policies: don't fork for group and user bindings

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

authentik/flows/tests/test_inspector.py

@@ -48,6 +48,7 @@ class TestFlowInspector(APITestCase):
                 "allow_show_password": False,
                 "captcha_stage": None,
                 "component": "ak-stage-identification",
+                "enable_remember_me": False,
                 "flow_info": {
                     "background": "/static/dist/assets/images/flow_background.jpg",
                     "cancel_url": reverse("authentik_flows:cancel"),

authentik/policies/engine.py

@@ -108,6 +108,9 @@ class PolicyEngine:
         self.__cached_policies.append(cached_policy)
         return True
 
+    def _should_fork(self, binding: PolicyBinding) -> bool:
+        return binding.policy is not None
+
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
         with (
@@ -134,7 +137,7 @@ class PolicyEngine:
                 task = PolicyProcess(binding, self.request, task_end)
                 task.daemon = False
                 self.logger.debug("P_ENG: Starting Process", binding=binding, request=self.request)
-                if not CURRENT_PROCESS._config.get("daemon"):
+                if not CURRENT_PROCESS._config.get("daemon") or not self._should_fork(binding):
                     task.run()
                 else:
                     task.start()

authentik/stages/identification/api.py

@@ -36,6 +36,7 @@ class IdentificationStageSerializer(StageSerializer):
             "sources",
             "show_source_labels",
             "pretend_user_exists",
+            "enable_remember_me",
         ]
 
 

authentik/stages/identification/migrations/0016_identificationstage_enable_remember_me.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.1.8 on 2025-04-16 17:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_identification", "0015_identificationstage_captcha_stage"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="identificationstage",
+            name="enable_remember_me",
+            field=models.BooleanField(
+                default=False,
+                help_text="Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.",
+            ),
+        ),
+    ]

authentik/stages/identification/models.py

@@ -76,7 +76,13 @@ class IdentificationStage(Stage):
             "is entered."
         ),
     )
-
+    enable_remember_me = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Show the user the 'Remember me on this device' toggle, allowing repeat "
+            "users to skip straight to entering their password."
+        ),
+    )
     enrollment_flow = models.ForeignKey(
         Flow,
         on_delete=models.SET_DEFAULT,

authentik/stages/identification/stage.py

@@ -85,6 +85,7 @@ class IdentificationChallenge(Challenge):
     primary_action = CharField()
     sources = LoginSourceSerializer(many=True, required=False)
     show_source_labels = BooleanField()
+    enable_remember_me = BooleanField(required=False, default=True)
 
     component = CharField(default="ak-stage-identification")
 
@@ -235,6 +236,7 @@ class IdentificationStageView(ChallengeStageView):
                 and current_stage.password_stage.allow_show_password,
                 "show_source_labels": current_stage.show_source_labels,
                 "flow_designation": self.executor.flow.designation,
+                "enable_remember_me": current_stage.enable_remember_me,
             }
         )
         # If the user has been redirected to us whilst trying to access an

blueprints/schema.json

@@ -11893,6 +11893,11 @@
                     "type": "boolean",
                     "title": "Pretend user exists",
                     "description": "When enabled, the stage will succeed and continue even when incorrect user info is entered."
+                },
+                "enable_remember_me": {
+                    "type": "boolean",
+                    "title": "Enable remember me",
+                    "description": "Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password."
                 }
             },
             "required": []

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.6
+	goauthentik.io/api/v3 v3.2025024.7
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0

go.sum

@@ -300,8 +300,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.6 h1:3mmZY7E0EM/RR8uMF17mxa7368ZgZEIq/FjlCLJ9+lA=
+goauthentik.io/api/v3 v3.2025024.7 h1:OOBuyLzv+l5rtvrOYzoDs6Hy9cIfkE5sewRqR5ThSRc=
-goauthentik.io/api/v3 v3.2025024.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.7/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1007.0",
+                "aws-cdk": "^2.1010.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1007.0",
+            "version": "2.1010.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1007.0.tgz",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1010.0.tgz",
-            "integrity": "sha512-/UOYOTGWUm+pP9qxg03tID5tL6euC+pb+xo0RBue+xhnUWwj/Bbsw6DbqbpOPMrNzTUxmM723/uMEQmM6S26dw==",
+            "integrity": "sha512-kYNzBXVUZoRrTuYxRRA2Loz/Uvay0MqHobg8KPZaWylIbw/meUDgtoATRNt+stOdJ9PHODTjWmlDKI+2/KoF+w==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1007.0",
+        "aws-cdk": "^2.1010.0",
         "cross-env": "^7.0.3"
     }
 }

