add api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
better endpoint
2025-06-30 21:31:16 +02:00 · 2025-06-30 21:31:16 +02:00 · 2025-06-30 21:31:16 +02:00 · 2025-06-30 21:31:16 +02:00 · 2025-06-30 21:31:16 +02:00 · 2025-06-30 21:31:16 +02:00
1124 changed files with 66200 additions and 37632 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2025.6.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -21,6 +21,8 @@ optional_value = final

 [bumpversion:file:package.json]

+[bumpversion:file:package-lock.json]
+
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
@ -31,6 +33,4 @@ optional_value = final

 [bumpversion:file:internal/constants/constants.go]

-[bumpversion:file:web/src/common/constants.ts]
-
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.dockerignore
+++ b/.dockerignore
@ -5,8 +5,10 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
+**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
+.venv
--- a/.editorconfig
+++ b/.editorconfig
@ -7,6 +7,9 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true

+[*.toml]
+indent_size = 2
+
 [*.html]
 indent_size = 2

--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -36,7 +36,7 @@ runs:
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
+      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,7 +23,13 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
-      - "/web/sfe"
+      - "/web/packages/sfe"
+      - "/web/packages/core"
+      - "/web/packages/esbuild-plugin-live-reload"
+      - "/packages/prettier-config"
+      - "/packages/tsconfig"
+      - "/packages/docusaurus-config"
+      - "/packages/eslint-config"
    schedule:
      interval: daily
      time: "04:00"
@ -68,6 +74,9 @@ updates:
      wdio:
        patterns:
          - "@wdio/*"
+      goauthentik:
+        patterns:
+          - "@goauthentik/*"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@ -88,6 +97,16 @@ updates:
          - "swc-*"
          - "lightningcss*"
          - "@rspack/binding*"
+      goauthentik:
+        patterns:
+          - "@goauthentik/*"
+      eslint:
+        patterns:
+          - "@eslint/*"
+          - "@typescript-eslint/*"
+          - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -38,6 +38,8 @@ jobs:
      # Needed for attestation
      id-token: write
      attestations: write
+      # Needed for checkout
+      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3.6.0
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -53,6 +53,7 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -9,14 +9,15 @@ on:

 jobs:
  test-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        version:
          - docs
+          - version-2025-4
          - version-2025-2
-          - version-2024-12
    steps:
      - uses: actions/checkout@v4
      - run: |
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -62,6 +62,7 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
+          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -116,6 +117,7 @@ jobs:
        psql:
          - 15-alpine
          - 16-alpine
+          - 17-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
@ -200,7 +202,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -208,6 +210,7 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
+          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
@ -244,11 +247,13 @@ jobs:
      # Needed for attestation
      id-token: write
      attestations: write
+      # Needed for checkout
+      contents: read
    needs: ci-core-mark
    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    with:
-      image_name: ghcr.io/goauthentik/dev-server
+      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
      release: false
  pr-comment:
    needs:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
        with:
          version: latest
          args: --timeout 5000s --verbose
@ -59,6 +59,7 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -49,6 +49,7 @@ jobs:
      matrix:
        job:
          - build
+          - build:integrations
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -61,14 +62,65 @@ jobs:
      - name: build
        working-directory: website/
        run: npm run ${{ matrix.job }}
+  build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-docs
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          platforms: linux/amd64,linux/arm64
+          context: .
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  ci-website-mark:
    if: always()
    needs:
      - lint
      - test
      - build
+      - build-container
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
+          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,7 +2,7 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, "*", next, version*]
+    branches: [main, next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -37,6 +37,7 @@ jobs:
          signoff: true
          # ID from https://api.github.com/users/authentik-automation[bot]
          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -53,6 +53,7 @@ jobs:
          body: ${{ steps.compress.outputs.markdown }}
          delete-branch: true
          signoff: true
+          labels: dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        with:
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -7,6 +7,7 @@ on:
      - packages/eslint-config/**
      - packages/prettier-config/**
      - packages/tsconfig/**
+      - web/packages/esbuild-plugin-live-reload/**
  workflow_dispatch:
 jobs:
  publish:
@ -16,27 +17,28 @@ jobs:
      fail-fast: false
      matrix:
        package:
-          - docusaurus-config
-          - eslint-config
-          - prettier-config
-          - tsconfig
+          - packages/docusaurus-config
+          - packages/eslint-config
+          - packages/prettier-config
+          - packages/tsconfig
+          - web/packages/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: actions/setup-node@v4
        with:
-          node-version-file: packages/${{ matrix.package }}/package.json
+          node-version-file: ${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
        with:
          files: |
-            packages/${{ matrix.package }}/package.json
+            ${{ matrix.package }}/package.json
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: packages/${{ matrix.package}}
+        working-directory: ${{ matrix.package }}
        run: |
          npm ci
          npm run build
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -20,6 +20,49 @@ jobs:
      release: true
      registry_dockerhub: true
      registry_ghcr: true
+  build-docs:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/docs
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          context: .
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: true
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
@ -193,6 +236,6 @@ jobs:
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
-          version: authentik@${{ steps.ev.outputs.version }}
+          release: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@ -0,0 +1,21 @@
+name: "authentik-repo-mirror-cleanup"
+
+on:
+  workflow_dispatch:
+
+jobs:
+  to_internal:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - if: ${{ env.MIRROR_KEY != '' }}
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        with:
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force --prune
+        env:
+          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@ -11,11 +11,10 @@ jobs:
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
        with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -16,6 +16,7 @@ env:

 jobs:
  compile:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@ -52,3 +53,6 @@ jobs:
          body: "core, web: update translations"
          delete-branch: true
          signoff: true
+          labels: dependencies
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -15,6 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
+      - uses: actions/checkout@v4
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
@ -25,23 +26,13 @@ jobs:
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          title=$(curl -q -L \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${GH_TOKEN}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} | jq -r .title)
+          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
          echo "title=${title}" >> "$GITHUB_OUTPUT"
      - name: Rename
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: |
-          curl -L \
-            -X PATCH \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${GH_TOKEN}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
-            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
+          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
      - uses: peter-evans/enable-pull-request-automerge@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -6,13 +6,15 @@
        "!Context scalar",
        "!Enumerate sequence",
        "!Env scalar",
+        "!Env sequence",
        "!Find sequence",
        "!Format sequence",
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
        "!Value scalar",
-        "!AtIndex scalar"
+        "!AtIndex scalar",
+        "!ParseJSON scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/56
+++ b/56
@ -1,26 +1,7 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
-
-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
+# Stage 1: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@ -32,7 +13,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
    npm ci --include=dev

 COPY ./package.json /work
@ -40,9 +21,10 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build
+RUN npm run build && \
+    npm run build:sfe

-# Stage 3: Build go proxy
+# Stage 2: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder

 ARG TARGETOS
@ -67,8 +49,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@ -79,24 +61,23 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
-ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"

 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.17 AS uv
+# Stage 5: Base python image
+FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@ -109,7 +90,7 @@ WORKDIR /ak-root/

 COPY --from=uv /uv /uvx /bin/

-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps

 ARG TARGETARCH
@ -144,7 +125,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev

-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image

 ARG VERSION
@ -187,9 +168,8 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=node-builder /work/web/authentik/ /web/authentik/
 COPY --from=geoip /usr/share/GeoIP /geoip

 USER 1000
--- a/59
+++ b/59
@ -1,6 +1,7 @@
 .PHONY: gen dev-reset all clean test web website

-.SHELLFLAGS += ${SHELLFLAGS} -e
+SHELL := /usr/bin/env bash
+.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
@ -8,9 +9,9 @@ NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

-GEN_API_TS = "gen-ts-api"
-GEN_API_PY = "gen-py-api"
-GEN_API_GO = "gen-go-api"
+GEN_API_TS = gen-ts-api
+GEN_API_PY = gen-py-api
+GEN_API_GO = gen-go-api

 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
@ -85,6 +86,10 @@ dev-create-db:

 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

+update-test-mmdb:  ## Update test GeoIP and ASN Databases
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
+
 #########################
 ## API Schema
 #########################
@ -93,7 +98,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		uv run ak make_blueprint_schema --file blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
@ -117,14 +122,19 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md

 gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ./${GEN_API_TS}/
-	rm -rf ./web/node_modules/@goauthentik/api/
+	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ${PWD}/web/node_modules/@goauthentik/api/

 gen-clean-go:  ## Remove generated API client for Go
-	rm -rf ./${GEN_API_GO}/
+	mkdir -p ${PWD}/${GEN_API_GO}
+ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	make -C ${PWD}/${GEN_API_GO} clean
+else
+	rm -rf ${PWD}/${GEN_API_GO}
+endif

 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ./${GEN_API_PY}/
+	rm -rf ${PWD}/${GEN_API_PY}/

 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients

@ -140,9 +150,9 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	mkdir -p web/node_modules/@goauthentik/api
-	cd ./${GEN_API_TS} && npm i
-	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
+
+	cd ${PWD}/${GEN_API_TS} && npm link
+	cd ${PWD}/web && npm link @goauthentik/api

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
@ -156,24 +166,17 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	pip install ./${GEN_API_PY}

