Fixes indentation on text block

* Update Paperless NGX instructions to include correct scopes

`openid` scope is required for Paperless NGX

Signed-off-by: Jim Shank <jimshank@gmail.com>

* Update website/integrations/services/paperless-ngx/index.mdx

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Jim Shank <jimshank@gmail.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
         with:
           version: latest
           args: --timeout 5000s --verbose

Dockerfile

@@ -85,18 +85,17 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
-ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
     mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
 FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

README.md

@@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 
 ## Adoption and Contributions
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).

authentik/api/schema.py

@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
     return component
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     """Workaround to set a default response for endpoints.
     Workaround suggested at
     <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>

authentik/blueprints/v1/common.py

@@ -164,9 +164,7 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
+    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
         """Get permissions of this entry, with all yaml tags resolved"""
         for perm in self.permissions:
             yield BlueprintEntryPermission(

authentik/events/logs.py

@@ -57,7 +57,7 @@ class LogEventSerializer(PassiveSerializer):
 
 
 @contextmanager
-def capture_logs(log_default_output=True) -> Generator[list[LogEvent], None, None]:
+def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
     """Capture log entries created"""
     logs = []
     cap = LogCapture()

authentik/lib/sync/mapper.py

@@ -59,7 +59,7 @@ class PropertyMappingManager:
         request: HttpRequest | None,
         return_mapping: bool = False,
         **kwargs,
-    ) -> Generator[tuple[dict, PropertyMapping], None]:
+    ) -> Generator[tuple[dict, PropertyMapping]]:
         """Iterate over all mappings that were pre-compiled and
         execute all of them with the given context"""
         if not self.__has_compiled:

authentik/providers/scim/clients/groups.py

@@ -199,7 +199,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
             chunk_size = len(ops)
         if len(ops) < 1:
             return
-        for chunk in batched(ops, chunk_size):
+        for chunk in batched(ops, chunk_size, strict=False):
             req = PatchRequest(Operations=list(chunk))
             self._request(
                 "PATCH",

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
-	github.com/pires/go-proxyproto v0.8.0
+	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.8.0
 	github.com/sethvargo/go-envconfig v1.3.0
@@ -29,8 +29,8 @@ require (
 	github.com/wwt/guac v1.3.2
 	goauthentik.io/api/v3 v3.2025040.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.29.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -75,7 +75,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -230,8 +230,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
-github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
-github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -358,16 +358,16 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -376,8 +376,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -412,8 +412,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

pyproject.toml

@@ -3,7 +3,7 @@ name = "authentik"
 version = "2025.4.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
-requires-python = "==3.12.*"
+requires-python = "==3.13.*"
 dependencies = [
     "argon2-cffi",
     "celery",
@@ -52,7 +52,7 @@ dependencies = [
     "pydantic-scim",
     "pyjwt",
     "pyrad",
-    "python-kadmin-rs ==0.6.0",
+    "python-kadmin-rs",
     "pyyaml",
     "requests-oauthlib",
     "scim2-filter-parser",
@@ -70,7 +70,7 @@ dependencies = [
     "watchdog",
     "webauthn",
     "wsproto",
-    "xmlsec <= 1.3.14",
+    "xmlsec",
     "zxcvbn",
 ]
 
@@ -101,6 +101,18 @@ dev = [
     "selenium",
 ]
 
+[tool.uv]
+no-binary-package = [
+    # This differs from the no-binary packages in the Dockerfile. This is due to the fact
+    # that these packages are built from source for different reasons than cryptography and kadmin.
+    # These packages are built from source to link against the libxml2 on the system which is
+    # required for functionality and to stay up-to-date on both libraries.
+    # The other packages specified in the dockerfile are compiled from source to link against the
+    # correct FIPS OpenSSL libraries
+    "lxml",
+    "xmlsec",
+]
+
 [tool.uv.sources]
 django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch = "authentik-fixes" }
 opencontainers = { git = "https://github.com/BeryJu/oci-python", rev = "c791b19056769cd67957322806809ab70f5bead8" }
@@ -143,12 +155,12 @@ ignore-words = ".github/codespell-words.txt"
 
 [tool.black]
 line-length = 100
-target-version = ['py312']
+target-version = ['py313']
 exclude = 'node_modules'
 
 [tool.ruff]
 line-length = 100
-target-version = "py312"
+target-version = "py313"
 exclude = ["**/migrations/**", "**/node_modules/**"]
 
 [tool.ruff.lint]

tests/e2e/docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   chrome:
-    image: docker.io/selenium/standalone-chrome:122.0
+    image: docker.io/selenium/standalone-chrome:136.0
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host
     restart: always
   mailpit:
-    image: docker.io/axllent/mailpit:v1.6.5
+    image: docker.io/axllent/mailpit:v1.24.2
     ports:
       - 1025:1025
       - 8025:8025

tests/e2e/utils.py

@@ -26,6 +26,7 @@ from selenium import webdriver
 from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.remote.command import Command
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support.wait import WebDriverWait
@@ -197,7 +198,12 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
         super().tearDown()
         if IS_CI:
             print("::group::Browser logs")
-        for line in self.driver.get_log("browser"):
+        # Very verbose way to get browser logs
+        # https://github.com/SeleniumHQ/selenium/pull/15641
+        # for some reason this removes the `get_log` API from Remote Webdriver
+        # and only keeps it on the local Chrome web driver, even when using
+        # a remote chrome driver...? (nvm the fact this was released as a minor version)
+        for line in self.driver.execute(Command.GET_LOG, {"type": "browser"})["value"]:
             print(line["message"])
         if IS_CI:
             print("::endgroup::")

web/package-lock.json

@@ -9472,9 +9472,9 @@
             }
         },
         "node_modules/caniuse-lite": {
-            "version": "1.0.30001667",
-            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001667.tgz",
-            "integrity": "sha512-7LTwJjcRkzKFmtqGsibMeuXmvFDfZq/nzIjnmgCGzKKRVzjD72selLDK1oPF/Oxzmt4fNcPvTDvGqSDG4tCALw==",
+            "version": "1.0.30001716",
+            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001716.tgz",
+            "integrity": "sha512-49/c1+x3Kwz7ZIWt+4DvK3aMJy9oYXXG6/97JKsnjdCk/6n9vVyWL8NAwVt95Lwt9eigI10Hl782kDfZUUlRXw==",
             "dev": true,
             "funding": [
                 {
@@ -9489,7 +9489,8 @@
                     "type": "github",
                     "url": "https://github.com/sponsors/ai"
                 }
-            ]
+            ],
+            "license": "CC-BY-4.0"
         },
         "node_modules/ccount": {
             "version": "2.0.1",

web/src/admin/applications/ApplicationViewPage.ts

@@ -113,8 +113,7 @@ export class ApplicationViewPage extends AKElement {
 
     renderApp(): TemplateResult {
         if (!this.application) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<ak-tabs>
             ${this.missingOutpost

web/src/admin/providers/ProviderViewPage.ts

@@ -42,7 +42,7 @@ export class ProviderViewPage extends AKElement {
 
     renderProvider(): TemplateResult {
         if (!this.provider) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
         }
         switch (this.provider?.component) {
             case "ak-provider-saml-form":

web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts

@@ -432,7 +432,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                 <div class="pf-c-card__body">
                     ${this.preview
                         ? html`<pre>${JSON.stringify(this.preview?.preview, null, 4)}</pre>`
-                        : html` <ak-empty-state ?loading=${true}></ak-empty-state> `}
+                        : html` <ak-empty-state loading></ak-empty-state> `}
                 </div>
             </div>
         </div>`;

