add api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.2
+current_version = 2025.6.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/_reusable-docker-build-single.yaml

@@ -38,6 +38,8 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
+      # Needed for checkout
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3.6.0

.github/workflows/ci-main-daily.yml

@@ -9,6 +9,7 @@ on:
 
 jobs:
   test-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/ci-main.yml

@@ -247,11 +247,13 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
+      # Needed for checkout
+      contents: read
     needs: ci-core-mark
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     with:
-      image_name: ghcr.io/goauthentik/dev-server
+      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
       release: false
   pr-comment:
     needs:

.github/workflows/ci-outpost.yml

@@ -59,6 +59,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark

.github/workflows/ci-website.yml

@@ -63,6 +63,7 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   build-container:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -122,3 +123,4 @@ jobs:
       - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
+          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/repo-mirror-cleanup.yml

@@ -0,0 +1,21 @@
+name: "authentik-repo-mirror-cleanup"
+
+on:
+  workflow_dispatch:
+
+jobs:
+  to_internal:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - if: ${{ env.MIRROR_KEY != '' }}
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        with:
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force --prune
+        env:
+          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -11,11 +11,10 @@ jobs:
         with:
           fetch-depth: 0
       - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
+        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
         with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
+          target_repo_url: git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
+          args: --tags --force
         env:
           MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/translation-extract-compile.yml

@@ -16,6 +16,7 @@ env:
 
 jobs:
   compile:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.vscode/settings.json

@@ -6,13 +6,15 @@
         "!Context scalar",
         "!Enumerate sequence",
         "!Env scalar",
+        "!Env sequence",
         "!Find sequence",
         "!Format sequence",
         "!If sequence",
         "!Index scalar",
         "!KeyOf scalar",
         "!Value scalar",
-        "!AtIndex scalar"
+        "!AtIndex scalar",
+        "!ParseJSON scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",

Dockerfile

@@ -75,7 +75,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.14 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.17 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
 

Makefile

@@ -150,9 +150,9 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	mkdir -p web/node_modules/@goauthentik/api
-	cd ${PWD}/${GEN_API_TS} && npm i
-	\cp -rf ${PWD}/${GEN_API_TS}/* web/node_modules/@goauthentik/api
+
+	cd ${PWD}/${GEN_API_TS} && npm link
+	cd ${PWD}/web && npm link @goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.6.2"
+__version__ = "2025.6.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/tests/fixtures/tags.yaml

@@ -37,6 +37,7 @@ entries:
     - attrs:
           attributes:
               env_null: !Env [bar-baz, null]
+              json_parse: !ParseJSON '{"foo": "bar"}'
               policy_pk1:
                   !Format [
                       "%s-%s",

authentik/blueprints/tests/test_serializer_models.py

@@ -5,7 +5,6 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase
 
-from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
 
@@ -22,10 +21,13 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
             return
         model_class = test_model()
         self.assertTrue(isinstance(model_class, SerializerModel))
+        # Models that have subclasses don't have to have a serializer
+        if len(test_model.__subclasses__()) > 0:
+            return
         self.assertIsNotNone(model_class.serializer)
         if model_class.serializer.Meta().model == RefreshToken:
             return
-        self.assertEqual(model_class.serializer.Meta().model, test_model)
+        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
 
     return tester
 
@@ -34,6 +36,6 @@ for app in apps.get_app_configs():
     if not app.label.startswith("authentik"):
         continue
     for model in app.get_models():
-        if not is_model_allowed(model):
+        if not issubclass(model, SerializerModel):
             continue
         setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))

authentik/blueprints/tests/test_v1.py

@@ -215,6 +215,7 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
+                    "json_parse": {"foo": "bar"},
                     "at_index_sequence": "foo",
                     "at_index_sequence_default": "non existent",
                     "at_index_mapping": 2,

authentik/blueprints/v1/common.py

@@ -6,6 +6,7 @@ from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
 from functools import reduce
+from json import JSONDecodeError, loads
 from operator import ixor
 from os import getenv
 from typing import Any, Literal, Union
@@ -291,6 +292,22 @@ class Context(YAMLTag):
         return value
 