 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
-	cp schema.yml ./${GEN_API_GO}/
-	docker run \
-		--rm -v ${PWD}/${GEN_API_GO}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
-		-i /local/schema.yml \
-		-g go \
-		-o /local/ \
-		-c /local/config.yaml
+	mkdir -p ${PWD}/${GEN_API_GO}
+ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
+	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+else
+	cd ${PWD}/${GEN_API_GO} && git pull
+endif
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+	make -C ${PWD}/${GEN_API_GO} build
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
-	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
 	uv run scripts/generate_config.py
@ -244,7 +247,7 @@ docker:  ## Build a docker image of the current source tree
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

 test-docker:
-	BUILD=true ./scripts/test_docker.sh
+	BUILD=true ${PWD}/scripts/test_docker.sh

 #########################
 ## CI
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)

 ## Adoption and Contributions

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
+| 2025.6.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.4.0"
+__version__ = "2025.6.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -1,79 +0,0 @@
-"""authentik administration metrics"""
-
-from datetime import timedelta
-
-from django.db.models.functions import ExtractHour
-from drf_spectacular.utils import extend_schema, extend_schema_field
-from guardian.shortcuts import get_objects_for_user
-from rest_framework.fields import IntegerField, SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.views import APIView
-
-from authentik.core.api.utils import PassiveSerializer
-from authentik.events.models import EventAction
-
-
-class CoordinateSerializer(PassiveSerializer):
-    """Coordinates for diagrams"""
-
-    x_cord = IntegerField(read_only=True)
-    y_cord = IntegerField(read_only=True)
-
-
-class LoginMetricsSerializer(PassiveSerializer):
-    """Login Metrics per 1h"""
-
-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get successful authorizations per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-
-class AdministrationMetricsViewSet(APIView):
-    """Login Metrics per 1h"""
-
-    permission_classes = [IsAuthenticated]
-
-    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def get(self, request: Request) -> Response:
-        """Login Metrics per 1h"""
-        serializer = LoginMetricsSerializer(True)
-        serializer.context["user"] = request.user
-        return Response(serializer.data)
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -1,6 +1,7 @@
 """authentik administration overview"""

 from django.core.cache import cache
+from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@ -13,6 +14,7 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
+from authentik.tenants.utils import get_current_tenant


 class VersionSerializer(PassiveSerializer):
@ -35,6 +37,8 @@ class VersionSerializer(PassiveSerializer):

    def get_version_latest(self, _) -> str:
        """Get latest version from cache"""
+        if get_current_tenant().schema_name == get_public_schema_name():
+            return __version__
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:  # pragma: no cover
            update_latest_version.delay()
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -14,3 +14,19 @@ class AuthentikAdminConfig(ManagedAppConfig):
    label = "authentik_admin"
    verbose_name = "authentik Admin"
    default = True
+
+    @ManagedAppConfig.reconcile_global
+    def clear_update_notifications(self):
+        """Clear update notifications on startup if the notification was for the version
+        we're running now."""
+        from packaging.version import parse
+
+        from authentik.admin.tasks import LOCAL_VERSION
+        from authentik.events.models import EventAction, Notification
+
+        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+            if "new_version" not in notification.event.context:
+                continue
+            notification_version = notification.event.context["new_version"]
+            if LOCAL_VERSION >= parse(notification_version):
+                notification.delete()
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -1,6 +1,7 @@
 """authentik admin settings"""

 from celery.schedules import crontab
+from django_tenants.utils import get_public_schema_name

 from authentik.lib.utils.time import fqdn_rand

@ -8,6 +9,7 @@ CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
        "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
+        "tenant_schemas": [get_public_schema_name()],
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,7 +1,6 @@
 """authentik admin tasks"""

 from django.core.cache import cache
-from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@ -9,7 +8,7 @@ from structlog.stdlib import get_logger

 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction, Notification
+from authentik.events.models import Event, EventAction
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
@ -33,20 +32,6 @@ def _set_prom_info():
    )


-@CELERY_APP.task(
-    throws=(DatabaseError, ProgrammingError, InternalError),
-)
-def clear_update_notifications():
-    """Clear update notifications on startup if the notification was for the version
-    we're running now."""
-    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-        if "new_version" not in notification.event.context:
-            continue
-        notification_version = notification.event.context["new_version"]
-        if LOCAL_VERSION >= parse(notification_version):
-            notification.delete()
-
-
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def update_latest_version(self: SystemTask):
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -36,11 +36,6 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(len(body), 0)

-    def test_metrics(self):
-        """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics"))
-        self.assertEqual(response.status_code, 200)
-
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -1,12 +1,12 @@
 """test admin tasks"""

+from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker

 from authentik.admin.tasks import (
    VERSION_CACHE_KEY,
-    clear_update_notifications,
    update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@ -72,12 +72,13 @@ class TestAdminTasks(TestCase):

    def test_clear_update_notifications(self):
        """Test clear of previous notification"""
+        admin_config = apps.get_app_config("authentik_admin")
        Event.objects.create(
            action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
        )
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
        Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        clear_update_notifications()
+        admin_config.clear_update_notifications()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -3,7 +3,6 @@
 from django.urls import path

 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
-from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@ -12,11 +11,6 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
-    path(
-        "admin/metrics/",
-        AdministrationMetricsViewSet.as_view(),
-        name="admin_metrics",
-    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -1,12 +1,13 @@
 """authentik API AppConfig"""

-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig


-class AuthentikAPIConfig(AppConfig):
+class AuthentikAPIConfig(ManagedAppConfig):
    """authentik API Config"""

    name = "authentik.api"
    label = "authentik_api"
    mountpoint = "api/"
    verbose_name = "authentik API"
+    default = True
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -1,9 +1,12 @@
 """API Authentication"""

 from hmac import compare_digest
+from pathlib import Path
+from tempfile import gettempdir
 from typing import Any

 from django.conf import settings
+from django.contrib.auth.models import AnonymousUser
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@ -11,11 +14,17 @@ from rest_framework.request import Request
 from structlog.stdlib import get_logger

 from authentik.core.middleware import CTX_AUTH_VIA
-from authentik.core.models import Token, TokenIntents, User
+from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API

 LOGGER = get_logger()
+_tmp = Path(gettempdir())
+try:
+    with open(_tmp / "authentik-core-ipc.key") as _f:
+        ipc_key = _f.read()
+except OSError:
+    ipc_key = None


 def validate_auth(header: bytes) -> str | None:
@ -73,6 +82,11 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
    if user:
        CTX_AUTH_VIA.set("secret_key")
        return user
+    # then try to auth via secret key (for embedded outpost/etc)
+    user = token_ipc(auth_credentials)
+    if user:
+        CTX_AUTH_VIA.set("ipc")
+        return user
    raise AuthenticationFailed("Token invalid/expired")


@ -90,6 +104,43 @@ def token_secret_key(value: str) -> User | None:
    return outpost.user


+class IPCUser(AnonymousUser):
+    """'Virtual' user for IPC communication between authentik core and the authentik router"""
+
+    username = "authentik:system"
+    is_active = True
+    is_superuser = True
+
+    @property
+    def type(self):
+        return UserTypes.INTERNAL_SERVICE_ACCOUNT
+
+    def has_perm(self, perm, obj=None):
+        return True
+
+    def has_perms(self, perm_list, obj=None):
+        return True
+
+    def has_module_perms(self, module):
+        return True
+
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+
+def token_ipc(value: str) -> User | None:
+    """Check if the token is the secret key
+    and return the service account for the managed outpost"""
+    if not ipc_key or not compare_digest(value, ipc_key):
+        return None
+    return IPCUser()
+
+
 class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""

--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component


-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -72,20 +72,33 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "type": "array",
-                    "items": {
-                        "oneOf": [],
-                    },
+                    "anyOf": [
+                        {
+                            "type": "array",
+                            "items": {"$ref": "#/$defs/blueprint_entry"},
+                        },
+                        {
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "array",
+                                "items": {"$ref": "#/$defs/blueprint_entry"},
+                            },
+                        },
+                    ],
                },
            },
-            "$defs": {},
+            "$defs": {"blueprint_entry": {"oneOf": []}},
        }

+    def add_arguments(self, parser):
+        parser.add_argument("--file", type=str)
+
    @no_translations
-    def handle(self, *args, **options):
+    def handle(self, *args, file: str, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
+        with open(file, "w") as _schema:
+            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))

    @staticmethod
    def json_default(value: Any) -> Any:
@ -112,7 +125,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["properties"]["entries"]["items"]["oneOf"].append(
+            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )

@ -134,7 +147,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": [s.value for s in BlueprintEntryDesiredState],
+                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -205,7 +218,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": perms},
+                    "permission": {"type": "string", "enum": sorted(perms)},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,10 +1,11 @@
 version: 1
 entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: present
-      attrs:
-          designation: stage_configuration
-          title: foo
+  foo:
+      - identifiers:
+            name: "%(id)s"
+            slug: "%(id)s"
+        model: authentik_flows.flow
+        state: present
+        attrs:
+            designation: stage_configuration
+            title: foo
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -37,6 +37,7 @@ entries:
    - attrs:
          attributes:
              env_null: !Env [bar-baz, null]
+              json_parse: !ParseJSON '{"foo": "bar"}'
              policy_pk1:
                  !Format [
                      "%s-%s",
--- a/authentik/blueprints/tests/test_managed_app_config.py
+++ b/authentik/blueprints/tests/test_managed_app_config.py
@ -0,0 +1,14 @@
+from django.test import TestCase
+
+from authentik.blueprints.apps import ManagedAppConfig
+from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import get_apps
+
+
+class TestManagedAppConfig(TestCase):
+    def test_apps_use_managed_app_config(self):
+        for app in get_apps():
+            if app.name.startswith("authentik.enterprise"):
+                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
+            else:
+                self.assertIn(ManagedAppConfig, app.__class__.__bases__)
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:


 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file):
+    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
        continue
    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
--- a/authentik/blueprints/tests/test_serializer_models.py
+++ b/authentik/blueprints/tests/test_serializer_models.py
@ -5,7 +5,6 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase

-from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken

@ -22,10 +21,13 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
+        # Models that have subclasses don't have to have a serializer
+        if len(test_model.__subclasses__()) > 0:
+            return
        self.assertIsNotNone(model_class.serializer)
        if model_class.serializer.Meta().model == RefreshToken:
            return
-        self.assertEqual(model_class.serializer.Meta().model, test_model)
+        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))

    return tester

@ -34,6 +36,6 @@ for app in apps.get_app_configs():
    if not app.label.startswith("authentik"):
        continue
    for model in app.get_models():
-        if not is_model_allowed(model):
+        if not issubclass(model, SerializerModel):
            continue
        setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -215,6 +215,7 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
+                    "json_parse": {"foo": "bar"},
                    "at_index_sequence": "foo",
                    "at_index_sequence_default": "non existent",
                    "at_index_mapping": 2,
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -6,6 +6,7 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
+from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@ -164,9 +165,7 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))

-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
+    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
@ -193,11 +192,18 @@ class Blueprint:
    """Dataclass used for a full export"""

    version: int = field(default=1)
-    entries: list[BlueprintEntry] = field(default_factory=list)
+    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
    context: dict = field(default_factory=dict)

    metadata: BlueprintMetadata | None = field(default=None)

+    def iter_entries(self) -> Iterable[BlueprintEntry]:
+        if isinstance(self.entries, dict):
+            for _section, entries in self.entries.items():
+                yield from entries
+        else:
+            yield from self.entries
+

 class YAMLTag:
    """Base class for all YAML Tags"""
@ -228,7 +234,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.entries:
+        for _entry in blueprint.iter_entries():
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
@ -286,6 +292,22 @@ class Context(YAMLTag):
        return value


+class ParseJSON(YAMLTag):
+    """Parse JSON from context/env/etc value"""
+
+    raw: str
+
+    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
+        super().__init__()
+        self.raw = node.value
+
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+        try:
+            return loads(self.raw)
+        except JSONDecodeError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
+
+
 class Format(YAMLTag):
    """Format a string"""

@ -661,6 +683,7 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
        self.add_constructor("!AtIndex", AtIndex)
+        self.add_constructor("!ParseJSON", ParseJSON)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -43,6 +43,7 @@ from authentik.core.models import (
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.providers.apple_psso.models import AppleNonce
 from authentik.enterprise.providers.google_workspace.models import (
    GoogleWorkspaceProviderGroup,
    GoogleWorkspaceProviderUser,
@ -135,6 +136,7 @@ def excluded_models() -> list[type[Model]]:
        EndpointDeviceConnection,
        DeviceToken,
        StreamEvent,
+        AppleNonce,
    )


@ -384,7 +386,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.entries:
+        for entry in self._import.iter_entries():
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return models
+        return sorted(models, key=str)

    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -59,6 +59,7 @@ class BrandSerializer(ModelSerializer):
            "flow_device_code",
            "default_application",
            "web_certificate",
+            "client_certificates",
            "attributes",
        ]
        extra_kwargs = {
@ -120,6 +121,7 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "domain",
        "branding_title",
        "web_certificate__name",
+        "client_certificates__name",
    ]
    filterset_fields = [
        "brand_uuid",
@ -136,6 +138,7 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_user_settings",
        "flow_device_code",
        "web_certificate",
+        "client_certificates",
    ]
    ordering = ["domain"]

--- a/authentik/brands/apps.py
+++ b/authentik/brands/apps.py
@ -1,9 +1,9 @@
 """authentik brands app"""

-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig


-class AuthentikBrandsConfig(AppConfig):
+class AuthentikBrandsConfig(ManagedAppConfig):
    """authentik Brand app"""

    name = "authentik.brands"
@ -12,3 +12,4 @@ class AuthentikBrandsConfig(AppConfig):
    mountpoints = {
        "authentik.brands.urls_root": "",
    }
+    default = True
--- a/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
+++ b/authentik/brands/migrations/0010_brand_client_certificates_and_more.py
@ -0,0 +1,37 @@
+# Generated by Django 5.1.9 on 2025-05-19 15:09
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0009_brand_branding_default_flow_background"),
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="client_certificates",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                help_text="Certificates used for client authentication.",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="brand",
+            name="web_certificate",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Web Certificate used by the authentik Core webserver.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="+",
+                to="authentik_crypto.certificatekeypair",
+            ),
+        ),
+    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -73,6 +73,13 @@ class Brand(SerializerModel):
        default=None,
        on_delete=models.SET_DEFAULT,
        help_text=_("Web Certificate used by the authentik Core webserver."),
+        related_name="+",
+    )
+    client_certificates = models.ManyToManyField(
+        CertificateKeyPair,
+        default=None,
+        blank=True,
+        help_text=_("Certificates used for client authentication."),
    )
    attributes = models.JSONField(default=dict, blank=True)

--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,3 +148,14 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
+
+    def test_custom_css(self):
+        """Test custom_css"""
+        brand = create_test_brand()
+        brand.branding_custom_css = """* {
+            font-family: "Foo bar";
+        }"""
+        brand.save()
+        res = self.client.get(reverse("authentik_core:if-user"))
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,10 +5,12 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
+from django.utils.html import _json_script_escapes
+from django.utils.safestring import mark_safe

 from authentik import get_full_version
 from authentik.brands.models import Brand
+from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant

 _q_default = Q(default=True)
@ -32,13 +34,14 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    trace = ""
-    span = get_current_span()
-    if span:
-        trace = span.to_traceparent()
+    # similarly to `json_script` we escape everything HTML-related, however django
+    # only directly exposes this as a function that also wraps it in a <script> tag
+    # which we dont want for CSS
+    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
+        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
-        "sentry_trace": trace,
+        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
    }
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -2,11 +2,9 @@

 from collections.abc import Iterator
 from copy import copy
-from datetime import timedelta

 from django.core.cache import cache
 from django.db.models import QuerySet
-from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@ -20,7 +18,6 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@ -28,7 +25,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
-from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -321,18 +317,3 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
-
-    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
-    @extend_schema(responses={200: CoordinateSerializer(many=True)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
-    def metrics(self, request: Request, slug: str):
-        """Metrics for application logins"""
-        app = self.get_object()
-        return Response(
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION,
-                context__authorized_application__pk=app.pk.hex,
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,8 +1,6 @@
 """Authenticator Devices API Views"""

-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, extend_schema
+from drf_spectacular.utils import extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
@ -15,6 +13,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

+from authentik.core.api.users import ParamUserSerializer
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.stages.authenticator import device_classes, devices_for_user
@ -23,7 +22,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDevice


 class DeviceSerializer(MetaNameSerializer):
-    """Serializer for Duo authenticator devices"""
+    """Serializer for authenticator devices"""

    pk = CharField()
    name = CharField()
@ -33,22 +32,27 @@ class DeviceSerializer(MetaNameSerializer):
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    extra_description = SerializerMethodField()
+    external_id = SerializerMethodField()

    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label

-    def get_extra_description(self, instance: Device) -> str:
+    def get_extra_description(self, instance: Device) -> str | None:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
-            return (
-                instance.device_type.description
-                if instance.device_type
-                else _("Extra description not available")
-            )
+            return instance.device_type.description if instance.device_type else None
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return ""
+        return None
+
+    def get_external_id(self, instance: Device) -> str | None:
+        """Get external Device ID"""
+        if isinstance(instance, WebAuthnDevice):
+            return instance.device_type.aaguid if instance.device_type else None
+        if isinstance(instance, EndpointDevice):
+            return instance.data.get("deviceSignals", {}).get("deviceModel")
+        return None


 class DeviceViewSet(ViewSet):
@ -57,7 +61,6 @@ class DeviceViewSet(ViewSet):
    serializer_class = DeviceSerializer
    permission_classes = [IsAuthenticated]

-    @extend_schema(responses={200: DeviceSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        devices = devices_for_user(request.user)
@ -79,18 +82,11 @@ class AdminDeviceViewSet(ViewSet):
            yield from device_set