web/src/admin/providers/saml/SAMLProviderViewPage.ts

@@ -502,7 +502,7 @@ export class SAMLProviderViewPage extends AKElement {
 
     renderTabPreview(): TemplateResult {
         if (!this.preview) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return html` <div
             class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"

web/src/admin/sources/SourceViewPage.ts

@@ -34,7 +34,7 @@ export class SourceViewPage extends AKElement {
 
     renderSource(): TemplateResult {
         if (!this.source) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
         }
         switch (this.source?.component) {
             case "ak-source-kerberos-form":

web/src/elements/Diagram.ts

@@ -83,7 +83,7 @@ export class Diagram extends AKElement {
             }
         });
         if (!this.diagram) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return html`${until(
             mermaid.render("graph", this.diagram).then((r) => {

web/src/elements/charts/Chart.ts

@@ -230,9 +230,7 @@ export abstract class AKChart<T> extends AKElement {
                               <p slot="body">${pluckErrorDetail(this.error)}</p>
                           </ak-empty-state>
                       `
-                    : html`${this.chart
-                          ? html``
-                          : html`<ak-empty-state ?loading="${true}"></ak-empty-state>`}`}
+                    : html`${this.chart ? html`` : html`<ak-empty-state loading></ak-empty-state>`}`}
                 ${this.centerText ? html` <span>${this.centerText}</span> ` : html``}
                 <canvas style="${this.chart === undefined ? "display: none;" : ""}"></canvas>
             </div>

web/src/elements/forms/ModelForm.ts

@@ -71,7 +71,7 @@ export abstract class ModelForm<T, PKT extends string | number> extends Form<T>
 
     renderVisible(): TemplateResult {
         if ((this._instancePk && !this.instance) || !this._initialDataLoad) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         return super.renderVisible();
     }

web/src/elements/router/Route.ts

@@ -51,7 +51,7 @@ export class Route {
         if (this.callback) {
             return html`${until(
                 this.callback(args),
-                html`<ak-empty-state ?loading=${true}></ak-empty-state>`,
+                html`<ak-empty-state loading></ak-empty-state>`,
             )}`;
         }
         if (this.element) {

web/src/elements/sync/SyncStatusCard.ts

@@ -121,7 +121,7 @@ export class SyncStatusCard extends AKElement {
 
     renderSyncStatus(): TemplateResult {
         if (this.loading) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
         }
         if (!this.syncState) {
             return html`${msg("No sync status.")}`;

web/src/elements/tests/EmptyState.test.ts

@@ -19,7 +19,7 @@ describe("ak-empty-state", () => {
     });
 
     it("should render the default loader", async () => {
-        render(html`<ak-empty-state ?loading=${true} header=${msg("Loading")}> </ak-empty-state>`);
+        render(html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`);
 
         const empty = await $("ak-empty-state").$(">>>.pf-c-empty-state__icon");
         await expect(empty).toExist();

web/src/elements/user/sources/SourceSettings.ts

@@ -139,8 +139,7 @@ export class UserSourceSettingsPage extends AKElement {
                                 })}
                             `}
                   `
-                : html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-                  </ak-empty-state>`}
+                : html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`}
         </ul>`;
     }
 }

web/src/flow/providers/SessionEnd.ts

@@ -24,8 +24,7 @@ export class SessionEnd extends BaseStage<SessionEndChallenge, unknown> {
 
     render(): TemplateResult {
         if (!this.challenge) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">${this.challenge.flowInfo?.title}</h1>

web/src/user/LibraryPage/ak-library.ts

@@ -102,7 +102,7 @@ export class LibraryPage extends AKElement {
     }
 
     loading() {
-        return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}> </ak-empty-state>`;
+        return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
     }
 
     running() {

web/src/user/user-settings/details/UserSettingsFlowExecutor.ts

@@ -173,8 +173,7 @@ export class UserSettingsFlowExecutor
                     level: MessageLevel.success,
                     message: msg("Successfully updated details"),
                 });
-                return html`<ak-empty-state ?loading=${true} header=${msg("Loading")}>
-                </ak-empty-state>`;
+                return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
             default:
                 console.debug(
                     `authentik/user/flows: unsupported stage type ${this.challenge.component}`,
@@ -195,8 +194,7 @@ export class UserSettingsFlowExecutor
             return html`<p>${msg("No settings flow configured.")}</p> `;
         }
         if (!this.challenge || this.loading) {
-            return html`<ak-empty-state ?loading=${true} header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html` ${this.renderChallenge()} `;
     }

web/src/user/user-settings/details/stages/prompt/PromptStage.ts

@@ -64,8 +64,7 @@ export class UserSettingsPromptStage extends PromptStage {
 
     render(): TemplateResult {
         if (!this.challenge) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
         }
         return html`<div class="pf-c-login__main-body">
                 <form

web/xliff/de.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Willkommen,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9171,6 +9171,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -493,7 +493,7 @@
         <target>General system status</target>
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Welcome,
         <x id="0" equiv-text="${name}"/>.</target>
       </trans-unit>
@@ -7694,6 +7694,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Bienvenido,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9253,6 +9253,9 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Bienvenue,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9805,6 +9805,9 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>Nombre d'anciens mots de passe à vérifier</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Benvenuto,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9779,6 +9779,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -597,7 +597,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         
       </trans-unit>
       <trans-unit id="sc381422c585b867f">
@@ -9161,6 +9161,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -605,7 +605,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Welkom,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9063,6 +9063,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Witaj,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9488,6 +9488,9 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -603,7 +603,7 @@
 
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
   <target>Ŵēĺćōḿē, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</target>
 
       </trans-unit>
@@ -9496,4 +9496,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
 </trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Добро пожаловать,
         <x id="0" equiv-text="${name}"/>.</target>
         
@@ -9581,6 +9581,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -602,7 +602,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>Hoş geldiniz, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</target>
         
       </trans-unit>
@@ -9551,6 +9551,9 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -399,7 +399,7 @@
   <source>General system status</source>
 </trans-unit>
 <trans-unit id="s6dfd15978586d05f">
-  <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+  <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
 </trans-unit>
 <trans-unit id="sc381422c585b867f">
   <source>Quick actions</source>
@@ -6302,6 +6302,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
 </trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
         
@@ -9806,6 +9806,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>检查历史密码数量</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+  <target>切换侧边栏</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -485,7 +485,7 @@
         <target>常规系统状态</target>
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
       </trans-unit>
@@ -7394,6 +7394,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_CN.xlf

@@ -612,7 +612,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         <target>欢迎，
         <x id="0" equiv-text="${name}"/>。</target>
         
@@ -9806,6 +9806,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
   <target>检查历史密码数量</target>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
+  <target>切换侧边栏</target>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -596,7 +596,7 @@
         
       </trans-unit>
       <trans-unit id="s6dfd15978586d05f">
-        <source>Welcome, <x id="0" equiv-text="${name || &quot;&quot;}"/>.</source>
+        <source>Welcome, <x id="0" equiv-text="${username || &quot;&quot;}"/>.</source>
         
       </trans-unit>
       <trans-unit id="sc381422c585b867f">
@@ -9138,6 +9138,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
   <source>Number of previous passwords to check</source>
+</trans-unit>
+<trans-unit id="sdd66c5a2e706fb81">
+  <source>Toggle sidebar</source>
 </trans-unit>
     </body>
   </file>

website/.gitignore

@@ -3,6 +3,7 @@
 
 # Production
 /build
+/out
 /help
 
 # Generated files
@@ -25,4 +26,5 @@ yarn-error.log*
 
 static/docker-compose.yml
 static/schema.yml
+static/releases.gen.json
 docs/developer-docs/api/reference/**

website/.prettierignore

@@ -1,5 +1,6 @@
 # Ignore artifacts:
 build
+out
 coverage
 .docusaurus
 node_modules

website/.prettierrc.json

@@ -1 +0,0 @@
-{}

website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md

@@ -1,9 +1,8 @@
 ---
 title: Email Authenticator Setup stage
+authentik_version: "2025.2"
 ---
 
-<span class="badge badge--version">authentik 2025.2+</span>
-
 This stage configures an email-based authenticator that sends a one-time code to a user's email address for authentication.
 