 
+class ParseJSON(YAMLTag):
+    """Parse JSON from context/env/etc value"""
+
+    raw: str
+
+    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
+        super().__init__()
+        self.raw = node.value
+
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+        try:
+            return loads(self.raw)
+        except JSONDecodeError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
+
+
 class Format(YAMLTag):
     """Format a string"""
 
@@ -666,6 +683,7 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
         self.add_constructor("!AtIndex", AtIndex)
+        self.add_constructor("!ParseJSON", ParseJSON)
 
 
 class EntryInvalidError(SentryIgnoredException):

authentik/blueprints/v1/importer.py

@@ -43,6 +43,7 @@ from authentik.core.models import (
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.providers.apple_psso.models import AppleNonce
 from authentik.enterprise.providers.google_workspace.models import (
     GoogleWorkspaceProviderGroup,
     GoogleWorkspaceProviderUser,
@@ -135,6 +136,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDeviceConnection,
         DeviceToken,
         StreamEvent,
+        AppleNonce,
     )
 
 

authentik/core/api/users.py

@@ -407,7 +407,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             StrField(User, "path"),
             BoolField(User, "is_active", nullable=True),
             ChoiceSearchField(User, "type"),
-            JSONSearchField(User, "attributes"),
+            JSONSearchField(User, "attributes", suggest_nested=False),
         ]
 
     def get_queryset(self):

authentik/core/api/utils.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from django.db import models
 from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
@@ -30,7 +31,27 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
+class JSONDictField(JSONField):
+    """JSON Field which only allows dictionaries"""
+
+    default_validators = [is_dict]
+
+
+class JSONExtension(OpenApiSerializerFieldExtension):
+    """Generate API Schema for JSON fields as"""
+
+    target_class = "authentik.core.api.utils.JSONDictField"
+
+    def map_serializer_field(self, auto_schema, direction):
+        return build_basic_type(OpenApiTypes.OBJECT)
+
+
 class ModelSerializer(BaseModelSerializer):
+
+    # By default, JSON fields we have are used to store dictionaries
+    serializer_field_mapping = BaseModelSerializer.serializer_field_mapping.copy()
+    serializer_field_mapping[models.JSONField] = JSONDictField
+
     def create(self, validated_data):
         instance = super().create(validated_data)
 
@@ -71,21 +92,6 @@ class ModelSerializer(BaseModelSerializer):
         return instance
 
 
-class JSONDictField(JSONField):
-    """JSON Field which only allows dictionaries"""
-
-    default_validators = [is_dict]
-
-
-class JSONExtension(OpenApiSerializerFieldExtension):
-    """Generate API Schema for JSON fields as"""
-
-    target_class = "authentik.core.api.utils.JSONDictField"
-
-    def map_serializer_field(self, auto_schema, direction):
-        return build_basic_type(OpenApiTypes.OBJECT)
-
-
 class PassiveSerializer(Serializer):
     """Base serializer class which doesn't implement create/update methods"""
 

authentik/core/models.py

@@ -1082,6 +1082,12 @@ class AuthenticatedSession(SerializerModel):
 
     user = models.ForeignKey(User, on_delete=models.CASCADE)
 
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.core.api.authenticated_sessions import AuthenticatedSessionSerializer
+
+        return AuthenticatedSessionSerializer
+
     class Meta:
         verbose_name = _("Authenticated Session")
         verbose_name_plural = _("Authenticated Sessions")

authentik/enterprise/providers/apple_psso/api/providers.py

@@ -0,0 +1,32 @@
+"""Apple Platform SSO Provider API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.apple_psso.models import ApplePlatformSSOProvider
+
+
+class ApplePlatformSSOProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """ApplePlatformSSOProvider Serializer"""
+
+    class Meta:
+        model = ApplePlatformSSOProvider
+        fields = [
+            "pk",
+            "name",
+        ]
+        extra_kwargs = {}
+
+
+class ApplePlatformSSOProviderViewSet(UsedByMixin, ModelViewSet):
+    """ApplePlatformSSOProvider Viewset"""
+
+    queryset = ApplePlatformSSOProvider.objects.all()
+    serializer_class = ApplePlatformSSOProviderSerializer
+    filterset_fields = [
+        "name",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/providers/apple_psso/apps.py

