website/docs: Break line.

Bump django from 5.0.14 to 5.1.8

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.3
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/api-py-publish.yml

@@ -30,7 +30,6 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version-file: "pyproject.toml"
-          cache: "poetry"
       - name: Generate API Client
         run: make gen-client-py
       - name: Publish package

.github/workflows/packages-npm-publish.yml

@@ -0,0 +1,45 @@
+name: authentik-packages-npm-publish
+on:
+  push:
+    branches: [main]
+    paths:
+      - packages/docusaurus-config
+      - packages/eslint-config
+      - packages/prettier-config
+      - packages/tsconfig
+  workflow_dispatch:
+jobs:
+  publish:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - docusaurus-config
+          - eslint-config
+          - prettier-config
+          - tsconfig
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: packages/${{ matrix.package }}/package.json
+          registry-url: "https://registry.npmjs.org"
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            packages/${{ matrix.package }}/package.json
+      - name: Publish package
+        if: steps.changed-files.outputs.any_changed == 'true'
+        working-directory: packages/${{ matrix.package}}
+        run: |
+          npm ci
+          npm run build
+          npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.gitignore

@@ -11,6 +11,10 @@ local_settings.py
 db.sqlite3
 media
 
+# Node
+
+node_modules
+
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -33,6 +37,7 @@ eggs/
 lib64/
 parts/
 dist/
+out/
 sdist/
 var/
 wheels/

.prettierignore

@@ -0,0 +1,47 @@
+# Prettier Ignorefile
+
+## Static Files
+**/LICENSE
+
+authentik/stages/**/*
+
+## Build asset directories
+coverage
+dist
+out
+.docusaurus
+website/docs/developer-docs/api/**/*
+
+## Environment
+*.env
+
+## Secrets
+*.secrets
+
+## Yarn
+.yarn/**/*
+
+## Node
+node_modules
+coverage
+
+## Configs
+*.log
+*.yaml
+*.yml
+
+# Templates
+# TODO: Rename affected files to *.template.* or similar.
+*.html
+*.mdx
+*.md
+
+## Import order matters
+poly.ts
+src/locale-codes.ts
+src/locales/
+
+# Storybook
+storybook-static/
+.storybook/css-import-maps*
+

CODEOWNERS

@@ -23,6 +23,8 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
+# Web packages
+packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend

Dockerfile

@@ -94,9 +94,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.11 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.9-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.2.3"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/v1/importer.py

@@ -36,6 +36,7 @@ from authentik.core.models import (
     GroupSourceConnection,
     PropertyMapping,
     Provider,
+    Session,
     Source,
     User,
     UserSourceConnection,
@@ -108,6 +109,7 @@ def excluded_models() -> list[type[Model]]:
         Policy,
         PolicyBindingModel,
         # Classes that have other dependencies
+        Session,
         AuthenticatedSession,
         # Classes which are only internally managed
         # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin

authentik/core/api/authenticated_sessions.py

@@ -5,6 +5,7 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
+from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
@@ -54,6 +55,11 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
     """AuthenticatedSession Serializer"""
 
+    expires = DateTimeField(source="session.expires", read_only=True)
+    last_ip = IPAddressField(source="session.last_ip", read_only=True)
+    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
+    last_used = DateTimeField(source="session.last_used", read_only=True)
+
     current = SerializerMethodField()
     user_agent = SerializerMethodField()
     geo_ip = SerializerMethodField()
@@ -62,19 +68,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
     def get_current(self, instance: AuthenticatedSession) -> bool:
         """Check if session is currently active session"""
         request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session_key
+        return request._request.session.session_key == instance.session.session_key
 
     def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
         """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.last_user_agent)
+        return user_agent_parser.Parse(instance.session.last_user_agent)
 
     def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
         """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
 
     def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
         """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
 
     class Meta:
         model = AuthenticatedSession
@@ -90,6 +96,7 @@ class AuthenticatedSessionSerializer(ModelSerializer):
             "last_used",
             "expires",
         ]
+        extra_args = {"uuid": {"read_only": True}}
 
 
 class AuthenticatedSessionViewSet(
@@ -101,9 +108,10 @@ class AuthenticatedSessionViewSet(
 ):
     """AuthenticatedSession Viewset"""
 
-    queryset = AuthenticatedSession.objects.all()
+    lookup_field = "uuid"
+    queryset = AuthenticatedSession.objects.select_related("session").all()
     serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "last_ip", "last_user_agent"]
-    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
+    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
     ordering = ["user__username"]
     owner_field = "user"

authentik/core/api/sources.py

@@ -179,10 +179,13 @@ class UserSourceConnectionSerializer(SourceSerializer):
             "user",
             "source",
             "source_obj",
+            "identifier",
             "created",
+            "last_updated",
         ]
         extra_kwargs = {
             "created": {"read_only": True},
+            "last_updated": {"read_only": True},
         }
 
 
@@ -199,7 +202,7 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     filterset_fields = ["user", "source__slug"]
-    search_fields = ["source__slug"]
+    search_fields = ["user__username", "source__slug", "identifier"]
     ordering = ["source__slug", "pk"]
     owner_field = "user"
 
@@ -218,9 +221,11 @@ class GroupSourceConnectionSerializer(SourceSerializer):
             "source_obj",
             "identifier",
             "created",
+            "last_updated",
         ]
         extra_kwargs = {
             "created": {"read_only": True},
+            "last_updated": {"read_only": True},
         }
 
 
@@ -237,6 +242,5 @@ class GroupSourceConnectionViewSet(
     queryset = GroupSourceConnection.objects.all()
     serializer_class = GroupSourceConnectionSerializer
     filterset_fields = ["group", "source__slug"]
-    search_fields = ["source__slug"]
+    search_fields = ["group__name", "source__slug", "identifier"]
     ordering = ["source__slug", "pk"]
-    owner_field = "user"

authentik/core/api/users.py

@@ -1,14 +1,11 @@
 """User API Views"""
 
 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any
 
-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@@ -72,8 +69,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_PATH_SERVICE_ACCOUNT,
-    AuthenticatedSession,
     Group,
+    Session,
     Token,
     TokenIntents,
     User,
@@ -92,7 +89,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
 
 
 class UserGroupSerializer(ModelSerializer):
@@ -228,6 +224,7 @@ class UserSerializer(ModelSerializer):
             "name",
             "is_active",
             "last_login",
+            "date_joined",
             "is_superuser",
             "groups",
             "groups_obj",
@@ -242,6 +239,7 @@ class UserSerializer(ModelSerializer):
         ]
         extra_kwargs = {
             "name": {"allow_blank": True},
+            "date_joined": {"read_only": True},
             "password_change_date": {"read_only": True},
         }
 
@@ -774,10 +772,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         response = super().partial_update(request, *args, **kwargs)
         instance: User = self.get_object()
         if not instance.is_active:
-            sessions = AuthenticatedSession.objects.filter(user=instance)
-            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
-            sessions.delete()
+            Session.objects.filter(authenticatedsession__user=instance).delete()
             LOGGER.debug("Deleted user's sessions", user=instance.username)
         return response

authentik/core/auth.py

@@ -24,6 +24,15 @@ class InbuiltBackend(ModelBackend):
         self.set_method("password", request)
         return user
 
+    async def aauthenticate(
+        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+    ) -> User | None:
+        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
+        if not user:
+            return None
+        self.set_method("password", request)
+        return user
+
     def set_method(self, method: str, request: HttpRequest | None, **kwargs):
         """Set method data on current flow, if possbiel"""
         if not request:

authentik/core/management/commands/clearsessions.py

@@ -0,0 +1,15 @@
+"""Change user type"""
+
+from importlib import import_module
+
+from django.conf import settings
+
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Delete all sessions"""
+
+    def handle_per_tenant(self, **options):
+        engine = import_module(settings.SESSION_ENGINE)
+        engine.SessionStore.clear_expired()

authentik/core/middleware.py

@@ -2,9 +2,14 @@
 
 from collections.abc import Callable
 from contextvars import ContextVar
+from functools import partial
 from uuid import uuid4
 
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
+from django.utils.deprecation import MiddlewareMixin
+from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@@ -20,6 +25,40 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)
 
 
+def get_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+async def aget_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (
+            authenticated_session := await request.session.aget("authenticatedsession", None)
+        ) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+class AuthenticationMiddleware(MiddlewareMixin):
+    def process_request(self, request):
+        if not hasattr(request, "session"):
+            raise ImproperlyConfigured(
+                "The Django authentication middleware requires session "
+                "middleware to be installed. Edit your MIDDLEWARE setting to "
+                "insert "
+                "'authentik.root.middleware.SessionMiddleware' before "
+                "'authentik.core.middleware.AuthenticationMiddleware'."
+            )
+        request.user = SimpleLazyObject(lambda: get_user(request))
+        request.auser = partial(aget_user, request)
+
+
 class ImpersonateMiddleware:
     """Middleware to impersonate users"""
 

authentik/core/migrations/0044_usersourceconnection_new_identifier.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.13 on 2025-04-07 14:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0043_alter_group_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="usersourceconnection",
+            name="new_identifier",
+            field=models.TextField(default=""),
+            preserve_default=False,
+        ),
+    ]

authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py

@@ -0,0 +1,30 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+        ("authentik_sources_kerberos", "0003_migrate_userkerberossourceconnection_identifier"),
+        ("authentik_sources_oauth", "0009_migrate_useroauthsourceconnection_identifier"),
+        ("authentik_sources_plex", "0005_migrate_userplexsourceconnection_identifier"),
+        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="usersourceconnection",
+            old_name="new_identifier",
+            new_name="identifier",
+        ),
+        migrations.AddIndex(
+            model_name="usersourceconnection",
+            index=models.Index(fields=["identifier"], name="authentik_c_identif_59226f_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="usersourceconnection",
+            index=models.Index(
+                fields=["source", "identifier"], name="authentik_c_source__649e04_idx"
+            ),
+        ),
+    ]

authentik/core/migrations/0046_session_and_more.py

@@ -0,0 +1,238 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:58
+
+import uuid
+import pickle  # nosec
+from django.core import signing
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.db import migrations, models
+import django.db.models.deletion
+from django.conf import settings
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.utils.timezone import now, timedelta
+from authentik.lib.migrations import progress_bar
+from authentik.root.middleware import ClientIPMiddleware
+
+
+SESSION_CACHE_ALIAS = "default"
+
+
+class PickleSerializer:
+    """
+    Simple wrapper around pickle to be used in signing.dumps()/loads() and
+    cache backends.
+    """
+
+    def __init__(self, protocol=None):
+        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
+
+    def dumps(self, obj):
+        """Pickle data to be stored in redis"""
+        return pickle.dumps(obj, self.protocol)
+
+    def loads(self, data):
+        """Unpickle data to be loaded from redis"""
+        return pickle.loads(data)  # nosec
+
+
+def _migrate_session(
+    apps,
+    db_alias,
+    session_key,
+    session_data,
+    expires,
+):
+    Session = apps.get_model("authentik_core", "Session")
+    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+
+    old_auth_session = (
+        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
+    )
+
+    args = {
+        "session_key": session_key,
+        "expires": expires,
+        "last_ip": ClientIPMiddleware.default_ip,
+        "last_user_agent": "",
+        "session_data": {},
+    }
+    for k, v in session_data.items():
+        if k == "authentik/stages/user_login/last_ip":
+            args["last_ip"] = v
+        elif k in ["last_user_agent", "last_used"]:
+            args[k] = v
+        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
+            pass
+        else:
+            args["session_data"][k] = v
+    if old_auth_session:
+        args["last_user_agent"] = old_auth_session.last_user_agent
+        args["last_used"] = old_auth_session.last_used
+
+    args["session_data"] = pickle.dumps(args["session_data"])
+    session = Session.objects.using(db_alias).create(**args)
+
+    if old_auth_session:
+        AuthenticatedSession.objects.using(db_alias).create(
+            session=session,
+            user=old_auth_session.user,
+        )
+
+
+def migrate_redis_sessions(apps, schema_editor):
+    from django.core.cache import caches
+
+    db_alias = schema_editor.connection.alias
+    cache = caches[SESSION_CACHE_ALIAS]
+
+    # Not a redis cache, skipping
+    if not hasattr(cache, "keys"):
+        return
+
+    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
+    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=key.removeprefix(KEY_PREFIX),
+            session_data=session_data,
+            expires=now() + timedelta(seconds=cache.ttl(key)),
+        )
+
+
+def migrate_database_sessions(apps, schema_editor):
+    DjangoSession = apps.get_model("sessions", "Session")
+    db_alias = schema_editor.connection.alias
+
+    print("\nMigration database sessions, this might take a couple of minutes...")
+    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
+        session_data = signing.loads(
+            django_session.session_data,
+            salt="django.contrib.sessions.SessionStore",
+            serializer=PickleSerializer,
+        )
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=django_session.session_key,
+            session_data=session_data,
+            expires=django_session.expire_date,
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("sessions", "0001_initial"),
+        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+    ]
+
+    operations = [
+        # Rename AuthenticatedSession to OldAuthenticatedSession
+        migrations.RenameModel(
+            old_name="AuthenticatedSession",
+            new_name="OldAuthenticatedSession",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expires_cf4f72_idx",
+            old_name="authentik_c_expires_08251d_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_c1f17f_idx",
+            old_name="authentik_c_expirin_9cd839_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_e04f5d_idx",
+            old_name="authentik_c_expirin_195a84_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_session_a44819_idx",
+            old_name="authentik_c_session_d0f005_idx",
+        ),
+        migrations.RunSQL(
+            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
+            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
+        ),
+        # Create new Session and AuthenticatedSession models
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                (
+                    "session_key",
+                    models.CharField(
+                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
+                    ),
+                ),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                ("session_data", models.BinaryField(verbose_name="session data")),
+                ("last_ip", models.GenericIPAddressField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+            ],
+            options={
+                "default_permissions": [],
+                "verbose_name": "Session",
+                "verbose_name_plural": "Sessions",
+            },
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
+            ),
+        ),
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "session",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.session",
+                    ),
+                ),
+                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Authenticated Session",
+                "verbose_name_plural": "Authenticated Sessions",
+            },
+        ),
+        migrations.RunPython(
+            code=migrate_redis_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            code=migrate_database_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]

authentik/core/migrations/0047_delete_oldauthenticatedsession.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0046_session_and_more"),
+        ("authentik_providers_rac", "0007_migrate_session"),
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="OldAuthenticatedSession",
+        ),
+    ]

authentik/core/models.py

@@ -1,6 +1,7 @@
 """authentik core models"""
 
 from datetime import datetime
+from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@@ -9,6 +10,7 @@ from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
+from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@@ -646,19 +648,30 @@ class SourceUserMatchingModes(models.TextChoices):
     """Different modes a source can handle new/returning users"""
 
     IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = "email_link", _(
-        "Link to a user with identical email address. Can have security implications "
-        "when a source doesn't validate email addresses."
+    EMAIL_LINK = (
+        "email_link",
+        _(
+            "Link to a user with identical email address. Can have security implications "
+            "when a source doesn't validate email addresses."
+        ),
     )
-    EMAIL_DENY = "email_deny", _(
-        "Use the user's email address, but deny enrollment when the email address already exists."
+    EMAIL_DENY = (
+        "email_deny",
+        _(
+            "Use the user's email address, but deny enrollment when the email address already "
+            "exists."
+        ),
     )
-    USERNAME_LINK = "username_link", _(
-        "Link to a user with identical username. Can have security implications "
-        "when a username is used with another source."
+    USERNAME_LINK = (
+        "username_link",
+        _(
+            "Link to a user with identical username. Can have security implications "
+            "when a username is used with another source."
+        ),
     )
-    USERNAME_DENY = "username_deny", _(
-        "Use the user's username, but deny enrollment when the username already exists."
+    USERNAME_DENY = (
+        "username_deny",
+        _("Use the user's username, but deny enrollment when the username already exists."),
     )
 
 
@@ -666,12 +679,16 @@ class SourceGroupMatchingModes(models.TextChoices):
     """Different modes a source can handle new/returning groups"""
 
     IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = "name_link", _(
-        "Link to a group with identical name. Can have security implications "
-        "when a group name is used with another source."
+    NAME_LINK = (
+        "name_link",
+        _(
+            "Link to a group with identical name. Can have security implications "
+            "when a group name is used with another source."
+        ),
     )
-    NAME_DENY = "name_deny", _(
-        "Use the group name, but deny enrollment when the name already exists."
+    NAME_DENY = (
+        "name_deny",
+        _("Use the group name, but deny enrollment when the name already exists."),
     )
 
 
@@ -730,8 +747,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         choices=SourceGroupMatchingModes.choices,
         default=SourceGroupMatchingModes.IDENTIFIER,
         help_text=_(
-            "How the source determines if an existing group should be used or "
-            "a new group created."
+            "How the source determines if an existing group should be used or a new group created."
         ),
     )
 
@@ -824,6 +840,7 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
 
     user = models.ForeignKey(User, on_delete=models.CASCADE)
     source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()
 
     objects = InheritanceManager()
 
@@ -837,6 +854,10 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
 
     class Meta:
         unique_together = (("user", "source"),)
+        indexes = (
+            models.Index(fields=("identifier",)),
+            models.Index(fields=("source", "identifier")),
+        )
 
 
 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
@@ -1007,45 +1028,75 @@ class PropertyMapping(SerializerModel, ManagedModel):
         verbose_name_plural = _("Property Mappings")
 
 
-class AuthenticatedSession(ExpiringModel):
-    """Additional session class for authenticated users. Augments the standard django session
-    to achieve the following:
-        - Make it queryable by user
-        - Have a direct connection to user objects
-        - Allow users to view their own sessions and terminate them
-        - Save structured and well-defined information.
-    """
+class Session(ExpiringModel, AbstractBaseSession):
+    """User session with extra fields for fast access"""
 
-    uuid = models.UUIDField(default=uuid4, primary_key=True)
+    # Remove upstream field because we're using our own ExpiringModel
+    expire_date = None
+    session_data = models.BinaryField(_("session data"))
 
-    session_key = models.CharField(max_length=40)
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-
-    last_ip = models.TextField()
+    # Keep in sync with Session.Keys
+    last_ip = models.GenericIPAddressField()
     last_user_agent = models.TextField(blank=True)
     last_used = models.DateTimeField(auto_now=True)
 
+    class Meta:
+        verbose_name = _("Session")
+        verbose_name_plural = _("Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["expires", "session_key"]),
+        ]
+        default_permissions = []
+
+    def __str__(self):
+        return self.session_key
+
+    class Keys(StrEnum):
+        """
+        Keys to be set with the session interface for the fields above to be updated.
+
+        If a field is added here that needs to be initialized when the session is initialized,
+        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
+        and in authentik.core.sessions.SessionStore.__init__
+        """
+
+        LAST_IP = "last_ip"
+        LAST_USER_AGENT = "last_user_agent"
+        LAST_USED = "last_used"
+
+    @classmethod
+    def get_session_store_class(cls):
+        from authentik.core.sessions import SessionStore
+
+        return SessionStore
+
+    def get_decoded(self):
+        raise NotImplementedError
+
+
+class AuthenticatedSession(SerializerModel):
+    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
+    # We use the session as primary key, but we need the API to be able to reference
+    # this object uniquely without exposing the session key
+    uuid = models.UUIDField(default=uuid4, unique=True)
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
     class Meta:
         verbose_name = _("Authenticated Session")
         verbose_name_plural = _("Authenticated Sessions")
-        indexes = ExpiringModel.Meta.indexes + [
-            models.Index(fields=["session_key"]),
-        ]
 
     def __str__(self) -> str:
-        return f"Authenticated Session {self.session_key[:10]}"
+        return f"Authenticated Session {str(self.pk)[:10]}"
 
     @staticmethod
     def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
         """Create a new session from a http request"""
-        from authentik.root.middleware import ClientIPMiddleware
-
-        if not hasattr(request, "session") or not request.session.session_key:
+        if not hasattr(request, "session") or not request.session.exists(
+            request.session.session_key
+        ):
             return None
         return AuthenticatedSession(
-            session_key=request.session.session_key,
+            session=Session.objects.filter(session_key=request.session.session_key).first(),
             user=user,
-            last_ip=ClientIPMiddleware.get_client_ip(request),
-            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
-            expires=request.session.get_expiry_date(),
         )

authentik/core/sessions.py

@@ -0,0 +1,168 @@
+"""authentik sessions engine"""
+
+import pickle  # nosec
+
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.contrib.sessions.backends.db import SessionStore as SessionBase
+from django.core.exceptions import SuspiciousOperation
+from django.utils import timezone
+from django.utils.functional import cached_property
+from structlog.stdlib import get_logger
+
+from authentik.root.middleware import ClientIPMiddleware
+
+LOGGER = get_logger()
+
+
+class SessionStore(SessionBase):
+    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
+        super().__init__(session_key)
+        self._create_kwargs = {
+            "last_ip": last_ip or ClientIPMiddleware.default_ip,
+            "last_user_agent": last_user_agent,
+        }
+
+    @classmethod
+    def get_model_class(cls):
+        from authentik.core.models import Session
+
+        return Session
+
+    @cached_property
+    def model_fields(self):
+        return [k.value for k in self.model.Keys]
+
+    def _get_session_from_db(self):
+        try:
+            return (
+                self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .get(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    async def _aget_session_from_db(self):
+        try:
+            return (
+                await self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .aget(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    def encode(self, session_dict):
+        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
+
+    def decode(self, session_data):
+        try:
+            return pickle.loads(session_data)  # nosec
+        except pickle.PickleError:
+            # ValueError, unpickling exceptions. If any of these happen, just return an empty
+            # dictionary (an empty session)
+            pass
+        return {}
+
+    def load(self):
+        s = self._get_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    async def aload(self):
+        s = await self._aget_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    def create_model_instance(self, data):
+        args = {
+            "session_key": self._get_or_create_session_key(),
+            "expires": self.get_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    async def acreate_model_instance(self, data):
+        args = {
+            "session_key": await self._aget_or_create_session_key(),
+            "expires": await self.aget_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    @classmethod
+    def clear_expired(cls):
+        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
+
+    @classmethod
+    async def aclear_expired(cls):
+        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
+
+    def cycle_key(self):
+        data = self._session
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        if key:
+            self.delete(key)
+        if (authenticated_session := data.get("authenticatedsession")) is not None:
+            authenticated_session.session_id = self.session_key
+            authenticated_session.save(force_insert=True)

authentik/core/signals.py

@@ -1,14 +1,10 @@
 """authentik core signals"""
 
-from importlib import import_module
-
-from django.conf import settings
-from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@@ -18,6 +14,7 @@ from authentik.core.models import (
     AuthenticatedSession,
     BackchannelProvider,
     ExpiringModel,
+    Session,
     User,
     default_token_duration,
 )
@@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()
 
 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore
 
 
 @receiver(post_save, sender=Application)
@@ -53,18 +49,10 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
         session.save()
 
 
-@receiver(user_logged_out)
-def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
-    """Delete AuthenticatedSession if it exists"""
-    if not request.session or not request.session.session_key:
-        return
-    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
+@receiver(post_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
     """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    Session.objects.filter(session_key=instance.pk).delete()
 
 
 @receiver(pre_save)

authentik/core/sources/flow_manager.py

@@ -36,7 +36,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@@ -210,8 +209,6 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
         flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set

authentik/core/tasks.py

@@ -2,22 +2,16 @@
 
 from datetime import datetime, timedelta
 
-from django.conf import ImproperlyConfigured
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
-from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger
 
 from authentik.core.models import (
     USER_ATTRIBUTE_EXPIRES,
     USER_ATTRIBUTE_GENERATED,
-    AuthenticatedSession,
     ExpiringModel,
     User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -38,40 +32,6 @@ def clean_expired_models(self: SystemTask):
             obj.expire_action()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
-    # Special case
-    amount = 0
-
-    for session in AuthenticatedSession.objects.all():
-        match CONFIG.get("session_storage", "cache"):
-            case "cache":
-                cache_key = f"{KEY_PREFIX}{session.session_key}"
-                value = None
-                try:
-                    value = cache.get(cache_key)
-
-                except Exception as exc:
-                    LOGGER.debug("Failed to get session from cache", exc=exc)
-                if not value:
-                    session.delete()
-                    amount += 1
-            case "db":
-                if not (
-                    DBSessionStore.get_model_class()
-                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
-                    .exists()
-                ):
-                    session.delete()
-                    amount += 1
-            case _:
-                # Should never happen, as we check for other values in authentik/root/settings.py
-                raise ImproperlyConfigured(
-                    "Invalid session_storage setting, allowed values are db and cache"
-                )
-    if CONFIG.get("session_storage", "cache") == "db":
-        DBSessionStore.clear_expired()
-    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
-
-    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
     self.set_status(TaskStatus.SUCCESSFUL, *messages)
 
 

authentik/core/tests/test_authenticated_sessions_api.py

@@ -5,7 +5,7 @@ from json import loads
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, Session, User
 from authentik.core.tests.utils import create_test_admin_user
 
 
@@ -30,3 +30,18 @@ class TestAuthenticatedSessionsAPI(APITestCase):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content.decode())
         self.assertEqual(body["pagination"]["count"], 1)
+
+    def test_delete(self):
+        """Test deletion"""
+        self.client.force_login(self.user)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 1)
+        self.assertEqual(Session.objects.all().count(), 1)
+        response = self.client.delete(
+            reverse(
+                "authentik_api:authenticatedsession-detail",
+                kwargs={"uuid": AuthenticatedSession.objects.first().uuid},
+            )
+        )
+        self.assertEqual(response.status_code, 204)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 0)
+        self.assertEqual(Session.objects.all().count(), 0)

authentik/core/tests/test_users_api.py

@@ -3,8 +3,6 @@
 from datetime import datetime
 from json import loads
 
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
@@ -12,6 +10,7 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
+    Session,
     Token,
     User,
     UserTypes,
@@ -381,12 +380,15 @@ class TestUsersAPI(APITestCase):
         """Ensure sessions are deleted when a user is deactivated"""
         user = create_test_admin_user()
         session_id = generate_id()
-        AuthenticatedSession.objects.create(
-            user=user,
+        session = Session.objects.create(
             session_key=session_id,
-            last_ip="",
+            last_ip="255.255.255.255",
+            last_user_agent="",
+        )
+        AuthenticatedSession.objects.create(
+            session=session,
+            user=user,
         )
-        cache.set(KEY_PREFIX + session_id, "foo")
 
         self.client.force_login(self.admin)
         response = self.client.patch(
@@ -397,5 +399,7 @@ class TestUsersAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
+        self.assertFalse(Session.objects.filter(session_key=session_id).exists())
+        self.assertFalse(
+            AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
+        )

authentik/core/urls.py

@@ -1,7 +1,5 @@
 """authentik URL Configuration"""
 
-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@@ -13,7 +11,11 @@ from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.property_mappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
-from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
+from authentik.core.api.sources import (
+    GroupSourceConnectionViewSet,
+    SourceViewSet,
+    UserSourceConnectionViewSet,
+)
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
@@ -25,7 +27,7 @@ from authentik.core.views.interface import (
     RootRedirectView,
 )
 from authentik.flows.views.interface import FlowInterfaceView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
 
@@ -81,6 +83,7 @@ api_urlpatterns = [
     ("core/tokens", TokenViewSet),
     ("sources/all", SourceViewSet),
     ("sources/user_connections/all", UserSourceConnectionViewSet),
+    ("sources/group_connections/all", GroupSourceConnectionViewSet),
     ("providers/all", ProviderViewSet),
     ("propertymappings/all", PropertyMappingViewSet),
     ("authenticators/all", DeviceViewSet, "device"),
@@ -94,9 +97,7 @@ api_urlpatterns = [
 websocket_urlpatterns = [
     path(
         "ws/client/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
     ),
 ]
 

authentik/enterprise/providers/ssf/signals.py

@@ -102,7 +102,7 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
             "format": "complex",
             "session": {
                 "format": "opaque",
-                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
+                "id": sha256(instance.session.session_key.encode("ascii")).hexdigest(),
             },
             "user": {
                 "format": "email",

authentik/events/signals.py

@@ -59,7 +59,7 @@ def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | Non
         session = request_or_session.session
     if isinstance(request_or_session, AuthenticatedSession):
         SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session_key)
+        session = SessionStore(request_or_session.session.session_key)
     return session.get(SESSION_LOGIN_EVENT, None)
 
 

authentik/lib/expression/evaluator.py

@@ -18,7 +18,7 @@ from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
@@ -203,9 +203,7 @@ class BaseEvaluator:
             provider = OAuth2Provider.objects.get(name=provider)
         session = None
         if hasattr(request, "session") and request.session.session_key:
-            session = AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first()
+            session = request.session["authenticatedsession"]
         access_token = AccessToken(
             provider=provider,
             user=user,

authentik/policies/reputation/signals.py

@@ -2,7 +2,6 @@
 
 from django.contrib.auth.signals import user_logged_in
 from django.db import transaction
-from django.db.models import F
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
@@ -13,20 +12,29 @@ from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.policies.reputation.models import Reputation, reputation_expiry
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.identification.signals import identification_failed
+from authentik.tenants.utils import get_current_tenant
 
 LOGGER = get_logger()
 
 
+def clamp(value, min, max):
+    return sorted([min, value, max])[1]
+
+
 def update_score(request: HttpRequest, identifier: str, amount: int):
     """Update score for IP and User"""
     remote_ip = ClientIPMiddleware.get_client_ip(request)
+    tenant = get_current_tenant()
+    new_score = clamp(amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit)
 
     with transaction.atomic():
         reputation, created = Reputation.objects.select_for_update().get_or_create(
             ip=remote_ip,
             identifier=identifier,
             defaults={
-                "score": amount,
+                "score": clamp(
+                    amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit
+                ),
                 "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
                 "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
                 "expires": reputation_expiry(),
@@ -34,9 +42,15 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
         )
 
         if not created:
-            reputation.score = F("score") + amount
+            new_score = clamp(
+                reputation.score + amount,
+                tenant.reputation_lower_limit,
+                tenant.reputation_upper_limit,
+            )
+            reputation.score = new_score
             reputation.save()
-    LOGGER.info("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
+
+    LOGGER.info("Updated score", amount=new_score, for_user=identifier, for_ip=remote_ip)
 
 
 @receiver(login_failed)

authentik/policies/reputation/tests.py

@@ -6,9 +6,11 @@ from authentik.core.models import User
 from authentik.lib.generators import generate_id
 from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
+from authentik.policies.reputation.signals import update_score
 from authentik.policies.types import PolicyRequest
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import authenticate
+from authentik.tenants.models import DEFAULT_REPUTATION_LOWER_LIMIT, DEFAULT_REPUTATION_UPPER_LIMIT
 
 
 class TestReputationPolicy(TestCase):
@@ -17,36 +19,48 @@ class TestReputationPolicy(TestCase):
     def setUp(self):
         self.request_factory = RequestFactory()
         self.request = self.request_factory.get("/")
-        self.test_ip = "127.0.0.1"
-        self.test_username = "test"
+        self.ip = "127.0.0.1"
+        self.username = "username"
+        self.password = generate_id()
         # We need a user for the one-to-one in userreputation
-        self.user = User.objects.create(username=self.test_username)
+        self.user = User.objects.create(username=self.username)
+        self.user.set_password(self.password)
         self.backends = [BACKEND_INBUILT]
 
     def test_ip_reputation(self):
         """test IP reputation"""
         # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(ip=self.ip).score, -1)
 
     def test_user_reputation(self):
         """test User reputation"""
         # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, -1)
 
     def test_update_reputation(self):
         """test reputation update"""
-        Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
+        Reputation.objects.create(identifier=self.username, ip=self.ip, score=4)
         # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, 3)
+
+    def test_reputation_lower_limit(self):
+        """test reputation lower limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=-1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_LOWER_LIMIT
+        )
+
+    def test_reputation_upper_limit(self):
+        """test reputation upper limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_UPPER_LIMIT
         )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)
 
     def test_policy(self):
         """Test Policy"""

authentik/providers/oauth2/id_token.py

@@ -126,7 +126,7 @@ class IDToken:
         id_token.iat = int(now.timestamp())
         id_token.auth_time = int(token.auth_time.timestamp())
         if token.session:
-            id_token.sid = hash_session_key(token.session.session_key)
+            id_token.sid = hash_session_key(token.session.session.session_key)
 
         # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
         auth_event = get_login_event(token.session)

authentik/providers/oauth2/migrations/0028_migrate_session.py

@@ -0,0 +1,116 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:00
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+from functools import partial
+
+
+def migrate_sessions(apps, schema_editor, model):
+    Model = apps.get_model("authentik_providers_oauth2", model)
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for obj in Model.objects.using(db_alias).all():
+        if not obj.old_session:
+            continue
+        obj.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session__session_key=obj.old_session.session_key)
+            .first()
+        )
+        if obj.session:
+            obj.save()
+        else:
+            obj.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="accesstoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="authorizationcode",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="devicetoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="refreshtoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="devicetoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=partial(migrate_sessions, model="AccessToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="AuthorizationCode")),
+        migrations.RunPython(code=partial(migrate_sessions, model="DeviceToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="RefreshToken")),
+        migrations.RemoveField(
+            model_name="accesstoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="authorizationcode",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="devicetoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="refreshtoken",
+            name="old_session",
+        ),
+    ]

authentik/providers/oauth2/signals.py

@@ -1,18 +1,30 @@
 from django.contrib.auth.signals import user_logged_out
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken
 
 
 @receiver(user_logged_out)
-def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
-    """Revoke access tokens upon user logout"""
+def user_logged_out_oauth_tokens_removal(sender, request: HttpRequest, user: User, **_):
+    """Revoke tokens upon user logout"""
     if not request.session or not request.session.session_key:
         return
-    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
+    AccessToken.objects.filter(
+        user=user,
+        session__session__session_key=request.session.session_key,
+    ).delete()
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted_oauth_tokens_removal(sender, instance: AuthenticatedSession, **_):
+    """Revoke tokens upon user logout"""
+    AccessToken.objects.filter(
+        user=instance.user,
+        session__session__session_key=instance.session.session_key,
+    ).delete()
 
 
 @receiver(post_save, sender=User)
@@ -20,6 +32,6 @@ def user_deactivated(sender, instance: User, **_):
     """Remove user tokens when deactivated"""
     if instance.is_active:
         return
-    AccessToken.objects.filter(session__user=instance).delete()
-    RefreshToken.objects.filter(session__user=instance).delete()
-    DeviceToken.objects.filter(session__user=instance).delete()
+    AccessToken.objects.filter(user=instance).delete()
+    RefreshToken.objects.filter(user=instance).delete()
+    DeviceToken.objects.filter(user=instance).delete()

authentik/providers/oauth2/tests/test_revoke.py

@@ -7,12 +7,13 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 
-from authentik.core.models import Application
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
     AccessToken,
     ClientTypes,
+    DeviceToken,
     IDToken,
     OAuth2Provider,
     RedirectURI,
@@ -20,6 +21,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.root.middleware import ClientIPMiddleware
 
 
 class TesOAuth2Revoke(OAuthTestCase):
@@ -135,3 +137,86 @@ class TesOAuth2Revoke(OAuthTestCase):
             },
         )
         self.assertEqual(res.status_code, 200)
+
+    def test_revoke_logout(self):
+        """Test revoke on logout"""
+        self.client.force_login(self.user)
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=self.client.session["authenticatedsession"],
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        self.client.logout()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_session_delete(self):
+        """Test revoke on logout"""
+        session = AuthenticatedSession.objects.create(
+            session=Session.objects.create(
+                session_key=generate_id(),
+                last_ip=ClientIPMiddleware.default_ip,
+            ),
+            user=self.user,
+        )
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=session,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        session.delete()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_user_deactivated(self):
+        """Test revoke on logout"""
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        RefreshToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        DeviceToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            _scope="openid user profile",
+        )
+
+        self.user.is_active = False
+        self.user.save()
+
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+        self.assertEqual(RefreshToken.objects.all().count(), 0)
+        self.assertEqual(DeviceToken.objects.all().count(), 0)

authentik/providers/oauth2/views/authorize.py

@@ -15,7 +15,7 @@ from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
 from authentik.flows.challenge import (
@@ -316,9 +316,7 @@ class OAuthAuthorizationParams:
             expires=now + timedelta_from_string(self.provider.access_code_validity),
             scope=self.scope,
             nonce=self.nonce,
-            session=AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first(),
+            session=request.session["authenticatedsession"],
         )
 
         if self.code_challenge and self.code_challenge_method:
@@ -615,9 +613,7 @@ class OAuthFulfillmentStage(StageView):
             expires=access_token_expiry,
             provider=self.provider,
             auth_time=auth_event.created if auth_event else now,
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
         )
 
         id_token = IDToken.new(self.provider, token, self.request)

authentik/providers/proxy/signals.py

@@ -20,4 +20,4 @@ def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
 @receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
     """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.delay(instance.session_key)
+    proxy_on_logout.delay(instance.session.session_key)

authentik/providers/rac/migrations/0007_migrate_session.py

@@ -0,0 +1,60 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:59
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+def migrate_sessions(apps, schema_editor):
+    ConnectionToken = apps.get_model("authentik_providers_rac", "ConnectionToken")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for token in ConnectionToken.objects.using(db_alias).all():
+        token.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session_key=token.old_session.session_key)
+            .first()
+        )
+        if token.session:
+            token.save()
+        else:
+            token.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="connectiontoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=migrate_sessions),
+        migrations.AlterField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RemoveField(
+            model_name="connectiontoken",
+            name="old_session",
+        ),
+    ]

authentik/providers/rac/signals.py

@@ -8,7 +8,7 @@ from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 
-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
 from authentik.providers.rac.consumer_client import (
     RAC_CLIENT_GROUP_SESSION,
@@ -32,6 +32,18 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     )
 
 
+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted(sender, instance: AuthenticatedSession, **_):
+    layer = get_channel_layer()
+    async_to_sync(layer.group_send)(
+        RAC_CLIENT_GROUP_SESSION
+        % {
+            "session": instance.session.session_key,
+        },
+        {"type": "event.disconnect", "reason": "session_logout"},
+    )
+
+
 @receiver(pre_delete, sender=ConnectionToken)
 def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **_):
     """Disconnect session when connection token is deleted"""

authentik/providers/rac/tests/test_models.py

@@ -2,7 +2,7 @@
 
 from django.test import TransactionTestCase
 
-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.providers.rac.models import (
@@ -36,13 +36,15 @@ class TestModels(TransactionTestCase):
 
     def test_settings_merge(self):
         """Test settings merge"""
+        session = Session.objects.create(
+            session_key=generate_id(),
+            last_ip="255.255.255.255",
+        )
+        auth_session = AuthenticatedSession.objects.create(session=session, user=self.user)
         token = ConnectionToken.objects.create(
             provider=self.provider,
             endpoint=self.endpoint,
-            session=AuthenticatedSession.objects.create(
-                user=self.user,
-                session_key=generate_id(),
-            ),
+            session=auth_session,
         )
         path = f"/tmp/connection/{token.token}"  # nosec
         self.assertEqual(

authentik/providers/rac/urls.py

@@ -1,7 +1,5 @@
 """rac urls"""
 
-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.urls import path
 
 from authentik.outposts.channels import TokenOutpostMiddleware
@@ -12,7 +10,7 @@ from authentik.providers.rac.api.providers import RACProviderViewSet
 from authentik.providers.rac.consumer_client import RACClientConsumer
 from authentik.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.providers.rac.views import RACInterface, RACStartView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.middleware import ChannelsLoggingMiddleware
 
 urlpatterns = [
@@ -31,9 +29,7 @@ urlpatterns = [
 websocket_urlpatterns = [
     path(
         "ws/rac/<str:token>/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(RACClientConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(RACClientConsumer.as_asgi())),
     ),
     path(
         "ws/outpost_rac/<str:channel>/",

authentik/providers/rac/views.py

@@ -8,7 +8,7 @@ from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 
-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.core.views.interface import InterfaceView
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import RedirectChallenge
@@ -113,9 +113,7 @@ class RACFinalStage(RedirectStage):
             provider=self.provider,
             endpoint=self.endpoint,
             settings=self.executor.plan.context.get("connection_settings", {}),
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
             expires=now() + timedelta_from_string(self.provider.connection_expiry),
             expiring=True,
         )

authentik/recovery/tests.py

@@ -50,7 +50,7 @@ class TestRecovery(TestCase):
         )
         token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
         self.client.get(reverse("authentik_recovery:use-token", kwargs={"key": token.key}))
-        self.assertEqual(int(self.client.session["_auth_user_id"]), token.user.pk)
+        self.assertEqual(self.client.session["authenticatedsession"].user.pk, token.user.pk)
 
     def test_recovery_view_invalid(self):
         """Test recovery view with invalid token"""

authentik/root/asgi_middleware.py

@@ -1,8 +1,12 @@
 """ASGI middleware"""
 
+from channels.auth import UserLazyObject
 from channels.db import database_sync_to_async
+from channels.middleware import BaseMiddleware
+from channels.sessions import CookieMiddleware
 from channels.sessions import InstanceSessionWrapper as UpstreamInstanceSessionWrapper
 from channels.sessions import SessionMiddleware as UpstreamSessionMiddleware
+from django.contrib.auth.models import AnonymousUser
 
 from authentik.root.middleware import SessionMiddleware as HTTPSessionMiddleware
 
@@ -33,3 +37,48 @@ class SessionMiddleware(UpstreamSessionMiddleware):
         await wrapper.resolve_session()
 
         return await self.inner(wrapper.scope, receive, wrapper.send)
+
+
+@database_sync_to_async
+def get_user(scope):
+    """
+    Return the user model instance associated with the given scope.
+    If no user is retrieved, return an instance of `AnonymousUser`.
+    """
+    if "session" not in scope:
+        raise ValueError(
+            "Cannot find session in scope. You should wrap your consumer in SessionMiddleware."
+        )
+    user = None
+    if (authenticated_session := scope["session"].get("authenticated_session", None)) is not None:
+        user = authenticated_session.user
+    return user or AnonymousUser()
+
+
+class AuthMiddleware(BaseMiddleware):
+    def populate_scope(self, scope):
+        # Make sure we have a session
+        if "session" not in scope:
+            raise ValueError(
+                "AuthMiddleware cannot find session in scope. SessionMiddleware must be above it."
+            )
+        # Add it to the scope if it's not there already
+        if "user" not in scope:
+            scope["user"] = UserLazyObject()
+
+    async def resolve_scope(self, scope):
+        scope["user"]._wrapped = await get_user(scope)
+
+    async def __call__(self, scope, receive, send):
+        scope = dict(scope)
+        # Scope injection/mutation per this middleware's needs.
+        self.populate_scope(scope)
+        # Grab the finalized/resolved scope
+        await self.resolve_scope(scope)
+
+        return await super().__call__(scope, receive, send)
+
+
+# Handy shortcut for applying all three layers at once
+def AuthMiddlewareStack(inner):
+    return CookieMiddleware(SessionMiddleware(AuthMiddleware(inner)))

authentik/root/middleware.py

@@ -49,7 +49,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
         return False
 
     @staticmethod
-    def decode_session_key(key: str) -> str:
+    def decode_session_key(key: str | None) -> str | None:
         """Decode raw session cookie, and parse JWT"""
         # We need to support the standard django format of just a session key
         # for testing setups, where the session is directly set
@@ -64,7 +64,11 @@ class SessionMiddleware(UpstreamSessionMiddleware):
     def process_request(self, request: HttpRequest):
         raw_session = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         session_key = SessionMiddleware.decode_session_key(raw_session)
-        request.session = self.SessionStore(session_key)
+        request.session = self.SessionStore(
+            session_key,
+            last_ip=ClientIPMiddleware.get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+        )
 
     def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse:
         """

authentik/root/sessions/pickle.py

@@ -1,23 +0,0 @@
-"""
-Module for abstract serializer/unserializer base classes.
-"""
-
-import pickle  # nosec
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec

authentik/root/settings.py

@@ -7,7 +7,6 @@ from pathlib import Path
 
 import orjson
 from celery.schedules import crontab
-from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace
 
@@ -43,7 +42,6 @@ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
 
 AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
     BACKEND_INBUILT,
     BACKEND_APP_PASSWORD,
     BACKEND_LDAP,
@@ -229,17 +227,7 @@ CACHES = {
 DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
-match CONFIG.get("session_storage", "cache"):
-    case "cache":
-        SESSION_ENGINE = "django.contrib.sessions.backends.cache"
-    case "db":
-        SESSION_ENGINE = "django.contrib.sessions.backends.db"
-    case _:
-        raise ImproperlyConfigured(
-            "Invalid session_storage setting, allowed values are db and cache"
-        )
-SESSION_SERIALIZER = "authentik.root.sessions.pickle.PickleSerializer"
-SESSION_CACHE_ALIAS = "default"
+SESSION_ENGINE = "authentik.core.sessions"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
@@ -256,7 +244,7 @@ MIDDLEWARE = [
     "django_prometheus.middleware.PrometheusBeforeMiddleware",
     "authentik.root.middleware.ClientIPMiddleware",
     "authentik.stages.user_login.middleware.BoundSessionMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "authentik.core.middleware.AuthenticationMiddleware",
     "authentik.core.middleware.RequestIDMiddleware",
     "authentik.brands.middleware.BrandMiddleware",
     "authentik.events.middleware.AuditMiddleware",

authentik/root/test_plugin.py

@@ -28,8 +28,8 @@ def pytest_report_header(*_, **__):
 
 
 def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item]) -> None:
-    current_id = int(environ.get("CI_RUN_ID", 0)) - 1
-    total_ids = int(environ.get("CI_TOTAL_RUNS", 0))
+    current_id = int(environ.get("CI_RUN_ID", "0")) - 1
+    total_ids = int(environ.get("CI_TOTAL_RUNS", "0"))
 
     if total_ids:
         num_tests = len(items)

authentik/sources/kerberos/api/source_connection.py

@@ -1,13 +1,11 @@
-"""Kerberos Source Serializer"""
-
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.sources import (
     GroupSourceConnectionSerializer,
     GroupSourceConnectionViewSet,
     UserSourceConnectionSerializer,
+    UserSourceConnectionViewSet,
 )
-from authentik.core.api.used_by import UsedByMixin
 from authentik.sources.kerberos.models import (
     GroupKerberosSourceConnection,
     UserKerberosSourceConnection,
@@ -15,33 +13,20 @@ from authentik.sources.kerberos.models import (
 
 
 class UserKerberosSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """Kerberos Source Serializer"""
-
-    class Meta:
+    class Meta(UserSourceConnectionSerializer.Meta):
         model = UserKerberosSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["identifier"]
 
 
-class UserKerberosSourceConnectionViewSet(UsedByMixin, ModelViewSet):
-    """Source Viewset"""
-
+class UserKerberosSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
     queryset = UserKerberosSourceConnection.objects.all()
     serializer_class = UserKerberosSourceConnectionSerializer
-    filterset_fields = ["source__slug"]
-    search_fields = ["source__slug"]
-    ordering = ["source__slug"]
-    owner_field = "user"
 
 
 class GroupKerberosSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """OAuth Group-Source connection Serializer"""
-
     class Meta(GroupSourceConnectionSerializer.Meta):
         model = GroupKerberosSourceConnection
 
 
-class GroupKerberosSourceConnectionViewSet(GroupSourceConnectionViewSet):
-    """Group-source connection Viewset"""
-
+class GroupKerberosSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
     queryset = GroupKerberosSourceConnection.objects.all()
     serializer_class = GroupKerberosSourceConnectionSerializer

authentik/sources/kerberos/migrations/0003_migrate_userkerberossourceconnection_identifier.py

@@ -0,0 +1,28 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserKerberosSourceConnection = apps.get_model(
+        "authentik_sources_kerberos", "UserKerberosSourceConnection"
+    )
+
+    for connection in UserKerberosSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_kerberos", "0002_kerberossource_kadmin_type"),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="userkerberossourceconnection",
+            name="identifier",
+        ),
+    ]

authentik/sources/kerberos/models.py

@@ -372,8 +372,6 @@ class KerberosSourcePropertyMapping(PropertyMapping):
 class UserKerberosSourceConnection(UserSourceConnection):
     """Connection to configured Kerberos Sources."""
 