 When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel.

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx

@@ -2,8 +2,6 @@
 title: WebAuthn / Passkeys Authenticator setup stage
 ---
 
-<span class="badge badge--version">authentik 2021.3.1+</span>
-
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
 
 ### Options

website/docs/add-secure-apps/flows-stages/stages/email/index.mdx

@@ -29,8 +29,8 @@ You can also use custom email templates, to use your own design or layout.
 Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
 :::
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/add-secure-apps/providers/proxy/server_caddy.mdx

@@ -2,8 +2,9 @@
 title: Caddy
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
 import Placeholders from "./__placeholders.md";
 import CaddyStandalone from "./_caddy_standalone.md";
 

website/docs/add-secure-apps/providers/proxy/server_envoy.mdx

@@ -2,13 +2,12 @@
 title: Envoy
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
 import Placeholders from "./__placeholders.md";
 import EnvoyIstio from "./_envoy_istio.md";
 
-# Envoy
-
 The configuration template shown below apply to both single-application and domain-level forward auth.
 
 :::info

website/docs/add-secure-apps/providers/proxy/server_nginx.mdx

@@ -1,5 +1,5 @@
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 # nginx
 

website/docs/add-secure-apps/providers/proxy/server_traefik.mdx

@@ -1,5 +1,5 @@
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 # Traefik
 

website/docs/add-secure-apps/providers/radius/HashSupport.tsx

@@ -0,0 +1,82 @@
+import styles from "./styles.module.css";
+
+const RADIUSProtocols = [
+    "PAP",
+    "CHAP",
+    "Digest",
+    "MS-CHAP",
+    "PEAP",
+    "MS-CHAPv2",
+    "Cisco LEAP",
+    "EAP-GTC",
+    "EAP-MD5",
+    "EAP-PWD",
+] as const satisfies string[];
+
+type RADIUSProtocol = (typeof RADIUSProtocols)[number];
+
+const HashKinds = [
+    "Cleartext",
+    "NT",
+    "MD5",
+    "Salted MD5",
+    "SHA1",
+    "Salted SHA1",
+    "Unix Crypt",
+] as const satisfies string[];
+
+type HashKind = (typeof HashKinds)[number];
+
+const supportMatrix: Record<HashKind, RADIUSProtocol[]> = {
+    "Cleartext": [
+        "PAP",
+        "CHAP",
+        "Digest",
+        "MS-CHAP",
+        "PEAP",
+        "MS-CHAPv2",
+        "Cisco LEAP",
+        "EAP-GTC",
+        "EAP-MD5",
+        "EAP-PWD",
+    ],
+    "NT": ["PAP", "MS-CHAP", "PEAP", "MS-CHAPv2", "Cisco LEAP", "EAP-GTC"],
+    "MD5": ["PAP", "EAP-GTC"],
+    "Salted MD5": ["PAP", "EAP-GTC"],
+    "SHA1": ["PAP", "EAP-GTC"],
+    "Salted SHA1": ["PAP", "EAP-GTC", "EAP-PWD"],
+    "Unix Crypt": ["PAP", "EAP-GTC", "EAP-PWD"],
+};
+
+export const HashSupport: React.FC = () => {
+    return (
+        <table className={styles.table}>
+            <thead>
+                <tr>
+                    <th></th>
+                    {HashKinds.map((hashKind, i) => (
+                        <th key={i}>{hashKind}</th>
+                    ))}
+                </tr>
+            </thead>
+
+            <tbody>
+                {RADIUSProtocols.map((radiusProtocol, i) => (
+                    <tr key={i}>
+                        <td>{radiusProtocol}</td>
+                        {HashKinds.map((hashKind) => {
+                            const protocols = supportMatrix[hashKind];
+                            const supported = protocols.includes(radiusProtocol);
+
+                            return (
+                                <td data-supported={supported} key={hashKind}>
+                                    {supported ? "✓" : "✗"}
+                                </td>
+                            );
+                        })}
+                    </tr>
+                ))}
+            </tbody>
+        </table>
+    );
+};

website/docs/add-secure-apps/providers/radius/index.mdx

@@ -2,7 +2,7 @@
 title: RADIUS Provider
 ---
 
-import { Check, X, AlertTriangle } from "react-feather";
+import { HashSupport } from "./HashSupport";
 
 You can configure a Radius provider for applications that don't support any other protocols or that require Radius.
 
@@ -56,15 +56,4 @@ After creation, make sure to select the RADIUS property mapping in the RADIUS pr
 
 The RADIUS provider only supports the [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol:
 
-|              | Clear-text      | NT hash         | MD5 hash        | Salted MD5 hash | SHA1 hash       | Salted SHA1 hash | Unix Crypt      |
-| ------------ | --------------- | --------------- | --------------- | --------------- | --------------- | ---------------- | --------------- |
-| PAP          | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check>  | <Check></Check> |
-| CHAP         | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| Digest       | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| MS-CHAP      | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| PEAP         | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-MSCHAPv2 | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| Cisco LEAP   | <Check></Check> | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-GTC      | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check>  | <Check></Check> |
-| EAP-MD5      | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <X></X>          | <X></X>         |
-| EAP-PWD      | <Check></Check> | <X></X>         | <X></X>         | <X></X>         | <X></X>         | <Check></Check>  | <Check></Check> |
+<HashSupport />

website/docs/add-secure-apps/providers/radius/styles.module.css

@@ -0,0 +1,20 @@
+.table td {
+    text-align: center;
+    font-weight: bold;
+
+    &:first-child {
+        text-align: right;
+        width: 13ch;
+    }
+
+    &:not(:first-child) {
+        width: 10ch;
+    }
+
+    &[data-supported="true"] {
+        color: var(--ifm-color-success-dark);
+    }
+    &[data-supported="false"] {
+        color: var(--ifm-color-danger-dark);
+    }
+}

website/docs/customize/blueprints/v1/example.md

@@ -4,6 +4,7 @@ title: Example
 
 This is one of the default packaged blueprints to create the default authentication flow.
 
+<!-- prettier-ignore-start -->
 ```yaml
 version: 1
 metadata:
@@ -64,3 +65,4 @@ entries:
           target: !KeyOf flow
       model: authentik_flows.flowstagebinding
 ```
+<!-- prettier-ignore-end -->

website/docs/customize/blueprints/v1/tags.mdx

@@ -48,6 +48,8 @@ Returns the value of the given environment variable. Can be used as a scalar wit
 
 Examples:
 
+{/* prettier-ignore-start */}
+
 ```yaml
 configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]]
 ```
@@ -60,6 +62,8 @@ configure_flow:
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 Looks up any model and resolves to the the matches' primary key.
 First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for.
 
