release: 2025.2.0-rc2

policies/geoip: fix math in impossible travel (cherry-pick #13141 ) (#13145 )
policies/geoip: fix math in impossible travel (#13141) * policies/geoip: fix math in impossible travel * fix threshold --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
2025-02-20 23:47:15 +01:00 · 2025-02-20 23:46:21 +01:00 · 2025-02-20 23:45:43 +01:00 · 2025-02-20 16:07:21 +01:00 · 2025-02-20 15:12:03 +01:00 · 2025-02-19 18:20:28 +01:00
448 changed files with 2996 additions and 13136 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.1
+current_version = 2025.2.0-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-
-   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -30,16 +30,12 @@ runs:
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
-    - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry sync
+        poetry install --sync
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -11,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
    ports:
      - 6379:6379
    restart: always
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@ -1,32 +1,7 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed
+assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -82,12 +82,6 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -40,7 +40,7 @@ jobs:
      attestations: write
    steps:
      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: docker/setup-qemu-action@v3.4.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -15,8 +15,8 @@ jobs:
      matrix:
        version:
          - docs
-          - version-2025-2
          - version-2024-12
+          - version-2024-10
    steps:
      - uses: actions/checkout@v4
      - run: |
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -42,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -186,7 +186,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,13 +1,9 @@
 ---
-name: authentik-translate-extract-compile
+name: authentik-backend-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - version-*

 env:
  POSTGRES_DB: authentik
@ -19,21 +15,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
-        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v4
-        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
      - name: run extract
        run: |
          poetry run make i18n-extract
@ -42,7 +32,6 @@ jobs:
          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
-        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,4 +1,26 @@
 {
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "entra",
+        "goauthentik",
+        "jwe",
+        "jwks",
+        "kubernetes",
+        "oidc",
+        "openid",
+        "passwordless",
+        "plex",
+        "saml",
+        "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
+    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/3
+++ b/3
@ -3,8 +3,7 @@
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder

-ENV NODE_ENV=production \
-    GIT_UNAVAILABLE=true
+ENV NODE_ENV=production

 WORKDIR /work/website

--- a/67
+++ b/67
@ -4,17 +4,34 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"

 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"

-pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
+		website/src \
+		website/blog \
+		website/docs \
+		website/integrations \
+		website/src

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@ -32,26 +49,26 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	poetry run coverage run manage.py test --keepdb authentik
-	poetry run coverage html
-	poetry run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	poetry run black $(PY_SOURCES)
-	poetry run ruff check --fix $(PY_SOURCES)
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	poetry run codespell -w
+	codespell -w $(CODESPELL_ARGS)

 lint: ## Lint the python and golang sources
-	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v

 core-install:
 	poetry install

 migrate: ## Run the Authentik Django server's migrations
-	poetry run python -m lifecycle.migrate
+	python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

@ -59,7 +76,7 @@ aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn

 core-i18n-extract:
-	poetry run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -90,11 +107,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		poetry run ak make_blueprint_schema > blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		poetry run ak spectacular --file schema.yml
+		ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -145,7 +162,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -173,7 +190,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	poetry run scripts/generate_config.py
+	python -m scripts.generate_config

 gen: gen-build gen-client-ts

@ -254,21 +271,21 @@ ci--meta-debug:
 	node --version

 ci-black: ci--meta-debug
-	poetry run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	poetry run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	poetry run codespell -s
+	codespell $(CODESPELL_ARGS) -s

 ci-bandit: ci--meta-debug
-	poetry run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	poetry run ak makemigrations --check
+	ak makemigrations --check

 ci-test: ci--meta-debug
-	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	poetry run coverage report
-	poetry run coverage xml
+	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	coverage report
+	coverage xml
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di

 ## Independent audits and pentests

-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).

 ## What authentik classifies as a CVE

@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
+| 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
-| 2025.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.1"
+__version__ = "2025.2.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -5,7 +5,6 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@ -155,17 +154,6 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)

-    def destroy(self, request: Request, *args, **kwargs):
-        """Prevent deletion of built-in sources"""
-        instance: Source = self.get_object()
-
-        if instance.managed == Source.MANAGED_INBUILT:
-            raise ValidationError(
-                {"detail": "Built-in sources cannot be deleted"}, code="protected"
-            )
-
-        return super().destroy(request, *args, **kwargs)
-

 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -32,5 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed=Source.MANAGED_INBUILT,
+            managed="goauthentik.io/sources/inbuilt",
        )
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -678,8 +678,6 @@ class SourceGroupMatchingModes(models.TextChoices):
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

-    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"
-
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)

--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -11,7 +11,6 @@
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
-            relBase: "{{ base_url_rel }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,8 +8,6 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
-        <meta name="darkreader-lock">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon_url }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -55,7 +55,7 @@ class RedirectToAppLaunch(View):
            )
        except FlowNonApplicableException:
            raise Http404 from None
-        plan.append_stage(in_memory_stage(RedirectToAppStage))
+        plan.insert_stage(in_memory_stage(RedirectToAppStage))
        return plan.to_redirect(request, flow)


--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -53,7 +53,6 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
-        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
        return super().get_context_data(**kwargs)


--- a/authentik/enterprise/providers/google_workspace/api/providers.py
+++ b/authentik/enterprise/providers/google_workspace/api/providers.py
@ -37,7 +37,6 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
            "user_delete_action",
            "group_delete_action",
            "default_group_email_domain",
-            "dry_run",
        ]
        extra_kwargs = {}

--- a/authentik/enterprise/providers/google_workspace/clients/base.py
+++ b/authentik/enterprise/providers/google_workspace/clients/base.py
@ -8,10 +8,9 @@ from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse

 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
-    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -44,8 +43,6 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
            self.domains.append(domain_name)

    def _request(self, request: HttpRequest):
-        if self.provider.dry_run and request.method.upper() not in SAFE_METHODS:
-            raise DryRunRejected(request.uri, request.method, request.body)
        try:
            response = request.execute()
        except GoogleAuthError as exc:
--- a/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_google_workspace",
-            "0003_googleworkspaceprovidergroup_attributes_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]
--- a/authentik/enterprise/providers/microsoft_entra/api/providers.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/providers.py
@ -36,7 +36,6 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
            "filter_group",
            "user_delete_action",
            "group_delete_action",
-            "dry_run",
        ]
        extra_kwargs = {}

--- a/authentik/enterprise/providers/microsoft_entra/clients/base.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/base.py
@ -3,7 +3,6 @@ from collections.abc import Coroutine
 from dataclasses import asdict
 from typing import Any

-import httpx
 from azure.core.exceptions import (
    ClientAuthenticationError,
    ServiceRequestError,
@ -13,7 +12,6 @@ from azure.identity.aio import ClientSecretCredential
 from django.db.models import Model
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from kiota_abstractions.api_error import APIError
-from kiota_abstractions.request_information import RequestInformation
 from kiota_authentication_azure.azure_identity_authentication_provider import (
    AzureIdentityAuthenticationProvider,
 )
@ -23,15 +21,13 @@ from msgraph.generated.models.o_data_errors.o_data_error import ODataError
 from msgraph.graph_request_adapter import GraphRequestAdapter, options
 from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
-from opentelemetry import trace

 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
-    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -39,24 +35,20 @@ from authentik.lib.sync.outgoing.exceptions import (
 )


-class AuthentikRequestAdapter(GraphRequestAdapter):
-    def __init__(self, auth_provider, provider: MicrosoftEntraProvider, client=None):
-        super().__init__(auth_provider, client)
-        self._provider = provider
+def get_request_adapter(
+    credentials: ClientSecretCredential, scopes: list[str] | None = None
+) -> GraphRequestAdapter:
+    if scopes:
+        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
+    else:
+        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)

-    async def get_http_response_message(
-        self,
-        request_info: RequestInformation,
-        parent_span: trace.Span,
-        claims: str = "",
-    ) -> httpx.Response:
-        if self._provider.dry_run and request_info.http_method.value.upper() not in SAFE_METHODS:
-            raise DryRunRejected(
-                url=request_info.url,
-                method=request_info.http_method.value,
-                body=request_info.content.decode("utf-8"),
-            )
-        return await super().get_http_response_message(request_info, parent_span, claims=claims)
+    return GraphRequestAdapter(
+        auth_provider=auth_provider,
+        client=GraphClientFactory.create_with_default_middleware(
+            options=options, client=KiotaClientFactory.get_default_client()
+        ),
+    )


 class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
@ -71,27 +63,9 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
        self.credentials = provider.microsoft_credentials()
        self.__prefetch_domains()

-    def get_request_adapter(
-        self, credentials: ClientSecretCredential, scopes: list[str] | None = None
-    ) -> AuthentikRequestAdapter:
-        if scopes:
-            auth_provider = AzureIdentityAuthenticationProvider(
-                credentials=credentials, scopes=scopes
-            )
-        else:
-            auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
-
-        return AuthentikRequestAdapter(
-            auth_provider=auth_provider,
-            provider=self.provider,
-            client=GraphClientFactory.create_with_default_middleware(
-                options=options, client=KiotaClientFactory.get_default_client()
-            ),
-        )
-
    @property
    def client(self):
-        return GraphServiceClient(request_adapter=self.get_request_adapter(**self.credentials))
+        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))

    def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
        try:
--- a/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_microsoft_entra",
-            "0002_microsoftentraprovidergroup_attributes_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
@ -32,6 +32,7 @@ class MicrosoftEntraUserTests(APITestCase):

    @apply_blueprint("system/providers-microsoft-entra.yaml")
    def setUp(self) -> None:
+
        # Delete all users and groups as the mocked HTTP responses only return one ID
        # which will cause errors with multiple users
        Tenant.objects.update(avatars="none")
@ -96,38 +97,6 @@ class MicrosoftEntraUserTests(APITestCase):
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            user_create.assert_called_once()

-    def test_user_create_dry_run(self):
-        """Test user creation (dry run)"""
-        self.provider.dry_run = True
-        self.provider.save()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNone(microsoft_user)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-
    def test_user_not_created(self):
        """Test without property mappings, no group is created"""
        self.provider.property_mappings.clear()
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@ -89,9 +89,9 @@ class SourceStageFinal(StageView):
    This stage uses the override flow token to resume execution of the initial flow the
    source stage is bound to."""

-    def dispatch(self, *args, **kwargs):
+    def dispatch(self):
        token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
-        self.logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
+        self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
        plan = token.plan
        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
        response = plan.to_redirect(self.request, token.flow)
--- a/authentik/enterprise/stages/source/tests.py
+++ b/authentik/enterprise/stages/source/tests.py
@ -4,8 +4,7 @@ from django.urls import reverse

 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.enterprise.stages.source.stage import SourceStageFinal
-from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken, in_memory_stage
+from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
@ -88,7 +87,6 @@ class TestSourceStage(FlowTestCase):
        self.assertIsNotNone(flow_token)
        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
-        plan.insert_stage(in_memory_stage(SourceStageFinal), index=0)
        plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -98,6 +96,4 @@ class TestSourceStage(FlowTestCase):
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
        )
        self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        )
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -76,10 +76,10 @@ class FlowPlan:
        self.bindings.append(binding)
        self.markers.append(marker or StageMarker())

-    def insert_stage(self, stage: Stage, marker: StageMarker | None = None, index=1):
+    def insert_stage(self, stage: Stage, marker: StageMarker | None = None):
        """Insert stage into plan, as immediate next stage"""
-        self.bindings.insert(index, FlowStageBinding(stage=stage, order=0))
-        self.markers.insert(index, marker or StageMarker())
+        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
+        self.markers.insert(1, marker or StageMarker())

    def redirect(self, destination: str):
        """Insert a redirect stage as next stage"""
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -282,14 +282,16 @@ class ConfigLoader:

    def get_optional_int(self, path: str, default=None) -> int | None:
        """Wrapper for get that converts value into int or None if set"""
-        value = self.get(path, UNSET)
+        value = self.get(path, default)
        if value is UNSET:
            return default
        try:
            return int(value)
        except (ValueError, TypeError) as exc:
            if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return None
+                return default
+            if value is UNSET:
+                return default
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default

@ -370,9 +372,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
-            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
-            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
-            "DISABLE_SERVER_SIDE_CURSORS": config.get_bool(
+            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
                "postgresql.disable_server_side_cursors", False
            ),
            "TEST": {
@ -381,8 +383,8 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        }
    }

-    conn_max_age = config.get_optional_int("postgresql.conn_max_age", UNSET)
-    disable_server_side_cursors = config.get_bool("postgresql.disable_server_side_cursors", UNSET)
+    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        if disable_server_side_cursors is not UNSET:
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -64,8 +64,6 @@ debugger: false
 log_level: info

 session_storage: cache
-sessions:
-  unauthenticated_age: days=1

 error_reporting:
  enabled: false
--- a/authentik/lib/sync/outgoing/api.py
+++ b/authentik/lib/sync/outgoing/api.py
@ -33,7 +33,6 @@ class SyncObjectSerializer(PassiveSerializer):
        )
    )
    sync_object_id = CharField()
-    override_dry_run = BooleanField(default=False)


 class SyncObjectResultSerializer(PassiveSerializer):
@ -99,7 +98,6 @@ class OutgoingSyncProviderStatusMixin:
            page=1,
            provider_pk=provider.pk,
            pk=params.validated_data["sync_object_id"],
-            override_dry_run=params.validated_data["override_dry_run"],
        ).get()
        return Response(SyncObjectResultSerializer(instance={"messages": res}).data)