    @extend_schema(
-        parameters=[
-            OpenApiParameter(
-                name="user",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.INT,
-            )
-        ],
+        parameters=[ParamUserSerializer],
        responses={200: DeviceSerializer(many=True)},
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
-        kwargs = {}
-        if "user" in request.query_params:
-            kwargs = {"user": request.query_params["user"]}
-        return Response(DeviceSerializer(self.get_devices(**kwargs), many=True).data)
+        args = ParamUserSerializer(data=request.query_params)
+        args.is_valid(raise_exception=True)
+        return Response(DeviceSerializer(self.get_devices(**args.validated_data), many=True).data)
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,18 +99,17 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        has_perm = user.has_perm(perm)
-        if self.instance and not has_perm:
-            has_perm = user.has_perm(perm, self.instance)
-        if not has_perm:
-            raise ValidationError(
-                _(
-                    (
-                        "User does not have permission to set "
-                        "superuser status to {superuser_status}."
-                    ).format_map({"superuser_status": superuser})
+        if self.instance or superuser:
+            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+            if not has_perm:
+                raise ValidationError(
+                    _(
+                        (
+                            "User does not have permission to set "
+                            "superuser status to {superuser_status}."
+                        ).format_map({"superuser_status": superuser})
+                    )
                )
-            )
        return superuser

    class Meta:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,7 +6,6 @@ from typing import Any

 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@ -52,7 +51,6 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@ -84,6 +82,7 @@ from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
+from authentik.stages.email.flow import pickle_flow_token_for_email
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -91,6 +90,12 @@ from authentik.stages.email.utils import TemplateEmailMessage
 LOGGER = get_logger()


+class ParamUserSerializer(PassiveSerializer):
+    """Partial serializer for query parameters to select a user"""
+
+    user = PrimaryKeyRelatedField(queryset=User.objects.all().exclude_anonymous(), required=False)
+
+
 class UserGroupSerializer(ModelSerializer):
    """Simplified Group Serializer for user's groups"""

@ -316,53 +321,6 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)


-class UserMetricsSerializer(PassiveSerializer):
-    """User Metrics"""
-
-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED, context__username=user.username
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-
 class UsersFilter(FilterSet):
    """Filter for users"""

@ -434,8 +392,23 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
    filterset_class = UsersFilter
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
+
+    def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
+
+        return [
+            StrField(User, "username"),
+            StrField(User, "name"),
+            StrField(User, "email"),
+            StrField(User, "path"),
+            BoolField(User, "is_active", nullable=True),
+            ChoiceSearchField(User, "type"),
+            JSONSearchField(User, "attributes", suggest_nested=False),
+        ]

    def get_queryset(self):
        base_qs = User.objects.all().exclude_anonymous()
@ -451,7 +424,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)

-    def _create_recovery_link(self) -> tuple[str, Token]:
+    def _create_recovery_link(self, for_email=False) -> tuple[str, Token]:
        """Create a recovery link (when the current brand has a recovery flow set),
        that can either be shown to an admin or sent to the user directly"""
        brand: Brand = self.request._request.brand
@ -473,12 +446,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            raise ValidationError(
                {"non_field_errors": "Recovery flow not applicable to user"}
            ) from None
+        _plan = FlowToken.pickle(plan)
+        if for_email:
+            _plan = pickle_flow_token_for_email(plan)
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
-                "_plan": FlowToken.pickle(plan),
+                "_plan": _plan,
+                "revoke_on_execution": not for_email,
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
@ -602,17 +579,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)

-    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
-    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
-    def metrics(self, request: Request, pk: int) -> Response:
-        """User metrics per 1h"""
-        user: User = self.get_object()
-        serializer = UserMetricsSerializer(instance={})
-        serializer.context["user"] = user
-        serializer.context["request"] = request
-        return Response(serializer.data)
-
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
@ -648,7 +614,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if for_user.email == "":
            LOGGER.debug("User doesn't have an email address")
            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link()
+        link, token = self._create_recovery_link(for_email=True)
        # Lookup the email stage to assure the current user can access it
        stages = get_objects_for_user(
            request.user, "authentik_stages_email.view_emailstage"
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -2,6 +2,7 @@

 from typing import Any

+from django.db import models
 from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
@ -30,7 +31,27 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")


+class JSONDictField(JSONField):
+    """JSON Field which only allows dictionaries"""
+
+    default_validators = [is_dict]
+
+
+class JSONExtension(OpenApiSerializerFieldExtension):
+    """Generate API Schema for JSON fields as"""
+
+    target_class = "authentik.core.api.utils.JSONDictField"
+
+    def map_serializer_field(self, auto_schema, direction):
+        return build_basic_type(OpenApiTypes.OBJECT)
+
+
 class ModelSerializer(BaseModelSerializer):
+
+    # By default, JSON fields we have are used to store dictionaries
+    serializer_field_mapping = BaseModelSerializer.serializer_field_mapping.copy()
+    serializer_field_mapping[models.JSONField] = JSONDictField
+
    def create(self, validated_data):
        instance = super().create(validated_data)

@ -71,21 +92,6 @@ class ModelSerializer(BaseModelSerializer):
        return instance


-class JSONDictField(JSONField):
-    """JSON Field which only allows dictionaries"""
-
-    default_validators = [is_dict]
-
-
-class JSONExtension(OpenApiSerializerFieldExtension):
-    """Generate API Schema for JSON fields as"""
-
-    target_class = "authentik.core.api.utils.JSONDictField"
-
-    def map_serializer_field(self, auto_schema, direction):
-        return build_basic_type(OpenApiTypes.OBJECT)
-
-
 class PassiveSerializer(Serializer):
    """Base serializer class which doesn't implement create/update methods"""

--- a/authentik/core/management/commands/change_user_type.py
+++ b/authentik/core/management/commands/change_user_type.py
@ -13,7 +13,6 @@ class Command(TenantCommand):
        parser.add_argument("usernames", nargs="*", type=str)

    def handle_per_tenant(self, **options):
-        print(options)
        new_type = UserTypes(options["type"])
        qs = (
            User.objects.exclude_anonymous()
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,6 +2,7 @@

 from django.apps import apps
 from django.contrib.auth.management import create_permissions
+from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user

@ -16,6 +17,10 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
+                # See https://code.djangoproject.com/ticket/28417
+                # Remove potential lingering old permissions
+                call_command("remove_stale_contenttypes", "--no-input")
+
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,7 +31,10 @@ class PickleSerializer:

    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
+        try:
+            return pickle.loads(data)  # nosec
+        except Exception:
+            return {}


 def _migrate_session(
@ -76,6 +79,7 @@ def _migrate_session(
        AuthenticatedSession.objects.using(db_alias).create(
            session=session,
            user=old_auth_session.user,
+            uuid=old_auth_session.uuid,
        )


--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -0,0 +1,103 @@
+# Generated by Django 5.1.9 on 2025-05-14 11:15
+
+from django.apps.registry import Apps, apps as global_apps
+from django.db import migrations
+from django.contrib.contenttypes.management import create_contenttypes
+from django.contrib.auth.management import create_permissions
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
+    db_alias = schema_editor.connection.alias
+
+    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
+    # real config for creating permissions and content types
+    authentik_core_config = global_apps.get_app_config("authentik_core")
+    # These are only ran by django after all migrations, but we need them right now.
+    # `global_apps` is needed,
+    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
+    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
+
+    # But from now on, this is just a regular migration, so use `apps`
+    Permission = apps.get_model("auth", "Permission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    try:
+        old_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="oldauthenticatedsession"
+        )
+        new_ct = ContentType.objects.using(db_alias).get(
+            app_label="authentik_core", model="authenticatedsession"
+        )
+    except ContentType.DoesNotExist:
+        # This should exist at this point, but if not, let's cut our losses
+        return
+
+    # Get all permissions for the old content type
+    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
+
+    # Create equivalent permissions for the new content type
+    for old_perm in old_perms:
+        new_perm = (
+            Permission.objects.using(db_alias)
+            .filter(
+                content_type=new_ct,
+                codename=old_perm.codename,
+            )
+            .first()
+        )
+        if not new_perm:
+            # This should exist at this point, but if not, let's cut our losses
+            continue
+
+        # Global user permissions
+        User = apps.get_model("authentik_core", "User")
+        User.user_permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Global role permissions
+        DjangoGroup = apps.get_model("auth", "Group")
+        DjangoGroup.permissions.through.objects.using(db_alias).filter(
+            permission=old_perm
+        ).all().update(permission=new_perm)
+
+        # Object user permissions
+        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
+        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+        # Object role permissions
+        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
+        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
+            permission=new_perm, content_type=new_ct
+        )
+
+
+def remove_old_authenticated_session_content_type(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
+    db_alias = schema_editor.connection.alias
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            code=migrate_authenticated_session_permissions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            code=remove_old_authenticated_session_content_type,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -18,7 +18,7 @@ from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_cte import CTEQuerySet, With
+from django_cte import CTE, with_cte
 from guardian.conf import settings
 from guardian.mixins import GuardianUserMixin
 from model_utils.managers import InheritanceManager
@ -136,7 +136,7 @@ class AttributesMixin(models.Model):
        return instance, False


-class GroupQuerySet(CTEQuerySet):
+class GroupQuerySet(QuerySet):
    def with_children_recursive(self):
        """Recursively get all groups that have the current queryset as parents
        or are indirectly related."""
@ -165,9 +165,9 @@ class GroupQuerySet(CTEQuerySet):
            )

        # Build the recursive query, see above
-        cte = With.recursive(make_cte)
+        cte = CTE.recursive(make_cte)
        # Return the result, as a usable queryset for Group.
-        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
+        return with_cte(cte, select=cte.join(Group, group_uuid=cte.col.group_uuid))


 class Group(SerializerModel, AttributesMixin):
@ -1082,6 +1082,12 @@ class AuthenticatedSession(SerializerModel):

    user = models.ForeignKey(User, on_delete=models.CASCADE)