@@ -67,10 +71,15 @@ First argument is the model to be queried, remaining arguments are expected to b
 
 Example:
 
+{/* prettier-ignore-start */}
+
+
 ```yaml
 configure_flow: !Context foo
 ```
 
+{/* prettier-ignore-end */}
+
 Find values from the context. Can optionally be called with a default like `!Context [foo, default-value]`.
 
 #### `!Format`
@@ -209,6 +218,8 @@ For example, given a sequence like this - `["a", "b", "c"]`, this tag will resol
 
 Minimal examples:
 
+{/* prettier-ignore-start */}
+
 ```yaml
 configuration_stages: !Enumerate [
         !Context map_of_totp_stage_names_and_types,
@@ -224,6 +235,8 @@ configuration_stages: !Enumerate [
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 The above example will resolve to something like this:
 
 ```yaml
@@ -265,6 +278,8 @@ Full example:
 Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.
 :::
 
+{/* prettier-ignore-start */}
+
 ```yaml
 example: !Enumerate [
         !Context sequence, # ["foo", "bar"]
@@ -288,6 +303,8 @@ example: !Enumerate [
     ]
 ```
 
+{/* prettier-ignore-end */}
+
 The above example will resolve to something like this:
 
 ```yaml

website/docs/customize/interfaces/_global/customcss.mdx

@@ -2,8 +2,8 @@
 
 To further modify the look of authentik, a custom CSS file can be created. Creating such a file is outside the scope of this document.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/developer-docs/docs/style-guide.mdx

@@ -255,8 +255,8 @@ This section covers the usage of React components within our documentation. File
 Use **Tabs** to display different configurations (e.g., setting up authentication with OIDC vs. SAML) to help users navigate between options. Default to the easier or more common option. Insert the following lines wherever you want the code block to appear:
 
 ```jsx
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
     defaultValue="oidc"

website/docs/developer-docs/index.md

@@ -163,7 +163,7 @@ While the prerequisites above must be satisfied prior to having your pull reques
 
 All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff).
 
-authentik runs on Python 3.12 at the time of writing this.
+authentik runs on Python 3.13 at the time of writing this.
 
 - Use native type-annotations wherever possible.
 - Add meaningful docstrings when possible.

website/docs/developer-docs/releases/index.md

@@ -148,7 +148,6 @@ We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _d
 
 <details>
 <summary>Mailing list template</summary>
-<p>
 
 Subject: `Release of authentik Security releases 2022.10.3 and 2022.11.3`
 
@@ -158,12 +157,10 @@ The security advisory for CVE-2022-xxxxx has been published: https://github.com/
 Releases 2022.10.3 and 2022.11.3 with fixes included are available here: https://github.com/goauthentik/authentik/releases
 ```
 
-</p>
 </details>
 
 <details>
 <summary>Discord template</summary>
-<p>
 
 ```markdown
 [...existing announcement...]
@@ -175,5 +172,4 @@ Advisory for for CVE-2022-xxxxx has been published here https://github.com/goaut
 The fixed versions 2022.10.3 and 2022.11.3 are available here: https://github.com/goauthentik/authentik/releases
 ```
 
-</p>
 </details>

website/docs/developer-docs/setup/full-dev-environment.mdx

@@ -9,15 +9,15 @@ tags:
     - docker
 ---
 
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
 import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## Requirements
 
-- [Python](https://www.python.org/) (3.12 or later)
+- [Python](https://www.python.org/) (3.13 or later)
 - [uv](https://docs.astral.sh/uv/getting-started/installation/), (Latest stable release)
-- [Go](https://go.dev/) (1.23 or later)
+- [Go](https://go.dev/) (1.24 or later)
 - [Node.js](https://nodejs.org/en) (22 or later)
 - [PostgreSQL](https://www.postgresql.org/) (16 or later)
 - [Redis](https://redis.io/) (7 or later)
@@ -54,9 +54,8 @@ values={[
     To install the native dependencies on macOS, run:
 
     ```sh
-    $ pip install uv
-    $ brew install libxmlsec1 libpq krb5   # Required development libraries,
-    $ brew install postgresql redis node@22 golangci-lint   # Required CLI tools
+    $ brew install libxmlsec1 libpq krb5 pkg-config  # Required development libraries,
+    $ brew install uv postgresql redis node@22 golangci-lint   # Required CLI tools
     ```
 
 </TabItem>
@@ -66,14 +65,13 @@ To install native dependencies on Debian or Ubuntu, run:
 