--- a/authentik/lib/sync/outgoing/base.py
+++ b/authentik/lib/sync/outgoing/base.py
@ -28,14 +28,6 @@ class Direction(StrEnum):
    remove = "remove"


-SAFE_METHODS = [
-    "GET",
-    "HEAD",
-    "OPTIONS",
-    "TRACE",
-]
-
-
 class BaseOutgoingSyncClient[
    TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
 ]:
--- a/authentik/lib/sync/outgoing/exceptions.py
+++ b/authentik/lib/sync/outgoing/exceptions.py
@ -21,22 +21,6 @@ class BadRequestSyncException(BaseSyncException):
    """Exception when invalid data was sent to the remote system"""


-class DryRunRejected(BaseSyncException):
-    """When dry_run is enabled and a provider dropped a mutating request"""
-
-    def __init__(self, url: str, method: str, body: dict):
-        super().__init__()
-        self.url = url
-        self.method = method
-        self.body = body
-
-    def __repr__(self):
-        return self.__str__()
-
-    def __str__(self):
-        return f"Dry-run rejected request: {self.method} {self.url}"
-
-
 class StopSync(BaseSyncException):
    """Exception raised when a configuration error should stop the sync process"""

--- a/authentik/lib/sync/outgoing/models.py
+++ b/authentik/lib/sync/outgoing/models.py
@ -1,9 +1,8 @@
 from typing import Any, Self

 import pglock
-from django.db import connection, models
+from django.db import connection
 from django.db.models import Model, QuerySet, TextChoices
-from django.utils.translation import gettext_lazy as _

 from authentik.core.models import Group, User
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
@ -19,14 +18,6 @@ class OutgoingSyncDeleteAction(TextChoices):


 class OutgoingSyncProvider(Model):
-    """Base abstract models for providers implementing outgoing sync"""
-
-    dry_run = models.BooleanField(
-        default=False,
-        help_text=_(
-            "When enabled, provider will not modify or create objects in the remote system."
-        ),
-    )

    class Meta:
        abstract = True
@ -41,7 +32,7 @@ class OutgoingSyncProvider(Model):

    @property
    def sync_lock(self) -> pglock.advisory:
-        """Postgres lock for syncing to prevent multiple parallel syncs happening"""
+        """Postgres lock for syncing SCIM to prevent multiple parallel syncs happening"""
        return pglock.advisory(
            lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
            timeout=0,
--- a/authentik/lib/sync/outgoing/tasks.py
+++ b/authentik/lib/sync/outgoing/tasks.py
@ -20,7 +20,6 @@ from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
-    DryRunRejected,
    StopSync,
    TransientSyncException,
 )
@ -106,9 +105,7 @@ class SyncTasks:
                return
        task.set_status(TaskStatus.SUCCESSFUL, *messages)

-    def sync_objects(
-        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
-    ):
+    def sync_objects(self, object_type: str, page: int, provider_pk: int, **filter):
        _object_type = path_to_class(object_type)
        self.logger = get_logger().bind(
            provider_type=class_to_path(self._provider_model),
@ -119,10 +116,6 @@ class SyncTasks:
        provider = self._provider_model.objects.filter(pk=provider_pk).first()
        if not provider:
            return messages
-        # Override dry run mode if requested, however don't save the provider
-        # so that scheduled sync tasks still run in dry_run mode
-        if override_dry_run:
-            provider.dry_run = False
        try:
            client = provider.client_for_model(_object_type)
        except TransientSyncException:
@ -139,22 +132,6 @@ class SyncTasks:
            except SkipObjectException:
                self.logger.debug("skipping object due to SkipObject", obj=obj)
                continue
-            except DryRunRejected as exc:
-                messages.append(
-                    asdict(
-                        LogEvent(
-                            _("Dropping mutating request due to dry run"),
-                            log_level="info",
-                            logger=f"{provider._meta.verbose_name}@{object_type}",
-                            attributes={
-                                "obj": sanitize_item(obj),
-                                "method": exc.method,
-                                "url": exc.url,
-                                "body": exc.body,
-                            },
-                        )
-                    )
-                )
            except BadRequestSyncException as exc:
                self.logger.warning("failed to sync object", exc=exc, obj=obj)
                messages.append(
@ -254,10 +231,8 @@ class SyncTasks:
                raise Retry() from exc
            except SkipObjectException:
                continue
-            except DryRunRejected as exc:
-                self.logger.info("Rejected dry-run event", exc=exc)
            except StopSync as exc:
-                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
+                self.logger.warning(exc, provider_pk=provider.pk)

    def sync_signal_m2m(self, group_pk: str, action: str, pk_set: list[int]):
        self.logger = get_logger().bind(
@ -288,7 +263,5 @@ class SyncTasks:
                raise Retry() from exc
            except SkipObjectException:
                continue
-            except DryRunRejected as exc:
-                self.logger.info("Rejected dry-run event", exc=exc)
            except StopSync as exc:
-                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
+                self.logger.warning(exc, provider_pk=provider.pk)
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -158,18 +158,6 @@ class TestConfig(TestCase):
            test_obj = Test()
            dumps(test_obj, indent=4, cls=AttrEncoder)

-    def test_get_optional_int(self):
-        config = ConfigLoader()
-        self.assertEqual(config.get_optional_int("foo", 21), 21)
-        self.assertEqual(config.get_optional_int("foo"), None)
-        config.set("foo", "21")
-        self.assertEqual(config.get_optional_int("foo"), 21)
-        self.assertEqual(config.get_optional_int("foo", 0), 21)
-        self.assertEqual(config.get_optional_int("foo", "null"), 21)
-        config.set("foo", "null")
-        self.assertEqual(config.get_optional_int("foo"), None)
-        self.assertEqual(config.get_optional_int("foo", 21), None)
-
    @mock.patch.dict(environ, check_deprecations_env_vars)
    def test_check_deprecations(self):
        """Test config key re-write for deprecated env vars"""
@ -233,16 +221,6 @@ class TestConfig(TestCase):
            },
        )

-    def test_db_conn_max_age(self):
-        """Test DB conn_max_age Config"""
-        config = ConfigLoader()
-        config.set("postgresql.conn_max_age", "null")
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf["default"]["CONN_MAX_AGE"],
-            None,
-        )
-
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -1,6 +1,5 @@
 """Base Kubernetes Reconciler"""

-import re
 from dataclasses import asdict
 from json import dumps
 from typing import TYPE_CHECKING, Generic, TypeVar
@ -68,8 +67,7 @@ class KubernetesObjectReconciler(Generic[T]):
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
-
-        base_name = (
+        return (
            self.controller.outpost.config.object_naming_template
            % {
                "name": slugify(self.controller.outpost.name),
@ -77,16 +75,6 @@ class KubernetesObjectReconciler(Generic[T]):
            }
        ).lower()

-        formatted = slugify(base_name)
-        formatted = re.sub(r"[^a-z0-9-]", "-", formatted)
-        formatted = re.sub(r"-+", "-", formatted)
-        formatted = formatted[:63]
-
-        if not formatted:
-            formatted = f"outpost-{self.controller.outpost.uuid.hex}"[:63]
-
-        return formatted
-
    def get_patched_reference_object(self) -> T:
        """Get patched reference object"""
        reference = self.get_reference_object()
@ -124,6 +112,7 @@ class KubernetesObjectReconciler(Generic[T]):
            try:
                current = self.retrieve()
            except (OpenApiException, HTTPError) as exc:
+
                if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
@ -167,6 +156,7 @@ class KubernetesObjectReconciler(Generic[T]):
            self.delete(current)
            self.logger.debug("Removing")
        except (OpenApiException, HTTPError) as exc:
+
            if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                self.logger.debug("Failed to get current, assuming non-existent")
                return
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -61,14 +61,9 @@ class KubernetesController(BaseController):
    client: KubernetesClient
    connection: KubernetesServiceConnection

-    def __init__(
-        self,
-        outpost: Outpost,
-        connection: KubernetesServiceConnection,
-        client: KubernetesClient | None = None,
-    ) -> None:
+    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection) -> None:
        super().__init__(outpost, connection)
-        self.client = client if client else KubernetesClient(connection)
+        self.client = KubernetesClient(connection)
        self.reconcilers = {
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
--- a/authentik/outposts/tests/test_controller_k8s.py
+++ b/authentik/outposts/tests/test_controller_k8s.py
@ -1,44 +0,0 @@
-"""Kubernetes controller tests"""
-
-from django.test import TestCase
-
-from authentik.blueprints.tests import reconcile_app
-from authentik.lib.generators import generate_id
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
-from authentik.outposts.controllers.kubernetes import KubernetesController
-from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
-
-
-class KubernetesControllerTests(TestCase):
-    """Kubernetes controller tests"""
-
-    @reconcile_app("authentik_outposts")
-    def setUp(self) -> None:
-        self.outpost = Outpost.objects.create(
-            name="test",
-            type=OutpostType.PROXY,
-        )
-        self.integration = KubernetesServiceConnection(name="test")
-
-    def test_gen_name(self):
-        """Ensure the generated name is valid"""
-        controller = KubernetesController(
-            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(),
-            self.integration,
-            # Pass something not-none as client so we don't
-            # attempt to connect to K8s as that's not needed
-            client=self,
-        )
-        rec = DeploymentReconciler(controller)
-        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
-
-        controller.outpost.name = generate_id()
-        self.assertLess(len(rec.name), 64)
-
-        # Test custom naming template
-        _cfg = controller.outpost.config
-        _cfg.object_naming_template = ""
-        controller.outpost.config = _cfg
-        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
-        self.assertLess(len(rec.name), 64)
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -9,12 +9,7 @@ from hashlib import sha256
 from typing import Any
 from urllib.parse import urlparse, urlunparse

-from cryptography.hazmat.primitives.asymmetric.ec import (
-    SECP256R1,
-    SECP384R1,
-    SECP521R1,
-    EllipticCurvePrivateKey,
-)
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
@ -119,22 +114,6 @@ class JWTAlgorithms(models.TextChoices):
    HS256 = "HS256", _("HS256 (Symmetric Encryption)")
    RS256 = "RS256", _("RS256 (Asymmetric Encryption)")
    ES256 = "ES256", _("ES256 (Asymmetric Encryption)")
-    ES384 = "ES384", _("ES384 (Asymmetric Encryption)")
-    ES512 = "ES512", _("ES512 (Asymmetric Encryption)")
-
-    @classmethod
-    def from_private_key(cls, private_key: PrivateKeyTypes | None) -> str:
-        if isinstance(private_key, RSAPrivateKey):
-            return cls.RS256
-        if isinstance(private_key, EllipticCurvePrivateKey):
-            curve = private_key.curve
-            if isinstance(curve, SECP256R1):
-                return cls.ES256
-            if isinstance(curve, SECP384R1):
-                return cls.ES384
-            if isinstance(curve, SECP521R1):
-                return cls.ES512
-        raise ValueError(f"Invalid private key type: {type(private_key)}")


 class ScopeMapping(PropertyMapping):
@ -284,7 +263,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
            return self.client_secret, JWTAlgorithms.HS256
        key: CertificateKeyPair = self.signing_key
        private_key = key.private_key
-        return private_key, JWTAlgorithms.from_private_key(private_key)
+        if isinstance(private_key, RSAPrivateKey):
+            return private_key, JWTAlgorithms.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            return private_key, JWTAlgorithms.ES256
+        raise ValueError(f"Invalid private key type: {type(private_key)}")

    def get_issuer(self, request: HttpRequest) -> str | None:
        """Get issuer, based on request"""
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -254,10 +254,10 @@ class OAuthAuthorizationParams:
            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
        if SCOPE_OFFLINE_ACCESS in self.scope:
            # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-            # Don't explicitly request consent with offline_access, as the spec allows for
-            # "other conditions for processing the request permitting offline access to the
-            # requested resources are in place"
-            # which we interpret as "the admin picks an authorization flow with or without consent"
+            if PROMPT_CONSENT not in self.prompt:
+                # Instead of ignoring the `offline_access` scope when `prompt`
+                # isn't set to `consent`, we set override it ourselves
+                self.prompt.add(PROMPT_CONSENT)
            if self.response_type not in [
                ResponseTypes.CODE,
                ResponseTypes.CODE_TOKEN,
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -71,7 +71,7 @@ class CodeValidatorView(PolicyAccessView):
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            return None
-        plan.append_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
+        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
        return plan.to_redirect(self.request, self.token.provider.authorization_flow)