@@ -0,0 +1,13 @@
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderApplePSSOConfig(EnterpriseConfig):
+
+    name = "authentik.enterprise.providers.apple_psso"
+    label = "authentik_providers_apple_psso"
+    verbose_name = "authentik Enterprise.Providers.Apple Platform SSO"
+    default = True
+    mountpoints = {
+        "authentik.enterprise.providers.apple_psso.urls": "endpoint/apple/sso/",
+        "authentik.enterprise.providers.apple_psso.urls_root": "",
+    }

authentik/enterprise/providers/apple_psso/http.py

@@ -0,0 +1,118 @@
+from base64 import urlsafe_b64encode
+from json import dumps
+from secrets import token_bytes
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
+from django.http import HttpResponse
+from jwcrypto.common import base64url_decode, base64url_encode
+
+from authentik.enterprise.providers.apple_psso.models import AppleDevice
+
+
+def length_prefixed(data: bytes) -> bytes:
+    length = len(data)
+    return length.to_bytes(4, "big") + data
+
+
+def build_apu(public_key: ec.EllipticCurvePublicKey):
+    # X9.63 representation: 0x04 || X || Y
+    public_numbers = public_key.public_numbers()
+
+    x_bytes = public_numbers.x.to_bytes(32, "big")
+    y_bytes = public_numbers.y.to_bytes(32, "big")
+
+    x963 = bytes([0x04]) + x_bytes + y_bytes
+
+    result = length_prefixed(b"APPLE") + length_prefixed(x963)
+
+    return result
+
+
+def encrypt_token_with_a256_gcm(body: dict, device_encryption_key: str, apv: bytes) -> str:
+    ephemeral_key = ec.generate_private_key(curve=ec.SECP256R1())
+    device_public_key = serialization.load_pem_public_key(
+        device_encryption_key.encode(), backend=default_backend()
+    )
+
+    shared_secret_z = ephemeral_key.exchange(ec.ECDH(), device_public_key)
+
+    apu = build_apu(ephemeral_key.public_key())
+
+    jwe_header = {
+        "enc": "A256GCM",
+        "kid": "ephemeralKey",
+        "epk": {
+            "x": base64url_encode(
+                ephemeral_key.public_key().public_numbers().x.to_bytes(32, "big")
+            ),
+            "y": base64url_encode(
+                ephemeral_key.public_key().public_numbers().y.to_bytes(32, "big")
+            ),
+            "kty": "EC",
+            "crv": "P-256",
+        },
+        "typ": "platformsso-login-response+jwt",
+        "alg": "ECDH-ES",
+        "apu": base64url_encode(apu),
+        "apv": base64url_encode(apv),
+    }
+
+    party_u_info = length_prefixed(apu)
+    party_v_info = length_prefixed(apv)
+    supp_pub_info = (256).to_bytes(4, "big")
+
+    other_info = length_prefixed(b"A256GCM") + party_u_info + party_v_info + supp_pub_info
+
+    ckdf = ConcatKDFHash(
+        algorithm=hashes.SHA256(),
+        length=32,
+        otherinfo=other_info,
+    )
+
+    derived_key = ckdf.derive(shared_secret_z)
+
+    nonce = token_bytes(12)
+
+    header_json = dumps(jwe_header, separators=(",", ":")).encode()
+    aad = urlsafe_b64encode(header_json).rstrip(b"=")
+
+    aesgcm = AESGCM(derived_key)
+    ciphertext = aesgcm.encrypt(nonce, dumps(body).encode(), aad)
+
+    ciphertext_body = ciphertext[:-16]
+    tag = ciphertext[-16:]
+
+    # base64url encoding
+    protected_b64 = urlsafe_b64encode(header_json).rstrip(b"=")
+    iv_b64 = urlsafe_b64encode(nonce).rstrip(b"=")
+    ciphertext_b64 = urlsafe_b64encode(ciphertext_body).rstrip(b"=")
+    tag_b64 = urlsafe_b64encode(tag).rstrip(b"=")
+
+    jwe_compact = b".".join(
+        [
+            protected_b64,
+            b"",
+            iv_b64,
+            ciphertext_b64,
+            tag_b64,
+        ]
+    )
+    return jwe_compact.decode()
+
+
+class JWEResponse(HttpResponse):
+
+    def __init__(
+        self,
+        data: dict,
+        device: AppleDevice,
+        apv: str,
+    ):
+        super().__init__(
+            content=encrypt_token_with_a256_gcm(data, device.encryption_key, base64url_decode(apv)),
+            content_type="application/platformsso-login-response+jwt",
+        )