 ```sh
 $ pip install uv
-$ sudo apt-get install  libgss-dev krb5-config libkrb5-dev postgresql-server-dev-all
+$ sudo apt-get install libgss-dev krb5-config libkrb5-dev postgresql-server-dev-all
 $ sudo apt-get install postresql redis
 ```
 
 Adjust your needs as required for other distributions such as Red Hat, SUSE, or Arch.
 
-Install golangci-lint locally [from the site
-instructions](https://golangci-lint.run/welcome/install/#other-ci).
+Install golangci-lint locally [from the site instructions](https://golangci-lint.run/welcome/install/#other-ci).
 
   </TabItem>
 

website/docs/index.mdx

@@ -24,39 +24,34 @@ The authentik product provides the following consoles:
 
 In authentik, you can use Light or Dark mode for the Admin interface, User interface, and the Flow interface.
 
-import "react-before-after-slider-component/dist/build.css";
-import ReactBeforeSliderComponent from "react-before-after-slider-component";
 import useBaseUrl from "@docusaurus/useBaseUrl";
+import ReactBeforeSliderComponent from "react-before-after-slider-component";
+
+import "react-before-after-slider-component/dist/build.css";
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_flow_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_flow_light.jpg"),
     }}
 />
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_apps_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_apps_light.jpg"),
     }}
 />
 
 <ReactBeforeSliderComponent
     firstImage={{
-        id: 1,
         imageUrl: useBaseUrl("img/screen_admin_dark.jpg"),
     }}
     secondImage={{
-        id: 2,
         imageUrl: useBaseUrl("img/screen_admin_light.jpg"),
     }}
 />

website/docs/install-config/air-gapped.mdx

@@ -17,8 +17,8 @@ To disable these outbound connections, adjust the settings as follows:
 
 To view a list of all configuration options, refer to the [Configuration](./configuration/configuration.mdx) documentation.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/install-config/beta.mdx

@@ -8,8 +8,8 @@ You can test upcoming authentik versions, including major new features that are
 Downgrading from the Beta is not supported. It is recommended to take a backup before upgrading, or test Beta versions on a separate install. Upgrading from Beta versions to the next release is usually possible, however also not supported.
 :::
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/install-config/configuration/configuration.mdx

@@ -17,8 +17,8 @@ All of these variables can be set to values, but you can also use a URI-like for
 
 ## Set your environment variables
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs groupId="platform">
   <TabItem value="docker-compose" label="Docker Compose" default>
@@ -356,7 +356,7 @@ Defaults to `86400`.
 
 ### `AUTHENTIK_SESSION_STORAGE`:ak-version[2024.4]
 
-Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+Configure if the sessions are stored in the cache or the database. Defaults to `db`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
 ### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]
 

website/docs/install-config/install/docker-compose.mdx

@@ -27,8 +27,8 @@ This installation method is for test setups and small-scale production setups.
 To download the latest `docker-compose.yml` open your terminal and navigate to the directory of your choice.
 Run the following command:
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 {/* prettier-ignore */}
 <Tabs groupId="OS">

website/docs/install-config/upgrade.mdx

@@ -20,8 +20,8 @@ authentik does not support downgrading. Make sure to back up your database in ca
 
 ## Upgrade authentik
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs groupId="platform">
   <TabItem value="docker-compose" label="Docker Compose" default>

website/docs/releases/2024/v2024.10.md

@@ -5,8 +5,8 @@ slug: "/releases/2024.10"
 
 ## Highlights
 
-- **Chrome Device Trust** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>: Verify that your users are logging in from managed devices and validate the devices' compliance with company policies.
-- **FIPS/FAL3 for FedRAMP "very high" compliance** <span class="badge badge--primary">Enterprise+</span>: with support for SAML encryption and now JWE (JSON Web Encryption) support, authentik can now be configured for FIPS compliance at Federation Assurance Level (FAL) 3.
+- **Chrome Device Trust** :ak-enterprise :ak-preview : Verify that your users are logging in from managed devices and validate the devices' compliance with company policies.
+- **FIPS/FAL3 for FedRAMP "very high" compliance** :ak-enterprise : with support for SAML encryption and now JWE (JSON Web Encryption) support, authentik can now be configured for FIPS compliance at Federation Assurance Level (FAL) 3.
 - **Captcha on Identification stage**: Run a CAPTCHA process in the background while the user is entering their identification.
 - **Kerberos source**: authentik can now integrate with existing Kerberos environments by allowing users to log in with their Kerberos credentials, SPNEGO, or syncing users into authentik.
 
@@ -16,7 +16,7 @@ We have no breaking changes this release!
 
 ## New features
 
-- **Chrome Device Trust** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Chrome Device Trust** :ak-enterprise :ak-preview
 
     This is a new stage for Enterprise clients that verifies the user through the Chrome Verified Access API. This stage only works with Google Chrome. You'll need to bring your own [Verified Access API instance](https://developers.google.com/chrome/verified-access/overview) via Google Cloud.
 

website/docs/releases/2024/v2024.12.md

@@ -6,8 +6,8 @@ slug: "/releases/2024.12"
 ## Highlights
 
 - **Redirect stage** Conditionally redirect users to other flows and URLs.
-- **Application entitlements** <span class="badge badge--info">Preview</span> Additional granular permission configuration on an application-level basis.
-- **CloudFormation** <span class="badge badge--info">Preview</span> One-click deploy on AWS.
+- **Application entitlements** :ak-preview Additional granular permission configuration on an application-level basis.
+- **CloudFormation** :ak-preview One-click deploy on AWS.
 - **Policies in the application wizard** Configure access restriction while creating an application.
 
 ## Breaking changes
@@ -32,7 +32,7 @@ slug: "/releases/2024.12"
 
     This new stage allows redirecting a user to another flow or external URL. This allows for dynamically choosing which flow runs depending on user attributes or other factors, or redirection to another URL.
 
-- **Application entitlements** <span class="badge badge--info">Preview</span>
+- **Application entitlements** :ak-preview
 
     Centrally configure permissions by granting entitlements to groups and users on an application-level basis.
 
@@ -40,7 +40,7 @@ slug: "/releases/2024.12"
 
     In the application creation wizard, administrators can now configure policies bindings along with the other application settings.
 
-- **CloudFormation** <span class="badge badge--info">Preview</span>
+- **CloudFormation** :ak-preview
 
     Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws.md).
 

website/docs/releases/2024/v2024.2.md

@@ -5,9 +5,9 @@ slug: /releases/2024.2
 
 ## Highlights
 
-- **Remote Access Control** <span class="badge badge--primary">Enterprise</span> Access machines over RDP, SSH, and VNC from authentik
+- **Remote Access Control** :ak-enterprise Access machines over RDP, SSH, and VNC from authentik
 
-- **Audit logging** <span class="badge badge--primary">Enterprise</span> See what fields were changed when objects are updated
+- **Audit logging** :ak-enterprise See what fields were changed when objects are updated
 
 - **Session location and network binding** Increase security by preventing session theft
 
@@ -102,11 +102,11 @@ slug: /releases/2024.2
 
 ## New features
 
-- **New provider: Remote Access Control** <span class="badge badge--primary">Enterprise</span>
+- **New provider: Remote Access Control** :ak-enterprise
 
     The Remote Access Control provider allows you to remotely connect to remote machines over RDP, SSH and VNC through authentik. As such, you can use the same policy engine and customization options that are possible with other providers using the same user and admin interface.
 
-- **Audit logging** <span class="badge badge--primary">Enterprise</span>
+- **Audit logging** :ak-enterprise
 
     authentik instances that have a valid enterprise license installed will log any changes made to models, including which fields were changed with previous and new values of the fields. The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged.
 

website/docs/releases/2024/v2024.4.md

@@ -5,9 +5,9 @@ slug: /releases/2024.4
 
 ## Highlights
 
-- **OAuth/SAML as authentication factor** <span class="badge badge--primary">Enterprise</span> Use an external provider as part of an MFA authentication flow, including custom implementations
+- **OAuth/SAML as authentication factor** :ak-enterprise Use an external provider as part of an MFA authentication flow, including custom implementations
 
-- **SCIM Source** <span class="badge badge--info">Preview</span> Provision users and groups in authentik using an SCIM API
+- **SCIM Source** :ak-preview Provision users and groups in authentik using an SCIM API
 
 - **Configurable WebAuthn device restrictions** Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.
 
@@ -27,13 +27,13 @@ slug: /releases/2024.4
 
 ## New features
 
-- **Source stage** <span class="badge badge--primary">Enterprise</span>
+- **Source stage** :ak-enterprise
 
     The source stage allows for an inclusion of a source as part of a flow. This can be used to link a user to a source as part of their authentication/enrollment, or it can be used as an external multi-factor to provide device health attestation for example.
 
     For details refer to [Source stage](../../add-secure-apps/flows-stages/stages/source/index.md)
 
-- **SCIM Source** <span class="badge badge--info">Preview</span>
+- **SCIM Source** :ak-preview
 
     Provision users and groups in authentik using an SCIM API.
 

website/docs/releases/2024/v2024.6.md

@@ -6,7 +6,7 @@ slug: /releases/2024.6
 ## Highlights
 
 - **PostgreSQL read replicas**: Optimize database query routing by using read replicas to balance the load
-- **New Enterprise providers**: <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span> Google Workspace and Microsoft Entra ID providers allow for user synchronization with authentik
+- **New Enterprise providers**: :ak-enterprise :ak-preview Google Workspace and Microsoft Entra ID providers allow for user synchronization with authentik
 - **Improved CAPTCHA stage**: Allows configurable dynamic use of CAPTCHAs
 
 ## Breaking changes
@@ -29,13 +29,13 @@ The `context["geoip"]` and `context["asn"]` objects available in expression poli
 
 ## New features
 
-- **Google Workspace Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Google Workspace Provider** :ak-enterprise :ak-preview
 
     With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.
 
     For details refer to the [Google Workspace Provider documentation](../../add-secure-apps/providers/gws/index.md)
 
-- **Microsoft Entra ID Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **Microsoft Entra ID Provider** :ak-enterprise :ak-preview
 
     With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
 

website/docs/releases/2025/v2025.2.md

@@ -5,7 +5,7 @@ slug: "/releases/2025.2"
 
 ## Highlights
 
-- **SSF Provider <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>** Add support for Shared Signals Framework.
+- **SSF Provider :ak-enterprise :ak-preview** Add support for Shared Signals Framework.
 - **RAC moved open source** Remote access is now available to everyone!
 - **GeoIP distance and impossible travel checks** Add the ability to check for the distance a user has moved compared to a previous login, and if the user could have travelled the distance.
 - **Email OTP Stage** Allow users to use their email accounts as a one-time-password during authentication.
@@ -13,7 +13,7 @@ slug: "/releases/2025.2"
 
 ## Breaking changes
 
-- **Fixed behaviour in Source stage <span class="badge badge--primary">Enterprise</span>**
+- **Fixed behaviour in Source stage :ak-enterprise**
 
     In previous versions, the Source stage would incorrectly continue with the initial flow after returning from the source, which didn't match the documented behaviour.
 
@@ -29,7 +29,7 @@ slug: "/releases/2025.2"
 
 ## New features
 
-- **SSF Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>
+- **SSF Provider** :ak-enterprise :ak-preview
 
     [Shared Signals Framework](../../add-secure-apps/providers/ssf/index.md) allows applications to register a stream with authentik within which they can received events from authentik such as when a session was revoked or a credential was add/changed/deleted and execute actions based on these events.
 

website/docs/releases/2025/v2025.4.md

@@ -11,7 +11,7 @@ slug: "/releases/2025.4"
 
 - **RBAC: Initial Permissions** :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
 
-- **Password History Policy** <span class="badge badge--primary">Enterprise</span> A new policy (the Password Uniqueness policy) can be implemented to prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for FedRAMP compliance.
+- **Password History Policy** :ak-enterprise A new policy (the Password Uniqueness policy) can be implemented to prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for FedRAMP compliance.
 
 - **Provider Sync Dry Run** :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Microsoft Entra providers to preview the results of a sync without affecting live accounts.
 
@@ -108,7 +108,7 @@ When you upgrade, be aware that the version of the authentik instance and of any
 To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
 