--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@ -34,5 +34,5 @@ class EndSessionView(PolicyAccessView):
                PLAN_CONTEXT_APPLICATION: self.application,
            },
        )
-        plan.append_stage(in_memory_stage(SessionEndStage))
+        plan.insert_stage(in_memory_stage(SessionEndStage))
        return plan.to_redirect(self.request, self.flow)
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@ -75,7 +75,10 @@ class JWKSView(View):
        key_data = {}

        if use == "sig":
-            key_data["alg"] = JWTAlgorithms.from_private_key(private_key)
+            if isinstance(private_key, RSAPrivateKey):
+                key_data["alg"] = JWTAlgorithms.RS256
+            elif isinstance(private_key, EllipticCurvePrivateKey):
+                key_data["alg"] = JWTAlgorithms.ES256
        elif use == "enc":
            key_data["alg"] = "RSA-OAEP-256"
            key_data["enc"] = "A256CBC-HS512"
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@ -36,17 +36,17 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
    def reconciler_name() -> str:
        return "ingress"

-    def _check_annotations(self, current: V1Ingress, reference: V1Ingress):
+    def _check_annotations(self, reference: V1Ingress):
        """Check that all annotations *we* set are correct"""
-        for key, value in reference.metadata.annotations.items():
-            if key not in current.metadata.annotations:
+        for key, value in self.get_ingress_annotations().items():
+            if key not in reference.metadata.annotations:
                raise NeedsUpdate()
-            if current.metadata.annotations[key] != value:
+            if reference.metadata.annotations[key] != value:
                raise NeedsUpdate()

    def reconcile(self, current: V1Ingress, reference: V1Ingress):
        super().reconcile(current, reference)
-        self._check_annotations(current, reference)
+        self._check_annotations(reference)
        # Create a list of all expected host and tls hosts
        expected_hosts = []
        expected_hosts_tls = []
--- a/authentik/providers/rac/apps.py
+++ b/authentik/providers/rac/apps.py
@ -1,9 +1,9 @@
 """RAC app config"""

-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig


-class AuthentikProviderRAC(ManagedAppConfig):
+class AuthentikProviderRAC(AppConfig):
    """authentik rac app config"""

    name = "authentik.providers.rac"
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -4,7 +4,8 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
-from django.db.models.signals import post_delete, post_save, pre_delete
+from django.db.models import Model
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

@ -45,8 +46,12 @@ def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **
    )


-@receiver([post_save, post_delete], sender=Endpoint)
-def post_save_post_delete_endpoint(**_):
-    """Clear user's endpoint cache upon endpoint creation or deletion"""
+@receiver(post_save, sender=Endpoint)
+def post_save_endpoint(sender: type[Model], instance, created: bool, **_):
+    """Clear user's endpoint cache upon endpoint creation"""
+    if not created:  # pragma: no cover
+        return
+
+    # Delete user endpoint cache
    keys = cache.keys(user_endpoint_cache_key("*"))
    cache.delete_many(keys)
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -46,7 +46,7 @@ class RACStartView(PolicyAccessView):
            )
        except FlowNonApplicableException:
            raise Http404 from None
-        plan.append_stage(
+        plan.insert_stage(
            in_memory_stage(
                RACFinalStage,
                application=self.application,
--- a/authentik/providers/saml/views/slo.py
+++ b/authentik/providers/saml/views/slo.py
@ -61,7 +61,7 @@ class SAMLSLOView(PolicyAccessView):
                PLAN_CONTEXT_APPLICATION: self.application,
            },
        )
-        plan.append_stage(in_memory_stage(SessionEndStage))
+        plan.insert_stage(in_memory_stage(SessionEndStage))
        return plan.to_redirect(self.request, self.flow)

    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
--- a/authentik/providers/scim/api/providers.py
+++ b/authentik/providers/scim/api/providers.py
@ -28,10 +28,8 @@ class SCIMProviderSerializer(ProviderSerializer):
            "url",
            "verify_certificates",
            "token",
-            "compatibility_mode",
            "exclude_users_service_account",
            "filter_group",
-            "dry_run",
        ]
        extra_kwargs = {}

--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@ -12,9 +12,8 @@ from authentik.lib.sync.outgoing import (
    HTTP_SERVICE_UNAVAILABLE,
    HTTP_TOO_MANY_REQUESTS,
 )
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
-    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    TransientSyncException,
@ -22,7 +21,7 @@ from authentik.lib.sync.outgoing.exceptions import (
 from authentik.lib.utils.http import get_http_session
 from authentik.providers.scim.clients.exceptions import SCIMRequestException
 from authentik.providers.scim.clients.schema import ServiceProviderConfiguration
-from authentik.providers.scim.models import SCIMCompatibilityMode, SCIMProvider
+from authentik.providers.scim.models import SCIMProvider

 if TYPE_CHECKING:
    from django.db.models import Model
@ -55,8 +54,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](

    def _request(self, method: str, path: str, **kwargs) -> dict:
        """Wrapper to send a request to the full URL"""
-        if self.provider.dry_run and method.upper() not in SAFE_METHODS:
-            raise DryRunRejected(f"{self.base_url}{path}", method, body=kwargs.get("json"))
        try:
            response = self._session.request(
                method,
@ -90,14 +87,9 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
        """Get Service provider config"""
        default_config = ServiceProviderConfiguration.default()
        try:
-            config = ServiceProviderConfiguration.model_validate(
+            return ServiceProviderConfiguration.model_validate(
                self._request("GET", "/ServiceProviderConfig")
            )
-            if self.provider.compatibility_mode == SCIMCompatibilityMode.AWS:
-                config.patch.supported = False
-            if self.provider.compatibility_mode == SCIMCompatibilityMode.SLACK:
-                config.filter.supported = True
-            return config
        except (ValidationError, SCIMRequestException, NotFoundSyncException) as exc:
            self.logger.warning("failed to get ServiceProviderConfig", exc=exc)
            return default_config
--- a/authentik/providers/scim/clients/users.py
+++ b/authentik/providers/scim/clients/users.py
@ -1,12 +1,10 @@
 """User client"""

-from django.db import transaction
-from django.utils.http import urlencode
 from pydantic import ValidationError

 from authentik.core.models import User
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.lib.sync.outgoing.exceptions import ObjectExistsSyncException, StopSync
+from authentik.lib.sync.outgoing.exceptions import StopSync
 from authentik.policies.utils import delete_none_values
 from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
@ -57,35 +55,18 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
    def create(self, user: User):
        """Create user from scratch and create a connection object"""
        scim_user = self.to_schema(user, None)
-        with transaction.atomic():
-            try:
-                response = self._request(
-                    "POST",
-                    "/Users",
-                    json=scim_user.model_dump(
-                        mode="json",
-                        exclude_unset=True,
-                    ),
-                )
-            except ObjectExistsSyncException as exc:
-                if not self._config.filter.supported:
-                    raise exc
-                users = self._request(
-                    "GET", f"/Users?{urlencode({'filter': f'userName eq {scim_user.userName}'})}"
-                )
-                users_res = users.get("Resources", [])
-                if len(users_res) < 1:
-                    raise exc
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=users_res[0]["id"]
-                )
-            else:
-                scim_id = response.get("id")
-                if not scim_id or scim_id == "":
-                    raise StopSync("SCIM Response with missing or invalid `id`")
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=scim_id
-                )
+        response = self._request(
+            "POST",
+            "/Users",
+            json=scim_user.model_dump(
+                mode="json",
+                exclude_unset=True,
+            ),
+        )
+        scim_id = response.get("id")
+        if not scim_id or scim_id == "":
+            raise StopSync("SCIM Response with missing or invalid `id`")
+        return SCIMProviderUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)

    def update(self, user: User, connection: SCIMProviderUser):
        """Update existing user"""
--- a/authentik/providers/scim/migrations/0011_scimprovider_dry_run.py
+++ b/authentik/providers/scim/migrations/0011_scimprovider_dry_run.py
@ -1,21 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0010_scimprovider_verify_certificates"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]
--- a/authentik/providers/scim/migrations/0012_scimprovider_compatibility_mode.py
+++ b/authentik/providers/scim/migrations/0012_scimprovider_compatibility_mode.py
@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-03-07 23:35
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0011_scimprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovider",
-            name="compatibility_mode",
-            field=models.CharField(
-                choices=[("default", "Default"), ("aws", "AWS"), ("slack", "Slack")],
-                default="default",
-                help_text="Alter authentik behavior for vendor-specific SCIM implementations.",
-                max_length=30,
-                verbose_name="SCIM Compatibility Mode",
-            ),
-        ),
-    ]
--- a/authentik/providers/scim/models.py
+++ b/authentik/providers/scim/models.py
@ -57,14 +57,6 @@ class SCIMProviderGroup(SerializerModel):
        return f"SCIM Provider Group {self.group_id} to {self.provider_id}"


-class SCIMCompatibilityMode(models.TextChoices):
-    """SCIM compatibility mode"""
-
-    DEFAULT = "default", _("Default")
-    AWS = "aws", _("AWS")
-    SLACK = "slack", _("Slack")
-
-
 class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
    """SCIM 2.0 provider to create users and groups in external applications"""

@ -85,14 +77,6 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
        help_text=_("Property mappings used for group creation/updating."),
    )

-    compatibility_mode = models.CharField(
-        max_length=30,
-        choices=SCIMCompatibilityMode.choices,
-        default=SCIMCompatibilityMode.DEFAULT,
-        verbose_name=_("SCIM Compatibility Mode"),
-        help_text=_("Alter authentik behavior for vendor-specific SCIM implementations."),
-    )
-
    @property
    def icon_url(self) -> str | None:
        return static("authentik/sources/scim.png")
--- a/authentik/providers/scim/tests/test_user.py
+++ b/authentik/providers/scim/tests/test_user.py
@ -3,15 +3,12 @@
 from json import loads

 from django.test import TestCase
-from django.utils.text import slugify
 from jsonschema import validate
 from requests_mock import Mocker

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
-from authentik.events.models import SystemTask
 from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.base import SAFE_METHODS
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider
 from authentik.providers.scim.tasks import scim_sync, sync_tasks
 from authentik.tenants.models import Tenant
@ -333,59 +330,3 @@ class SCIMUserTests(TestCase):
                "userName": uid,
            },
        )
-
-    def test_user_create_dry_run(self):
-        """Test user creation (dry_run)"""
-        # Update the provider before we start mocking as saving the provider triggers a full sync
-        self.provider.dry_run = True
-        self.provider.save()
-        with Mocker() as mock:
-            scim_id = generate_id()
-            mock.get(
-                "https://localhost/ServiceProviderConfig",
-                json={},
-            )
-            mock.post(
-                "https://localhost/Users",
-                json={
-                    "id": scim_id,
-                },
-            )
-            uid = generate_id()
-            User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            self.assertEqual(mock.call_count, 1, mock.request_history)
-            self.assertEqual(mock.request_history[0].method, "GET")
-
-    def test_sync_task_dry_run(self):
-        """Test sync tasks"""
-        # Update the provider before we start mocking as saving the provider triggers a full sync
-        self.provider.dry_run = True
-        self.provider.save()
-        with Mocker() as mock:
-            uid = generate_id()
-            mock.get(
-                "https://localhost/ServiceProviderConfig",
-                json={},
-            )
-            User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-
-            sync_tasks.trigger_single_task(self.provider, scim_sync).get()
-
-            self.assertEqual(mock.call_count, 3)
-            for request in mock.request_history:
-                self.assertIn(request.method, SAFE_METHODS)
-        task = SystemTask.objects.filter(uid=slugify(self.provider.name)).first()
-        self.assertIsNotNone(task)
-        drop_msg = task.messages[2]
-        self.assertEqual(drop_msg["event"], "Dropping mutating request due to dry run")
-        self.assertIsNotNone(drop_msg["attributes"]["url"])
-        self.assertIsNotNone(drop_msg["attributes"]["body"])
-        self.assertIsNotNone(drop_msg["attributes"]["method"])
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -16,7 +16,6 @@ from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP

 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@ -243,9 +242,6 @@ SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
-SESSION_COOKIE_AGE = timedelta_from_string(
-    CONFIG.get("sessions.unauthenticated_age", "days=1")
-).total_seconds()
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True