authentik/enterprise/providers/apple_psso/migrations/0001_initial.py

@@ -0,0 +1,36 @@
+# Generated by Django 5.1.11 on 2025-06-28 00:12
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ApplePlatformSSOProvider",
+            fields=[
+                (
+                    "oauth2provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_providers_oauth2.oauth2provider",
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+            bases=("authentik_providers_oauth2.oauth2provider",),
+        ),
+    ]

authentik/enterprise/providers/apple_psso/migrations/0002_appledevice_appledeviceuser_appledevice_users_and_more.py

@@ -0,0 +1,94 @@
+# Generated by Django 5.1.11 on 2025-06-28 15:50
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_apple_psso", "0001_initial"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AppleDevice",
+            fields=[
+                (
+                    "endpoint_uuid",
+                    models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+                ),
+                ("signing_key", models.TextField()),
+                ("encryption_key", models.TextField()),
+                ("key_exchange_key", models.TextField()),
+                ("sign_key_id", models.TextField()),
+                ("enc_key_id", models.TextField()),
+                ("creation_time", models.DateTimeField(auto_now_add=True)),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_apple_psso.appleplatformssoprovider",
+                    ),
+                ),
+            ],
+        ),
+        migrations.CreateModel(
+            name="AppleDeviceUser",
+            fields=[
+                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ("signing_key", models.TextField()),
+                ("encryption_key", models.TextField()),
+                ("sign_key_id", models.TextField()),
+                ("enc_key_id", models.TextField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_apple_psso.appledevice",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="appledevice",
+            name="users",
+            field=models.ManyToManyField(
+                through="authentik_providers_apple_psso.AppleDeviceUser",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.CreateModel(
+            name="AppleNonce",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                ("nonce", models.TextField()),
+            ],
+            options={
+                "abstract": False,
+                "indexes": [
+                    models.Index(fields=["expires"], name="authentik_p_expires_47d534_idx"),
+                    models.Index(fields=["expiring"], name="authentik_p_expirin_87253e_idx"),
+                    models.Index(
+                        fields=["expiring", "expires"], name="authentik_p_expirin_20a7c9_idx"
+                    ),
+                ],
+            },
+        ),
+    ]

authentik/enterprise/providers/apple_psso/migrations/0003_rename_sign_key_id_appledeviceuser_enclave_key_id_and_more.py