 ```shell
-wget -O docker-compose.yml https://goauthentik.io/version/xxxx.x/docker-compose.yml
+wget -O docker-compose.yml https://goauthentik.io/version/2025.4/docker-compose.yml
 docker compose up -d
 ```
 

website/docs/sys-mgmt/ops/geoip.mdx

@@ -14,8 +14,8 @@ By default, the GeoIP database is loaded from `/geoip/GeoLite2-City.mmdb`. If mo
 
 If you want to disable GeoIP, you can set the path to a non-existent path and authentik will skip the GeoIP.
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   defaultValue="docker-compose"

website/docs/sys-mgmt/service-accounts.md

@@ -3,8 +3,6 @@ title: Service Accounts
 sidebar_label: Service Accounts
 ---
 
-# Service Accounts
-
 Service accounts are specialized user accounts designed for machine-to-machine authentication and automation purposes rather than interactive human use. They're ideal for integrating authentik with external systems, APIs, and services.
 
 ## Types of Service Accounts

website/docs/troubleshooting/forward_auth/general.mdx

@@ -2,8 +2,8 @@
 title: General troubleshooting steps
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## Set the log level to TRACE
 

website/docs/troubleshooting/logs.mdx

@@ -10,8 +10,8 @@ The server and worker containers support multiple log levels: `debug`, `info`, `
 
 To modify the log level, follow the steps for your platform
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs
   groupId="platform"

website/docs/users-sources/access-control/manage_permissions.md

@@ -23,7 +23,7 @@ To view _object_ permissions for a specific user or role:
 
 ### View flow permissions
 
-\_These instructions apply to all objects that have a detail page, which can be accessed by clicking on the name in the list page.\_\_
+_These instructions apply to all objects that have a detail page, which can be accessed by clicking on the name in the list page._
 
 1. Go to the Admin interface and navigate to **Flows and Stages -> Flows**.
 2. Click the name of the flow (this opens the details page).

website/docs/users-sources/access-control/permissions.md

@@ -26,6 +26,8 @@ Global permissions define who can do what on a global level across the entire sy
 
 You can assign _global permissions_ to individual [users](../user/index.mdx) or to [roles](../roles/index.md). The most common and best practice is to assign permissions to roles.
 
+An example of a global permission is [`Can view admin interface`](./manage_permissions#assign-can-view-admin-interface-permissions), which an administrator can assign to a non-administrator user or role to provide view access to the Admin interface.
+
 ### Object permissions
 
 Object permissions have two categories:

website/docs/users-sources/sources/protocols/scim/index.md

@@ -32,6 +32,7 @@ See the [overview](../../property-mappings/index.md) for information on how prop
 
 Each top level SCIM attribute is available as a variable in the expression. For example given an SCIM request with the payload of
 
+<!-- prettier-ignore-start -->
 ```json
 {
     "schemas": [
@@ -57,6 +58,7 @@ Each top level SCIM attribute is available as a variable in the expression. For
     }
 }
 ```
+<!-- prettier-ignore-end -->
 
 The following variables are available in the expression:
 

website/docusaurus.config.cjs

@@ -0,0 +1,12 @@
+/**
+ * @file CommonJS Docusaurus config adapter.
+ *
+ * This exists to allow an ESM Docusaurus configuration to be imported in a CommonJS.
+ *
+ * @import Config from "./docusaurus.config.esm.mjs"
+ */
+
+/**
+ * @see {@linkcode Config} for the Docusaurus configuration type.
+ */
+module.exports = import("./docusaurus.config.esm.mjs").then(($) => $.default);

website/docusaurus.config.esm.mjs

@@ -0,0 +1,164 @@
+/**
+ * @file Docusaurus config.
+ *
+ * @import * as Preset from "@docusaurus/preset-classic";
+ * @import * as OpenApiPlugin from "docusaurus-plugin-openapi-docs";
+ * @import { BuildUrlValues } from "remark-github";
+ */
+import { createDocusaurusConfig } from "@goauthentik/docusaurus-config";
+import { createRequire } from "node:module";
+import remarkDirective from "remark-directive";
+import remarkGithub, { defaultBuildUrl } from "remark-github";
+
+import remarkEnterpriseDirective from "./remark/enterprise-directive.mjs";
+import remarkPreviewDirective from "./remark/preview-directive.mjs";
+import remarkSupportDirective from "./remark/support-directive.mjs";
+import remarkVersionDirective from "./remark/version-directive.mjs";
+
+const require = createRequire(import.meta.url);
+
+/**
+ * Documentation site configuration for Docusaurus.
+ */
+const config = createDocusaurusConfig({
+    url: "https://docs.goauthentik.io",
+    future: {
+        experimental_faster: true,
+    },
+    themes: ["@docusaurus/theme-mermaid", "docusaurus-theme-openapi-docs"],
+    themeConfig: {
+        image: "img/social.png",
+        navbar: {
+            logo: {
+                alt: "authentik logo",
+                src: "img/icon_left_brand.svg",
+                href: "https://goauthentik.io/",
+                target: "_self",
+            },
+            items: [
+                {
+                    to: "https://goauthentik.io/features",
+                    label: "Features",
+                    position: "left",
+                    target: "_self",
+                },
+                {
+                    to: "integrations/",
+                    label: "Integrations",
+                    position: "left",
+                },
+                {
+                    to: "docs/",
+                    label: "Documentation",
+                    position: "left",
+                },
+                {
+                    to: "https://goauthentik.io/pricing/",
+                    label: "Pricing",
+                    position: "left",
+                    target: "_self",
+                },
+                {
+                    to: "https://goauthentik.io/blog",
+                    label: "Blog",
+                    position: "left",
+                    target: "_self",
+                },
+                {
+                    "href": "https://github.com/goauthentik/authentik",
+                    "data-icon": "github",
+                    "aria-label": "GitHub",
+                    "position": "right",
+                },
+                {
+                    "href": "https://goauthentik.io/discord",
+                    "data-icon": "discord",
+                    "aria-label": "Discord",
+                    "position": "right",
+                },
+            ],
+        },
+        footer: {
+            links: [],
+            copyright: `Copyright © ${new Date().getFullYear()} Authentik Security Inc. Built with Docusaurus.`,
+        },
+        algolia: {
+            appId: "36ROD0O0FV",
+            apiKey: "727db511300ca9aec5425645bbbddfb5",
+            indexName: "goauthentik",
+        },
+    },
+    presets: [
+        [
+            "@docusaurus/preset-classic",
+            /** @type {Preset.Options} */ ({
+                docs: {
+                    id: "docs",
+                    sidebarPath: "./sidebars/docs.mjs",
+                    showLastUpdateTime: false,
+                    editUrl: "https://github.com/goauthentik/authentik/edit/main/website/",
+                    docItemComponent: "@theme/ApiItem",
+
+                    beforeDefaultRemarkPlugins: [
+                        remarkDirective,
+                        remarkVersionDirective,
+                        remarkEnterpriseDirective,
+                        remarkPreviewDirective,
+                        remarkSupportDirective,
+                    ],
+                    remarkPlugins: [
+                        [
+                            remarkGithub,
+                            {
+                                repository: "goauthentik/authentik",
+                                /**
+                                 * @param {BuildUrlValues} values
+                                 */
+                                buildUrl: (values) => {
+                                    // Only replace issues and PR links
+                                    return values.type === "issue" || values.type === "mention"
+                                        ? defaultBuildUrl(values)