 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -68,6 +68,8 @@ class OAuth2Client(BaseOAuthClient):
            error_desc = self.get_request_arg("error_description", None)
            return {"error": error_desc or error or _("No token received.")}
        args = {
+            "client_id": self.get_client_id(),
+            "client_secret": self.get_client_secret(),
            "redirect_uri": callback,
            "code": code,
            "grant_type": "authorization_code",
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
@ -28,7 +28,7 @@ def update_well_known_jwks(self: SystemTask):
            LOGGER.warning("Failed to update well_known", source=source, exc=exc, text=text)
            messages.append(f"Failed to update OIDC configuration for {source.slug}")
            continue
-        config: dict = well_known_config.json()
+        config = well_known_config.json()
        try:
            dirty = False
            source_attr_key = (
@ -40,9 +40,7 @@ def update_well_known_jwks(self: SystemTask):
            for source_attr, config_key in source_attr_key:
                # Check if we're actually changing anything to only
                # save when something has changed
-                if config_key not in config:
-                    continue
-                if getattr(source, source_attr, "") != config.get(config_key, ""):
+                if getattr(source, source_attr, "") != config[config_key]:
                    dirty = True
                setattr(source, source_attr, config[config_key])
        except (IndexError, KeyError) as exc:
--- a/authentik/sources/oauth/types/reddit.py
+++ b/authentik/sources/oauth/types/reddit.py
@ -25,10 +25,8 @@ class RedditOAuth2Client(UserprofileHeaderAuthClient):

    def get_access_token(self, **request_kwargs):
        "Fetch access token from callback request."
-        request_kwargs["auth"] = HTTPBasicAuth(
-            self.source.consumer_key, self.source.consumer_secret
-        )
-        return super().get_access_token(**request_kwargs)
+        auth = HTTPBasicAuth(self.source.consumer_key, self.source.consumer_secret)
+        return super().get_access_token(auth=auth)


 class RedditOAuth2Callback(OAuthCallback):
--- a/authentik/stages/authenticator_email/models.py
+++ b/authentik/stages/authenticator_email/models.py
@ -7,7 +7,6 @@ from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer

-from authentik.core.types import UserSettingSerializer
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
@ -72,14 +71,6 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
    def component(self) -> str:
        return "ak-stage-authenticator-email-form"

-    def ui_user_settings(self) -> UserSettingSerializer | None:
-        return UserSettingSerializer(
-            data={
-                "title": self.friendly_name or str(self._meta.verbose_name),
-                "component": "ak-user-settings-authenticator-email",
-            }
-        )
-
    @property
    def backend_class(self) -> type[BaseEmailBackend]:
        """Get the email backend class to use"""
--- a/authentik/stages/authenticator_email/tests.py
+++ b/authentik/stages/authenticator_email/tests.py
@ -299,6 +299,10 @@ class TestAuthenticatorEmailStage(FlowTestCase):
                data={"component": "ak-stage-authenticator-email", "code": device.token},
            )
            self.assertEqual(response.status_code, 200)
+            self.assertTrue(device.confirmed)
+            # Session key should be removed after device is saved
+            device.save()
+            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)

    def test_model_properties_and_methods(self):
        """Test model properties"""
@ -325,6 +329,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
            self.stage.send(device)

    def test_email_tasks(self):
+
        email_send_mock = MagicMock()
        with patch(
            "authentik.stages.email.tasks.send_mails",
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
@ -146,10 +146,5 @@
 		"name": "LogMeOnce",
 		"icon_dark": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgMjA0OCAyMDQ4IiB3aWR0aD0iMTI4IiBoZWlnaHQ9IjEyOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTSAwIDAgTCAtNSAxIEwgLTE1IDQgTCAtMzggMTEgTCAtNTcgMTggTCAtNzYgMjkgTCAtOTAgMzggTCAtMTA5IDUyIEwgLTExNiA1OSBMIC0xMjcgNjggTCAtMTQwIDgxIEwgLTE0OCA4OCBMIC0xNDkgOTEgTCAtMTUxIDkxIEwgLTE2MSAxMDEgTCAtMTY5IDEwOCBMIC0xNjkgMTEwIEwgLTE3MSAxMTAgTCAtMTgwIDExOSBMIC0xODggMTI2IEwgLTIwMSAxMzcgTCAtMjEyIDE0NiBMIC0yMjYgMTU3IEwgLTIzOSAxNjcgTCAtMjUwIDE3NSBMIC0yNzAgMTg4IEwgLTI5MSAyMDIgTCAtMzA5IDIxMiBMIC0zMzAgMjI0IEwgLTM1MyAyMzUgTCAtMzg2IDI1MCBMIC00MDcgMjU5IEwgLTQ0OSAyNzMgTCAtNDcyIDI4MSBMIC01MDIgMjg5IEwgLTU1MSAyOTggTCAtNjE1IDMwOSBMIC02NDcgMzE2IEwgLTY4MSAzMjQgTCAtNjk4IDMzMCBMIC03MTQgMzM4IEwgLTczNSAzNTEgTCAtNzQ1IDM1OCBMIC03NTYgMzY3IEwgLTc2NCAzNzUgTCAtNzY2IDM3OSBMIC03NjggMzc5IEwgLTc3MyAzODUgTCAtNzgxIDM5NSBMIC03OTEgNDEwIEwgLTgwMSA0MjggTCAtODEwIDQ0NyBMIC04MTYgNDY1IEwgLTgyMiA1MDAgTCAtODI3IDU0NSBMIC04MzAgNTkyIEwgLTgzMiA2NTMgTCAtODMyIDcxMiBMIC04MzEgNzQyIEwgLTgyOCA3OTQgTCAtODIyIDg2NiBMIC04MTYgOTI4IEwgLTgxMiA5NTcgTCAtODAwIDEwMjAgTCAtNzg5IDEwNzIgTCAtNzgzIDEwOTggTCAtNzY1IDExNjIgTCAtNzUxIDEyMDcgTCAtNzQ0IDEyMjUgTCAtNzM0IDEyNTQgTCAtNzIwIDEyOTAgTCAtNzA0IDEzMjggTCAtNjg5IDEzNjEgTCAtNjY4IDE0MDMgTCAtNjUzIDE0MzEgTCAtNjM5IDE0NTYgTCAtNjIwIDE0ODggTCAtNjA3IDE1MDkgTCAtNTk0IDE1MjkgTCAtNTg0IDE1NDQgTCAtNTcxIDE1NjMgTCAtNTU4IDE1ODEgTCAtNTQ0IDE2MDAgTCAtNTMzIDE2MTUgTCAtNTIwIDE2MzIgTCAtNTA3IDE2NDggTCAtNDc5IDE2ODIgTCAtNDcwIDE2OTMgTCAtNDYwIDE3MDQgTCAtNDQ5IDE3MTYgTCAtNDQyIDE3MjQgTCAtNDMyIDE3MzQgTCAtNDI1IDE3NDIgTCAtMzY4IDE3OTkgTCAtMzUxIDE4MTUgTCAtMzM1IDE4MzAgTCAtMzI3IDE4MzcgTCAtMzE0IDE4NDkgTCAtMjg4IDE4NzEgTCAtMjcxIDE4ODUgTCAtMjYxIDE4OTMgTCAtMjQ0IDE5MDcgTCAtMjI4IDE5MTkgTCAtMjE1IDE5MjkgTCAtMTk2IDE5NDMgTCAtMTg0IDE5NTIgTCAtMTY4IDE5NjMgTCAtMTQ4IDE5NzcgTCAtMTMzIDE5ODcgTCAtMTEyIDIwMDAgTCAtODggMjAxMyBMIC03MiAyMDIxIEwgLTUyIDIwMzAgTCAtMzIgMjAzNyBMIDEyIDIwNDggTCA2MCAyMDQ4IEwgNjEgMjA0NyBMIDczIDIwNDQgTCAxMDAgMjAzNyBMIDEyMSAyMDI5IEwgMTQ5IDIwMTUgTCAxNjcgMjAwNSBMIDE4NiAxOTk0IEwgMjEwIDE5NzkgTCAyMzEgMTk2NSBMIDI2NiAxOTQxIEwgMjg0IDE5MjggTCAyOTUgMTkyMCBMIDMwNiAxOTExIEwgMzI0IDE4OTggTCAzMzggMTg4NyBMIDM0OSAxODc3IEwgMzU4IDE4NzAgTCAzNjkgMTg2MCBMIDM4MCAxODUxIEwgMzgwIDE4NDkgTCAzODIgMTg0OSBMIDM4NSAxODQ2IEwgMzk2IDE4MzcgTCA0MDMgMTgzMCBMIDQxMSAxODIzIEwgNDE4IDE4MTYgTCA0MjYgMTgwOSBMIDQ3NSAxNzYwIEwgNDc3IDE3NTYgTCA0NzkgMTc1NiBMIDQ4NyAxNzQ3IEwgNTAzIDE3MzAgTCA1MTAgMTcyMiBMIDUxOSAxNzEyIEwgNTI2IDE3MDQgTCA1MzggMTY5MSBMIDU0NyAxNjgwIEwgNTU4IDE2NjcgTCA1NjYgMTY1NiBMIDU3OSAxNjQwIEwgNTkwIDE2MjYgTCA2MDYgMTYwNSBMIDYyMSAxNTgzIEwgNjMxIDE1NjkgTCA2NDUgMTU0OSBMIDY1NSAxNTMzIEwgNjcwIDE1MTAgTCA2ODUgMTQ4NSBMIDY5NiAxNDY3IEwgNzA2IDE0NDkgTCA3MzAgMTQwNSBMIDc0NSAxMzc0IEwgNzYyIDEzMzggTCA3NzQgMTMxMCBMIDc5MiAxMjY3IEwgODExIDEyMTYgTCA4MjcgMTE2NiBMIDg0MiAxMTE3IEwgODU4IDEwNTEgTCA4NzAgOTk2IEwgODc1IDk2NyBMIDg4MSA5MTcgTCA4ODYgODgyIEwgODkxIDg0NiBMIDg5NCA4MTIgTCA4OTYgNzc0IEwgODk2IDY1NSBMIDg5NSA2MzAgTCA4OTIgNTkzIEwgODg4IDU1OSBMIDg3NyA0NzAgTCA4NzIgNDQ1IEwgODY1IDQyNiBMIDg1NyA0MTEgTCA4NDcgMzk1IEwgODM0IDM3OCBMIDgxNCAzNTggTCA4MDAgMzQ3IEwgNzg1IDMzNyBMIDc2NiAzMjcgTCA3NTAgMzIxIEwgNzI3IDMxNSBMIDY5MyAzMDggTCA2NTAgMzAxIEwgNTk3IDI5MiBMIDU3MCAyODYgTCA1NDggMjgwIEwgNTE1IDI3MCBMIDQ4NyAyNjEgTCA0NTkgMjUwIEwgNDM4IDI0MSBMIDQxNCAyMzAgTCAzODIgMjEzIEwgMzU4IDE5OSBMIDM0NyAxOTIgTCAzMzAgMTgwIEwgMzEyIDE2NyBMIDMwMCAxNTcgTCAyODYgMTQ2IEwgMjcxIDEzMyBMIDI2MyAxMjYgTCAyNTEgMTE1IEwgMjQwIDEwNiBMIDIyOCA5NSBMIDIwMCA3MSBMIDE4OSA2MiBMIDE3NCA1MCBMIDE1OCAzOCBMIDE0MiAyNyBMIDEyNyAxOSBMIDExNSAxNCBMIDk1IDggTCA3MSAwIEwgMCAwIHogTSAzMCA2MjIgTCA1MSA2MjMgTCA3OSA2MjcgTCAxMDAgNjMzIEwgMTIxIDY0MSBMIDE0MSA2NTIgTCAxNTcgNjYzIEwgMTcyIDY3NiBMIDE4NiA2OTAgTCAxODYgNjkyIEwgMTg4IDY5MiBMIDIwNiA3MTYgTCAyMTYgNzM0IEwgMjIxIDc0NSBMIDIyNiA3NTggTCAyMzMgNzg0IEwgMjM2IDc5OCBMIDIzNyA4MDggTCAyMzcgODQwIEwgMjMzIDg2NSBMIDIyNiA4OTEgTCAyMTkgOTA5IEwgMjA5IDkyOCBMIDE5NSA5NDkgTCAxODYgOTU5IEwgMTc5IDk2NyBMIDE2NiA5ODAgTCAxNTUgOTg5IEwgMTQyIDk5OCBMIDEyNiAxMDA3IEwgMTEzIDEwMTIgTCAxMTQgMTAyNCBMIDEyMiAxMDYwIEwgMTM3IDExMjMgTCAxNTYgMTIwOCBMIDE3MCAxMjcxIEwgMTc0IDEyOTYgTCAxNzYgMTMxMCBMIDE3NiAxMzM1IEwgMTczIDEzNDkgTCAxNjYgMTM1OSBMIDE1NyAxMzY3IEwgMTQ2IDEzNzIgTCAxNDAgMTM3NCBMIDExOSAxMzc2IEwgNTEgMTM3NiBMIC0zMiAxMzc3IEwgLTY0IDEzNzcgTCAtNzggMTM3NCBMIC04NSAxMzcwIEwgLTk4IDEzNTkgTCAtMTA2IDEzNDkgTCAtMTEwIDEzNDEgTCAtMTEyIDEzMzMgTCAtMTEyIDEzMTggTCAtMTA3IDEyODggTCAtMTAwIDEyNTYgTCAtODUgMTE5NiBMIC02OSAxMTI0IEwgLTU3IDEwNzIgTCAtNTAgMTAzNiBMIC00NyAxMDExIEwgLTUzIDEwMDkgTCAtNjkgMTAwMSBMIC04MSA5OTQgTCAtOTMgOTg1IEwgLTEwMyA5NzYgTCAtMTExIDk2OSBMIC0xMjAgOTYwIEwgLTEzMSA5NDYgTCAtMTQyIDkyOSBMIC0xNTIgOTEwIEwgLTE2MCA4OTAgTCAtMTY2IDg3MCBMIC0xNjkgODUzIEwgLTE3MCA4NDQgTCAtMTcwIDgxNCBMIC0xNjcgNzk0IEwgLTE2MSA3NjcgTCAtMTU0IDc0NiBMIC0xMzcgNzEzIEwgLTEyNiA2OTggTCAtMTE5IDY5MCBMIC0xMDggNjc4IEwgLTkzIDY2NSBMIC03NyA2NTMgTCAtNTYgNjQxIEwgLTM4IDYzMyBMIC0xNiA2MjcgTCAzIDYyNCBMIDMwIDYyMiB6ICIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoOTkxKSIgc3R5bGU9ImZpbGw6I2ZmZmZmZiIgLz4KPC9zdmc+Cg==",
 		"icon_light": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAyMDQ4IDIwNDgiIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSg5OTEpIiBkPSJtMCAwaDcxbDI0IDggMjAgNiAxMiA1IDE1IDggMTYgMTEgMTYgMTIgMTUgMTIgMTEgOSAyOCAyNCAxMiAxMSAxMSA5IDEyIDExIDggNyAxNSAxMyAxNCAxMSAxMiAxMCAxOCAxMyAxNyAxMiAxMSA3IDI0IDE0IDMyIDE3IDI0IDExIDIxIDkgMjggMTEgMjggOSAzMyAxMCAyMiA2IDI3IDYgNTMgOSA0MyA3IDM0IDcgMjMgNiAxNiA2IDE5IDEwIDE1IDEwIDE0IDExIDIwIDIwIDEzIDE3IDEwIDE2IDggMTUgNyAxOSA1IDI1IDExIDg5IDQgMzQgMyAzNyAxIDI1djExOWwtMiAzOC0zIDM0LTUgMzYtNSAzNS02IDUwLTUgMjktMTIgNTUtMTYgNjYtMTUgNDktMTYgNTAtMTkgNTEtMTggNDMtMTIgMjgtMTcgMzYtMTUgMzEtMjQgNDQtMTAgMTgtMTEgMTgtMTUgMjUtMTUgMjMtMTAgMTYtMTQgMjAtMTAgMTQtMTUgMjItMTYgMjEtMTEgMTQtMTMgMTYtOCAxMS0xMSAxMy05IDExLTEyIDEzLTcgOC05IDEwLTcgOC0xNiAxNy04IDloLTJsLTIgNC00OSA0OS04IDctNyA3LTggNy03IDctMTEgOS0zIDNoLTJ2MmwtMTEgOS0xMSAxMC05IDctMTEgMTAtMTQgMTEtMTggMTMtMTEgOS0xMSA4LTE4IDEzLTM1IDI0LTIxIDE0LTI0IDE1LTE5IDExLTE4IDEwLTI4IDE0LTIxIDgtMjcgNy0xMiAzLTEgMWgtNDhsLTQ0LTExLTIwLTctMjAtOS0xNi04LTI0LTEzLTIxLTEzLTE1LTEwLTIwLTE0LTE2LTExLTEyLTktMTktMTQtMTMtMTAtMTYtMTItMTctMTQtMTAtOC0xNy0xNC0yNi0yMi0xMy0xMi04LTctMTYtMTUtMTctMTYtNTctNTctNy04LTEwLTEwLTctOC0xMS0xMi0xMC0xMS05LTExLTI4LTM0LTEzLTE2LTEzLTE3LTExLTE1LTE0LTE5LTEzLTE4LTEzLTE5LTEwLTE1LTEzLTIwLTEzLTIxLTE5LTMyLTE0LTI1LTE1LTI4LTIxLTQyLTE1LTMzLTE2LTM4LTE0LTM2LTEwLTI5LTctMTgtMTQtNDUtMTgtNjQtNi0yNi0xMS01Mi0xMi02My00LTI5LTYtNjItNi03Mi0zLTUyLTEtMzB2LTU5bDItNjEgMy00NyA1LTQ1IDYtMzUgNi0xOCA5LTE5IDEwLTE4IDEwLTE1IDgtMTAgNS02aDJsMi00IDgtOCAxMS05IDEwLTcgMjEtMTMgMTYtOCAxNy02IDM0LTggMzItNyA2NC0xMSA0OS05IDMwLTggMjMtOCA0Mi0xNCAyMS05IDMzLTE1IDIzLTExIDIxLTEyIDE4LTEwIDIxLTE0IDIwLTEzIDExLTggMTMtMTAgMTQtMTEgMTEtOSAxMy0xMSA4LTcgOS05aDJ2LTJsOC03IDEwLTEwaDJsMS0zIDgtNyAxMy0xMyAxMS05IDctNyAxOS0xNCAxNC05IDE5LTExIDE5LTcgMjMtNyAxMC0zeiIgZmlsbD0iI0YxODQyOSIvPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxMDIxLDYyMikiIGQ9Im0wIDAgMjEgMSAyOCA0IDIxIDYgMjEgOCAyMCAxMSAxNiAxMSAxNSAxMyAxNCAxNHYyaDJsMTggMjQgMTAgMTggNSAxMSA1IDEzIDcgMjYgMyAxNCAxIDEwdjMybC00IDI1LTcgMjYtNyAxOC0xMCAxOS0xNCAyMS05IDEwLTcgOC0xMyAxMy0xMSA5LTEzIDktMTYgOS0xMyA1IDEgMTIgOCAzNiAxNSA2MyAxOSA4NSAxNCA2MyA0IDI1IDIgMTR2MjVsLTMgMTQtNyAxMC05IDgtMTEgNS02IDItMjEgMmgtNjhsLTgzIDFoLTMybC0xNC0zLTctNC0xMy0xMS04LTEwLTQtOC0yLTh2LTE1bDUtMzAgNy0zMiAxNS02MCAxNi03MiAxMi01MiA3LTM2IDMtMjUtNi0yLTE2LTgtMTItNy0xMi05LTEwLTktOC03LTktOS0xMS0xNC0xMS0xNy0xMC0xOS04LTIwLTYtMjAtMy0xNy0xLTl2LTMwbDMtMjAgNi0yNyA3LTIxIDE3LTMzIDExLTE1IDctOCAxMS0xMiAxNS0xMyAxNi0xMiAyMS0xMiAxOC04IDIyLTYgMTktM3oiIGZpbGw9IiNGRUZGRkUiLz4KPC9zdmc+Cg=="
-	},
-    "a10c6dd9-465e-4226-8198-c7c44b91c555": {
-        "name": "Kaspersky Password Manager",
-        "icon_dark": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg==",
-        "icon_light": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg=="
-    }
-}
+	}
+}
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/email/migrations/0005_alter_emailstage_token_expiry.py
+++ b/authentik/stages/email/migrations/0005_alter_emailstage_token_expiry.py
@ -1,54 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-27 04:32
-
-import authentik.lib.utils.time
-from authentik.lib.utils.time import timedelta_from_string
-from django.db import migrations, models
-
-
-def convert_integer_to_string_format(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    EmailStage = apps.get_model("authentik_stages_email", "EmailStage")
-    for stage in EmailStage.objects.using(db_alias).all():
-        stage.token_expiry = f"minutes={stage.token_expiry}"
-        stage.save(using=db_alias)
-
-
-def convert_string_to_integer_format(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    EmailStage = apps.get_model("authentik_stages_email", "EmailStage")
-    for stage in EmailStage.objects.using(db_alias).all():
-        # Check if token_expiry is a string
-        if isinstance(stage.token_expiry, str):
-            try:
-                # Use the timedelta_from_string utility to convert to timedelta
-                # then convert to minutes by dividing seconds by 60
-                td = timedelta_from_string(stage.token_expiry)
-                minutes_value = int(td.total_seconds() / 60)
-                stage.token_expiry = minutes_value
-                stage.save(using=db_alias)
-            except (ValueError, TypeError):
-                # If the string can't be parsed or converted properly, skip
-                pass
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_stages_email", "0004_emailstage_activate_user_on_success"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="emailstage",
-            name="token_expiry",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-        migrations.RunPython(
-            convert_integer_to_string_format,
-            convert_string_to_integer_format,
-        ),
-    ]
--- a/authentik/stages/email/models.py
+++ b/authentik/stages/email/models.py
@ -14,7 +14,6 @@ from structlog.stdlib import get_logger