@@ -0,0 +1,34 @@
+# Generated by Django 5.1.11 on 2025-06-28 22:18
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_providers_apple_psso",
+            "0002_appledevice_appledeviceuser_appledevice_users_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="appledeviceuser",
+            old_name="sign_key_id",
+            new_name="enclave_key_id",
+        ),
+        migrations.RenameField(
+            model_name="appledeviceuser",
+            old_name="signing_key",
+            new_name="secure_enclave_key",
+        ),
+        migrations.RemoveField(
+            model_name="appledeviceuser",
+            name="enc_key_id",
+        ),
+        migrations.RemoveField(
+            model_name="appledeviceuser",
+            name="encryption_key",
+        ),
+    ]

authentik/enterprise/providers/apple_psso/models.py

@@ -0,0 +1,85 @@
+from uuid import uuid4
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from rest_framework.serializers import Serializer
+
+from authentik.core.models import ExpiringModel, User
+from authentik.crypto.models import CertificateKeyPair
+from authentik.providers.oauth2.models import (
+    ClientTypes,
+    IssuerMode,
+    OAuth2Provider,
+    RedirectURI,
+    RedirectURIMatchingMode,
+    ScopeMapping,
+)
+
+
+class ApplePlatformSSOProvider(OAuth2Provider):
+    """Integrate with Apple Platform SSO"""
+
+    def set_oauth_defaults(self):
+        """Ensure all OAuth2-related settings are correct"""
+        self.issuer_mode = IssuerMode.PER_PROVIDER
+        self.client_type = ClientTypes.PUBLIC
+        self.signing_key = CertificateKeyPair.objects.get(name="authentik Self-signed Certificate")
+        self.include_claims_in_id_token = True
+        scopes = ScopeMapping.objects.filter(
+            managed__in=[
+                "goauthentik.io/providers/oauth2/scope-openid",
+                "goauthentik.io/providers/oauth2/scope-profile",
+                "goauthentik.io/providers/oauth2/scope-email",
+                "goauthentik.io/providers/oauth2/scope-offline_access",
+                "goauthentik.io/providers/oauth2/scope-authentik_api",
+            ]
+        )
+        self.property_mappings.add(*list(scopes))
+        self.redirect_uris = [
+            RedirectURI(RedirectURIMatchingMode.STRICT, "io.goauthentik.endpoint:/oauth2redirect"),
+        ]
+
+    @property
+    def component(self) -> str:
+        return "ak-provider-apple-psso-form"
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.apple_psso.api.providers import (
+            ApplePlatformSSOProviderSerializer,
+        )
+
+        return ApplePlatformSSOProviderSerializer
+
+    class Meta:
+        verbose_name = _("Apple Platform SSO Provider")
+        verbose_name_plural = _("Apple Platform SSO Providers")
+
+
+class AppleDevice(models.Model):
+
+    endpoint_uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    signing_key = models.TextField()
+    encryption_key = models.TextField()
+    key_exchange_key = models.TextField()
+    sign_key_id = models.TextField()
+    enc_key_id = models.TextField()
+    creation_time = models.DateTimeField(auto_now_add=True)
+    provider = models.ForeignKey(ApplePlatformSSOProvider, on_delete=models.CASCADE)
+    users = models.ManyToManyField(User, through="AppleDeviceUser")
+
+
+class AppleDeviceUser(models.Model):
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    device = models.ForeignKey(AppleDevice, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    secure_enclave_key = models.TextField()
+    enclave_key_id = models.TextField()
+
+
+class AppleNonce(ExpiringModel):
+    nonce = models.TextField()

authentik/enterprise/providers/apple_psso/urls.py

@@ -0,0 +1,15 @@
+from django.urls import path
+
+from authentik.enterprise.providers.apple_psso.views.nonce import NonceView
+from authentik.enterprise.providers.apple_psso.views.register import (
+    RegisterDeviceView,
+    RegisterUserView,
+)
+from authentik.enterprise.providers.apple_psso.views.token import TokenView
+
+urlpatterns = [
+    path("token/", TokenView.as_view(), name="token"),
+    path("nonce/", NonceView.as_view(), name="nonce"),
+    path("register/device/", RegisterDeviceView.as_view(), name="register-device"),
+    path("register/user/", RegisterUserView.as_view(), name="register-user"),
+]

authentik/enterprise/providers/apple_psso/urls_root.py

@@ -0,0 +1,7 @@
+from django.urls import path
+
+from authentik.enterprise.providers.apple_psso.views.site_association import AppleAppSiteAssociation
+
+urlpatterns = [
+    path(".well-known/apple-app-site-association", AppleAppSiteAssociation.as_view(), name="asa"),
+]