+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.core.api.authenticated_sessions import AuthenticatedSessionSerializer
+
+        return AuthenticatedSessionSerializer
+
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,12 +16,14 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
+        <style>{{ brand_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% for key, value in html_meta.items %}
+        <meta name="{{key}}" content="{{ value }}" />
+        {% endfor %}
    </head>
    <body>
        {% block body %}
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,7 +10,7 @@
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
+<ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
    <ak-loading></ak-loading>
 </ak-interface-admin>
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -114,6 +114,7 @@ class TestApplicationsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
+                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
@ -167,6 +168,7 @@ class TestApplicationsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
+                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,6 +124,16 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )

+    def test_superuser_no_perm_no_superuser(self):
+        """Test creating a group without permission and without superuser flag"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": False},
+        )
+        self.assertEqual(res.status_code, 201)
+
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -81,22 +81,6 @@ class TestUsersAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
        self.assertEqual(response.status_code, 200)

-    def test_metrics(self):
-        """Test user's metrics"""
-        self.client.force_login(self.admin)
-        response = self.client.get(
-            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_metrics_denied(self):
-        """Test user's metrics (non-superuser)"""
-        self.client.force_login(self.user)
-        response = self.client.get(
-            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
-        )
-        self.assertEqual(response.status_code, 403)
-
    def test_recovery_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -30,6 +30,7 @@ from structlog.stdlib import get_logger

 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
@ -272,11 +273,12 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_certificate(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs certificate and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        Event.new(  # noqa # nosec
-            EventAction.SECRET_VIEW,
-            secret=certificate,
-            type="certificate",
-        ).from_http(request)
+        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            Event.new(  # noqa # nosec
+                EventAction.SECRET_VIEW,
+                secret=certificate,
+                type="certificate",
+            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(
@ -302,11 +304,12 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def view_private_key(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs private key and log access"""
        certificate: CertificateKeyPair = self.get_object()
-        Event.new(  # noqa # nosec
-            EventAction.SECRET_VIEW,
-            secret=certificate,
-            type="private_key",
-        ).from_http(request)
+        if request.user.type != UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            Event.new(  # noqa # nosec
+                EventAction.SECRET_VIEW,
+                secret=certificate,
+                type="private_key",
+            ).from_http(request)
        if "download" in request.query_params:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(certificate.key_data, content_type="application/x-pem-file")
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,13 +132,14 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            total.internal_users += lic.internal_users
-            total.external_users += lic.external_users
+            if lic.is_valid:
+                total.internal_users += lic.internal_users
+                total.external_users += lic.external_users
+                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
-            total.license_flags.extend(lic.status.license_flags)
        return total

    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,6 +39,10 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()