 from authentik.flows.models import Stage
 from authentik.lib.config import CONFIG
-from authentik.lib.utils.time import timedelta_string_validator

 LOGGER = get_logger()

@ -75,10 +74,8 @@ class EmailStage(Stage):
        default=False, help_text=_("Activate users upon completion of stage.")
    )

-    token_expiry = models.TextField(
-        default="minutes=30",
-        validators=[timedelta_string_validator],
-        help_text=_("Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."),
+    token_expiry = models.IntegerField(
+        default=30, help_text=_("Time in minutes the token sent is valid.")
    )
    subject = models.TextField(default="authentik")
    template = models.TextField(default=EmailTemplates.PASSWORD_RESET)
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -22,7 +22,6 @@ from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDI
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
 from authentik.lib.utils.errors import exception_to_string
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -74,8 +73,8 @@ class EmailStageView(ChallengeStageView):
        """Get token"""
        pending_user = self.get_pending_user()
        current_stage: EmailStage = self.executor.current_stage
-        valid_delta = timedelta_from_string(current_stage.token_expiry) + timedelta(
-            minutes=1
+        valid_delta = timedelta(
+            minutes=current_stage.token_expiry + 1
        )  # + 1 because django timesince always rounds down
        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
        # Don't check for validity here, we only care if the token exists
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -12,7 +12,6 @@ from structlog.stdlib import get_logger

 from authentik.events.models import Event, EventAction, TaskStatus
 from authentik.events.system_tasks import SystemTask
-from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
@ -33,10 +32,9 @@ def send_mails(
        Celery group promise for the email sending tasks
    """
    tasks = []
-    # Use the class path instead of the class itself for serialization
-    stage_class_path = class_to_path(stage.__class__)
+    stage_class = stage.__class__
    for message in messages:
-        tasks.append(send_mail.s(message.__dict__, stage_class_path, str(stage.pk)))
+        tasks.append(send_mail.s(message.__dict__, stage_class, str(stage.pk)))
    lazy_group = group(*tasks)
    promise = lazy_group()
    return promise
@ -63,7 +61,7 @@ def get_email_body(email: EmailMultiAlternatives) -> str:
 def send_mail(
    self: SystemTask,
    message: dict[Any, Any],
-    stage_class_path: str | None = None,
+    stage_class: EmailStage | AuthenticatorEmailStage = EmailStage,
    email_stage_pk: str | None = None,
 ):
    """Send Email for Email Stage. Retries are scheduled automatically."""
@ -71,10 +69,9 @@ def send_mail(
    message_id = make_msgid(domain=DNS_NAME)
    self.set_uid(slugify(message_id.replace(".", "_").replace("@", "_")))
    try:
-        if not stage_class_path or not email_stage_pk:
-            stage = EmailStage(use_global_settings=True)
+        if not email_stage_pk:
+            stage: EmailStage | AuthenticatorEmailStage = stage_class(use_global_settings=True)
        else:
-            stage_class = path_to_class(stage_class_path)
            stages = stage_class.objects.filter(pk=email_stage_pk)
            if not stages.exists():
                self.set_status(
--- a/authentik/stages/email/tests/test_tasks.py
+++ b/authentik/stages/email/tests/test_tasks.py
@ -1,58 +0,0 @@
-"""Test email stage tasks"""
-
-from unittest.mock import patch
-
-from django.core.mail import EmailMultiAlternatives
-from django.test import TestCase
-
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.utils.reflection import class_to_path
-from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
-from authentik.stages.email.models import EmailStage
-from authentik.stages.email.tasks import get_email_body, send_mails
-
-
-class TestEmailTasks(TestCase):
-    """Test email stage tasks"""
-
-    def setUp(self):
-        self.user = create_test_admin_user()
-        self.stage = EmailStage.objects.create(
-            name="test-email",
-            use_global_settings=True,
-        )
-        self.auth_stage = AuthenticatorEmailStage.objects.create(
-            name="test-auth-email",
-            use_global_settings=True,
-        )
-
-    def test_get_email_body_html(self):
-        """Test get_email_body with HTML alternative"""
-        message = EmailMultiAlternatives()
-        message.body = "plain text"
-        message.attach_alternative("<p>html content</p>", "text/html")
-        self.assertEqual(get_email_body(message), "<p>html content</p>")
-
-    def test_get_email_body_plain(self):
-        """Test get_email_body with plain text only"""
-        message = EmailMultiAlternatives()
-        message.body = "plain text"
-        self.assertEqual(get_email_body(message), "plain text")
-
-    def test_send_mails_email_stage(self):
-        """Test send_mails with EmailStage"""
-        message = EmailMultiAlternatives()
-        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
-            send_mails(self.stage, message)
-            mock_send.s.assert_called_once_with(
-                message.__dict__, class_to_path(EmailStage), str(self.stage.pk)
-            )
-
-    def test_send_mails_authenticator_stage(self):
-        """Test send_mails with AuthenticatorEmailStage"""
-        message = EmailMultiAlternatives()
-        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
-            send_mails(self.auth_stage, message)
-            mock_send.s.assert_called_once_with(
-                message.__dict__, class_to_path(AuthenticatorEmailStage), str(self.auth_stage.pk)
-            )
--- a/blueprints/default/flow-default-authenticator-totp-setup.yaml
+++ b/blueprints/default/flow-default-authenticator-totp-setup.yaml
@ -5,7 +5,7 @@ entries:
 - attrs:
    designation: stage_configuration
    name: default-authenticator-totp-setup
-    title: Set up Two-Factor authentication
+    title: Setup Two-Factor authentication
    authentication: require_authenticated
  identifiers:
    slug: default-authenticator-totp-setup
--- a/blueprints/example/flows-recovery-email-verification.yaml
+++ b/blueprints/example/flows-recovery-email-verification.yaml
@ -57,7 +57,7 @@ entries:
      use_ssl: false
      timeout: 10
      from_address: system@authentik.local
-      token_expiry: minutes=30
+      token_expiry: 30
      subject: authentik
      template: email/password_reset.html
      activate_user_on_success: true
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.1 Blueprint schema",
+    "title": "authentik 2025.2.0 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -6661,16 +6661,6 @@
                    "title": "Token",
                    "description": "Authentication token"
                },
-                "compatibility_mode": {
-                    "type": "string",
-                    "enum": [
-                        "default",
-                        "aws",
-                        "slack"
-                    ],
-                    "title": "SCIM Compatibility Mode",
-                    "description": "Alter authentik behavior for vendor-specific SCIM implementations."
-                },
                "exclude_users_service_account": {
                    "type": "boolean",
                    "title": "Exclude users service account"
@ -6679,11 +6669,6 @@
                    "type": "string",
                    "format": "uuid",
                    "title": "Filter group"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                }
            },
            "required": []
@ -11379,10 +11364,11 @@
                    "title": "From address"
                },
                "token_expiry": {
-                    "type": "string",
-                    "minLength": 1,
+                    "type": "integer",
+                    "minimum": -2147483648,
+                    "maximum": 2147483647,
                    "title": "Token expiry",
-                    "description": "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+                    "description": "Time in minutes the token sent is valid."
                },
                "subject": {
                    "type": "string",
@ -14210,11 +14196,6 @@
                    "type": "string",
                    "minLength": 1,
                    "title": "Default group email domain"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                }
            },
            "required": []
@ -14363,11 +14344,6 @@
                        "suspend"
                    ],
                    "title": "Group delete action"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                }
            },
            "required": []
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -1,12 +1,12 @@
 module goauthentik.io

