        related_name="tenant_user",
-    )
-    interface_admin = models.ForeignKey(
-        "authentik_interfaces.Interface",
-        default=None,
-        on_delete=models.SET_NULL,
-        null=True,
-        related_name="tenant_admin",
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_device_code"
    )

    event_retention = models.TextField(
--- a/authentik/tenants/tests.py
+++ b/authentik/tenants/tests.py
@ -75,7 +75,7 @@ class TestTenants(APITestCase):
        )
        factory = RequestFactory()
        request = factory.get("/")
-        setattr(request, "tenant", tenant)
+        request.tenant = tenant
        event = Event.new(action=EventAction.SYSTEM_EXCEPTION, message="test").from_http(request)
        self.assertEqual(event.expires.day, (event.created + timedelta_from_string("weeks=3")).day)
        self.assertEqual(
--- a/authentik/tenants/utils.py
+++ b/authentik/tenants/utils.py
@ -4,41 +4,17 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from rest_framework.request import Request
 from sentry_sdk.hub import Hub

 from authentik import get_full_version
-from authentik.interfaces.models import Interface, InterfaceType
 from authentik.lib.config import CONFIG
 from authentik.tenants.models import Tenant

 _q_default = Q(default=True)
+DEFAULT_TENANT = Tenant(domain="fallback")


-def get_fallback_tenant():
-    """Get fallback tenant"""
-
-    fallback_interface = Interface(
-        url_name="fallback",
-        type=InterfaceType.FLOW,
-        template="Fallback interface",
-    )
-    return Tenant(
-        domain="fallback",
-        interface_flow=fallback_interface,
-        interface_user=fallback_interface,
-        interface_admin=fallback_interface,
-    )
-
-
-def get_tenant(request: HttpRequest | Request) -> "Tenant":
-    """Get the request's tenant, falls back to a fallback tenant object"""
-    if isinstance(request, Request):
-        request = request._request
-    return getattr(request, "tenant", get_fallback_tenant())
-
-
-def lookup_tenant_for_request(request: HttpRequest) -> "Tenant":
+def get_tenant_for_request(request: HttpRequest) -> Tenant:
    """Get tenant object for current request"""
    db_tenants = (
        Tenant.objects.annotate(host_domain=V(request.get_host()))
@ -47,13 +23,13 @@ def lookup_tenant_for_request(request: HttpRequest) -> "Tenant":
    )
    tenants = list(db_tenants.all())
    if len(tenants) < 1:
-        return get_fallback_tenant()
+        return DEFAULT_TENANT
    return tenants[0]


 def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects tenant object into every template"""
-    tenant = getattr(request, "tenant", get_fallback_tenant())
+    tenant = getattr(request, "tenant", DEFAULT_TENANT)
    trace = ""
    span = Hub.current.scope.span
    if span:
--- a/blueprints/default/default-tenant.yaml
+++ b/blueprints/default/default-tenant.yaml
@ -2,11 +2,6 @@ metadata:
  name: Default - Tenant
 version: 1
 entries:
- model: authentik_blueprints.metaapplyblueprint
-  attrs:
-    identifiers:
-      name: System - Interfaces
-    required: false
 - model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
@ -26,9 +21,6 @@ entries:
    flow_authentication: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    flow_invalidation: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
    flow_user_settings: !Find [authentik_flows.flow, [slug, default-user-settings-flow]]
-    interface_admin: !Find [authentik_interfaces.Interface, [type, admin]]
-    interface_user: !Find [authentik_interfaces.Interface, [type, user]]
-    interface_flow: !Find [authentik_interfaces.Interface, [type, flow]]
  identifiers:
    domain: authentik-default
    default: True
--- a/Show More
+++ b/Show More