+                                        : false;
+                                },
+                            },
+                        ],
+                    ],
+                },
+                theme: {
+                    customCss: require.resolve("@goauthentik/docusaurus-config/css/index.css"),
+                },
+            }),
+        ],
+    ],
+    plugins: [
+        [
+            "@docusaurus/plugin-content-docs",
+            {
+                id: "docsIntegrations",
+                path: "integrations",
+                routeBasePath: "integrations",
+                sidebarPath: "./sidebars/integrations.mjs",
+                editUrl: "https://github.com/goauthentik/authentik/edit/main/website/",
+            },
+        ],
+        [
+            "docusaurus-plugin-openapi-docs",
+            {
+                id: "api",
+                docsPluginId: "docs",
+                config: /** @type {OpenApiPlugin.Options} */ ({
+                    authentik: {
+                        specPath: "static/schema.yml",
+                        outputDir: "docs/developer-docs/api/reference/",
+                        hideSendButton: true,
+                        sidebarOptions: {
+                            groupPathsBy: "tag",
+                        },
+                    },
+                }),
+            },
+        ],
+    ],
+});
+
+export default config;

website/docusaurus.config.ts

@@ -1,188 +0,0 @@
-import type { Config } from "@docusaurus/types";
-import type * as Preset from "@docusaurus/preset-classic";
-import { themes as prismThemes } from "prism-react-renderer";
-import type * as OpenApiPlugin from "docusaurus-plugin-openapi-docs";
-import remarkGithub, { BuildUrlValues } from "remark-github";
-import { defaultBuildUrl } from "remark-github";
-import remarkDirective from "remark-directive";
-import remarkVersionDirective from "./remark/version-directive.js";
-import remarkPreviewDirective from "./remark/preview-directive.js";
-import remarkSupportDirective from "./remark/support-directive.js";
-
-const createConfig = (): Config => {
-    return {
-        title: "authentik",
-        tagline: "Bring all of your authentication into a unified platform.",
-        url: "https://docs.goauthentik.io",
-        baseUrl: "/",
-        onBrokenLinks: "throw",
-        onBrokenAnchors: "throw",
-        favicon: "img/icon.png",
-        organizationName: "Authentik Security Inc.",
-        projectName: "authentik",
-        themeConfig: {
-            image: "img/social.png",
-            navbar: {
-                logo: {
-                    alt: "authentik logo",
-                    src: "img/icon_left_brand.svg",
-                    href: "https://goauthentik.io/",
-                    target: "_self",
-                },
-                items: [
-                    {
-                        to: "https://goauthentik.io/features",
-                        label: "Features",
-                        position: "left",
-                        target: "_self",
-                    },
-                    {
-                        to: "integrations/",
-                        label: "Integrations",
-                        position: "left",
-                    },
-                    {
-                        to: "docs/",
-                        label: "Documentation",
-                        position: "left",
-                    },
-                    {
-                        to: "https://goauthentik.io/pricing/",
-                        label: "Pricing",
-                        position: "left",
-                        target: "_self",
-                    },
-                    {
-                        to: "https://goauthentik.io/blog",
-                        label: "Blog",
-                        position: "left",
-                        target: "_self",
-                    },
-                    {
-                        href: "https://github.com/goauthentik/authentik",
-                        "data-icon": "github",
-                        "aria-label": "GitHub",
-                        position: "right",
-                    },
-                    {
-                        href: "https://goauthentik.io/discord",
-                        "data-icon": "discord",
-                        "aria-label": "Discord",
-                        position: "right",
-                    },
-                ],
-            },
-            footer: {
-                links: [],
-                copyright: `Copyright © ${new Date().getFullYear()} Authentik Security Inc. Built with Docusaurus.`,
-            },
-            tableOfContents: {
-                minHeadingLevel: 2,
-                maxHeadingLevel: 3,
-            },
-            colorMode: {
-                respectPrefersColorScheme: true,
-            },
-            algolia: {
-                appId: "36ROD0O0FV",
-                apiKey: "727db511300ca9aec5425645bbbddfb5",
-                indexName: "goauthentik",
-            },
-            prism: {
-                theme: prismThemes.oneLight,
-                darkTheme: prismThemes.oneDark,
-                additionalLanguages: [
-                    // ---
-                    "apacheconf",
-                    "diff",
-                    "http",
-                    "json",
-                    "nginx",
-                    "python",
-                    "bash",
-                ],
-            },
-        },
-        presets: [
-            [
-                "@docusaurus/preset-classic",
-                {
-                    docs: {
-                        id: "docs",
-                        sidebarPath: "./sidebars.js",
-                        showLastUpdateTime: false,
-                        editUrl:
-                            "https://github.com/goauthentik/authentik/edit/main/website/",
-                        docItemComponent: "@theme/ApiItem",
-
-                        beforeDefaultRemarkPlugins: [
-                            remarkDirective,
-                            remarkVersionDirective,
-                            remarkPreviewDirective,
-                            remarkSupportDirective,
-                        ],
-                        remarkPlugins: [
-                            [
-                                remarkGithub,
-                                {
-                                    repository: "goauthentik/authentik",
-                                    // Only replace issues and PR links
-                                    buildUrl: (values: BuildUrlValues) => {
-                                        return values.type === "issue" ||
-                                            values.type === "mention"
-                                            ? defaultBuildUrl(values)
-                                            : false;
-                                    },
-                                },
-                            ],
-                        ],
-                    },
-                    theme: {
-                        customCss: require.resolve(
-                            "@goauthentik/docusaurus-config/css/index.css",
-                        ),
-                    },
-                } satisfies Preset.Options,
-            ],
-        ],
-        plugins: [
-            [
-                "@docusaurus/plugin-content-docs",
-                {
-                    id: "docsIntegrations",
-                    path: "integrations",
-                    routeBasePath: "integrations",
-                    sidebarPath: "./sidebarsIntegrations.js",
-                    editUrl:
-                        "https://github.com/goauthentik/authentik/edit/main/website/",
-                },
-            ],
-            [
-                "docusaurus-plugin-openapi-docs",
-                {
-                    id: "api",
-                    docsPluginId: "docs",
-                    config: {
-                        authentik: {
-                            specPath: "static/schema.yml",
-                            outputDir: "docs/developer-docs/api/reference/",
-                            hideSendButton: true,