+    @property
+    def is_valid(self) -> bool:
+        return self.expiry >= now()
+
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/policies/unique_password/tests/test_tasks.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_tasks.py
@ -119,17 +119,17 @@ class TestTrimPasswordHistory(TestCase):
            [
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter1",  # nosec B106
+                    old_password="hunter1",  # nosec
                    created_at=_now - timedelta(days=3),
                ),
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter2",  # nosec B106
+                    old_password="hunter2",  # nosec
                    created_at=_now - timedelta(days=2),
                ),
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter3",  # nosec B106
+                    old_password="hunter3",  # nosec
                    created_at=_now,
                ),
            ]
--- a/authentik/enterprise/providers/apple_psso/init.py
+++ b/authentik/enterprise/providers/apple_psso/init.py
--- a/authentik/enterprise/providers/apple_psso/api/init.py
+++ b/authentik/enterprise/providers/apple_psso/api/init.py
--- a/authentik/enterprise/providers/apple_psso/api/providers.py
+++ b/authentik/enterprise/providers/apple_psso/api/providers.py
@ -0,0 +1,32 @@
+"""Apple Platform SSO Provider API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.apple_psso.models import ApplePlatformSSOProvider
+
+
+class ApplePlatformSSOProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """ApplePlatformSSOProvider Serializer"""
+
+    class Meta:
+        model = ApplePlatformSSOProvider
+        fields = [
+            "pk",
+            "name",
+        ]
+        extra_kwargs = {}
+
+
+class ApplePlatformSSOProviderViewSet(UsedByMixin, ModelViewSet):
+    """ApplePlatformSSOProvider Viewset"""
+
+    queryset = ApplePlatformSSOProvider.objects.all()
+    serializer_class = ApplePlatformSSOProviderSerializer
+    filterset_fields = [
+        "name",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
--- a/authentik/enterprise/providers/apple_psso/apps.py
+++ b/authentik/enterprise/providers/apple_psso/apps.py
@ -0,0 +1,13 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderApplePSSOConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.apple_psso"
+    label = "authentik_providers_apple_psso"
+    verbose_name = "authentik Enterprise.Providers.Apple Platform SSO"
+    default = True
+    mountpoints = {
+        "authentik.enterprise.providers.apple_psso.urls": "endpoint/apple/sso/",
+        "authentik.enterprise.providers.apple_psso.urls_root": "",
+    }
--- a/authentik/enterprise/providers/apple_psso/http.py
+++ b/authentik/enterprise/providers/apple_psso/http.py
@ -0,0 +1,118 @@
+from base64 import urlsafe_b64encode
+from json import dumps
+from secrets import token_bytes
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
+from django.http import HttpResponse
+from jwcrypto.common import base64url_decode, base64url_encode
+
+from authentik.enterprise.providers.apple_psso.models import AppleDevice
+
+
+def length_prefixed(data: bytes) -> bytes:
+    length = len(data)
+    return length.to_bytes(4, "big") + data
+
+
+def build_apu(public_key: ec.EllipticCurvePublicKey):
+    # X9.63 representation: 0x04 || X || Y
+    public_numbers = public_key.public_numbers()
+
+    x_bytes = public_numbers.x.to_bytes(32, "big")
+    y_bytes = public_numbers.y.to_bytes(32, "big")
+
+    x963 = bytes([0x04]) + x_bytes + y_bytes
+
+    result = length_prefixed(b"APPLE") + length_prefixed(x963)
+
+    return result
+
+
+def encrypt_token_with_a256_gcm(body: dict, device_encryption_key: str, apv: bytes) -> str:
+    ephemeral_key = ec.generate_private_key(curve=ec.SECP256R1())
+    device_public_key = serialization.load_pem_public_key(
+        device_encryption_key.encode(), backend=default_backend()
+    )
+
+    shared_secret_z = ephemeral_key.exchange(ec.ECDH(), device_public_key)
+
+    apu = build_apu(ephemeral_key.public_key())
+
+    jwe_header = {
+        "enc": "A256GCM",
+        "kid": "ephemeralKey",
+        "epk": {
+            "x": base64url_encode(
+                ephemeral_key.public_key().public_numbers().x.to_bytes(32, "big")
+            ),
+            "y": base64url_encode(
+                ephemeral_key.public_key().public_numbers().y.to_bytes(32, "big")
+            ),
+            "kty": "EC",
+            "crv": "P-256",
+        },
+        "typ": "platformsso-login-response+jwt",
+        "alg": "ECDH-ES",
+        "apu": base64url_encode(apu),
+        "apv": base64url_encode(apv),
+    }
+
+    party_u_info = length_prefixed(apu)
+    party_v_info = length_prefixed(apv)
+    supp_pub_info = (256).to_bytes(4, "big")
+
+    other_info = length_prefixed(b"A256GCM") + party_u_info + party_v_info + supp_pub_info
+
+    ckdf = ConcatKDFHash(
+        algorithm=hashes.SHA256(),
+        length=32,
+        otherinfo=other_info,
+    )
+
+    derived_key = ckdf.derive(shared_secret_z)
+
+    nonce = token_bytes(12)
+
+    header_json = dumps(jwe_header, separators=(",", ":")).encode()
+    aad = urlsafe_b64encode(header_json).rstrip(b"=")
+
+    aesgcm = AESGCM(derived_key)
+    ciphertext = aesgcm.encrypt(nonce, dumps(body).encode(), aad)
+
+    ciphertext_body = ciphertext[:-16]
+    tag = ciphertext[-16:]
+
+    # base64url encoding
+    protected_b64 = urlsafe_b64encode(header_json).rstrip(b"=")
+    iv_b64 = urlsafe_b64encode(nonce).rstrip(b"=")
+    ciphertext_b64 = urlsafe_b64encode(ciphertext_body).rstrip(b"=")
+    tag_b64 = urlsafe_b64encode(tag).rstrip(b"=")
+
+    jwe_compact = b".".join(
+        [
+            protected_b64,
+            b"",
+            iv_b64,
+            ciphertext_b64,
+            tag_b64,
+        ]
+    )
+    return jwe_compact.decode()
+
+
+class JWEResponse(HttpResponse):
+
+    def __init__(
+        self,
+        data: dict,
+        device: AppleDevice,
+        apv: str,
+    ):
+        super().__init__(
+            content=encrypt_token_with_a256_gcm(data, device.encryption_key, base64url_decode(apv)),
+            content_type="application/platformsso-login-response+jwt",
+        )
--- a/authentik/enterprise/providers/apple_psso/migrations/0001_initial.py
+++ b/authentik/enterprise/providers/apple_psso/migrations/0001_initial.py
@ -0,0 +1,36 @@
+# Generated by Django 5.1.11 on 2025-06-28 00:12
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ApplePlatformSSOProvider",
+            fields=[
+                (
+                    "oauth2provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_providers_oauth2.oauth2provider",
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+            bases=("authentik_providers_oauth2.oauth2provider",),
+        ),
+    ]
--- a/authentik/enterprise/providers/apple_psso/migrations/0002_appledevice_appledeviceuser_appledevice_users_and_more.py
+++ b/authentik/enterprise/providers/apple_psso/migrations/0002_appledevice_appledeviceuser_appledevice_users_and_more.py
@ -0,0 +1,94 @@
+# Generated by Django 5.1.11 on 2025-06-28 15:50
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_apple_psso", "0001_initial"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AppleDevice",
+            fields=[
+                (
+                    "endpoint_uuid",
+                    models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+                ),
+                ("signing_key", models.TextField()),
+                ("encryption_key", models.TextField()),
+                ("key_exchange_key", models.TextField()),
+                ("sign_key_id", models.TextField()),
+                ("enc_key_id", models.TextField()),
+                ("creation_time", models.DateTimeField(auto_now_add=True)),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_apple_psso.appleplatformssoprovider",
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name="AppleDeviceUser",
+            fields=[
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ("signing_key", models.TextField()),
+                ("encryption_key", models.TextField()),
+                ("sign_key_id", models.TextField()),
+                ("enc_key_id", models.TextField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_apple_psso.appledevice",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="appledevice",
+            name="users",
+            field=models.ManyToManyField(
+                through="authentik_providers_apple_psso.AppleDeviceUser",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.CreateModel(
+            name="AppleNonce",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                ("nonce", models.TextField()),
+            ],
+            options={
+                "abstract": False,
+                "indexes": [
+                    models.Index(fields=["expires"], name="authentik_p_expires_47d534_idx"),
+                    models.Index(fields=["expiring"], name="authentik_p_expirin_87253e_idx"),
+                    models.Index(
+                        fields=["expiring", "expires"], name="authentik_p_expirin_20a7c9_idx"
+                    ),
+                ],
+            },
+        ),
+    ]
--- a/authentik/enterprise/providers/apple_psso/migrations/0003_rename_sign_key_id_appledeviceuser_enclave_key_id_and_more.py
+++ b/authentik/enterprise/providers/apple_psso/migrations/0003_rename_sign_key_id_appledeviceuser_enclave_key_id_and_more.py
@ -0,0 +1,34 @@
+# Generated by Django 5.1.11 on 2025-06-28 22:18
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_apple_psso",
+            "0002_appledevice_appledeviceuser_appledevice_users_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="appledeviceuser",
+            old_name="sign_key_id",
+            new_name="enclave_key_id",
+        ),
+        migrations.RenameField(
+            model_name="appledeviceuser",
+            old_name="signing_key",
+            new_name="secure_enclave_key",
+        ),
+        migrations.RemoveField(
+            model_name="appledeviceuser",
+            name="enc_key_id",
+        ),
+        migrations.RemoveField(
+            model_name="appledeviceuser",
+            name="encryption_key",
+        ),
+    ]
--- a/authentik/enterprise/providers/apple_psso/migrations/init.py
+++ b/authentik/enterprise/providers/apple_psso/migrations/init.py
--- a/authentik/enterprise/providers/apple_psso/models.py
+++ b/authentik/enterprise/providers/apple_psso/models.py
@ -0,0 +1,85 @@
+from uuid import uuid4
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from rest_framework.serializers import Serializer
+
+from authentik.core.models import ExpiringModel, User
+from authentik.crypto.models import CertificateKeyPair
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    IssuerMode,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
+
+
+class ApplePlatformSSOProvider(OAuth2Provider):
+    """Integrate with Apple Platform SSO"""
+
+    def set_oauth_defaults(self):
+        """Ensure all OAuth2-related settings are correct"""
+        self.issuer_mode = IssuerMode.PER_PROVIDER
+        self.client_type = ClientTypes.PUBLIC
+        self.signing_key = CertificateKeyPair.objects.get(name="authentik Self-signed Certificate")
+        self.include_claims_in_id_token = True
+        scopes = ScopeMapping.objects.filter(
+            managed__in=[
+                "goauthentik.io/providers/oauth2/scope-openid",
+                "goauthentik.io/providers/oauth2/scope-profile",
+                "goauthentik.io/providers/oauth2/scope-email",
+                "goauthentik.io/providers/oauth2/scope-offline_access",
+                "goauthentik.io/providers/oauth2/scope-authentik_api",
+            ]
+        )
+        self.property_mappings.add(*list(scopes))
+        self.redirect_uris = [
+            RedirectURI(RedirectURIMatchingMode.STRICT, "io.goauthentik.endpoint:/oauth2redirect"),
+        ]
+
+    @property
+    def component(self) -> str:
+        return "ak-provider-apple-psso-form"
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.apple_psso.api.providers import (
+            ApplePlatformSSOProviderSerializer,
+        )
+
+        return ApplePlatformSSOProviderSerializer
+
+    class Meta:
+        verbose_name = _("Apple Platform SSO Provider")
+        verbose_name_plural = _("Apple Platform SSO Providers")
+
+
+class AppleDevice(models.Model):
+
+    endpoint_uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    signing_key = models.TextField()
+    encryption_key = models.TextField()
+    key_exchange_key = models.TextField()
+    sign_key_id = models.TextField()
+    enc_key_id = models.TextField()
+    creation_time = models.DateTimeField(auto_now_add=True)
+    provider = models.ForeignKey(ApplePlatformSSOProvider, on_delete=models.CASCADE)
+    users = models.ManyToManyField(User, through="AppleDeviceUser")
+
+
+class AppleDeviceUser(models.Model):
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    device = models.ForeignKey(AppleDevice, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    secure_enclave_key = models.TextField()
+    enclave_key_id = models.TextField()
+
+
+class AppleNonce(ExpiringModel):
+    nonce = models.TextField()
--- a/authentik/enterprise/providers/apple_psso/urls.py
+++ b/authentik/enterprise/providers/apple_psso/urls.py
@ -0,0 +1,15 @@
+from django.urls import path
+
+from authentik.enterprise.providers.apple_psso.views.nonce import NonceView
+from authentik.enterprise.providers.apple_psso.views.register import (
+    RegisterDeviceView,
+    RegisterUserView,
+)
+from authentik.enterprise.providers.apple_psso.views.token import TokenView
+
+urlpatterns = [
+    path("token/", TokenView.as_view(), name="token"),
+    path("nonce/", NonceView.as_view(), name="nonce"),
+    path("register/device/", RegisterDeviceView.as_view(), name="register-device"),
+    path("register/user/", RegisterUserView.as_view(), name="register-user"),
+]
--- a/authentik/enterprise/providers/apple_psso/urls_root.py
+++ b/authentik/enterprise/providers/apple_psso/urls_root.py
@ -0,0 +1,7 @@
+from django.urls import path
+
+from authentik.enterprise.providers.apple_psso.views.site_association import AppleAppSiteAssociation
+
+urlpatterns = [
+    path(".well-known/apple-app-site-association", AppleAppSiteAssociation.as_view(), name="asa"),
+]
--- a/authentik/enterprise/providers/apple_psso/views/init.py
+++ b/authentik/enterprise/providers/apple_psso/views/init.py
--- a/authentik/enterprise/providers/apple_psso/views/nonce.py
+++ b/authentik/enterprise/providers/apple_psso/views/nonce.py
@ -0,0 +1,25 @@
+from base64 import b64encode
+from datetime import timedelta
+from secrets import token_bytes
+
+from django.http import HttpRequest, JsonResponse
+from django.utils.decorators import method_decorator
+from django.utils.timezone import now
+from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+
+from authentik.enterprise.providers.apple_psso.models import AppleNonce
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class NonceView(View):
+
+    def post(self, request: HttpRequest, *args, **kwargs):
+        nonce = AppleNonce.objects.create(
+            nonce=b64encode(token_bytes(32)).decode(), expires=now() + timedelta(minutes=5)
+        )
+        return JsonResponse(
+            {
+                "Nonce": nonce.nonce,
+            }
+        )
--- a/authentik/enterprise/providers/apple_psso/views/register.py
+++ b/authentik/enterprise/providers/apple_psso/views/register.py
@ -0,0 +1,92 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.fields import CharField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.api.authentication import TokenAuthentication
+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import User
+from authentik.enterprise.providers.apple_psso.models import (
+    AppleDevice,
+    AppleDeviceUser,
+    ApplePlatformSSOProvider,
+)
+from authentik.lib.generators import generate_key
+
+
+class DeviceRegisterAuth(BaseAuthentication):
+    def authenticate(self, request):
+        # very temporary, lol
+        return (User(), None)
+
+
+class RegisterDeviceView(APIView):
+
+    class DeviceRegistration(PassiveSerializer):
+
+        device_uuid = CharField()
+        client_id = CharField()
+        device_signing_key = CharField()
+        device_encryption_key = CharField()
+        sign_key_id = CharField()
+        enc_key_id = CharField()
+
+    permission_classes = []
+    pagination_class = None
+    filter_backends = []
+    serializer_class = DeviceRegistration
+    authentication_classes = [DeviceRegisterAuth, TokenAuthentication]
+
+    def post(self, request: Request) -> Response:
+        data = self.DeviceRegistration(data=request.data)
+        data.is_valid(raise_exception=True)
+        provider = get_object_or_404(
+            ApplePlatformSSOProvider, client_id=data.validated_data["client_id"]
+        )
+        AppleDevice.objects.update_or_create(
+            endpoint_uuid=data.validated_data["device_uuid"],
+            defaults={
+                "signing_key": data.validated_data["device_signing_key"],
+                "encryption_key": data.validated_data["device_encryption_key"],
+                "sign_key_id": data.validated_data["sign_key_id"],
+                "enc_key_id": data.validated_data["enc_key_id"],
+                "key_exchange_key": generate_key(),
+                "provider": provider,
+            },
+        )
+        return Response()
+
+
+class RegisterUserView(APIView):
+
+    class UserRegistration(PassiveSerializer):
+
+        device_uuid = CharField()
+        user_secure_enclave_key = CharField()
+        enclave_key_id = CharField()
+
+    permission_classes = []
+    pagination_class = None
+    filter_backends = []
+    serializer_class = UserRegistration
+    authentication_classes = [TokenAuthentication]
+
+    def post(self, request: Request) -> Response:
+        data = self.UserRegistration(data=request.data)
+        data.is_valid(raise_exception=True)
+        device = get_object_or_404(AppleDevice, endpoint_uuid=data.validated_data["device_uuid"])
+        AppleDeviceUser.objects.update_or_create(
+            device=device,
+            user=request.user,
+            defaults={
+                "secure_enclave_key": data.validated_data["user_secure_enclave_key"],
+                "enclave_key_id": data.validated_data["enclave_key_id"],
+            },
+        )
+        return Response(
+            {
+                "username": request.user.username,
+            }
+        )
--- a/authentik/enterprise/providers/apple_psso/views/site_association.py
+++ b/authentik/enterprise/providers/apple_psso/views/site_association.py
@ -0,0 +1,16 @@
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+
+class AppleAppSiteAssociation(View):
+    def get(self, request: HttpRequest) -> HttpResponse:
+        return JsonResponse(
+            {
+                "authsrv": {
+                    "apps": [
+                        "232G855Y8N.io.goauthentik.endpoint",
+                        "232G855Y8N.io.goauthentik.endpoint.psso",
+                    ]
+                }
+            }
+        )
--- a/authentik/enterprise/providers/apple_psso/views/token.py
+++ b/authentik/enterprise/providers/apple_psso/views/token.py
@ -0,0 +1,140 @@
+from datetime import timedelta
+
+from django.http import Http404, HttpRequest, HttpResponse
+from django.utils.decorators import method_decorator
+from django.utils.timezone import now
+from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+from jwt import PyJWT, decode
+from rest_framework.exceptions import ValidationError
+from structlog.stdlib import get_logger
+
+from authentik.core.models import AuthenticatedSession, Session, User
+from authentik.core.sessions import SessionStore
+from authentik.enterprise.providers.apple_psso.http import JWEResponse
+from authentik.enterprise.providers.apple_psso.models import (
+    AppleDevice,
+    AppleDeviceUser,
+    AppleNonce,
+    ApplePlatformSSOProvider,
+)
+from authentik.events.models import Event, EventAction
+from authentik.events.signals import SESSION_LOGIN_EVENT
+from authentik.providers.oauth2.constants import TOKEN_TYPE
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import RefreshToken
+from authentik.root.middleware import SessionMiddleware
+
+LOGGER = get_logger()
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class TokenView(View):
+
+    device: AppleDevice
+    provider: ApplePlatformSSOProvider
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        version = request.POST.get("platform_sso_version")
+        assertion = request.POST.get("assertion", request.POST.get("request"))
+        if not assertion:
+            return HttpResponse(status=400)
+
+        decode_unvalidated = PyJWT().decode_complete(assertion, options={"verify_signature": False})
+        LOGGER.debug(decode_unvalidated["header"])
+        expected_kid = decode_unvalidated["header"]["kid"]
+
+        self.device = AppleDevice.objects.filter(sign_key_id=expected_kid).first()
+        if not self.device:
+            raise Http404
+        self.provider = self.device.provider
+
+        # Properly decode the JWT with the key from the device
+        decoded = decode(
+            assertion, self.device.signing_key, algorithms=["ES256"], options={"verify_aud": False}
+        )
+        LOGGER.debug(decoded)
+
+        LOGGER.debug("got device", device=self.device)
+
+        # Check that the nonce hasn't been used before
+        nonce = AppleNonce.objects.filter(nonce=decoded["request_nonce"]).first()
+        if not nonce:
+            return HttpResponse(status=400)
+        nonce.delete()
+
+        handler_func = (
+            f"handle_v{version}_{decode_unvalidated["header"]["typ"]}".replace("-", "_")
+            .replace("+", "_")
+            .replace(".", "_")
+        )
+        handler = getattr(self, handler_func, None)
+        if not handler:
+            LOGGER.debug("Handler not found", handler=handler_func)
+            return HttpResponse(status=400)
+        LOGGER.debug("sending to handler", handler=handler_func)
+        return handler(decoded)
+
+    def validate_device_user_response(self, assertion: str) -> tuple[AppleDeviceUser, dict] | None:
+        """Decode an embedded assertion and validate it by looking up the matching device user"""
+        decode_unvalidated = PyJWT().decode_complete(assertion, options={"verify_signature": False})
+        expected_kid = decode_unvalidated["header"]["kid"]
+
+        device_user = AppleDeviceUser.objects.filter(
+            device=self.device, enclave_key_id=expected_kid
+        ).first()
+        if not device_user:
+            return None
+        return device_user, decode(
+            assertion,
+            device_user.secure_enclave_key,
+            audience="apple-platform-sso",
+            algorithms=["ES256"],
+        )
+
+    def create_auth_session(self, user: User):
+        event = Event.new(EventAction.LOGIN).from_http(self.request, user=user)
+        store = SessionStore()
+        store[SESSION_LOGIN_EVENT] = event
+        store.save()
+        session = Session.objects.filter(session_key=store.session_key).first()
+        AuthenticatedSession.objects.create(session=session, user=user)
+        session = SessionMiddleware.encode_session(store.session_key, user)
+        return session
+
+    def handle_v1_0_platformsso_login_request_jwt(self, decoded: dict):
+        user = None
+        if decoded["grant_type"] == "urn:ietf:params:oauth:grant-type:jwt-bearer":
+            # Decode and validate inner assertion
+            user, inner = self.validate_device_user_response(decoded["assertion"])
+            if inner["nonce"] != decoded["nonce"]:
+                LOGGER.warning("Mis-matched nonce to outer assertion")
+                raise ValidationError("Invalid request")
+
+        refresh_token = RefreshToken(
+            user=user.user,
+            scope=decoded["scope"],
+            expires=now() + timedelta(hours=8),
+            provider=self.provider,
+            auth_time=now(),
+            session=None,
+        )
+        id_token = IDToken.new(
+            self.provider,
+            refresh_token,
+            self.request,
+        )
+        id_token.nonce = decoded["nonce"]
+        refresh_token.id_token = id_token
+        refresh_token.save()
+        return JWEResponse(
+            {
+                "refresh_token": refresh_token.token,
+                "refresh_token_expires_in": int((refresh_token.expires - now()).total_seconds()),
+                "id_token": refresh_token.id_token.to_jwt(self.provider),
+                "token_type": TOKEN_TYPE,
+                "session_key": self.create_auth_session(user.user),
+            },
+            device=self.device,
+            apv=decoded["jwe_crypto"]["apv"],
+        )
--- a/authentik/enterprise/providers/google_workspace/clients/groups.py
+++ b/authentik/enterprise/providers/google_workspace/clients/groups.py
@ -25,7 +25,7 @@ class GoogleWorkspaceGroupClient(
    """Google client for groups"""