-    identifier = models.TextField()
-
     @property
     def serializer(self) -> type[Serializer]:
         from authentik.sources.kerberos.api.source_connection import (

authentik/sources/ldap/api.py

@@ -15,11 +15,22 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
-from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.sources import (
+    GroupSourceConnectionSerializer,
+    GroupSourceConnectionViewSet,
+    SourceSerializer,
+    UserSourceConnectionSerializer,
+    UserSourceConnectionViewSet,
+)
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.sync.outgoing.api import SyncStatusSerializer
-from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
+from authentik.sources.ldap.models import (
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    LDAPSourcePropertyMapping,
+    UserLDAPSourceConnection,
+)
 from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES
 
 
@@ -99,6 +110,7 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_groups",
             "sync_parent_group",
             "connectivity",
+            "lookup_groups_from_user",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
@@ -134,6 +146,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "sync_parent_group",
         "user_property_mappings",
         "group_property_mappings",
+        "lookup_groups_from_user",
     ]
     search_fields = ["name", "slug"]
     ordering = ["name"]
@@ -219,3 +232,23 @@ class LDAPSourcePropertyMappingViewSet(UsedByMixin, ModelViewSet):
     filterset_class = LDAPSourcePropertyMappingFilter
     search_fields = ["name"]
     ordering = ["name"]
+
+
+class UserLDAPSourceConnectionSerializer(UserSourceConnectionSerializer):
+    class Meta(UserSourceConnectionSerializer.Meta):
+        model = UserLDAPSourceConnection
+
+
+class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
+    queryset = UserLDAPSourceConnection.objects.all()
+    serializer_class = UserLDAPSourceConnectionSerializer
+
+
+class GroupLDAPSourceConnectionSerializer(GroupSourceConnectionSerializer):
+    class Meta(GroupSourceConnectionSerializer.Meta):
+        model = GroupLDAPSourceConnection
+
+
+class GroupLDAPSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
+    queryset = GroupLDAPSourceConnection.objects.all()
+    serializer_class = GroupLDAPSourceConnectionSerializer

authentik/sources/ldap/migrations/0007_ldapsource_lookup_groups_from_user.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.0.13 on 2025-03-26 17:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_sources_ldap",
+            "0006_rename_ldappropertymapping_ldapsourcepropertymapping_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="lookup_groups_from_user",
+            field=models.BooleanField(
+                default=False,
+                help_text="Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory",
+            ),
+        ),
+    ]

authentik/sources/ldap/migrations/0008_groupldapsourceconnection_userldapsourceconnection.py

@@ -0,0 +1,57 @@
+# Generated by Django 5.0.14 on 2025-04-11 11:46
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+        ("authentik_sources_ldap", "0007_ldapsource_lookup_groups_from_user"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GroupLDAPSourceConnection",
+            fields=[
+                (
+                    "groupsourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.groupsourceconnection",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Group LDAP Source Connection",
+                "verbose_name_plural": "Group LDAP Source Connections",
+            },
+            bases=("authentik_core.groupsourceconnection",),
+        ),
+        migrations.CreateModel(
+            name="UserLDAPSourceConnection",
+            fields=[
+                (
+                    "usersourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.usersourceconnection",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "User LDAP Source Connection",
+                "verbose_name_plural": "User LDAP Source Connections",
+            },
+            bases=("authentik_core.usersourceconnection",),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -15,7 +15,13 @@ from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
 from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
-from authentik.core.models import Group, PropertyMapping, Source
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    PropertyMapping,
+    Source,
+    UserSourceConnection,
+)
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator
@@ -123,6 +129,14 @@ class LDAPSource(Source):
         Group, blank=True, null=True, default=None, on_delete=models.SET_DEFAULT
     )
 
+    lookup_groups_from_user = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Lookup group membership based on a user attribute instead of a group attribute. "
+            "This allows nested group resolution on systems like FreeIPA and Active Directory"
+        ),
+    )
+
     @property
     def component(self) -> str:
         return "ak-source-ldap-form"
@@ -304,3 +318,31 @@ class LDAPSourcePropertyMapping(PropertyMapping):
     class Meta:
         verbose_name = _("LDAP Source Property Mapping")
         verbose_name_plural = _("LDAP Source Property Mappings")
+
+
+class UserLDAPSourceConnection(UserSourceConnection):
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.sources.ldap.api import (
+            UserLDAPSourceConnectionSerializer,
+        )
+
+        return UserLDAPSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("User LDAP Source Connection")
+        verbose_name_plural = _("User LDAP Source Connections")
+
+
+class GroupLDAPSourceConnection(GroupSourceConnection):
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.sources.ldap.api import (
+            GroupLDAPSourceConnectionSerializer,
+        )
+
+        return GroupLDAPSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("Group LDAP Source Connection")
+        verbose_name_plural = _("Group LDAP Source Connections")

authentik/sources/ldap/sync/groups.py

@@ -14,7 +14,12 @@ from authentik.core.models import Group
 from authentik.core.sources.mapper import SourceMapper
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
-from authentik.sources.ldap.models import LDAP_UNIQUENESS, LDAPSource, flatten
+from authentik.sources.ldap.models import (
+    LDAP_UNIQUENESS,
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    flatten,
+)
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 
 
@@ -89,6 +94,12 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     defaults,
                 )
                 self._logger.debug("Created group with attributes", **defaults)
+                if not GroupLDAPSourceConnection.objects.filter(
+                    source=self._source, identifier=uniq
+                ):
+                    GroupLDAPSourceConnection.objects.create(
+                        source=self._source, group=ak_group, identifier=uniq
+                    )
             except SkipObjectException:
                 continue
             except PropertyMappingExpressionException as exc:

authentik/sources/ldap/sync/membership.py

@@ -28,15 +28,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
         if not self._source.sync_groups:
             self.message("Group syncing is disabled for this Source")
             return iter(())
+
+        # If we are looking up groups from users, we don't need to fetch the group membership field
+        attributes = [self._source.object_uniqueness_field, LDAP_DISTINGUISHED_NAME]
+        if not self._source.lookup_groups_from_user:
+            attributes.append(self._source.group_membership_field)
+
         return self.search_paginator(
             search_base=self.base_dn_groups,
             search_filter=self._source.group_object_filter,
             search_scope=SUBTREE,
-            attributes=[
-                self._source.group_membership_field,
-                self._source.object_uniqueness_field,
-                LDAP_DISTINGUISHED_NAME,
-            ],
+            attributes=attributes,
             **kwargs,
         )
 
@@ -47,9 +49,24 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
             return -1
         membership_count = 0
         for group in page_data:
-            if "attributes" not in group:
-                continue
-            members = group.get("attributes", {}).get(self._source.group_membership_field, [])
+            if self._source.lookup_groups_from_user:
+                group_dn = group.get("dn", {})
+                group_filter = f"({self._source.group_membership_field}={group_dn})"
+                group_members = self._source.connection().extend.standard.paged_search(
+                    search_base=self.base_dn_users,
+                    search_filter=group_filter,
+                    search_scope=SUBTREE,
+                    attributes=[self._source.object_uniqueness_field],
+                )
+                members = []
+                for group_member in group_members:
+                    group_member_dn = group_member.get("dn", {})
+                    members.append(group_member_dn)
+            else:
+                if "attributes" not in group:
+                    continue
+                members = group.get("attributes", {}).get(self._source.group_membership_field, [])
+
             ak_group = self.get_group(group)
             if not ak_group:
                 continue
@@ -68,7 +85,7 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                         "ak_groups__in": [ak_group],
                     }
                 )
-            )
+            ).distinct()
             membership_count += 1
             membership_count += users.count()
             ak_group.users.set(users)

authentik/sources/ldap/sync/users.py

@@ -14,7 +14,12 @@ from authentik.core.models import User
 from authentik.core.sources.mapper import SourceMapper
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
-from authentik.sources.ldap.models import LDAP_UNIQUENESS, LDAPSource, flatten
+from authentik.sources.ldap.models import (
+    LDAP_UNIQUENESS,
+    LDAPSource,
+    UserLDAPSourceConnection,
+    flatten,
+)
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
@@ -85,6 +90,12 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 ak_user, created = User.update_or_create_attributes(
                     {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
                 )
+                if not UserLDAPSourceConnection.objects.filter(
+                    source=self._source, identifier=uniq
+                ):
+                    UserLDAPSourceConnection.objects.create(
+                        source=self._source, user=ak_user, identifier=uniq
+                    )
             except PropertyMappingExpressionException as exc:
                 raise StopSync(exc, None, exc.mapping) from exc
             except SkipObjectException:

authentik/sources/ldap/tests/mock_freeipa.py

@@ -96,6 +96,26 @@ def mock_freeipa_connection(password: str) -> Connection:
             "objectClass": "posixAccount",
         },
     )
+    # User with groups in memberOf attribute
+    connection.strategy.add_entry(
+        "cn=user4,ou=users,dc=goauthentik,dc=io",
+        {
+            "name": "user4_sn",
+            "uid": "user4_sn",
+            "objectClass": "person",
+            "memberOf": [
+                "cn=reverse-lookup-group,ou=groups,dc=goauthentik,dc=io",
+            ],
+        },
+    )
+    connection.strategy.add_entry(
+        "cn=reverse-lookup-group,ou=groups,dc=goauthentik,dc=io",
+        {
+            "cn": "reverse-lookup-group",
+            "uid": "reverse-lookup-group",
+            "objectClass": "groupOfNames",
+        },
+    )
     # Locked out user
     connection.strategy.add_entry(
         "cn=user-nsaccountlock,ou=users,dc=goauthentik,dc=io",

authentik/sources/ldap/tests/test_sync.py

@@ -162,6 +162,43 @@ class LDAPSyncTests(TestCase):
             self.assertFalse(User.objects.filter(username="user1_sn").exists())
             self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active)
 
+    def test_sync_groups_freeipa_memberOf(self):
+        """Test group sync when membership is derived from memberOf user attribute"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.group_membership_field = "memberOf"
+        self.source.user_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+            )
+        )
+        self.source.group_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                managed="goauthentik.io/sources/ldap/openldap-cn"
+            )
+        )
+        connection = MagicMock(return_value=mock_freeipa_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+            group_sync = GroupLDAPSynchronizer(self.source)
+            group_sync.sync_full()
+            membership_sync = MembershipLDAPSynchronizer(self.source)
+            membership_sync.sync_full()
+
+            self.assertTrue(
+                User.objects.filter(username="user4_sn").exists(), "User does not exist"
+            )
+            # Test if membership mapping based on memberOf works.
+            memberof_group = Group.objects.filter(name="reverse-lookup-group")
+            self.assertTrue(memberof_group.exists(), "Group does not exist")
+            self.assertTrue(
+                memberof_group.first().users.filter(username="user4_sn").exists(),
+                "User not a member of the group",
+            )
+
     def test_sync_groups_ad(self):
         """Test group sync"""
         self.source.user_property_mappings.set(

authentik/sources/ldap/urls.py

@@ -1,8 +1,15 @@
 """API URLs"""
 
-from authentik.sources.ldap.api import LDAPSourcePropertyMappingViewSet, LDAPSourceViewSet
+from authentik.sources.ldap.api import (
+    GroupLDAPSourceConnectionViewSet,
+    LDAPSourcePropertyMappingViewSet,
+    LDAPSourceViewSet,
+    UserLDAPSourceConnectionViewSet,
+)
 
 api_urlpatterns = [
     ("propertymappings/source/ldap", LDAPSourcePropertyMappingViewSet),
     ("sources/ldap", LDAPSourceViewSet),
+    ("sources/user_connections/ldap", UserLDAPSourceConnectionViewSet),
+    ("sources/group_connections/ldap", GroupLDAPSourceConnectionViewSet),
 ]

authentik/sources/oauth/api/source_connection.py

@@ -1,5 +1,3 @@
-"""OAuth Source Serializer"""
-
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.sources import (
@@ -12,11 +10,9 @@ from authentik.sources.oauth.models import GroupOAuthSourceConnection, UserOAuth
 
 
 class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """OAuth Source Serializer"""
-
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserOAuthSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["identifier", "access_token"]
+        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token"]
         extra_kwargs = {
             **UserSourceConnectionSerializer.Meta.extra_kwargs,
             "access_token": {"write_only": True},
@@ -24,21 +20,15 @@ class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):
 
 
 class UserOAuthSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
-    """Source Viewset"""
-
     queryset = UserOAuthSourceConnection.objects.all()
     serializer_class = UserOAuthSourceConnectionSerializer
 
 
 class GroupOAuthSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """OAuth Group-Source connection Serializer"""
-
     class Meta(GroupSourceConnectionSerializer.Meta):
         model = GroupOAuthSourceConnection
 
 
 class GroupOAuthSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
-    """Group-source connection Viewset"""
-
     queryset = GroupOAuthSourceConnection.objects.all()
     serializer_class = GroupOAuthSourceConnectionSerializer

authentik/sources/oauth/migrations/0009_migrate_useroauthsourceconnection_identifier.py

@@ -0,0 +1,28 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserOAuthSourceConnection = apps.get_model(
+        "authentik_sources_oauth", "UserOAuthSourceConnection"
+    )
+
+    for connection in UserOAuthSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0008_groupoauthsourceconnection_and_more"),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="useroauthsourceconnection",
+            name="identifier",
+        ),
+    ]

authentik/sources/oauth/models.py

@@ -286,7 +286,6 @@ class OAuthSourcePropertyMapping(PropertyMapping):
 class UserOAuthSourceConnection(UserSourceConnection):
     """Authorized remote OAuth provider."""
 
-    identifier = models.CharField(max_length=255)
     access_token = models.TextField(blank=True, null=True, default=None)
 
     @property

authentik/sources/plex/api/source_connection.py

@@ -1,5 +1,3 @@
-"""Plex Source connection Serializer"""
-
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.sources import (
@@ -12,14 +10,9 @@ from authentik.sources.plex.models import GroupPlexSourceConnection, UserPlexSou
 
 
 class UserPlexSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """Plex Source connection Serializer"""
-
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserPlexSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + [
-            "identifier",
-            "plex_token",
-        ]
+        fields = UserSourceConnectionSerializer.Meta.fields + ["plex_token"]
         extra_kwargs = {
             **UserSourceConnectionSerializer.Meta.extra_kwargs,
             "plex_token": {"write_only": True},
@@ -27,21 +20,15 @@ class UserPlexSourceConnectionSerializer(UserSourceConnectionSerializer):
 
 
 class UserPlexSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
-    """Plex Source connection Serializer"""
-
     queryset = UserPlexSourceConnection.objects.all()
     serializer_class = UserPlexSourceConnectionSerializer
 
 
 class GroupPlexSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """Plex Group-Source connection Serializer"""
-
     class Meta(GroupSourceConnectionSerializer.Meta):
         model = GroupPlexSourceConnection
 
 
 class GroupPlexSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
-    """Group-source connection Viewset"""
-
     queryset = GroupPlexSourceConnection.objects.all()
     serializer_class = GroupPlexSourceConnectionSerializer

authentik/sources/plex/migrations/0005_migrate_userplexsourceconnection_identifier.py

@@ -0,0 +1,29 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserPlexSourceConnection = apps.get_model("authentik_sources_plex", "UserPlexSourceConnection")
+
+    for connection in UserPlexSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_sources_plex",
+            "0004_groupplexsourceconnection_plexsourcepropertymapping_and_more",
+        ),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="userplexsourceconnection",
+            name="identifier",
+        ),
+    ]

authentik/sources/plex/models.py

@@ -141,7 +141,6 @@ class UserPlexSourceConnection(UserSourceConnection):
     """Connect user and plex source"""
 
     plex_token = models.TextField()
-    identifier = models.TextField()
 
     @property
     def serializer(self) -> type[Serializer]:

authentik/sources/saml/api/source_connection.py

@@ -1,5 +1,3 @@
-"""SAML Source Serializer"""
-
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.sources import (
@@ -12,29 +10,20 @@ from authentik.sources.saml.models import GroupSAMLSourceConnection, UserSAMLSou
 
 
 class UserSAMLSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """SAML Source Serializer"""
-
     class Meta(UserSourceConnectionSerializer.Meta):
         model = UserSAMLSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["identifier"]
 
 
 class UserSAMLSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
-    """Source Viewset"""
-
     queryset = UserSAMLSourceConnection.objects.all()
     serializer_class = UserSAMLSourceConnectionSerializer
 
 
 class GroupSAMLSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """OAuth Group-Source connection Serializer"""
-
     class Meta(GroupSourceConnectionSerializer.Meta):
         model = GroupSAMLSourceConnection
 
 
-class GroupSAMLSourceConnectionViewSet(GroupSourceConnectionViewSet):
-    """Group-source connection Viewset"""
-
+class GroupSAMLSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
     queryset = GroupSAMLSourceConnection.objects.all()
     serializer_class = GroupSAMLSourceConnectionSerializer

authentik/sources/saml/migrations/0019_migrate_usersamlsourceconnection_identifier.py

@@ -0,0 +1,26 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserSAMLSourceConnection = apps.get_model("authentik_sources_saml", "UserSAMLSourceConnection")
+
+    for connection in UserSAMLSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_saml", "0018_alter_samlsource_slo_url_alter_samlsource_sso_url"),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="usersamlsourceconnection",
+            name="identifier",
+        ),
+    ]

authentik/sources/saml/models.py

@@ -318,8 +318,6 @@ class SAMLSourcePropertyMapping(PropertyMapping):
 class UserSAMLSourceConnection(UserSourceConnection):
     """Connection to configured SAML Sources."""
 