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-15 00:11+0000\n"
+"POT-Creation-Date: 2025-04-17 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -2254,6 +2254,14 @@ msgstr ""
 msgid "No token received."
 msgstr ""
 
+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr ""
@@ -2291,6 +2299,11 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr ""
 
+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr ""

schema.yml

@@ -46049,6 +46049,9 @@ components:
             $ref: '#/components/schemas/LoginSource'
         show_source_labels:
           type: boolean
+        enable_remember_me:
+          type: boolean
+          default: true
       required:
       - flow_designation
       - password_fields
@@ -46161,6 +46164,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
       required:
       - component
       - meta_model_name
@@ -46235,6 +46242,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
       required:
       - name
     ImpersonationRequest:
@@ -52290,6 +52301,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
     PatchedInitialPermissionsRequest:
       type: object
       description: InitialPermissions serializer

web/package.json

@@ -1,14 +1,6 @@
 {
     "name": "@goauthentik/web",
     "version": "0.0.0",
-    "overrides": {
-        "rapidoc": {
-            "@apitools/openapi-parser@": "0.0.37"
-        },
-        "chromedriver": {
-            "axios": "^1.8.4"
-        }
-    },
     "dependencies": {
         "@codemirror/lang-css": "^6.3.1",
         "@codemirror/lang-html": "^6.4.9",
@@ -136,6 +128,14 @@
         "@rollup/rollup-linux-arm64-gnu": "4.23.0",
         "@rollup/rollup-linux-x64-gnu": "4.23.0"
     },
+    "overrides": {
+        "rapidoc": {
+            "@apitools/openapi-parser@": "0.0.37"
+        },
+        "chromedriver": {
+            "axios": "^1.8.4"
+        }
+    },
     "private": true,
     "scripts": {
         "build": "wireit",

web/scripts/eslint.precommit.mjs

@@ -22,6 +22,7 @@ export default [
             "coverage/",
             "src/locale-codes.ts",
             "storybook-static/",
+            "scripts/esbuild",
             "src/locales/",
         ],
     },

web/src/admin/providers/ldap/LDAPOptionsAndHelp.ts

@@ -15,9 +15,7 @@ export const bindModeOptions = [
     {
         label: msg("Direct binding"),
         value: LDAPAPIAccessMode.Direct,
-        description: html`${msg(
+        description: html`${msg("Always execute the configured bind flow to authenticate the user")}`,
-            "Always execute the configured bind flow to authenticate the user",
-        )}`,
     },
 ];
 
@@ -33,9 +31,7 @@ export const searchModeOptions = [
     {
         label: msg("Direct querying"),
         value: LDAPAPIAccessMode.Direct,
-        description: html`${msg(
+        description: html`${msg("Always returns the latest data, but slower than cached querying")}`,
-            "Always returns the latest data, but slower than cached querying",
-        )}`,
     },
 ];
 

web/src/admin/stages/identification/IdentificationStageForm.ts

@@ -2,6 +2,7 @@ import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first, groupBy } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-switch-input.js";
 import "@goauthentik/elements/ak-checkbox-group/ak-checkbox-group.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@@ -158,68 +159,38 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                             )}
                         </p>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="caseInsensitiveMatching">
+                    <ak-switch-input
-                        <label class="pf-c-switch">
+                        name="caseInsensitiveMatching"
-                            <input
+                        label=${msg("Case insensitive matching")}
-                                class="pf-c-switch__input"
-                                type="checkbox"
                         ?checked=${first(this.instance?.caseInsensitiveMatching, true)}
-                            />
+                        help=${msg(
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Case insensitive matching")}</span
-                            >
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
                             "When enabled, user fields are matched regardless of their casing.",
                         )}
-                        </p>
+                    ></ak-switch-input>
-                    </ak-form-element-horizontal>
+                    <ak-switch-input
-                    <ak-form-element-horizontal name="pretendUserExists">
+                        name="pretendUserExists"
-                        <label class="pf-c-switch">
+                        label=${msg("Pretend user exists")}
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
                         ?checked=${first(this.instance?.pretendUserExists, true)}
-                            />
+                        help=${msg(
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label">${msg("Pretend user exists")}</span>
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
                             "When enabled, the stage will always accept the given user identifier and continue.",
                         )}
-                        </p>
+                    ></ak-switch-input>
-                    </ak-form-element-horizontal>
+                    <ak-switch-input
-                    <ak-form-element-horizontal name="showMatchedUser">
+                        name="showMatchedUser"
-                        <label class="pf-c-switch">
+                        label=${msg("Show matched user")}
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
                         ?checked=${first(this.instance?.showMatchedUser, true)}
-                            />
+                        help=${msg(
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label">${msg("Show matched user")}</span>
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
                             "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.",
                         )}
-                        </p>
+                    ></ak-switch-input>
-                    </ak-form-element-horizontal>
+                    <ak-switch-input
+                        name="enableRememberMe"
+                        label=${msg('Enable "Remember me on this device"')}
+                        ?checked=${this.instance?.enableRememberMe}
+                        help=${msg(
+                            "When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.",
+                        )}
+                    ></ak-switch-input>
                 </div>
             </ak-form-group>
             <ak-form-group>