-                            sidebarOptions: {
-                                groupPathsBy: "tag",
-                            },
-                        } satisfies OpenApiPlugin.Options,
-                    },
-                },
-            ],
-        ],
-        markdown: {
-            mermaid: true,
-        },
-        future: {
-            experimental_faster: true,
-        },
-        themes: ["@docusaurus/theme-mermaid", "docusaurus-theme-openapi-docs"],
-    };
-};
-
-module.exports = createConfig;

website/integrations/services/actual-budget/index.mdx

@@ -4,8 +4,8 @@ sidebar_label: Actual Budget
 support_level: community
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## What is Actual Budget
 

website/integrations/services/apache-guacamole/index.mdx

@@ -4,8 +4,8 @@ sidebar_label: Apache Guacamole™
 support_level: authentik
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 ## What is Apache Guacamole™
 

website/integrations/services/atlassian/index.mdx

@@ -0,0 +1,117 @@
+---
+title: Integrate with Atlassian Cloud
+sidebar_label: Atlassian Cloud
+support_level: community
+---
+
+## What is Atlassian Cloud
+
+> Atlassian is a proprietary software company that specializes in collaboration tools designed primarily for software development and project management. Atlassian Cloud is their cloud platform and provides access to their popular apps; Jira, Confluence, Bitbucket, Trello and others.
+>
+> -- https://www.atlassian.com/
+
+:::important
+This guide offers instructions for setting up authentik as a SAML provider specifically for Atlassian Cloud. It is applicable to all Atlassian Cloud applications, including Jira, Confluence, Bitbucket, Trello, and others.
+
+Atlassian Cloud has two types of users; **internal** and **external**.
+
+Internal users are defined by their email domain which needs to be a [verified domain in Atlassian Cloud](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/). Internal users are able to utilise SSO without Atlassian Cloud credentials.
+
+[External users](https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/) are required to log into Atlassian Cloud using Atlassian Cloud credentials. They are then prompted for authentik credentials when accessing specific Atlassian Cloud apps like Jira.
+:::
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+SAML SSO for Atlassian Cloud apps requires an [Atlassian Guard](https://support.atlassian.com/security-and-access-policies/docs/understand-atlassian-guard/) subscription and a [verified domain](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/). Further information on requirements for SSO can be found in the [Atlassian SSO documentation](https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on-with-an-identity-provider/).
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of Atlassian Cloud with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+        - Note the application slug, it will be required when filling out the **Identity provider SSO URL** later on.
+    - **Choose a Provider type**: select **SAML Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Temporarily set the **ACS URL** and **Audience** to `https://temp.temp`
+        - Set the **Service Provider Binding** to `Post`.
+        - Under **Advanced protocol settings**, set an available signing certificate.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### Download the signing certificate
+
+1. Log into authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click on the name of the newly created Atlassian Cloud provider.
+3. Under **Download signing certificate** click the **Download** button. The contents of this certificate will be required in the next section.
+
+## Atlassian Cloud configuration
+
+1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization administrator.
+2. Navigate to **Security** > **Identity providers**.
+3. Under **Choose an identity provider** select **Other provider**.
+4. Provide a **Directory name** e.g authentik and click **Add**.
+5. Click **Set up SAML single sign-on** and then **Next**.
+6. Set the following required configurations:
+    - **Identity provider Entity ID**: `authentik`
+    - **Identity provider SSO URL**: `https://authentik.company/application/saml/<application slug>/sso/binding/redirect/`
+    - **Public x509 certificate**: enter the contents of the certificate that was downloaded in the previous section.
+7. Click **Add**.
+8. You will be shown a **Service provider entity URL** and **Service provider assertion consumer service URL**. Copy both, they will be required in authentik.
+9. Click **Next**.
+10. Under **Link domain** select a verified domain.
+11. Click **Stop and save SAML**
+
+## Reconfigure authentik provider
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Atlassian Cloud provider.
+3. Under **Protocol settgins**, set the following required configurations:
+    - **ACS URL**: set the acs url to the copied **Service provider assertion consumer service URL** (e.g. https://auth.atlassian.com/login/callback?connection=saml-example).
+    - **Audience**: set the audience to the copied **Service provider entity URL** (e.g. https://auth.atlassian.com/saml/example).
+4. Click **Update**
+
+## Enabling SSO in Atlassian Cloud
+
+### Internal users
+
+1. Log into the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization admin.
+2. Navigate to **Security** > **Authentication policies**.
+3. Click **Add policy** at the top right.
+4. Select the `authentik` directory and provide a name for the policy.
+5. Edit the new policy and check `Enforce single sign-on`.
+6. Click **Update**.
+
+### External users
+
+1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization admin.
+2. Navigate to **Security** > **External users**.
+3. Click on **External user policy**.
+4. Under **Authorization method** check **Single sign-on**.
+5. Under **Identity provider** select `authentik`.
+6. Click **Update**.
+
+## Configuration verification
+
+### Internal users
+
+To verify that authentik is correctly integrated with Atlassian Cloud, first log out of your account. Then, log back in using your credentials for an internal user. You should be redirected to your authentik instance and after successfully logging in, you should be redirected to the selected Atlassian Cloud app.
+
+### External users
+
+To verify that authentik is correctly integrated with Atlassian Cloud, first log out of your account. Then, log back in using your credentials for an external user.
+
+From the Atlassian Cloud dashboard, select an app such as Jira. You will be prompted to verify your identity and redirected to your authentik instance. After successfully logging in to authentik you should be logged into the selected Atlassian Cloud app.

website/integrations/services/aws/index.mdx

@@ -21,8 +21,8 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
 
 <Tabs>
 <TabItem value="iam" label="Classic IAM" default>

website/integrations/services/beszel/index.mdx

@@ -1,12 +1,9 @@
 ---
 title: Integrate with Beszel
 sidebar_label: Beszel
+support_level: community
 ---
 
-# Integrate With Beszel
-
-<span class="badge badge--secondary">Support level: Community</span>
-
 ## What is Beszel
 
 > Beszel is a lightweight server monitoring platform that provides Docker statistics, historical data, and configurable alerts.

website/integrations/services/bookstack/index.mdx

@@ -1,14 +1,11 @@
 ---
 title: Integrate with BookStack
 sidebar_label: BookStack
+support_level: community
 ---
 
-import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
-
-# Integrate with BookStack
-
-<span class="badge badge--secondary">Support level: Community</span>
+import Tabs from "@theme/Tabs";
 
 ## What is BookStack
 

website/integrations/services/chronograf/index.mdx

@@ -3,10 +3,6 @@ title: Integrate with Chronograf
 sidebar_label: Chronograf
 ---
 
-# Integrate with Chronograf
-
-<span class="badge badge--secondary">Support level: Community</span>
-
 ## What is Chronograf
 
 > Chronograf lets you quickly visualize the data stored in InfluxDB, enabling you to build robust queries and alerts. It is simple to use and comes with templates and libraries for rapidly creating dashboards with real-time data visualizations.