-    identifier = models.TextField()
-
     @property
     def serializer(self) -> Serializer:
         from authentik.sources.saml.api.source_connection import UserSAMLSourceConnectionSerializer

authentik/sources/saml/views.py

@@ -33,7 +33,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@@ -74,8 +73,6 @@ class InitiateView(View):
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
         kwargs.update(
             {
                 PLAN_CONTEXT_SSO: True,

authentik/stages/authenticator_email/tests.py

@@ -255,6 +255,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
             )
             masked_email = mask_email(self.user.email)
             self.assertEqual(masked_email, response.json()["email"])
+            self.client.logout()
 
             # Test without email
             self.client.force_login(self.user_noemail)

authentik/stages/email/tasks.py

@@ -104,6 +104,13 @@ def send_mail(
         # can't be converted to json)
         message_object.attach(logo_data())
 
+        if (
+            message_object.to
+            and isinstance(message_object.to[0], str)
+            and "=?utf-8?" in message_object.to[0]
+        ):
+            message_object.to = [message_object.to[0].split("<")[-1].replace(">", "")]
+
         LOGGER.debug("Sending mail", to=message_object.to)
         backend.send_messages([message_object])
         Event.new(

authentik/stages/email/tests/test_sending.py

@@ -97,6 +97,37 @@ class TestEmailStageSending(FlowTestCase):
             self.assertEqual(mail.outbox[0].subject, "authentik")
             self.assertEqual(mail.outbox[0].to, [f"Test User   Many Words   <{long_user.email}>"])
 
+    def test_utf8_name(self):
+        """Test with pending user"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        utf8_user = create_test_user()
+        utf8_user.name = "Cirilo ЉМНЊ el cirilico И̂ӢЙӤ "
+        utf8_user.email = "cyrillic@authentik.local"
+        utf8_user.save()
+        plan.context[PLAN_CONTEXT_PENDING_USER] = utf8_user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        Event.objects.filter(action=EventAction.EMAIL_SENT).delete()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            response = self.client.post(url)
+            self.assertEqual(response.status_code, 200)
+            self.assertStageResponse(
+                response,
+                self.flow,
+                response_errors={
+                    "non_field_errors": [{"string": "email-sent", "code": "email-sent"}]
+                },
+            )
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik")
+            self.assertEqual(mail.outbox[0].to, [f"{utf8_user.email}"])
+
     def test_pending_fake_user(self):
         """Test with pending (fake) user"""
         self.flow.designation = FlowDesignation.RECOVERY

authentik/stages/user_login/middleware.py

@@ -6,14 +6,12 @@ from django.contrib.auth.views import redirect_to_login
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
-from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.root.middleware import ClientIPMiddleware, SessionMiddleware
 from authentik.stages.user_login.models import GeoIPBinding, NetworkBinding
 
-SESSION_KEY_LAST_IP = "authentik/stages/user_login/last_ip"
 SESSION_KEY_BINDING_NET = "authentik/stages/user_login/binding/net"
 SESSION_KEY_BINDING_GEO = "authentik/stages/user_login/binding/geo"
 LOGGER = get_logger()
@@ -91,7 +89,7 @@ class BoundSessionMiddleware(SessionMiddleware):
 
     def recheck_session(self, request: HttpRequest):
         """Check if a session is still valid with a changed IP"""
-        last_ip = request.session.get(SESSION_KEY_LAST_IP)
+        last_ip = request.session.get(request.session.model.Keys.LAST_IP)
         new_ip = ClientIPMiddleware.get_client_ip(request)
         # Check changed IP
         if new_ip == last_ip:
@@ -111,10 +109,7 @@ class BoundSessionMiddleware(SessionMiddleware):
         if SESSION_KEY_BINDING_NET in request.session or SESSION_KEY_BINDING_GEO in request.session:
             # Only set the last IP in the session if there's a binding specified
             # (== basically requires the user to be logged in)
-            request.session[SESSION_KEY_LAST_IP] = new_ip
-        AuthenticatedSession.objects.filter(session_key=request.session.session_key).update(
-            last_ip=new_ip, last_user_agent=request.META.get("HTTP_USER_AGENT", "")
-        )
+            request.session[request.session.model.Keys.LAST_IP] = new_ip
 
     def recheck_session_net(self, binding: NetworkBinding, last_ip: str, new_ip: str):
         """Check network/ASN binding"""

authentik/stages/user_login/stage.py

@@ -8,7 +8,7 @@ from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
 from rest_framework.fields import BooleanField, CharField
 
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import Session, User
 from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, WithUserInfoChallenge
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
@@ -20,7 +20,6 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.user_login.middleware import (
     SESSION_KEY_BINDING_GEO,
     SESSION_KEY_BINDING_NET,
-    SESSION_KEY_LAST_IP,
 )
 from authentik.stages.user_login.models import UserLoginStage
 
@@ -73,7 +72,9 @@ class UserLoginStageView(ChallengeStageView):
         """Set the sessions' last IP and session bindings"""
         stage: UserLoginStage = self.executor.current_stage
 
-        self.request.session[SESSION_KEY_LAST_IP] = ClientIPMiddleware.get_client_ip(self.request)
+        self.request.session[self.request.session.model.Keys.LAST_IP] = (
+            ClientIPMiddleware.get_client_ip(self.request)
+        )
         self.request.session[SESSION_KEY_BINDING_NET] = stage.network_binding
         self.request.session[SESSION_KEY_BINDING_GEO] = stage.geoip_binding
 
@@ -112,7 +113,7 @@ class UserLoginStageView(ChallengeStageView):
         if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
             messages.success(self.request, _("Successfully logged in!"))
         if self.executor.current_stage.terminate_other_sessions:
-            AuthenticatedSession.objects.filter(
-                user=user,
+            Session.objects.filter(
+                authenticatedsession__user=user,
             ).exclude(session_key=self.request.session.session_key).delete()
         return self.executor.stage_ok()

authentik/stages/user_login/tests.py

@@ -3,12 +3,10 @@
 from time import sleep
 from unittest.mock import patch
 
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
 from django.urls import reverse
 from django.utils.timezone import now
 
-from authentik.core.models import AuthenticatedSession
+from authentik.core.models import AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@@ -74,12 +72,13 @@ class TestUserLoginStage(FlowTestCase):
         session.save()
 
         key = generate_id()
-        other_session = AuthenticatedSession.objects.create(
+        AuthenticatedSession.objects.create(
+            session=Session.objects.create(
+                session_key=key,
+                last_ip=ClientIPMiddleware.default_ip,
+            ),
             user=self.user,
-            session_key=key,
-            last_ip=ClientIPMiddleware.default_ip,
         )
-        cache.set(f"{KEY_PREFIX}{other_session.session_key}", "foo")
 
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
@@ -87,8 +86,8 @@ class TestUserLoginStage(FlowTestCase):
 
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
-        self.assertFalse(AuthenticatedSession.objects.filter(session_key=key))
-        self.assertFalse(cache.has_key(f"{KEY_PREFIX}{key}"))
+        self.assertFalse(AuthenticatedSession.objects.filter(session__session_key=key))
+        self.assertFalse(Session.objects.filter(session_key=key).exists())
 
     def test_expiry(self):
         """Test with expiry"""
@@ -108,7 +107,7 @@ class TestUserLoginStage(FlowTestCase):
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
         self.assertNotEqual(list(self.client.session.keys()), [])
         session_key = self.client.session.session_key
-        session = AuthenticatedSession.objects.filter(session_key=session_key).first()
+        session = Session.objects.filter(session_key=session_key).first()
         self.assertAlmostEqual(
             session.expires.timestamp() - before_request.timestamp(),
             timedelta_from_string(self.stage.session_duration).total_seconds(),
@@ -143,7 +142,7 @@ class TestUserLoginStage(FlowTestCase):
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
         self.assertNotEqual(list(self.client.session.keys()), [])
         session_key = self.client.session.session_key
-        session = AuthenticatedSession.objects.filter(session_key=session_key).first()
+        session = Session.objects.filter(session_key=session_key).first()
         self.assertAlmostEqual(
             session.expires.timestamp() - _now,
             timedelta_from_string(self.stage.session_duration).total_seconds()

authentik/tenants/api/settings.py

@@ -20,6 +20,8 @@ class SettingsSerializer(ModelSerializer):
             "default_user_change_email",
             "default_user_change_username",
             "event_retention",
+            "reputation_lower_limit",
+            "reputation_upper_limit",
             "footer_links",
             "gdpr_compliance",
             "impersonation",

authentik/tenants/migrations/0005_tenant_reputation_lower_limit_and_more.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.0.14 on 2025-04-14 07:50
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_tenants", "0004_tenant_impersonation_require_reason"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="tenant",
+            name="reputation_lower_limit",
+            field=models.IntegerField(
+                default=-5,
+                help_text="Reputation cannot decrease lower than this value. Zero or negative.",
+                validators=[django.core.validators.MaxValueValidator(0)],
+            ),
+        ),
+        migrations.AddField(
+            model_name="tenant",
+            name="reputation_upper_limit",
+            field=models.IntegerField(
+                default=5,
+                help_text="Reputation cannot increase higher than this value. Zero or positive.",
+                validators=[django.core.validators.MinValueValidator(0)],
+            ),
+        ),
+    ]

authentik/tenants/models.py

@@ -5,7 +5,7 @@ from uuid import uuid4
 
 from django.apps import apps
 from django.core.exceptions import ValidationError
-from django.core.validators import MinValueValidator
+from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
 from django.db.utils import IntegrityError
 from django.dispatch import receiver
@@ -25,6 +25,8 @@ VALID_SCHEMA_NAME = re.compile(r"^t_[a-z0-9]{1,61}$")
 
 DEFAULT_TOKEN_DURATION = "days=1"  # nosec
 DEFAULT_TOKEN_LENGTH = 60
+DEFAULT_REPUTATION_LOWER_LIMIT = -5
+DEFAULT_REPUTATION_UPPER_LIMIT = 5
 
 
 def _validate_schema_name(name):
@@ -70,6 +72,16 @@ class Tenant(TenantMixin, SerializerModel):
             "Events will be deleted after this duration.(Format: weeks=3;days=2;hours=3,seconds=2)."
         ),
     )
+    reputation_lower_limit = models.IntegerField(
+        help_text=_("Reputation cannot decrease lower than this value. Zero or negative."),
+        default=DEFAULT_REPUTATION_LOWER_LIMIT,
+        validators=[MaxValueValidator(0)],
+    )
+    reputation_upper_limit = models.IntegerField(
+        help_text=_("Reputation cannot increase higher than this value. Zero or positive."),
+        default=DEFAULT_REPUTATION_UPPER_LIMIT,
+        validators=[MinValueValidator(0)],
+    )
     footer_links = models.JSONField(
         help_text=_("The option configures the footer links on the flow executor pages."),
         default=list,

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.2.3 Blueprint schema",
+    "title": "authentik 2025.2.4 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -1441,6 +1441,86 @@
                             }
                         }
                     },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_sources_ldap.userldapsourceconnection"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.userldapsourceconnection_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.userldapsourceconnection"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.userldapsourceconnection"
+                            }
+                        }
+                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_sources_ldap.groupldapsourceconnection"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.groupldapsourceconnection_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.groupldapsourceconnection"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_sources_ldap.groupldapsourceconnection"
+                            }
+                        }
+                    },
                     {
                         "type": "object",
                         "required": [
@@ -4754,6 +4834,8 @@
                         "authentik_sources_kerberos.groupkerberossourceconnection",
                         "authentik_sources_ldap.ldapsource",
                         "authentik_sources_ldap.ldapsourcepropertymapping",
+                        "authentik_sources_ldap.userldapsourceconnection",
+                        "authentik_sources_ldap.groupldapsourceconnection",
                         "authentik_sources_oauth.oauthsource",
                         "authentik_sources_oauth.oauthsourcepropertymapping",
                         "authentik_sources_oauth.useroauthsourceconnection",
@@ -7112,14 +7194,22 @@
                             "authentik_sources_kerberos.view_kerberossource",
                             "authentik_sources_kerberos.view_kerberossourcepropertymapping",
                             "authentik_sources_kerberos.view_userkerberossourceconnection",
+                            "authentik_sources_ldap.add_groupldapsourceconnection",
                             "authentik_sources_ldap.add_ldapsource",
                             "authentik_sources_ldap.add_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.add_userldapsourceconnection",
+                            "authentik_sources_ldap.change_groupldapsourceconnection",
                             "authentik_sources_ldap.change_ldapsource",
                             "authentik_sources_ldap.change_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.change_userldapsourceconnection",
+                            "authentik_sources_ldap.delete_groupldapsourceconnection",
                             "authentik_sources_ldap.delete_ldapsource",
                             "authentik_sources_ldap.delete_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.delete_userldapsourceconnection",
+                            "authentik_sources_ldap.view_groupldapsourceconnection",
                             "authentik_sources_ldap.view_ldapsource",
                             "authentik_sources_ldap.view_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.view_userldapsourceconnection",
                             "authentik_sources_oauth.add_groupoauthsourceconnection",
                             "authentik_sources_oauth.add_oauthsource",
                             "authentik_sources_oauth.add_oauthsourcepropertymapping",
@@ -7885,6 +7975,11 @@
                     "type": "string",
                     "format": "uuid",
                     "title": "Sync parent group"
+                },
+                "lookup_groups_from_user": {
+                    "type": "boolean",
+                    "title": "Lookup groups from user",
+                    "description": "Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory"
                 }
             },
             "required": []
@@ -7966,6 +8061,107 @@
                 }
             }
         },
+        "model_authentik_sources_ldap.userldapsourceconnection": {
+            "type": "object",
+            "properties": {
+                "user": {
+                    "type": "integer",
+                    "title": "User"
+                },
+                "source": {
+                    "type": "integer",
+                    "title": "Source"
+                },
+                "identifier": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Identifier"
+                },
+                "icon": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Icon"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_sources_ldap.userldapsourceconnection_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_userldapsourceconnection",
+                            "change_userldapsourceconnection",
+                            "delete_userldapsourceconnection",
+                            "view_userldapsourceconnection"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
+        "model_authentik_sources_ldap.groupldapsourceconnection": {
+            "type": "object",
+            "properties": {
+                "group": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Group"
+                },
+                "source": {
+                    "type": "integer",
+                    "title": "Source"
+                },
+                "identifier": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Identifier"
+                },
+                "icon": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Icon"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_sources_ldap.groupldapsourceconnection_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_groupldapsourceconnection",
+                            "change_groupldapsourceconnection",
+                            "delete_groupldapsourceconnection",
+                            "view_groupldapsourceconnection"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
         "model_authentik_sources_oauth.oauthsource": {
             "type": "object",
             "properties": {
@@ -8231,7 +8427,6 @@
                 },
                 "identifier": {
                     "type": "string",
-                    "maxLength": 255,
                     "minLength": 1,
                     "title": "Identifier"
                 },
@@ -13623,14 +13818,22 @@
                             "authentik_sources_kerberos.view_kerberossource",
                             "authentik_sources_kerberos.view_kerberossourcepropertymapping",
                             "authentik_sources_kerberos.view_userkerberossourceconnection",
+                            "authentik_sources_ldap.add_groupldapsourceconnection",
                             "authentik_sources_ldap.add_ldapsource",
                             "authentik_sources_ldap.add_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.add_userldapsourceconnection",
+                            "authentik_sources_ldap.change_groupldapsourceconnection",
                             "authentik_sources_ldap.change_ldapsource",
                             "authentik_sources_ldap.change_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.change_userldapsourceconnection",
+                            "authentik_sources_ldap.delete_groupldapsourceconnection",
                             "authentik_sources_ldap.delete_ldapsource",
                             "authentik_sources_ldap.delete_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.delete_userldapsourceconnection",
+                            "authentik_sources_ldap.view_groupldapsourceconnection",
                             "authentik_sources_ldap.view_ldapsource",
                             "authentik_sources_ldap.view_ldapsourcepropertymapping",
+                            "authentik_sources_ldap.view_userldapsourceconnection",
                             "authentik_sources_oauth.add_groupoauthsourceconnection",
                             "authentik_sources_oauth.add_oauthsource",
                             "authentik_sources_oauth.add_oauthsourcepropertymapping",