web/src/flow/stages/identification/IdentificationStage.ts

@@ -5,6 +5,7 @@ import "@goauthentik/elements/forms/FormElement";
 import "@goauthentik/flow/components/ak-flow-password-input.js";
 import { BaseStage } from "@goauthentik/flow/stages/base";
 import "@goauthentik/flow/stages/captcha/CaptchaStage";
+import { AkRememberMeController } from "@goauthentik/flow/stages/identification/RememberMeController.js";
 
 import { msg, str } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
@@ -47,6 +48,8 @@ export class IdentificationStage extends BaseStage<
 > {
     form?: HTMLFormElement;
 
+    rememberMe: AkRememberMeController;
+
     @state()
     captchaToken = "";
     @state()
@@ -62,8 +65,9 @@ export class IdentificationStage extends BaseStage<
             PFFormControl,
             PFTitle,
             PFButton,
-            /* login page's icons */
+            AkRememberMeController.styles,
             css`
+                /* login page's icons */
                 .pf-c-login__main-footer-links-item button {
                     background-color: transparent;
                     border: 0;
@@ -81,6 +85,11 @@ export class IdentificationStage extends BaseStage<
         ];
     }
 
+    constructor() {
+        super();
+        this.rememberMe = new AkRememberMeController(this);
+    }
+
     updated(changedProperties: PropertyValues<this>) {
         if (changedProperties.has("challenge") && this.challenge !== undefined) {
             this.autoRedirect();
@@ -268,8 +277,10 @@ export class IdentificationStage extends BaseStage<
                     autocomplete="username"
                     spellcheck="false"
                     class="pf-c-form-control"
+                    value=${this.rememberMe?.username ?? ""}
                     required
                 />
+                ${this.rememberMe.render()}
             </ak-form-element>
             ${this.challenge.passwordFields
                 ? html`