    connection_type = GoogleWorkspaceProviderGroup
-    connection_type_query = "group"
+    connection_attr = "googleworkspaceprovidergroup_set"
    can_discover = True

    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/clients/users.py
+++ b/authentik/enterprise/providers/google_workspace/clients/users.py
@ -20,7 +20,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
    """Sync authentik users into google workspace"""

    connection_type = GoogleWorkspaceProviderUser
-    connection_type_query = "user"
+    connection_attr = "googleworkspaceprovideruser_set"
    can_discover = True

    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@ -132,7 +132,11 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
+            base = (
+                User.objects.prefetch_related("googleworkspaceprovideruser_set")
+                .all()
+                .exclude_anonymous()
+            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -142,7 +146,11 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return Group.objects.all().order_by("pk")
+            return (
+                Group.objects.prefetch_related("googleworkspaceprovidergroup_set")
+                .all()
+                .order_by("pk")
+            )
        raise ValueError(f"Invalid type {type}")

    def google_credentials(self):
--- a/authentik/enterprise/providers/microsoft_entra/clients/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/groups.py
@ -29,7 +29,7 @@ class MicrosoftEntraGroupClient(
    """Microsoft client for groups"""

    connection_type = MicrosoftEntraProviderGroup
-    connection_type_query = "group"
+    connection_attr = "microsoftentraprovidergroup_set"
    can_discover = True