docker-compose.yml

@@ -31,10 +31,11 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
     restart: unless-stopped
     command: server
     environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
@@ -54,10 +55,11 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
     restart: unless-stopped
     command: worker
     environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}

go.mod

@@ -1,10 +1,11 @@
 module goauthentik.io
 
 go 1.24.0
+
 require (
 	beryju.io/ldap v0.1.0
-	github.com/coreos/go-oidc/v3 v3.13.0
-	github.com/getsentry/sentry-go v0.31.1
+	github.com/coreos/go-oidc/v3 v3.14.1
+	github.com/getsentry/sentry-go v0.32.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/go-openapi/runtime v0.28.0
@@ -19,17 +20,17 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
-	github.com/prometheus/client_golang v1.21.1
+	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.7.3
-	github.com/sethvargo/go-envconfig v1.1.1
+	github.com/sethvargo/go-envconfig v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025023.2
+	goauthentik.io/api/v3 v3.2025024.4
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.12.0
+	golang.org/x/oauth2 v0.29.0
+	golang.org/x/sync v0.13.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -59,7 +60,6 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
@@ -76,6 +76,6 @@ require (
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -55,8 +55,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.31.1 h1:ELVc0h7gwyhnXHDouXkhqTFSO5oslsRDk0++eyE0KJ4=
-github.com/getsentry/sentry-go v0.31.1/go.mod h1:CYNcMMz73YigoHljQRG+qPF+eMq8gG72XcGN/p71BAY=
+github.com/getsentry/sentry-go v0.32.0 h1:YKs+//QmwE3DcYtfKRH8/KyOOF/I6Qnx7qYGNHCGmCY=
+github.com/getsentry/sentry-go v0.32.0/go.mod h1:CYNcMMz73YigoHljQRG+qPF+eMq8gG72XcGN/p71BAY=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -148,8 +148,9 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -207,8 +208,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -239,8 +240,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
-github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@@ -254,8 +255,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.1.1 h1:JDu8Q9baIzJf47NPkzhIB6aLYL0vQ+pPypoYrejS9QY=
-github.com/sethvargo/go-envconfig v1.1.1/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/sethvargo/go-envconfig v1.2.0 h1:q3XkOZWkC+G1sMLCrw9oPGTjYexygLOXDmGUit1ti8Q=
+github.com/sethvargo/go-envconfig v1.2.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -299,8 +300,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025023.2 h1:4XHlnykN5jQH78liQ4cp2Jf8eigvQImIJp+A+bsq1nA=
-goauthentik.io/api/v3 v3.2025023.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.4 h1:fD4K6YcCTdwtkqKbYBdJk3POHVzw+LDdJdZSbOAKbX4=
+goauthentik.io/api/v3 v3.2025024.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -395,8 +396,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -411,8 +412,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -599,8 +600,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.2.3"
+const VERSION = "2025.2.4"

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1006.0",
+                "aws-cdk": "^2.1007.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1006.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1006.0.tgz",
-            "integrity": "sha512-6qYnCt4mBN+3i/5F+FC2yMETkDHY/IL7gt3EuqKVPcaAO4jU7oXfVSlR60CYRkZWL4fnAurUV14RkJuJyVG/IA==",
+            "version": "2.1007.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1007.0.tgz",
+            "integrity": "sha512-/UOYOTGWUm+pP9qxg03tID5tL6euC+pb+xo0RBue+xhnUWwj/Bbsw6DbqbpOPMrNzTUxmM723/uMEQmM6S26dw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1006.0",
+        "aws-cdk": "^2.1007.0",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.2.3
+    Default: 2025.2.4
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

locale/de/LC_MESSAGES/django.po

@@ -19,27 +19,28 @@
 # Benjamin Böhmke, 2023
 # Sven S <transifex@versvendet.de>, 2023
 # Dirk R, 2023
-# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2024
 # Paul Frey, 2024
 # Sascha Brockel, 2024
 # Michael Milz, 2024
 # Thomas Liske, 2024
-# Michael Gottinger, 2024
+# bob4os, 2024
 # itxworks, 2024
 # Christian Wichmann <cw1981@gmx.de>, 2024
 # Stefan Werner, 2024
 # Alexander Möbius, 2025
 # Jonas, 2025
 # Niklas Kroese, 2025
+# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
+# datenschmutz, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Niklas Kroese, 2025\n"
+"Last-Translator: datenschmutz, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -147,6 +148,12 @@ msgstr "Nutzer hat keinen Zugriff auf diese Applikation."
 msgid "Extra description not available"
 msgstr "Eine weitergehende Beschreibung ist nicht verfügbar"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr ""
+"Es ist nicht möglich, die Gruppe als Übergruppe von sich selbst zu "
+"definieren."
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -194,6 +201,14 @@ msgstr "Nutzer zu Gruppe hinzufügen"
 msgid "Remove user from group"
 msgstr "Nutzer aus Gruppe entfernen"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "Superuser-Status aktivieren"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "Superuser-Status deaktivieren"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Anzeigename"
@@ -572,60 +587,6 @@ msgstr "Microsoft Entra Provider Zuordnung"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra Provider Zuordnungen"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Legt fest, wie lange eine Sitzung dauert. Der Standardwert 0 bedeutet, dass "
-"die Sitzung so lange dauert, bis der Browser geschlossen wird. (Format: "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "Wenn aktiviert, werden Verbindungstoken beim Trennen gelöscht."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC Anbieter"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC Anbieter"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC Endpunkt"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC Endpunkte"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC Provider Eigenschafts-Zuordnung"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC Provider Eigenschafts-Zuordnungen"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC Verbindungstoken"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC Verbindungstoken"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Maximale Verbindungsgrenze erreicht."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Sie sind bereits in einem anderen Tab/Fenster verbunden)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -633,39 +594,39 @@ msgstr "Signaturschlüssel"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr ""
+msgstr "Schlüssel, der zum Signieren der SSF-Ereignisse verwendet wird."
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr ""
+msgstr "Anbieter des Shared Signals Frameworks"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr ""
+msgstr "Shared Signals Frameworks Anbieter"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr ""
+msgstr "Stream zum SSF-Anbieter hinzufügen."
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr ""
+msgstr "SSF Stream"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr ""
+msgstr "SSF Streams"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr ""
+msgstr "SSF Stream Ereignis"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr ""
+msgstr "SSF Stream Ereignisse"
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr ""
+msgstr "Anfrage konnte nicht gesendet werden."
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -729,9 +690,26 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook (Slack/Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "E-Mail"
 
+#: authentik/events/models.py
+msgid ""
+"Customize the body of the request. Mapping should return data that is JSON-"
+"serializable."
+msgstr ""
+"Passen Sie den Inhalt der Anfrage an. Die Zuordnung sollte Daten "
+"zurückgeben, die JSON-serialisierbar sind."
+
+#: authentik/events/models.py
+msgid ""
+"Configure additional headers to be sent. Mapping should return a dictionary "
+"of key-value pairs"
+msgstr ""
+"Konfigurieren Sie zusätzliche Header, die gesendet werden sollen. Die "
+"Zuordnung sollte ein dictionary von Schlüssel-Wert-Paaren zurückgeben."
+
 #: authentik/events/models.py
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
@@ -1009,6 +987,12 @@ msgstr "Flow-Tokens"
 msgid "Invalid next URL"
 msgstr "Ungültige nächste URL"
 
+#: authentik/lib/sync/outgoing/models.py
+msgid ""
+"When enabled, provider will not modify or create objects in the remote "
+"system."
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Starte komplette Provider Synchronisation."
@@ -1023,6 +1007,10 @@ msgstr "Synchonisiere Benutzer Seite {page}"
 msgid "Syncing page {page} of groups"
 msgstr "Synchonisiere Gruppen Seite {page}"
 
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Dropping mutating request due to dry run"
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1237,6 +1225,14 @@ msgstr "GeoIP: Die Client IP wurde nicht in der Stadt Datenbank gefunden"
 msgid "Client IP is not in an allowed country."
 msgstr "GeoIP: Die Client IP befindet sich nicht in einem erlaubten Land."
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr ""
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP Richtlinie"
@@ -1369,6 +1365,20 @@ msgstr "Reputationswert"
 msgid "Reputation Scores"
 msgstr "Reputationswert"
 
+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Erlaubnis verweigert"
@@ -1560,6 +1570,14 @@ msgstr "RS256 (Asymmetrische Verschlüsselung)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (Asymmetrische Verschlüsselung)"
 
+#: authentik/providers/oauth2/models.py
+msgid "ES384 (Asymmetric Encryption)"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "ES512 (Asymmetric Encryption)"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Vom Client verwendeter Scope"
@@ -1844,6 +1862,59 @@ msgstr "Proxy Anbieter"
 msgid "Proxy Providers"
 msgstr "Proxy Anbietern"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Legt fest, wie lange eine Sitzung dauert. Der Standardwert 0 bedeutet, dass "
+"die Sitzung so lange dauert, bis der Browser geschlossen wird. (Format: "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "Wenn aktiviert, werden Verbindungstoken beim Trennen gelöscht."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC Anbieter"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC Anbieter"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC Endpunkt"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC Endpunkte"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC Provider Eigenschafts-Zuordnung"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC Provider Eigenschafts-Zuordnungen"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC Verbindungstoken"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC Verbindungstoken"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Maximale Verbindungsgrenze erreicht."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Sie sind bereits in einem anderen Tab/Fenster verbunden)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@@ -1933,6 +2004,17 @@ msgstr ""
 "Legen Sie fest, wie der NameID-Wert erstellt werden soll. Bleibt der Wert "
 "leer, wird die NameIDPolicy der eingehenden Anfrage berücksichtigt"
 
+#: authentik/providers/saml/models.py
+msgid "AuthnContextClassRef Property Mapping"
+msgstr ""
+
+#: authentik/providers/saml/models.py
+msgid ""
+"Configure how the AuthnContextClassRef value will be created. When left "
+"empty, the AuthnContextClassRef will be set based on which authentication "
+"methods the user used to authenticate."
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid ""
 "Assertion valid not before current time + this value (Format: "
@@ -2074,6 +2156,18 @@ msgstr "SAML Anbieter aus Metadaten"
 msgid "SAML Providers from Metadata"
 msgstr "SAML Provider aus Metadaten"
 
+#: authentik/providers/scim/models.py
+msgid "Default"
+msgstr "Standard"
+
+#: authentik/providers/scim/models.py
+msgid "AWS"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Slack"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "Basis-URL für SCIM-Anfragen, endet normalerweise auf /v2"
@@ -2082,6 +2176,14 @@ msgstr "Basis-URL für SCIM-Anfragen, endet normalerweise auf /v2"
 msgid "Authentication token"
 msgstr "Authentifizierungstoken"
 
+#: authentik/providers/scim/models.py
+msgid "SCIM Compatibility Mode"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Alter authentik behavior for vendor-specific SCIM implementations."
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "SCIM-Anbieter"
@@ -2353,6 +2455,13 @@ msgstr ""
 "Wenn ein Benutzer sein Passwort ändert, wird es zurück zum LDAP "
 "synchronisiert. Dies kann nur für eine einzige LDAP-Quelle aktiviert werden."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Quelle"
@@ -2764,6 +2873,103 @@ msgstr "Duo Gerät"
 msgid "Duo Devices"
 msgstr "Duo Geräte"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Wenn diese Option aktiviert ist, werden die globalen E-Mail "
+"Verbindungseinstellungen benutzt und die unten angegebenen Einstellungen "
+"ignoriert"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "Beim Rendern der E-Mail-Vorlage ist ein Fehler aufgetreten"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr ""
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Code stimmt nicht überein"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Hallo %(username)s,\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Hallo %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2802,11 +3008,6 @@ msgstr "SMS Gerät"
 msgid "SMS Devices"
 msgstr "SMS Geräte"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Code stimmt nicht überein"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Ungültige Telefonnummer"
@@ -3041,23 +3242,10 @@ msgstr "Passwort zurücksetzen"
 msgid "Account Confirmation"
 msgstr "Konto-Bestätigung"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Wenn diese Option aktiviert ist, werden die globalen E-Mail "
-"Verbindungseinstellungen benutzt und die unten angegebenen Einstellungen "
-"ignoriert"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Aktivieren Sie die Benutzer nach Abschluss der Stufe."
 
-#: authentik/stages/email/models.py
-msgid "Time in minutes the token sent is valid."
-msgstr "Zeit in Minuten wie lange der verschickte Token gültig ist"
-
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "E-Mail Stufe"
@@ -3066,10 +3254,6 @@ msgstr "E-Mail Stufe"
 msgid "Email Stages"
 msgstr "E-Mail Stufen"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "Beim Rendern der E-Mail-Vorlage ist ein Fehler aufgetreten"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Erfolgreich Mailadresse verifiziert."
@@ -3153,17 +3337,6 @@ msgstr ""
 "\n"
 "Diese E-Mail wurde vom  Benachrichtigungsdienst %(name)s gesendet.\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Hallo %(username)s,\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -3184,11 +3357,6 @@ msgstr ""
 "\n"
 "  Wenn Sie keine Passwortänderung beantragt haben, ignorieren Sie bitte diese E-Mail. Der obige Link ist gültig für %(expires)s."
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Hallo %(username)s,"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-14 00:11+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -335,6 +335,18 @@ msgstr ""
 msgid "Property Mappings"
 msgstr ""
 
+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr ""
@@ -2190,6 +2202,13 @@ msgid ""
 "enabled on a single LDAP source."
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr ""
@@ -2206,6 +2225,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""
 
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""

locale/es/LC_MESSAGES/django.po

@@ -5,18 +5,19 @@
 # 
 # Translators:
 # jcamat, 2022
-# Jens L. <jens@goauthentik.io>, 2024
 # Angel, 2024
 # Iamanaws, 2024
+# Marcelo Elizeche Landó, 2025
+# Jens L. <jens@goauthentik.io>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Iamanaws, 2024\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -118,12 +119,16 @@ msgstr "Marcas"
 
 #: authentik/core/api/application_entitlements.py
 msgid "User does not have access to application."
-msgstr ""
+msgstr "El usuario no tiene acceso a la aplicación"
 
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr "Descripción adicional no disponible."
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "No se puede establecer el grupo como padre de sí mismo."
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -172,6 +177,14 @@ msgstr "Agrega usuario al grupo"
 msgid "Remove user from group"
 msgstr "Remueve usuario del grupo"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "Habiliar estado de \"superusuario\""
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "Deshabiliar estado de \"superusuario\""
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nombre para mostrar del usuario."
@@ -548,62 +561,6 @@ msgstr "Asignación de Proveedor de Microsoft Entra"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Asignaciones de Proveedores de Microsoft Entra"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Determina la duración de una sesión. El valor predeterminado de 0 significa "
-"que las sesiones duran hasta que se cierra el navegador. (Formato: horas = "
-"-1; minutos = -2; segundos = -3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Cuando es verdadero, los tokens de conexión serán eliminados al "
-"desconectarse."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "Proveedor de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "Proveedores de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "Punto de Conexión de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "Puntos de Conexión de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "Asignación de Propiedades de Proveedor de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "Asignaciones de Propiedades de Proveedor de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "Token de Conexión de RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "Tokens de Conexión de RAC"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Límite máximo de conexiones alcanzado."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Ya estás conectado en otra pestaña/ventana)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -643,7 +600,7 @@ msgstr ""
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr ""
+msgstr "Falló envio de petición"
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -711,9 +668,22 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Webhook de Slack (Slack/Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Correo"
 