-go 1.23.0
+go 1.23

-toolchain go1.24.0
+toolchain go1.23.0

 require (
 	beryju.io/ldap v0.1.0
-	github.com/coreos/go-oidc/v3 v3.13.0
+	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/getsentry/sentry-go v0.31.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.10
@ -22,17 +22,17 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
-	github.com/prometheus/client_golang v1.21.1
-	github.com/redis/go-redis/v9 v9.7.1
+	github.com/prometheus/client_golang v1.20.5
+	github.com/redis/go-redis/v9 v9.7.0
 	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025021.4
+	goauthentik.io/api/v3 v3.2024123.6
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.12.0
+	golang.org/x/oauth2 v0.26.0
+	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -48,7 +48,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@ -62,23 +62,23 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/protobuf v1.36.1 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -55,8 +55,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -84,8 +84,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@ -207,8 +207,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
+github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@ -239,17 +239,17 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
-github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.7.1 h1:4LhKRCIduqXqtvCUlaq9c8bdHOkICjDMrr1+Zb3osAc=
-github.com/redis/go-redis/v9 v9.7.1/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
+github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025021.4 h1:KFap2KW+8CwhOxjBkRnRB4flvuHEMw24+fZei9dOhzw=
-goauthentik.io/api/v3 v3.2025021.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024123.6 h1:AGOCa7Fc/9eONCPEW4sEhTiyEBvxN57Lfqz1zm6Gy98=
+goauthentik.io/api/v3 v3.2024123.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -312,9 +312,8 @@ golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -386,17 +385,16 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -411,8 +409,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -449,9 +447,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -472,9 +469,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -599,8 +595,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.2.1"
+const VERSION = "2025.2.0"
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1004.0",
+                "aws-cdk": "^2.179.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1004.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1004.0.tgz",
-            "integrity": "sha512-3E5ICmSc7ZCZCwLX7NY+HFmmdUYgRaL+67h/BDoDQmkhx9StC8wG4xgzHFY9k8WQS0+ib/MP28f2d9yzHtQLlQ==",
+            "version": "2.179.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.179.0.tgz",
+            "integrity": "sha512-aA2+8S2g4UBQHkUEt0mYd16VLt/ucR+QfyUJi34LDKRAhOCNDjPCZ4z9z/JEDyuni0BdzsYA55pnpDN9tMULpA==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1004.0",
+        "aws-cdk": "^2.179.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.2.1
+    Default: 2025.2.0
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@ -63,9 +63,7 @@ def wait_for_db():
    # Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
    if CONFIG.get("secret_key") is None or len(CONFIG.get("secret_key")) == 0:
        CONFIG.log("info", "----------------------------------------------------------------------")
-        CONFIG.log(
-            "info", "Secret key missing, check https://docs.goauthentik.io/docs/install-config/"
-        )
+        CONFIG.log("info", "Secret key missing, check https://goauthentik.io/docs/installation/.")
        CONFIG.log("info", "----------------------------------------------------------------------")
        sysexit(1)
    check_postgres()
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-13 00:10+0000\n"
+"POT-Creation-Date: 2025-02-14 14:49+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -109,10 +109,6 @@ msgstr ""
 msgid "Extra description not available"
 msgstr ""

-#: authentik/core/api/groups.py
-msgid "Cannot set group as parent of itself."
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -156,14 +152,6 @@ msgstr ""
 msgid "Remove user from group"
 msgstr ""

-#: authentik/core/models.py
-msgid "Enable superuser status"
-msgstr ""
-
-#: authentik/core/models.py
-msgid "Disable superuser status"
-msgstr ""
-
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr ""
@ -512,6 +500,57 @@ msgstr ""
 msgid "Microsoft Entra Provider Mappings"
 msgstr ""

+#: authentik/enterprise/providers/rac/models.py
+#: authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Providers"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr ""
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr ""
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -612,7 +651,7 @@ msgstr ""
 msgid "Slack Webhook (Slack/Discord)"
 msgstr ""

-#: authentik/events/models.py authentik/stages/authenticator_validate/models.py
+#: authentik/events/models.py
 msgid "Email"
 msgstr ""

@ -865,12 +904,6 @@ msgstr ""
 msgid "Invalid next URL"
 msgstr ""

-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr ""
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr ""
@ -885,10 +918,6 @@ msgstr ""
 msgid "Syncing page {page} of groups"
 msgstr ""

-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr ""
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@ -1076,14 +1105,6 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr ""

-#: authentik/policies/geoip/models.py
-msgid "Distance from previous authentication is larger than threshold."
-msgstr ""
-
-#: authentik/policies/geoip/models.py
-msgid "Distance is further than possible."
-msgstr ""
-
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr ""
@ -1375,14 +1396,6 @@ msgstr ""
 msgid "ES256 (Asymmetric Encryption)"
 msgstr ""

-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr ""
@ -1630,56 +1643,6 @@ msgstr ""
 msgid "Proxy Providers"
 msgstr ""

-#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Providers"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr ""
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr ""
-
-#: authentik/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr ""
-
-#: authentik/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr ""
-
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@ -1883,18 +1846,6 @@ msgstr ""
 msgid "SAML Providers from Metadata"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Default"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "AWS"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "Slack"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr ""
@ -1903,14 +1854,6 @@ msgstr ""
 msgid "Authentication token"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "SCIM Compatibility Mode"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "Alter authentik behavior for vendor-specific SCIM implementations."
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr ""
@ -2543,99 +2486,6 @@ msgstr ""
 msgid "Duo Devices"
 msgstr ""

-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stage"
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stages"
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Device"
-msgstr ""
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Devices"
-msgstr ""
-
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr ""
-
-#: authentik/stages/authenticator_email/stage.py
-msgid "Invalid email"
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-msgid ""
-"\n"
-"          Email MFA code.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#, python-format
-msgid ""
-"\n"
-"    If you did not request this code, please ignore this email. The code "
-"above is valid for %(expires)s.\n"
-"    "
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-msgid ""
-"\n"
-"Email MFA code\n"
-msgstr ""
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#, python-format
-msgid ""
-"\n"
-"If you did not request this code, please ignore this email. The code above "
-"is valid for %(expires)s.\n"
-msgstr ""
-
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2668,6 +2518,11 @@ msgstr ""
 msgid "SMS Devices"
 msgstr ""

+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr ""
+
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr ""
@ -2890,10 +2745,20 @@ msgstr ""
 msgid "Account Confirmation"
 msgstr ""

+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr ""

+#: authentik/stages/email/models.py
+msgid "Time in minutes the token sent is valid."
+msgstr ""
+
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr ""
@ -2902,6 +2767,10 @@ msgstr ""
 msgid "Email Stages"
 msgstr ""

+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr ""
+
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr ""
@ -2976,6 +2845,14 @@ msgid ""
 "This email was sent from the notification transport %(name)s.\n"
 msgstr ""

+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -2993,6 +2870,11 @@ msgid ""
 "    "
 msgstr ""

+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -9,9 +9,9 @@
 # Kyllian Delaye-Maillot, 2023
 # Manuel Viens, 2023
 # Mordecai, 2023
+# Charles Leclerc, 2024
 # nerdinator <florian.dupret@gmail.com>, 2024
 # Tina, 2024
-# Charles Leclerc, 2025
 # Marc Schmitt, 2025
 # 
 #, fuzzy
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-13 00:10+0000\n"
+"POT-Creation-Date: 2025-02-14 14:49+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -129,10 +129,6 @@ msgstr "L'utilisateur n'a pas accès à l'application."
 msgid "Extra description not available"
 msgstr "Description supplémentaire indisponible"

-#: authentik/core/api/groups.py
-msgid "Cannot set group as parent of itself."
-msgstr "Impossible de définir le groupe en tant que parent de lui-même."
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -181,14 +177,6 @@ msgstr "Ajouter un utilisateur au groupe"
 msgid "Remove user from group"
 msgstr "Retirer l'utilisateur du groupe"

-#: authentik/core/models.py
-msgid "Enable superuser status"
-msgstr "Activer le statut super-utilisateur"
-
-#: authentik/core/models.py
-msgid "Disable superuser status"
-msgstr "Désactiver le statut super-utilisateur"
-
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nom d'affichage de l'utilisateur"
@ -565,6 +553,61 @@ msgstr "Mappage de propriété Microsoft Entra"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Mappages de propriété Microsoft Entra"

+#: authentik/enterprise/providers/rac/models.py
+#: authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
+"session dure jusqu'à la fermeture du navigateur. (Format : "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "Fournisseur RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "Fournisseurs RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "Point de terminaison RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "Points de terminaison RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "Mappage de propriété fournisseur RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "Mappages de propriété fournisseur RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "Jeton de connexion RAC"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "Jeton de connexions RAC"
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Limite maximum de connection atteinte."
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -672,7 +715,6 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Webhook Slack (ou Discord)"

 #: authentik/events/models.py
-#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Courriel"

@ -948,14 +990,6 @@ msgstr "Jetons du flux"
 msgid "Invalid next URL"
 msgstr "URL suivante invalide"

-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr ""
-"Si activé, le fournisseur ne changera ou ne créera pas d'objets auprès du "
-"système distant."
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Démarrage d'une synchronisation complète du fournisseur"
@ -970,10 +1004,6 @@ msgstr "Synchronisation de la page {page} d'utilisateurs"
 msgid "Syncing page {page} of groups"
 msgstr "Synchronisation de la page {page} de groupes"

-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "Abandon de la requête de mutation en raison d'une simulation"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@ -1189,16 +1219,6 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr "L'IP du client ne fait pas partie d'un pays autorisé."