web/src/flow/stages/identification/RememberMeController.ts

@@ -0,0 +1,156 @@
+import { getCookie } from "@goauthentik/common/utils.js";
+
+import { msg } from "@lit/localize";
+import { css, html, nothing } from "lit";
+import { ReactiveController, ReactiveControllerHost } from "lit";
+
+import type { IdentificationStage } from "./IdentificationStage.js";
+
+type RememberMeHost = ReactiveControllerHost & IdentificationStage;
+
+export class AkRememberMeController implements ReactiveController {
+    static get styles() {
+        return css`
+            .remember-me-switch {
+                display: inline-block;
+                padding-top: 0.25rem;
+            }
+        `;
+    }
+
+    username?: string;
+
+    rememberingUsername: boolean = false;
+
+    constructor(private host: RememberMeHost) {
+        this.trackRememberMe = this.trackRememberMe.bind(this);
+        this.toggleRememberMe = this.toggleRememberMe.bind(this);
+        this.host.addController(this);
+    }
+
+    // Record a stable token that we can use between requests to track if we've
+    // been here before.  If we can't, clear out the username.
+    hostConnected() {
+        try {
+            const sessionId = localStorage.getItem("authentik-remember-me-session");
+            if (!!this.localSession && sessionId === this.localSession) {
+                this.username = undefined;
+                localStorage?.removeItem("authentik-remember-me-user");
+            }
+            localStorage?.setItem("authentik-remember-me-session", this.localSession);
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } catch (_e: any) {
+            this.username = undefined;
+        }
+    }
+
+    get localSession() {
+        return (getCookie("authentik_csrf") ?? "").substring(0, 8);
+    }
+
+    get usernameField() {
+        return this.host.renderRoot.querySelector(
+            'input[name="uidField"]',
+        ) as HTMLInputElement | null;
+    }
+
+    get rememberMeToggle() {
+        return this.host.renderRoot.querySelector(
+            "#authentik-remember-me",
+        ) as HTMLInputElement | null;
+    }
+
+    get isValidChallenge() {
+        return !(
+            this.host.challenge.responseErrors &&
+            this.host.challenge.responseErrors.non_field_errors &&
+            this.host.challenge.responseErrors.non_field_errors.find(
+                (cre) => cre.code === "invalid",
+            )
+        );
+    }
+
+    get submitButton() {
+        return this.host.renderRoot.querySelector('button[type="submit"]') as HTMLButtonElement;
+    }
+
+    get isEnabled() {
+        return (
+            this.host.challenge !== undefined &&
+            this.host.challenge.enableRememberMe &&
+            typeof localStorage !== "undefined"
+        );
+    }
+
+    get canAutoSubmit() {
+        return (
+            !!this.host.challenge &&
+            !!this.username &&
+            !!this.usernameField?.value &&
+            !this.host.challenge.passwordFields &&
+            !this.host.challenge.passwordlessUrl
+        );
+    }
+
+    // Before the page is updated, try to extract the username from localstorage.
+    hostUpdate() {
+        if (!this.isEnabled) {
+            return;
+        }
+
+        try {
+            this.username = localStorage.getItem("authentik-remember-me-user") || undefined;
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } catch (_e: any) {
+            this.username = undefined;
+        }
+    }
+
+    // After the page is updated, if everything is ready to go, do the autosubmit.
+    hostUpdated() {
+        if (this.isEnabled && this.canAutoSubmit) {
+            this.submitButton?.click();
+        }
+    }
+
+    trackRememberMe() {
+        if (!this.usernameField || this.usernameField.value === undefined) {
+            return;
+        }
+        this.username = this.usernameField.value;
+        localStorage?.setItem("authentik-remember-me-user", this.username);
+    }
+
+    // When active, save current details and record every keystroke to the username.
+    // When inactive, clear all fields and remove keystroke recorder.
+    toggleRememberMe() {
+        if (!this.rememberMeToggle || !this.rememberMeToggle.checked) {
+            localStorage?.removeItem("authentik-remember-me-user");
+            localStorage?.removeItem("authentik-remember-me-session");
+            this.username = undefined;
+            this.usernameField?.removeEventListener("keyup", this.trackRememberMe);
+            return;
+        }
+        if (!this.usernameField) {
+            return;
+        }
+        localStorage?.setItem("authentik-remember-me-user", this.usernameField.value);
+        localStorage?.setItem("authentik-remember-me-session", this.localSession);
+        this.usernameField.addEventListener("keyup", this.trackRememberMe);
+    }
+
+    render() {
+        return this.isEnabled
+            ? html` <label class="pf-c-switch remember-me-switch">
+                  <input
+                      class="pf-c-switch__input"
+                      id="authentik-remember-me"
+                      @click=${this.toggleRememberMe}
+                      type="checkbox"
+                      ?checked=${!!this.username}
+                  />
+                  <span class="pf-c-form__label">${msg("Remember me on this device")}</span>
+              </label>`
+            : nothing;
+    }
+}

web/xliff/de.xlf

@@ -9134,6 +9134,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -7667,6 +7667,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -9226,6 +9226,18 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -9769,6 +9769,18 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
   <target>La réputation ne peut pas monter au dessus de cette valeur. Zéro ou positif.</target>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -9751,6 +9751,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -9134,6 +9134,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -9036,6 +9036,18 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -9461,6 +9461,18 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -9469,4 +9469,16 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
 </trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -9554,6 +9554,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -9525,6 +9525,18 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -6275,6 +6275,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
 </trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -9770,6 +9770,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
   <target>信誉无法提高到此值以上。可为零或正数。</target>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -7367,6 +7367,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -9111,6 +9111,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

website/docs/add-secure-apps/flows-stages/stages/identification/index.mdx

@@ -34,6 +34,10 @@ These fields specify if and which flows are linked on the form. The enrollment f
 
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
 
+## Enable "Remember me on this device":ak-version[2025.4]
+
+When enabled, users will be given the option at login of having their username stored on the device. If selected, on future logins this stage will automatically fill in the username and fast-forward to the password field. Users will still have the options of clicking "Not you?" and going back to provide a different username or disable this feature.
+
 ## Source settings
 
 Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.mdx) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).