+#: authentik/events/models.py
+msgid ""
+"Customize the body of the request. Mapping should return data that is JSON-"
+"serializable."
+msgstr ""
+
+#: authentik/events/models.py
+msgid ""
+"Configure additional headers to be sent. Mapping should return a dictionary "
+"of key-value pairs"
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
@@ -983,6 +953,12 @@ msgstr "Tokens de flujo"
 msgid "Invalid next URL"
 msgstr "Siguiente URL invalida"
 
+#: authentik/lib/sync/outgoing/models.py
+msgid ""
+"When enabled, provider will not modify or create objects in the remote "
+"system."
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Iniciando sincronización completa de proveedor"
@@ -997,6 +973,10 @@ msgstr "Sincronizando página {page} de usuarios"
 msgid "Syncing page {page} of groups"
 msgstr "Sincronizando página {page} de grupos"
 
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Dropping mutating request due to dry run"
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1210,6 +1190,14 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr "La IP del cliente no está en un país permitido."
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "La distancia desde la autenticación previa es mayor que el límite."
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "La distancia es mayor de lo posible."
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "Política de GeoIP"
@@ -1344,6 +1332,20 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"
 
+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@@ -1535,6 +1537,14 @@ msgstr "RS256 (Encriptación Asimétrica)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (Encriptación Asimétrica)"
 
+#: authentik/providers/oauth2/models.py
+msgid "ES384 (Asymmetric Encryption)"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "ES512 (Asymmetric Encryption)"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Alcance utilizado por el cliente"
@@ -1818,6 +1828,61 @@ msgstr "Proveedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Proveedores de Proxy"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Determina la duración de una sesión. El valor predeterminado de 0 significa "
+"que las sesiones duran hasta que se cierra el navegador. (Formato: horas = "
+"-1; minutos = -2; segundos = -3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Cuando es verdadero, los tokens de conexión serán eliminados al "
+"desconectarse."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "Proveedor de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "Proveedores de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "Punto de Conexión de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "Puntos de Conexión de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "Asignación de Propiedades de Proveedor de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "Asignaciones de Propiedades de Proveedor de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "Token de Conexión de RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "Tokens de Conexión de RAC"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Límite máximo de conexiones alcanzado."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Ya estás conectado en otra pestaña/ventana)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "Secreto compartido entre clientes y servidor para hashear paquetes."
@@ -1905,6 +1970,17 @@ msgstr ""
 "Configurar cómo se creará el valor NameID. Si se deja vacío, se considerará "
 "el NameIDPolicy de la solicitud entrante."
 
+#: authentik/providers/saml/models.py
+msgid "AuthnContextClassRef Property Mapping"
+msgstr ""
+
+#: authentik/providers/saml/models.py
+msgid ""
+"Configure how the AuthnContextClassRef value will be created. When left "
+"empty, the AuthnContextClassRef will be set based on which authentication "
+"methods the user used to authenticate."
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid ""
 "Assertion valid not before current time + this value (Format: "
@@ -2047,6 +2123,18 @@ msgstr "Proveedor de SAML a partir de Metadatos"
 msgid "SAML Providers from Metadata"
 msgstr "Proveedores de SAML a partir de Metadatos"
 
+#: authentik/providers/scim/models.py
+msgid "Default"
+msgstr "Predeterminado"
+
+#: authentik/providers/scim/models.py
+msgid "AWS"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Slack"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "URL base para solicitudes SCIM, generalmente termina en /v2"
@@ -2055,6 +2143,14 @@ msgstr "URL base para solicitudes SCIM, generalmente termina en /v2"
 msgid "Authentication token"
 msgstr "Token de Autenticación"
 
+#: authentik/providers/scim/models.py
+msgid "SCIM Compatibility Mode"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Alter authentik behavior for vendor-specific SCIM implementations."
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "Proveedor de SCIM"
@@ -2324,6 +2420,13 @@ msgstr ""
 "Cuando un usuario cambie su contraseña, sincronízala de vuelta con LDAP. "
 "Esto solo puede habilitarse en una única fuente de LDAP."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Fuente de LDAP"
@@ -2733,6 +2836,110 @@ msgstr "Dispositivo Duo"
 msgid "Duo Devices"
 msgstr "Dispositivos Duo"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Cuando se habilita, se utilizará la configuración global de conexión de "
+"correo electrónico y se ignorarán las configuraciones de conexión que se "
+"indican a continuación"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+"Tiempo de validez del token enviado (Formato: "
+"hours=3,minutes=17,seconds=300)."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr ""
+"Se produjo una excepción al procesar la plantilla de correo electrónico"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "Dispositivo de Email"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "Dispositivos de Email"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "El código no coincide"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "Email Inválido"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Hola %(username)s,\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s."
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Hola %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s.\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2770,11 +2977,6 @@ msgstr "Dispositivo SMS"
 msgid "SMS Devices"
 msgstr "Dispositivos SMS"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "El código no coincide"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Número de teléfono inválido"
@@ -3012,23 +3214,10 @@ msgstr "Restablecimiento de contraseña"
 msgid "Account Confirmation"
 msgstr "Confirmación cuenta"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Cuando se habilita, se utilizará la configuración global de conexión de "
-"correo electrónico y se ignorarán las configuraciones de conexión que se "
-"indican a continuación"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Activar a los usuarios al finalizar la etapa."
 
-#: authentik/stages/email/models.py
-msgid "Time in minutes the token sent is valid."
-msgstr "El tiempo en minutos que se envía el token es válido."
-
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "Etapa de correo electrónico"
@@ -3037,11 +3226,6 @@ msgstr "Etapa de correo electrónico"
 msgid "Email Stages"
 msgstr "Etapas del correo"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr ""
-"Se produjo una excepción al procesar la plantilla de correo electrónico"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Correo electrónico verificado correctamente."
@@ -3126,17 +3310,6 @@ msgstr ""
 "\n"
 "Este correo electrónico fue enviado desde el transporte de notificaciones %(name)s.\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Hola %(username)s,\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -3154,11 +3327,8 @@ msgid ""
 "    If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 "    "
 msgstr ""
-
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Hola %(username)s,"
+"\n"
+"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s."
 
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
@@ -3174,6 +3344,8 @@ msgid ""
 "\n"
 "If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
+"\n"
+"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s.\n"
 
 #: authentik/stages/email/templates/email/setup.html
 msgid "authentik Test-Email"
@@ -3493,11 +3665,11 @@ msgstr ""
 
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stage"
-msgstr ""
+msgstr "Etapa de Redirección"
 
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stages"
-msgstr ""
+msgstr "Etapas de Redirección"
 
 #: authentik/stages/user_delete/models.py
 msgid "User Delete Stage"

locale/fi/LC_MESSAGES/django.po

@@ -4,20 +4,20 @@
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 # 
 # Translators:
-# Ville Ranki, 2022
 # Skyler Mäntysaari, 2024
 # Jani Hast, 2024
 # MarkoTukiainen, 2025
 # Marc Schmitt, 2025
+# Ville Ranki, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Marc Schmitt, 2025\n"
+"Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -122,6 +122,10 @@ msgstr "Käyttäjällä ei ole pääsyä sovellukseen."
 msgid "Extra description not available"
 msgstr "Lisäkuvaus ei ole saatavilla"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr ""
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -169,6 +173,14 @@ msgstr "Lisää käyttäjä ryhmään"
 msgid "Remove user from group"
 msgstr "Poista käyttäjä ryhmästä"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Käyttäjän näytettävä nimi"
@@ -540,61 +552,6 @@ msgstr "Microsoft Entra -palveluntarjoajan kytkentä"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra -palveluntarjoajan kytkennät"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Määrittää istunnon keston. Oletusarvo 0 tarkoittaa, että istunto kestää "
-"kunnes selain suljetaan. (Muoto: hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Kun asetettu arvoon tosi, yhteystunnisteet poistetaan yhteyden katkaisemisen"
-" yhteydessä."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC-palveluntarjoaja"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC-palveluntarjoajat"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC-päätepiste"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC-päätepisteet"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC-palveluntarjoajan ominaisuuskytkentä"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC-palveluntarjoajan ominaisuuskytkennät"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC-yhteystunniste"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC-yhteystunnisteet"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Yhteyksien enimmäismäärä saavutettu."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Olet jo yhteydessä toisen selainvälilehden tai -ikkunan kautta)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -698,9 +655,22 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack-webhook (Slack/Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Sähköposti"
 
+#: authentik/events/models.py
+msgid ""
+"Customize the body of the request. Mapping should return data that is JSON-"
+"serializable."
+msgstr ""
+
+#: authentik/events/models.py
+msgid ""
+"Configure additional headers to be sent. Mapping should return a dictionary "
+"of key-value pairs"
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
@@ -970,6 +940,12 @@ msgstr "Prosessin tunnisteet"
 msgid "Invalid next URL"
 msgstr "Virheellinen seuraava URL"
 
+#: authentik/lib/sync/outgoing/models.py
+msgid ""
+"When enabled, provider will not modify or create objects in the remote "
+"system."
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Käynnistetään palveluntarjoajan täysi synkronisointi"
@@ -984,6 +960,10 @@ msgstr "Synkronoidaan käyttäjien sivua {page}"
 msgid "Syncing page {page} of groups"
 msgstr "Synkronoidaan ryhmien sivua {page}"
 
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Dropping mutating request due to dry run"
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1194,6 +1174,14 @@ msgstr "GeoIP: asiakkaan IP-osoitetta ei löydy kaupunkitietokannasta."
 msgid "Client IP is not in an allowed country."
 msgstr "Asiakkaan IP-osoite ei sijaitse sallitussa maassa."
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr ""
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP-käytäntö"
@@ -1326,6 +1314,20 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"
 
+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@@ -1517,6 +1519,14 @@ msgstr "RS256 (asymmetrinen salaus)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (asymmetrinen salaus)"
 
+#: authentik/providers/oauth2/models.py
+msgid "ES384 (Asymmetric Encryption)"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "ES512 (Asymmetric Encryption)"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Asiakkaan käyttämä käyttöalue"
@@ -1797,6 +1807,60 @@ msgstr "Välityspalveluntarjoaja"
 msgid "Proxy Providers"
 msgstr "Välityspalveluntarjoajat"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Määrittää istunnon keston. Oletusarvo 0 tarkoittaa, että istunto kestää "
+"kunnes selain suljetaan. (Muoto: hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Kun asetettu arvoon tosi, yhteystunnisteet poistetaan yhteyden katkaisemisen"
+" yhteydessä."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC-palveluntarjoaja"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC-palveluntarjoajat"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC-päätepiste"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC-päätepisteet"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC-palveluntarjoajan ominaisuuskytkentä"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC-palveluntarjoajan ominaisuuskytkennät"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC-yhteystunniste"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC-yhteystunnisteet"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Yhteyksien enimmäismäärä saavutettu."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Olet jo yhteydessä toisen selainvälilehden tai -ikkunan kautta)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@@ -1886,6 +1950,17 @@ msgstr ""
 "Määritä, kuinka NameID:n arvo luodaan. Jos tämä jätetään tyhjäksi, käytetään"
 " sisääntulevan pyynnön NameIDPolicy-kentän arvoa."
 
+#: authentik/providers/saml/models.py
+msgid "AuthnContextClassRef Property Mapping"
+msgstr ""
+
+#: authentik/providers/saml/models.py
+msgid ""
+"Configure how the AuthnContextClassRef value will be created. When left "
+"empty, the AuthnContextClassRef will be set based on which authentication "
+"methods the user used to authenticate."
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid ""
 "Assertion valid not before current time + this value (Format: "
@@ -2028,6 +2103,18 @@ msgstr "SAML-palveluntarjoaja metatiedoista"
 msgid "SAML Providers from Metadata"
 msgstr "SAML-palveluntarjoajat metatiedoista"
 
+#: authentik/providers/scim/models.py
+msgid "Default"
+msgstr "Oletus"
+
+#: authentik/providers/scim/models.py
+msgid "AWS"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Slack"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "URL-osoitteen perusosa SCIM-pyyntöjä varten, päättyy yleensä /v2"
@@ -2036,6 +2123,14 @@ msgstr "URL-osoitteen perusosa SCIM-pyyntöjä varten, päättyy yleensä /v2"
 msgid "Authentication token"
 msgstr "Todennustunniste"
 
+#: authentik/providers/scim/models.py
+msgid "SCIM Compatibility Mode"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Alter authentik behavior for vendor-specific SCIM implementations."
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "SCIM-palveluntarjoaja"
@@ -2302,6 +2397,13 @@ msgstr ""
 "Kun käyttäjä muuttaa salasanansa, synkronoi se LDAPiin. Tämä voi olla "
 "käytössä vain yhden LDAP-lähteen kanssa."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP-lähde"
@@ -2712,6 +2814,102 @@ msgstr "Duo-laite"
 msgid "Duo Devices"
 msgstr "Duo-laitteet"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Kun tämä on käytössä, käytetään globaaleja sähköpostiyhteysasetuksia, ja "
+"alla olevat yhteysasetukset ohitetaan."
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "Sähköpostimallin käytössä tapahtui virhe"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr ""
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Koodi ei täsmää"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Hei %(username)s,\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Hei %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2749,11 +2947,6 @@ msgstr "SMS-laite"
 msgid "SMS Devices"
 msgstr "SMS-laitteet"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Koodi ei täsmää"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Virheellinen puhelinnumero"
@@ -2992,22 +3185,10 @@ msgstr "Salasanan nollaus"
 msgid "Account Confirmation"
 msgstr "Tunnuksen vahvistus"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Kun tämä on käytössä, käytetään globaaleja sähköpostiyhteysasetuksia, ja "
-"alla olevat yhteysasetukset ohitetaan."
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Aktivoi käyttäjät tämän vaiheen lopuksi."
 