-#: authentik/policies/geoip/models.py
-msgid "Distance from previous authentication is larger than threshold."
-msgstr ""
-"La distance par rapport à l'authentification précédente est supérieure au "
-"seuil."
-
-#: authentik/policies/geoip/models.py
-msgid "Distance is further than possible."
-msgstr "La distance est plus grande que possible."
-
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "Politique GeoIP"
@ -1522,14 +1542,6 @@ msgstr "RS256 (chiffrement asymétrique)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (Chiffrement Asymétrique)"

-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384 (chiffrement asymétrique)"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512 (chiffrement asymétrique)"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Portées utilisées par le client"
@ -1813,60 +1825,6 @@ msgstr "Fournisseur Proxy"
 msgid "Proxy Providers"
 msgstr "Fournisseur de Proxy"

-#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
-"session dure jusqu'à la fermeture du navigateur. (Format : "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "Fournisseur RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "Fournisseurs RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "Point de terminaison RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "Points de terminaison RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "Mappage de propriété fournisseur RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "Mappages de propriété fournisseur RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "Jeton de connexion RAC"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "Jeton de connexions RAC"
-
-#: authentik/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Limite maximum de connection atteinte."
-
-#: authentik/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
-
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@ -2097,18 +2055,6 @@ msgstr "Fournisseur SAML depuis métadonnées"
 msgid "SAML Providers from Metadata"
 msgstr "Fournisseurs SAML depuis métadonnées"

-#: authentik/providers/scim/models.py
-msgid "Default"
-msgstr "Par défaut"
-
-#: authentik/providers/scim/models.py
-msgid "AWS"
-msgstr "AWS"
-
-#: authentik/providers/scim/models.py
-msgid "Slack"
-msgstr "Slack"
-
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "URL de base pour les requêtes SCIM, se terminant généralement par /v2"
@ -2117,16 +2063,6 @@ msgstr "URL de base pour les requêtes SCIM, se terminant généralement par /v2
 msgid "Authentication token"
 msgstr "Jeton d'authentification"

-#: authentik/providers/scim/models.py
-msgid "SCIM Compatibility Mode"
-msgstr "Mode de compatibilité SCIM"
-
-#: authentik/providers/scim/models.py
-msgid "Alter authentik behavior for vendor-specific SCIM implementations."
-msgstr ""
-"Change le comportement d'authentik en fonction des spécificités "
-"d'implémentations des fournisseurs SCIM."
-
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "Fournisseur SCIM"
@ -2805,113 +2741,6 @@ msgstr "Appareil Duo"
 msgid "Duo Devices"
 msgstr "Appareils Duo"

-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr "OTP Courriel"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
-"les paramètres de connexion ci-dessous seront ignorés."
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
-msgstr ""
-"Durée de validité du jeton envoyé (Format : hours=3,minutes=17,seconds=300)."
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stage"
-msgstr "Étape de configuration de l'authentificateur courriel"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stages"
-msgstr "Étapes de configuration de l'authentificateur courriel"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "Une erreur s'est produite lors de la modélisation du couriel"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Device"
-msgstr "Équipement courriel"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Devices"
-msgstr "Équipements courriel"
-
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Le Code ne correspond pas"
-
-#: authentik/stages/authenticator_email/stage.py
-msgid "Invalid email"
-msgstr "Courriel invalide"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Salut %(username)s,\n"
-"     "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-msgid ""
-"\n"
-"          Email MFA code.\n"
-"          "
-msgstr ""
-"\n"
-"          Code MFA envoyé par courriel.\n"
-"          "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#, python-format
-msgid ""
-"\n"
-"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-"    "
-msgstr ""
-"\n"
-"    Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
-"    "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Bonjour %(username)s,"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-msgid ""
-"\n"
-"Email MFA code\n"
-msgstr ""
-"\n"
-"Code MFA envoyé par e-mail\n"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#, python-format
-msgid ""
-"\n"
-"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-msgstr ""
-"\n"
-"Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
-
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2949,6 +2778,11 @@ msgstr "Appareil SMS"
 msgid "SMS Devices"
 msgstr "Appareils SMS"

+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Le Code ne correspond pas"
+
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Numéro de téléphone invalide"
@ -3187,10 +3021,22 @@ msgstr "Réinitialiser le Mot de Passe"
 msgid "Account Confirmation"
 msgstr "Confirmation du Compte"

+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
+"les paramètres de connexion ci-dessous seront ignorés."
+
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Activer les utilisateurs à la complétion de l'étape."

+#: authentik/stages/email/models.py
+msgid "Time in minutes the token sent is valid."
+msgstr "Temps en minutes durant lequel le jeton envoyé est valide."
+
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "Étape Email"
@ -3199,6 +3045,10 @@ msgstr "Étape Email"
 msgid "Email Stages"
 msgstr "Étape Email"

+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "Une erreur s'est produite lors de la modélisation du couriel"
+
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Email vérifié avec succès."
@ -3283,6 +3133,17 @@ msgstr ""
 "\n"
 "Cet email a été envoyé depuis le transport de notification %(name)s.\n"

+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Salut %(username)s,\n"
+"     "
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -3304,6 +3165,11 @@ msgstr ""
 "    Si vous n'avez pas requis de changement de mot de passe, veuillez ignorer cet e-mail. Le lien ci-dessus est valide pendant %(expires)s.\n"
 "    "

+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Bonjour %(username)s,"
+
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/nl/LC_MESSAGES/django.mo
+++ b/locale/nl/LC_MESSAGES/django.mo
--- a/locale/ru/LC_MESSAGES/django.mo
+++ b/locale/ru/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -7,7 +7,7 @@
 # Chen Zhikai, 2022
 # 刘松, 2022
 # Tianhao Chai <cth451@gmail.com>, 2024
-# Jens L. <jens@goauthentik.io>, 2025
+# Jens L. <jens@goauthentik.io>, 2024
 # deluxghost, 2025
 # 
 #, fuzzy
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-13 00:10+0000\n"
+"POT-Creation-Date: 2025-02-14 14:49+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -118,10 +118,6 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"

-#: authentik/core/api/groups.py
-msgid "Cannot set group as parent of itself."
-msgstr "无法设置组自身为父级。"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -166,14 +162,6 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"

-#: authentik/core/models.py
-msgid "Enable superuser status"
-msgstr "启用超级用户状态"
-
-#: authentik/core/models.py
-msgid "Disable superuser status"
-msgstr "禁用超级用户状态"
-
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@ -522,6 +510,57 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"

+#: authentik/enterprise/providers/rac/models.py
+#: authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -623,7 +662,6 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"

 #: authentik/events/models.py
-#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"

@ -878,12 +916,6 @@ msgstr "流程令牌"
 msgid "Invalid next URL"
 msgstr "无效的 next URL"

-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr "启用时，提供程序将不会在远程系统上修改或创建对象。"
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
@ -898,10 +930,6 @@ msgstr "正在同步用户页面 {page}"
 msgid "Syncing page {page} of groups"
 msgstr "正在同步群组页面 {page}"

-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "由于启用了试运行，已放弃变更请求"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@ -1091,14 +1119,6 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"

-#: authentik/policies/geoip/models.py
-msgid "Distance from previous authentication is larger than threshold."
-msgstr "与上一次身份验证的距离超过阈值。"
-
-#: authentik/policies/geoip/models.py
-msgid "Distance is further than possible."
-msgstr "距离大幅超过可能值。"
-
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@ -1399,14 +1419,6 @@ msgstr "RS256（非对称加密）"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256（非对称加密）"

-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384（非对称加密）"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512（非对称加密）"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "客户端使用的作用域"
@ -1656,56 +1668,6 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"

-#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "用于哈希处理数据包的客户端服务端共享密钥。"
@ -1909,18 +1871,6 @@ msgstr "来自元数据的 SAML 提供程序"
 msgid "SAML Providers from Metadata"
 msgstr "来自元数据的 SAML 提供程序"

-#: authentik/providers/scim/models.py
-msgid "Default"
-msgstr "默认"
-
-#: authentik/providers/scim/models.py
-msgid "AWS"
-msgstr "AWS"
-
-#: authentik/providers/scim/models.py
-msgid "Slack"
-msgstr "Slack"
-
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "SCIM 请求的基础 URL，通常以 /v2 结尾"
@ -1929,14 +1879,6 @@ msgstr "SCIM 请求的基础 URL，通常以 /v2 结尾"
 msgid "Authentication token"
 msgstr "身份验证令牌"

-#: authentik/providers/scim/models.py
-msgid "SCIM Compatibility Mode"
-msgstr "SCIM 兼容模式"
-
-#: authentik/providers/scim/models.py
-msgid "Alter authentik behavior for vendor-specific SCIM implementations."
-msgstr "更改 authentik 的行为，以兼容特定厂商的 SCIM 实现。"
-
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "SCIM 提供程序"
@ -2579,110 +2521,6 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"

-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr "电子邮件 OTP"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
-msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stage"
-msgstr "电子邮件身份验证器设置阶段"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stages"
-msgstr "电子邮件身份验证器设置阶段"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Device"
-msgstr "电子邮件设备"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Devices"
-msgstr "电子邮件设备"
-
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
-#: authentik/stages/authenticator_email/stage.py
-msgid "Invalid email"
-msgstr "无效电子邮件"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-msgid ""
-"\n"
-"          Email MFA code.\n"
-"          "
-msgstr ""
-"\n"
-"          电子邮件 MFA 代码。\n"
-"          "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#, python-format
-msgid ""
-"\n"
-"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-"    "
-msgstr ""
-"\n"
-"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
-"    "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-msgid ""
-"\n"
-"Email MFA code\n"
-msgstr ""
-"\n"
-"电子邮件 MFA 代码\n"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#, python-format
-msgid ""
-"\n"
-"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-msgstr ""
-"\n"
-"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
-
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2715,6 +2553,11 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"

+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@ -2937,10 +2780,20 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"

+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"

+#: authentik/stages/email/models.py
+msgid "Time in minutes the token sent is valid."
+msgstr "发出令牌的有效时间（单位为分钟）。"
+
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "电子邮件阶段"
@ -2949,6 +2802,10 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"

+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@ -3029,6 +2886,17 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"

+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -3050,6 +2918,11 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "

+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -6,7 +6,7 @@
 # Translators:
 # Chen Zhikai, 2022
 # 刘松, 2022
-# Jens L. <jens@goauthentik.io>, 2025
+# Jens L. <jens@goauthentik.io>, 2024
 # deluxghost, 2025
 # 
 #, fuzzy
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-13 00:10+0000\n"
+"POT-Creation-Date: 2025-02-14 14:49+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -117,10 +117,6 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"

-#: authentik/core/api/groups.py
-msgid "Cannot set group as parent of itself."
-msgstr "无法设置组自身为父级。"
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -165,14 +161,6 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"

-#: authentik/core/models.py
-msgid "Enable superuser status"
-msgstr "启用超级用户状态"
-
-#: authentik/core/models.py
-msgid "Disable superuser status"
-msgstr "禁用超级用户状态"
-
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@ -521,6 +509,57 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"

+#: authentik/enterprise/providers/rac/models.py
+#: authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/enterprise/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/enterprise/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -622,7 +661,6 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"

 #: authentik/events/models.py
-#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"

@ -877,12 +915,6 @@ msgstr "流程令牌"
 msgid "Invalid next URL"
 msgstr "无效的 next URL"

-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr "启用时，提供程序将不会在远程系统上修改或创建对象。"
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
@ -897,10 +929,6 @@ msgstr "正在同步用户页面 {page}"
 msgid "Syncing page {page} of groups"
 msgstr "正在同步群组页面 {page}"

-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "由于启用了试运行，已放弃变更请求"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@ -1090,14 +1118,6 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"

-#: authentik/policies/geoip/models.py
-msgid "Distance from previous authentication is larger than threshold."
-msgstr "与上一次身份验证的距离超过阈值。"
-
-#: authentik/policies/geoip/models.py
-msgid "Distance is further than possible."
-msgstr "距离大幅超过可能值。"
-
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@ -1398,14 +1418,6 @@ msgstr "RS256（非对称加密）"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256（非对称加密）"

-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384（非对称加密）"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512（非对称加密）"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "客户端使用的作用域"
@ -1655,56 +1667,6 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"

-#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "在客户端和服务端之间共享密钥以哈希数据包。"
@ -1908,18 +1870,6 @@ msgstr "来自元数据的 SAML 提供程序"
 msgid "SAML Providers from Metadata"
 msgstr "来自元数据的 SAML 提供程序"

-#: authentik/providers/scim/models.py
-msgid "Default"
-msgstr "默认"
-
-#: authentik/providers/scim/models.py
-msgid "AWS"
-msgstr "AWS"
-
-#: authentik/providers/scim/models.py
-msgid "Slack"
-msgstr "Slack"
-
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
 msgstr "SCIM 请求的基础 URL，通常以 /v2 结尾"
@ -1928,14 +1878,6 @@ msgstr "SCIM 请求的基础 URL，通常以 /v2 结尾"
 msgid "Authentication token"
 msgstr "身份验证令牌"

-#: authentik/providers/scim/models.py
-msgid "SCIM Compatibility Mode"
-msgstr "SCIM 兼容模式"
-
-#: authentik/providers/scim/models.py
-msgid "Alter authentik behavior for vendor-specific SCIM implementations."
-msgstr "更改 authentik 的行为，以兼容特定厂商的 SCIM 实现。"
-
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
 msgstr "SCIM 提供程序"
@ -2578,110 +2520,6 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"