    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/clients/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/users.py
@ -24,7 +24,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
    """Sync authentik users into microsoft entra"""

    connection_type = MicrosoftEntraProviderUser
-    connection_type_query = "user"
+    connection_attr = "microsoftentraprovideruser_set"
    can_discover = True

    def __init__(self, provider: MicrosoftEntraProvider) -> None:
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@ -121,7 +121,11 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
        if type == User:
            # Get queryset of all users with consistent ordering
            # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
+            base = (
+                User.objects.prefetch_related("microsoftentraprovideruser_set")
+                .all()
+                .exclude_anonymous()
+            )
            if self.exclude_users_service_account:
                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
@ -131,7 +135,11 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
            return base.order_by("pk")
        if type == Group:
            # Get queryset of all groups with consistent ordering
-            return Group.objects.all().order_by("pk")
+            return (
+                Group.objects.prefetch_related("microsoftentraprovidergroup_set")
+                .all()
+                .order_by("pk")
+            )
        raise ValueError(f"Invalid type {type}")

    def microsoft_credentials(self):
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -1,10 +1,8 @@
 from hashlib import sha256

-from django.contrib.auth.signals import user_logged_out
 from django.db.models import Model
 from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
-from django.http.request import HttpRequest
 from guardian.shortcuts import assign_perm

 from authentik.core.models import (
@ -62,31 +60,6 @@ def ssf_providers_post_save(sender: type[Model], instance: SSFProvider, created:
            instance.save()


-@receiver(user_logged_out)
-def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User, **_):
-    """Session revoked trigger (user logged out)"""
-    if not request.session or not request.session.session_key or not user:
-        return
-    send_ssf_event(
-        EventTypes.CAEP_SESSION_REVOKED,
-        {
-            "initiating_entity": "user",
-        },
-        sub_id={
-            "format": "complex",
-            "session": {
-                "format": "opaque",
-                "id": sha256(request.session.session_key.encode("ascii")).hexdigest(),
-            },
-            "user": {
-                "format": "email",
-                "email": user.email,
-            },
-        },
-        request=request,
-    )
-
-
@receiver(pre_delete, sender=AuthenticatedSession)
 def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSession, **_):
    """Session revoked trigger (users' session has been deleted)
--- a/authentik/enterprise/search/init.py
+++ b/authentik/enterprise/search/init.py
--- a/authentik/enterprise/search/apps.py
+++ b/authentik/enterprise/search/apps.py
@ -0,0 +1,12 @@
+"""Enterprise app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseSearchConfig(EnterpriseConfig):
+    """Enterprise app config"""
+
+    name = "authentik.enterprise.search"
+    label = "authentik_search"
+    verbose_name = "authentik Enterprise.Search"
+    default = True
--- a/authentik/enterprise/search/fields.py
+++ b/authentik/enterprise/search/fields.py
@ -0,0 +1,128 @@
+"""DjangoQL search"""
+
+from collections import OrderedDict, defaultdict
+from collections.abc import Generator
+
+from django.db import connection
+from django.db.models import Model, Q
+from djangoql.compat import text_type
+from djangoql.schema import StrField
+
+
+class JSONSearchField(StrField):
+    """JSON field for DjangoQL"""
+
+    model: Model
+
+    def __init__(self, model=None, name=None, nullable=None, suggest_nested=True):
+        # Set this in the constructor to not clobber the type variable
+        self.type = "relation"
+        self.suggest_nested = suggest_nested
+        super().__init__(model, name, nullable)
+
+    def get_lookup(self, path, operator, value):
+        search = "__".join(path)
+        op, invert = self.get_operator(operator)
+        q = Q(**{f"{search}{op}": self.get_lookup_value(value)})
+        return ~q if invert else q
+
+    def json_field_keys(self) -> Generator[tuple[str]]:
+        with connection.cursor() as cursor:
+            cursor.execute(
+                f"""
+                WITH RECURSIVE "{self.name}_keys" AS (
+                    SELECT
+                        ARRAY[jsonb_object_keys("{self.name}")] AS key_path_array,
+                        "{self.name}" -> jsonb_object_keys("{self.name}") AS value
+                    FROM {self.model._meta.db_table}
+                    WHERE "{self.name}" IS NOT NULL
+                        AND jsonb_typeof("{self.name}") = 'object'
+
+                    UNION ALL
+
+                    SELECT
+                        ck.key_path_array || jsonb_object_keys(ck.value),
+                        ck.value -> jsonb_object_keys(ck.value) AS value
+                    FROM "{self.name}_keys" ck
+                    WHERE jsonb_typeof(ck.value) = 'object'
+                ),
+
+                unique_paths AS (
+                    SELECT DISTINCT key_path_array
+                    FROM "{self.name}_keys"
+                )
+
+                SELECT key_path_array FROM unique_paths;
+            """  # nosec
+            )
+            return (x[0] for x in cursor.fetchall())
+
+    def get_nested_options(self) -> OrderedDict:
+        """Get keys of all nested objects to show autocomplete"""
+        if not self.suggest_nested:
+            return OrderedDict()
+        base_model_name = f"{self.model._meta.app_label}.{self.model._meta.model_name}_{self.name}"
+
+        def recursive_function(parts: list[str], parent_parts: list[str] | None = None):
+            if not parent_parts:
+                parent_parts = []
+            path = parts.pop(0)
+            parent_parts.append(path)
+            relation_key = "_".join(parent_parts)
+            if len(parts) > 1:
+                out_dict = {
+                    relation_key: {
+                        parts[0]: {
+                            "type": "relation",
+                            "relation": f"{relation_key}_{parts[0]}",
+                        }
+                    }
+                }
+                child_paths = recursive_function(parts.copy(), parent_parts.copy())
+                child_paths.update(out_dict)
+                return child_paths
+            else:
+                return {relation_key: {parts[0]: {}}}
+
+        relation_structure = defaultdict(dict)
+
+        for relations in self.json_field_keys():
+            result = recursive_function([base_model_name] + relations)
+            for relation_key, value in result.items():
+                for sub_relation_key, sub_value in value.items():
+                    if not relation_structure[relation_key].get(sub_relation_key, None):
+                        relation_structure[relation_key][sub_relation_key] = sub_value
+                    else:
+                        relation_structure[relation_key][sub_relation_key].update(sub_value)
+
+        final_dict = defaultdict(dict)
+
+        for key, value in relation_structure.items():
+            for sub_key, sub_value in value.items():
+                if not sub_value:
+                    final_dict[key][sub_key] = {
+                        "type": "str",
+                        "nullable": True,
+                    }
+                else:
+                    final_dict[key][sub_key] = sub_value
+        return OrderedDict(final_dict)
+
+    def relation(self) -> str:
+        return f"{self.model._meta.app_label}.{self.model._meta.model_name}_{self.name}"
+
+
+class ChoiceSearchField(StrField):
+    def __init__(self, model=None, name=None, nullable=None):
+        super().__init__(model, name, nullable, suggest_options=True)
+
+    def get_options(self, search):
+        result = []
+        choices = self._field_choices()
+        if choices:
+            search = search.lower()
+            for c in choices:
+                choice = text_type(c[0])
+                if search in choice.lower():
+                    result.append(choice)
+        return result
--- a/authentik/enterprise/search/pagination.py
+++ b/authentik/enterprise/search/pagination.py
@ -0,0 +1,53 @@
+from rest_framework.response import Response
+
+from authentik.api.pagination import Pagination
+from authentik.enterprise.search.ql import AUTOCOMPLETE_COMPONENT_NAME, QLSearch
+
+
+class AutocompletePagination(Pagination):
+
+    def paginate_queryset(self, queryset, request, view=None):
+        self.view = view
+        return super().paginate_queryset(queryset, request, view)
+
+    def get_autocomplete(self):
+        schema = QLSearch().get_schema(self.request, self.view)
+        introspections = {}
+        if hasattr(self.view, "get_ql_fields"):
+            from authentik.enterprise.search.schema import AKQLSchemaSerializer
+
+            introspections = AKQLSchemaSerializer().serialize(
+                schema(self.page.paginator.object_list.model)
+            )
+        return introspections
+
+    def get_paginated_response(self, data):
+        previous_page_number = 0
+        if self.page.has_previous():
+            previous_page_number = self.page.previous_page_number()
+        next_page_number = 0
+        if self.page.has_next():
+            next_page_number = self.page.next_page_number()
+        return Response(
+            {
+                "pagination": {
+                    "next": next_page_number,
+                    "previous": previous_page_number,
+                    "count": self.page.paginator.count,
+                    "current": self.page.number,
+                    "total_pages": self.page.paginator.num_pages,
+                    "start_index": self.page.start_index(),
+                    "end_index": self.page.end_index(),
+                },
+                "results": data,
+                "autocomplete": self.get_autocomplete(),
+            }
+        )
+
+    def get_paginated_response_schema(self, schema):
+        final_schema = super().get_paginated_response_schema(schema)
+        final_schema["properties"]["autocomplete"] = {
+            "$ref": f"#/components/schemas/{AUTOCOMPLETE_COMPONENT_NAME}"
+        }
+        final_schema["required"].append("autocomplete")
+        return final_schema
--- a/Show More
+++ b/Show More