-#: authentik/stages/email/models.py
-msgid "Time in minutes the token sent is valid."
-msgstr "Aika minuutteina, jonka verran lähetetty tunniste on voimassa."
-
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "Sähköpostivaihe"
@@ -3016,10 +3197,6 @@ msgstr "Sähköpostivaihe"
 msgid "Email Stages"
 msgstr "Sähköpostivaiheet"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "Sähköpostimallin käytössä tapahtui virhe"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Sähköpostiosoite vahvistettu."
@@ -3102,17 +3279,6 @@ msgstr ""
 "\n"
 "Tämä viesti on lähetetty notifikaatiokanavasta %(name)s.\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Hei %(username)s,\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -3134,11 +3300,6 @@ msgstr ""
 "    Jos et ole pyytänyt salasanan vaihtoa, jätä tämä viesti huomiotta. Yllä oleva linkki on voimassa  %(expires)s.\n"
 "    "
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Hei %(username)s,"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -2441,6 +2441,13 @@ msgstr ""
 "Lorsqu'un utilisateur change son mot de passe, le synchroniser à nouveau "
 "vers LDAP. Ne peut être activé que sur une seule source LDAP."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Source LDAP"

locale/it/LC_MESSAGES/django.po

@@ -6,23 +6,23 @@
 # Translators:
 # Dario Rigolin, 2022
 # aoor9, 2023
-# Matteo Piccina <altermatte@gmail.com>, 2024
 # Enrico Campani, 2024
 # Marco Vitale, 2024
-# Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2024
 # Nicola Mersi, 2024
 # tmassimi, 2024
 # Marc Schmitt, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
+# Matteo Piccina <altermatte@gmail.com>, 2025
+# Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-04-11 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2024\n"
+"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -130,6 +130,10 @@ msgstr "L'utente non ha accesso all'applicazione."
 msgid "Extra description not available"
 msgstr "Descrizione extra non disponibile"
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "Impossibile impostare il gruppo come padre di se stesso."
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -177,6 +181,14 @@ msgstr "Aggiungi utente al gruppo"
 msgid "Remove user from group"
 msgstr "Rimuovi l'utente dal gruppo"
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "Abilita stato di superutente"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "Disabilita stato di superutente"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nome visualizzato dell'utente."
@@ -260,11 +272,11 @@ msgstr "Applicazioni"
 
 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr ""
+msgstr "Entitlement Applicazione"
 
 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr ""
+msgstr "Entitlements Applicazione"
 
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@@ -551,62 +563,6 @@ msgstr "Mappatura Microsoft Entra Provider"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Mappature Microsoft Entra Provider"
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Determina quanto può durare una sessione. Se impostato a 0, la sessione "
-"durerà fino alla chiusura del browser. (Formato: "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Se impostato su vero, i token di connessione verranno eliminati alla "
-"disconnessione."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "Fornitore di controllo dell'accesso remoto"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "Fornitori di controllo dell'accesso remoto"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "Endpoint RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "Endpoints RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "Mappatura delle proprietà del provider RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "Mappature proprietà del provider RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC Connection token"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC Connection tokens"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Limite massimo di connessioni raggiunto."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Sei già connesso in un'altra scheda/finestra)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -614,39 +570,39 @@ msgstr "Chiave di firma"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr ""
+msgstr "Chiave utilizzata per firmare gli eventi SSF."
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr ""
+msgstr "Fornitore Shared Signals Framework"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr ""
+msgstr "Fornitori Shared Signals Framework"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr ""
+msgstr "Aggiungi Stream al provider SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr ""
+msgstr "SSF Stream"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr ""
+msgstr "SSF Streams"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr ""
+msgstr "Evento di Stream SSF"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr ""
+msgstr "Eventi di Stream SSF"
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr ""
+msgstr "Impossibile inviare la richiesta"
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -712,9 +668,26 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook (Slack/Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Email"
 
+#: authentik/events/models.py
+msgid ""
+"Customize the body of the request. Mapping should return data that is JSON-"
+"serializable."
+msgstr ""
+"Personalizza il corpo della richiesta. Il mapping dovrebbe restituire dati "
+"serializzabili in JSON."
+
+#: authentik/events/models.py
+msgid ""
+"Configure additional headers to be sent. Mapping should return a dictionary "
+"of key-value pairs"
+msgstr ""
+"Configurare le intestazioni aggiuntive da inviare. Il mapping dovrebbe "
+"restituire un dizionario di coppie chiave-valore."
+
 #: authentik/events/models.py
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
@@ -944,7 +917,7 @@ msgstr ""
 
 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr ""
+msgstr "Valutare i criteri quando la fase viene presentata all'utente."
 
 #: authentik/flows/models.py
 msgid ""
@@ -986,6 +959,14 @@ msgstr "Tokens del flusso"
 msgid "Invalid next URL"
 msgstr "URL successivo non valido"
 
+#: authentik/lib/sync/outgoing/models.py
+msgid ""
+"When enabled, provider will not modify or create objects in the remote "
+"system."
+msgstr ""
+"Quando abilitato, il provider non modificherà o creerà oggetti nel sistema "
+"remoto."
+
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Avvio della sincronizzazione completa del provider"
@@ -1000,6 +981,10 @@ msgstr "Sincronizzando pagina {page} degli utenti"
 msgid "Syncing page {page} of groups"
 msgstr "Sincronizzando pagina {page} dei gruppi"
 
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Dropping mutating request due to dry run"
+msgstr "Richiesta di mutazione ignorata a causa della prova di funzionamento"
+
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1212,6 +1197,14 @@ msgstr "GeoIP: indirizzo IP del client non trovato nel database della città."
 msgid "Client IP is not in an allowed country."
 msgstr "L'IP del client non si trova in un paese consentito."
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "La distanza dall'autenticazione precedente è maggiore della soglia."
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "La distanza è maggiore del possibile."
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "Criterio GeoIP"
@@ -1344,6 +1337,22 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"
 
+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "In attesa di autenticazione..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
+" volta completata l'autenticazione."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticati in questa scheda"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@@ -1531,6 +1540,14 @@ msgstr "RS256 (Crittografia Asimmetrica)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (Crittografia Asimmetrica)"
 
+#: authentik/providers/oauth2/models.py
+msgid "ES384 (Asymmetric Encryption)"
+msgstr "ES384 (Crittografia Asimmetrica)"
+
+#: authentik/providers/oauth2/models.py
+msgid "ES512 (Asymmetric Encryption)"
+msgstr "ES512 (Crittografia Asimmetrica)"
+
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Scope usato dall'utente"
@@ -1814,6 +1831,61 @@ msgstr "Provider Proxy"
 msgid "Proxy Providers"
 msgstr "Providers Proxy"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Determina quanto può durare una sessione. Se impostato a 0, la sessione "
+"durerà fino alla chiusura del browser. (Formato: "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Se impostato su vero, i token di connessione verranno eliminati alla "
+"disconnessione."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "Fornitore di controllo dell'accesso remoto"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "Fornitori di controllo dell'accesso remoto"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "Endpoint RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "Endpoints RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "Mappatura delle proprietà del provider RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "Mappature proprietà del provider RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC Connection token"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC Connection tokens"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Limite massimo di connessioni raggiunto."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Sei già connesso in un'altra scheda/finestra)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "Segreto condiviso tra client e server per hashare i pacchetti."
@@ -1901,6 +1973,20 @@ msgstr ""
 "Configura il modo in cui verrà creato il valore NameID. Se lasciato vuoto, "
 "verrà considerato il NameIDPolicy della richiesta in arrivo"
 
+#: authentik/providers/saml/models.py
+msgid "AuthnContextClassRef Property Mapping"
+msgstr "Mapping delle proprietà AuthnContextClassRef"
+
+#: authentik/providers/saml/models.py
+msgid ""
+"Configure how the AuthnContextClassRef value will be created. When left "
+"empty, the AuthnContextClassRef will be set based on which authentication "
+"methods the user used to authenticate."
+msgstr ""
+"Configura come verrà creato il valore AuthnContextClassRef. Se lasciato "
+"vuoto, AuthnContextClassRef verrà impostato in base ai metodi di "
+"autenticazione utilizzati dall'utente."
+
 #: authentik/providers/saml/models.py
 msgid ""
 "Assertion valid not before current time + this value (Format: "
@@ -2042,6 +2128,18 @@ msgstr "Provider SAML dai Metadati"
 msgid "SAML Providers from Metadata"
 msgstr "Providers SAML dai Metadati"
 
+#: authentik/providers/scim/models.py
+msgid "Default"
+msgstr "Predefinito"
+
+#: authentik/providers/scim/models.py
+msgid "AWS"
+msgstr "AWS"
+
+#: authentik/providers/scim/models.py
+msgid "Slack"
+msgstr "Slack"
+
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "URL di base per le richieste SCIM, di solito termina con /v2"
@@ -2050,6 +2148,16 @@ msgstr "URL di base per le richieste SCIM, di solito termina con /v2"
 msgid "Authentication token"
 msgstr "Token di autenticazione"
 
+#: authentik/providers/scim/models.py
+msgid "SCIM Compatibility Mode"
+msgstr "SCIM Modalità di Compatibilità"
+
+#: authentik/providers/scim/models.py
+msgid "Alter authentik behavior for vendor-specific SCIM implementations."
+msgstr ""
+"Modifica il comportamento di autenticazione per le implementazioni SCIM "
+"specifiche del fornitore."
+
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "Privider SCIM"
@@ -2125,7 +2233,7 @@ msgstr ""
 
 #: authentik/sources/kerberos/models.py
 msgid "KAdmin server type"
-msgstr ""
+msgstr "Tipo server KAdmin"
 
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
@@ -2321,6 +2429,13 @@ msgstr ""
 "Quando un utente cambia la propria password, sincronizzala con LDAP. Questo "
 "può essere abilitato solo su una singola origine LDAP."
 
+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "Sorgente LDAP"
@@ -2730,6 +2845,117 @@ msgstr "Dispositivo Duo"
 msgid "Duo Devices"
 msgstr "Dispositivi Duo"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "Email OTP"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Se abilitato, verranno utilizzate le impostazioni di connessione e-mail "
+"globali e le impostazioni di connessione riportate di seguito verranno "
+"ignorate."
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+"Tempo di validità del token inviato (formato: "
+"hours=3,minutes=17,seconds=300)."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "Fase di configurazione dell'autenticatore email"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "Fasi di configurazione dell'autenticatore email"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr ""
+"Eccezione verificatasi durante la visualizzazione del modello di posta "
+"elettronica"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "Dispositivo email"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "Dispositivi email"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Il codice non corrisponde"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "Email non valida"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Ciao %(username)s,\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          Codice MFA via e-mail.\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    Se non hai richiesto questo codice, ignora questa email. Il codice sopra riportato è valido per %(expires)s.\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Ciao %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"Codice e-mail MFA\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"Se non hai richiesto questo codice, ignora questa email. Il codice sopra riportato è valido per %(expires)s.\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2768,11 +2994,6 @@ msgstr "Dispositivo SMS"
 msgid "SMS Devices"
 msgstr "Dispositivi SMS"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Il codice non corrisponde"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Numero di telefono non valido"
@@ -3013,23 +3234,10 @@ msgstr "Ripristino password"
 msgid "Account Confirmation"
 msgstr "Conferma dell'account"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Se abilitato, verranno utilizzate le impostazioni di connessione e-mail "
-"globali e le impostazioni di connessione riportate di seguito verranno "
-"ignorate."
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Attiva gli utenti al completamento della fase."
 
-#: authentik/stages/email/models.py
-msgid "Time in minutes the token sent is valid."
-msgstr "Tempo in minuti in cui il token inviato è valido."
-
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "Fase email"
@@ -3038,12 +3246,6 @@ msgstr "Fase email"
 msgid "Email Stages"
 msgstr "Fasi Email"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr ""
-"Eccezione verificatasi durante la visualizzazione del modello di posta "
-"elettronica"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Email verificato con successo."
@@ -3127,17 +3329,6 @@ msgstr ""
 "\n"
 "Questa email è stata inviata dal trasporto delle notifiche %(name)s.\n"
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Ciao %(username)s,\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -3158,11 +3349,6 @@ msgstr ""
 "   Se non hai richiesto una modifica della password, ignora questa e-mail. Il link sopra è valido per %(expires)s.\n"
 "    "
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Ciao %(username)s,"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
@@ -3492,6 +3678,7 @@ msgstr ""
 #: authentik/stages/redirect/api.py
 msgid "Target Flow should be present when mode is Flow."
 msgstr ""
+"Il flusso target dovrebbe essere presente quando la modalità è Flusso."
 
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stage"

locale/ko/LC_MESSAGES/django.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-03-31 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@@ -115,6 +115,10 @@ msgstr ""
 msgid "Extra description not available"
 msgstr ""
 
+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr ""
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -159,6 +163,14 @@ msgstr ""
 msgid "Remove user from group"
 msgstr ""
 
+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "사용자의 표시 이름"
@@ -509,59 +521,6 @@ msgstr ""
 msgid "Microsoft Entra Provider Mappings"
 msgstr ""
 
-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"세션이 지속되는 시간을 결정합니다. 기본값인 0초는 브라우저가 닫힐 때까지 세션이 지속된다는 의미입니다. (서식: "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr ""
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -663,9 +622,22 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack 웹훅 (Slack/Discord)"
 
 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "이메일"
 
+#: authentik/events/models.py
+msgid ""
+"Customize the body of the request. Mapping should return data that is JSON-"
+"serializable."
+msgstr ""
+
+#: authentik/events/models.py
+msgid ""
+"Configure additional headers to be sent. Mapping should return a dictionary "
+"of key-value pairs"
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Only send notification once, for example when sending a webhook into a chat "
@@ -920,6 +892,12 @@ msgstr "플로우 토큰"
 msgid "Invalid next URL"
 msgstr ""
 
+#: authentik/lib/sync/outgoing/models.py
+msgid ""
+"When enabled, provider will not modify or create objects in the remote "
+"system."
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr ""
@@ -934,6 +912,10 @@ msgstr ""
 msgid "Syncing page {page} of groups"
 msgstr ""
 
+#: authentik/lib/sync/outgoing/tasks.py
+msgid "Dropping mutating request due to dry run"
+msgstr ""
+
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1126,6 +1108,14 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr ""
 
+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr ""
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr ""
@@ -1250,6 +1240,20 @@ msgstr "평판 점수"
 msgid "Reputation Scores"
 msgstr "평판 점수"
 
+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr ""
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "권한 거부됨"
@@ -1429,6 +1433,14 @@ msgstr "RS256 (비대칭 암호화)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (비대칭 암호화)"
 
+#: authentik/providers/oauth2/models.py
+msgid "ES384 (Asymmetric Encryption)"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "ES512 (Asymmetric Encryption)"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "클라이언트에서 사용할 스코프"
@@ -1680,6 +1692,58 @@ msgstr "프록시 공급자"
 msgid "Proxy Providers"
 msgstr "프록시 공급자"
 
+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"세션이 지속되는 시간을 결정합니다. 기본값인 0초는 브라우저가 닫힐 때까지 세션이 지속된다는 의미입니다. (서식: "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr ""
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr ""
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr ""
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "클라이언트와 서버가 패킷을 해시하기 위해 공유하는 비밀입니다."
@@ -1758,6 +1822,17 @@ msgid ""
 "NameIDPolicy of the incoming request will be considered"
 msgstr "NameID 값이 어떻게 생성될지 구성합니다. 비워 둘 경우, 들어오는 요청의 NameIDPolicy을 고려합니다."
 
+#: authentik/providers/saml/models.py
+msgid "AuthnContextClassRef Property Mapping"
+msgstr ""
+
+#: authentik/providers/saml/models.py
+msgid ""
+"Configure how the AuthnContextClassRef value will be created. When left "
+"empty, the AuthnContextClassRef will be set based on which authentication "
+"methods the user used to authenticate."
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid ""
 "Assertion valid not before current time + this value (Format: "
@@ -1886,6 +1961,18 @@ msgstr "SAML 공급자 메타데이터"
 msgid "SAML Providers from Metadata"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Default"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "AWS"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Slack"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "SCIM 요청에 대한 기본 URL은, 일반적으로 /v2로 끝납니다"
@@ -1894,6 +1981,14 @@ msgstr "SCIM 요청에 대한 기본 URL은, 일반적으로 /v2로 끝납니다
 msgid "Authentication token"
 msgstr "인증 토큰"
 
+#: authentik/providers/scim/models.py
+msgid "SCIM Compatibility Mode"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "Alter authentik behavior for vendor-specific SCIM implementations."
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "SCIM 공급자"
@@ -2532,6 +2627,100 @@ msgstr "Duo 디바이스"
 msgid "Duo Devices"
 msgstr "Duo 디바이스"
 
+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "활성화하면, 전역 이메일 연결 설정이 사용되며 아래의 연결 설정은 무시됩니다."
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "이메일 템플릿 렌더링 중 예외가 발생"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr ""
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "코드가 일치하지 않음"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 님께,\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@@ -2566,11 +2755,6 @@ msgstr "SMS 디바이스"
 msgid "SMS Devices"
 msgstr "SMS 디바이스"
 
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "코드가 일치하지 않음"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "유효하지 않은 전화번호"
@@ -2795,20 +2979,10 @@ msgstr "비밀번호 초기화"
 msgid "Account Confirmation"
 msgstr "계정 확인"
 
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "활성화하면, 전역 이메일 연결 설정이 사용되며 아래의 연결 설정은 무시됩니다."
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "스테이지가 완료되면 사용자를 활성화합니다."
 
-#: authentik/stages/email/models.py
-msgid "Time in minutes the token sent is valid."
-msgstr "전송된 토큰이 유효한 시간(분)입니다."
-
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "이메일 스테이지"
@@ -2817,10 +2991,6 @@ msgstr "이메일 스테이지"
 msgid "Email Stages"
 msgstr "이메일 스테이지"
 
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "이메일 템플릿 렌더링 중 예외가 발생"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "이메일을 성공적으로 확인했습니다."
@@ -2899,17 +3069,6 @@ msgid ""
 "This email was sent from the notification transport %(name)s.\n"
 msgstr ""
 
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 님께,\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -2928,11 +3087,6 @@ msgid ""
 "    "
 msgstr ""
 
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"