-#: authentik/stages/authenticator_email/models.py
-msgid "Email OTP"
-msgstr "电子邮件 OTP"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/email/models.py
-msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
-msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stage"
-msgstr "电子邮件身份验证器设置阶段"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Authenticator Setup Stages"
-msgstr "电子邮件身份验证器设置阶段"
-
-#: authentik/stages/authenticator_email/models.py
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Device"
-msgstr "电子邮件设备"
-
-#: authentik/stages/authenticator_email/models.py
-msgid "Email Devices"
-msgstr "电子邮件设备"
-
-#: authentik/stages/authenticator_email/stage.py
-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
-#: authentik/stages/authenticator_email/stage.py
-msgid "Invalid email"
-msgstr "无效电子邮件"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-msgid ""
-"\n"
-"          Email MFA code.\n"
-"          "
-msgstr ""
-"\n"
-"          电子邮件 MFA 代码。\n"
-"          "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.html
-#, python-format
-msgid ""
-"\n"
-"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-"    "
-msgstr ""
-"\n"
-"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
-"    "
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-msgid ""
-"\n"
-"Email MFA code\n"
-msgstr ""
-"\n"
-"电子邮件 MFA 代码\n"
-
-#: authentik/stages/authenticator_email/templates/email/email_otp.txt
-#, python-format
-msgid ""
-"\n"
-"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
-msgstr ""
-"\n"
-"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
-
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2714,6 +2552,11 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"

+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@ -2936,10 +2779,20 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"

+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"

+#: authentik/stages/email/models.py
+msgid "Time in minutes the token sent is valid."
+msgstr "发出令牌的有效时间（单位为分钟）。"
+
 #: authentik/stages/email/models.py
 msgid "Email Stage"
 msgstr "电子邮件阶段"
@ -2948,6 +2801,10 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"

+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@ -3028,6 +2885,17 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"

+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -3049,6 +2917,11 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "

+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.1",
+    "version": "2025.2.0",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,35 +1,9 @@
 [tool.poetry]
 name = "authentik"
-version = "2025.2.1"
+version = "2025.2.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

-[tool.bandit]
-exclude_dirs = ["**/node_modules/**"]
-
-[tool.codespell]
-skip = [
-    "**/node_modules",
-    "**/package-lock.json",
-    "schema.yml",
-    "unittest.xml",
-    "./blueprints/schema.json",
-    "go.sum",
-    "locale",
-    "**/dist",
-    "**/storybook-static",
-    "**/web/src/locales",
-    "**/web/xliff",
-    "./web/storybook-static",
-    "./website/build",
-    "./gen-ts-api",
-    "./gen-py-api",
-    "./gen-go-api",
-    "*.api.mdx",
-    "./htmlcov",
-]
-dictionary = ".github/codespell-dictionary.txt,-"
-ignore-words = ".github/codespell-words.txt"
 [tool.black]
 line-length = 100
 target-version = ['py312']
@ -149,9 +123,7 @@ kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 msgraph-sdk = "*"
-opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = [
-    "reggie",
-] }
+opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = ["reggie"] }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.2.1
+  version: 2025.2.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -35146,7 +35146,7 @@ paths:
      - in: query
        name: token_expiry
        schema:
-          type: string
+          type: integer
      - in: query
        name: use_global_settings
        schema:
@ -41582,12 +41582,6 @@ components:
      - confidential
      - public
      type: string
-    CompatibilityModeEnum:
-      enum:
-      - default
-      - aws
-      - slack
-      type: string
    Config:
      type: object
      description: Serialize authentik Config into DRF Object
@ -42780,8 +42774,10 @@ components:
          format: email
          maxLength: 254
        token_expiry:
-          type: string
-          description: 'Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).'
+          type: integer
+          maximum: 2147483647
+          minimum: -2147483648
+          description: Time in minutes the token sent is valid.
        subject:
          type: string
        template:
@ -42837,9 +42833,10 @@ components:
          minLength: 1
          maxLength: 254
        token_expiry:
-          type: string
-          minLength: 1
-          description: 'Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).'
+          type: integer
+          maximum: 2147483647
+          minimum: -2147483648
+          description: Time in minutes the token sent is valid.
        subject:
          type: string
          minLength: 1
@ -44157,10 +44154,6 @@ components:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
        default_group_email_domain:
          type: string
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - assigned_backchannel_application_name
      - assigned_backchannel_application_slug
@ -44324,10 +44317,6 @@ components:
        default_group_email_domain:
          type: string
          minLength: 1
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - credentials
      - default_group_email_domain
@ -46408,10 +46397,6 @@ components:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
        group_delete_action:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - assigned_backchannel_application_name
      - assigned_backchannel_application_slug
@ -46572,10 +46557,6 @@ components:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
        group_delete_action:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - client_id
      - client_secret
@ -50392,9 +50373,10 @@ components:
          minLength: 1
          maxLength: 254
        token_expiry:
-          type: string
-          minLength: 1
-          description: 'Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).'
+          type: integer
+          maximum: 2147483647
+          minimum: -2147483648
+          description: Time in minutes the token sent is valid.
        subject:
          type: string
          minLength: 1
@ -50697,10 +50679,6 @@ components:
        default_group_email_domain:
          type: string
          minLength: 1
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
    PatchedGroupKerberosSourceConnectionRequest:
      type: object
      description: OAuth Group-Source connection Serializer
@ -51282,10 +51260,6 @@ components:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
        group_delete_action:
          $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
    PatchedNotificationRequest:
      type: object
      description: Notification Serializer
@ -52447,21 +52421,12 @@ components:
          type: string
          minLength: 1
          description: Authentication token
-        compatibility_mode:
-          allOf:
-          - $ref: '#/components/schemas/CompatibilityModeEnum'
-          title: SCIM Compatibility Mode
-          description: Alter authentik behavior for vendor-specific SCIM implementations.
        exclude_users_service_account:
          type: boolean
        filter_group:
          type: string
          format: uuid
          nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
    PatchedSCIMSourceGroupRequest:
      type: object
      description: SCIMSourceGroup Serializer
@ -55852,21 +55817,12 @@ components:
        token:
          type: string
          description: Authentication token
-        compatibility_mode:
-          allOf:
-          - $ref: '#/components/schemas/CompatibilityModeEnum'
-          title: SCIM Compatibility Mode
-          description: Alter authentik behavior for vendor-specific SCIM implementations.
        exclude_users_service_account:
          type: boolean
        filter_group:
          type: string
          format: uuid
          nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - assigned_backchannel_application_name
      - assigned_backchannel_application_slug
@ -55947,21 +55903,12 @@ components:
          type: string
          minLength: 1
          description: Authentication token
-        compatibility_mode:
-          allOf:
-          - $ref: '#/components/schemas/CompatibilityModeEnum'
-          title: SCIM Compatibility Mode
-          description: Alter authentik behavior for vendor-specific SCIM implementations.
        exclude_users_service_account:
          type: boolean
        filter_group:
          type: string
          format: uuid
          nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
      required:
      - name
      - token
@ -57158,9 +57105,6 @@ components:
        sync_object_id:
          type: string
          minLength: 1
-        override_dry_run:
-          type: boolean
-          default: false
      required:
      - sync_object_id
      - sync_object_model
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	2de11f8a69	release: 2025.2.0-rc2	2025-02-20 23:47:15 +01:00
gcp-cherry-pick-bot[bot]	b2dcf94aba	policies/geoip: fix math in impossible travel (cherry-pick #13141 ) (#13145 ) policies/geoip: fix math in impossible travel (#13141) * policies/geoip: fix math in impossible travel * fix threshold --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 23:46:21 +01:00
gcp-cherry-pick-bot[bot]	adb532fc5d	enterprise/stages/source: fix Source stage not executing authentication/enrollment flow (cherry-pick #12875 ) (#13146 ) enterprise/stages/source: fix Source stage not executing authentication/enrollment flow (#12875) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 23:45:43 +01:00
gcp-cherry-pick-bot[bot]	5d3b35d1ba	revert: rbac: exclude permissions for internal models (#12803 ) (cherry-pick #13138 ) (#13140 ) revert: rbac: exclude permissions for internal models (#12803) (#13138) Revert "rbac: exclude permissions for internal models (#12803)" This reverts commit `e08ccf4ca0`. Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 16:07:21 +01:00
gcp-cherry-pick-bot[bot]	433a94d9ee	web/flows: fix error on interactive Captcha stage when retrying captcha (cherry-pick #13119 ) (#13139 ) web/flows: fix error on interactive Captcha stage when retrying captcha (#13119) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-20 15:12:03 +01:00
gcp-cherry-pick-bot[bot]	f28d622d10	cmd: set version in outposts (cherry-pick #13116 ) (#13122 ) cmd: set version in outposts (#13116) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 18:20:28 +01:00
gcp-cherry-pick-bot[bot]	50a68c22c5	sources/oauth: add group sync for azure_ad (cherry-pick #12894 ) (#13123 ) sources/oauth: add group sync for azure_ad (#12894) * sources/oauth: add group sync for azure_ad * make group sync optional --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 18:20:16 +01:00
gcp-cherry-pick-bot[bot]	13c99c8546	web/user: fix opening application with Enter not respecting new tab setting (cherry-pick #13115 ) (#13118 ) web/user: fix opening application with Enter not respecting new tab setting (#13115) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 17:57:18 +01:00
gcp-cherry-pick-bot[bot]	7243add30f	web/admin: update Application Wizard button placement (cherry-pick #12771 ) (#13121 ) web/admin: update Application Wizard button placement (#12771) * web: Add InvalidationFlow to Radius Provider dialogues ## What - Bugfix: adds the InvalidationFlow to the Radius Provider dialogues - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was not propagated to the Notification. - Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/` ## Note Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the Property Mappings to the wizard, and yes, I know I'm going to have pain with the new version of the wizard. But this is a serious bug; you can't make Radius servers with either of the current dialogues at the moment. * This (temporary) change is needed to prevent the unit tests from failing. \# What \# Why \# How \# Designs \# Test Steps \# Other Notes * Revert "This (temporary) change is needed to prevent the unit tests from failing." This reverts commit `dddde09be5`. * web: Make using the wizard the default for new applications # What 1. I removed the "Wizard Hint" bar and migrated the "Create With Wizard" button down to the default position as "Create With Provider," moving the "Create" button to a secondary position. Primary coloring has been kept for both. 2. Added an alert to the "Create" legacy dialog: > Using this form will only create an Application. In order to authenticate with the application, > you will have to manually pair it with a Provider. 3. Updated the subtitle on the Wizard dialog: ``` diff - wizardDescription = msg("Create a new application"); + wizardDescription = msg("Create a new application and configure a provider for it."); ``` 4. Updated the User page so that, if the User is-a Administrator and the number of Applications in the system is zero, the user will be invited to create a new Application using the Wizard rather than the legacy Form: ```diff renderNewAppButton() { const href = paramURL("/core/applications", { - createForm: true, + createWizard: true, }); ``` 5. Fixed a bug where, on initial render, if the `this.brand` field was not available, an error would appear in the console. The effects were usually harmless, as brand information came quickly and filled in before the user could notice, but it looked bad in the debugger. 6. Fixed a bug in testing where the wizard page "Configure Policy Bindings" had been changed to "Configure Policy/User/Group Binding". # Testing Since the wizard OUID didn't change (`data-ouia-component-id="start-application-wizard"`), the E2E tests for "Application Wizard" completed without any substantial changes to the routine or to the tests. ``` sh npm run test:e2e:watch -- --spec ./tests/specs/new-application-by-wizard.ts ``` # User documentation changes required. These changes were made at the request of docs, as an initial draft to show how the page looks with the Application Wizard as he default tool for creating new Applications. # Developer documentation changes required. None. Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>	2025-02-19 17:57:03 +01:00
gcp-cherry-pick-bot[bot]	6611a64a62	web: bump API Client version (cherry-pick #13113 ) (#13114 ) web: bump API Client version (#13113) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>	2025-02-19 13:16:48 +01:00
gcp-cherry-pick-bot[bot]	5262f61483	providers/rac: move to open source (cherry-pick #13015 ) (#13112 ) providers/rac: move to open source (#13015) * move RAC to open source * move web out of enterprise * remove enterprise license requirements from RAC * format --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>	2025-02-19 13:16:18 +01:00
Jens Langhammer	9dcbb4af9e	release: 2025.2.0-rc1	2025-02-19 02:36:48 +01:00
gcp-cherry-pick-bot[bot]	0665bfac58	website/docs: add 2025.2 release notes (cherry-pick #13002 ) (#13108 ) website/docs: add 2025.2 release notes (#13002) * website/docs: add 2025.2 release notes * make compile * ffs * ffs --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-19 02:12:47 +01:00
gcp-cherry-pick-bot[bot]	790e0c4d80	core: clear expired database sessions (cherry-pick #13105 ) (#13106 ) core: clear expired database sessions (#13105) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2025-02-18 23:22:21 +01:00