authentik/enterprise/providers/apple_psso/views/nonce.py

@@ -0,0 +1,25 @@
+from base64 import b64encode
+from datetime import timedelta
+from secrets import token_bytes
+
+from django.http import HttpRequest, JsonResponse
+from django.utils.decorators import method_decorator
+from django.utils.timezone import now
+from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+
+from authentik.enterprise.providers.apple_psso.models import AppleNonce
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class NonceView(View):
+
+    def post(self, request: HttpRequest, *args, **kwargs):
+        nonce = AppleNonce.objects.create(
+            nonce=b64encode(token_bytes(32)).decode(), expires=now() + timedelta(minutes=5)
+        )
+        return JsonResponse(
+            {
+                "Nonce": nonce.nonce,
+            }
+        )

authentik/enterprise/providers/apple_psso/views/register.py

@@ -0,0 +1,92 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.fields import CharField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.api.authentication import TokenAuthentication
+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import User
+from authentik.enterprise.providers.apple_psso.models import (
+    AppleDevice,
+    AppleDeviceUser,
+    ApplePlatformSSOProvider,
+)
+from authentik.lib.generators import generate_key
+
+
+class DeviceRegisterAuth(BaseAuthentication):
+    def authenticate(self, request):
+        # very temporary, lol
+        return (User(), None)
+
+
+class RegisterDeviceView(APIView):
+
+    class DeviceRegistration(PassiveSerializer):
+
+        device_uuid = CharField()
+        client_id = CharField()
+        device_signing_key = CharField()
+        device_encryption_key = CharField()
+        sign_key_id = CharField()
+        enc_key_id = CharField()
+
+    permission_classes = []
+    pagination_class = None
+    filter_backends = []
+    serializer_class = DeviceRegistration
+    authentication_classes = [DeviceRegisterAuth, TokenAuthentication]
+
+    def post(self, request: Request) -> Response:
+        data = self.DeviceRegistration(data=request.data)
+        data.is_valid(raise_exception=True)
+        provider = get_object_or_404(
+            ApplePlatformSSOProvider, client_id=data.validated_data["client_id"]
+        )
+        AppleDevice.objects.update_or_create(
+            endpoint_uuid=data.validated_data["device_uuid"],
+            defaults={
+                "signing_key": data.validated_data["device_signing_key"],
+                "encryption_key": data.validated_data["device_encryption_key"],
+                "sign_key_id": data.validated_data["sign_key_id"],
+                "enc_key_id": data.validated_data["enc_key_id"],
+                "key_exchange_key": generate_key(),
+                "provider": provider,
+            },
+        )
+        return Response()
+
+
+class RegisterUserView(APIView):
+
+    class UserRegistration(PassiveSerializer):
+
+        device_uuid = CharField()
+        user_secure_enclave_key = CharField()
+        enclave_key_id = CharField()
+
+    permission_classes = []
+    pagination_class = None
+    filter_backends = []
+    serializer_class = UserRegistration
+    authentication_classes = [TokenAuthentication]
+
+    def post(self, request: Request) -> Response:
+        data = self.UserRegistration(data=request.data)
+        data.is_valid(raise_exception=True)
+        device = get_object_or_404(AppleDevice, endpoint_uuid=data.validated_data["device_uuid"])
+        AppleDeviceUser.objects.update_or_create(
+            device=device,
+            user=request.user,
+            defaults={
+                "secure_enclave_key": data.validated_data["user_secure_enclave_key"],
+                "enclave_key_id": data.validated_data["enclave_key_id"],
+            },
+        )
+        return Response(
+            {
+                "username": request.user.username,
+            }
+        )

authentik/enterprise/providers/apple_psso/views/site_association.py

@@ -0,0 +1,16 @@
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+
+class AppleAppSiteAssociation(View):
+    def get(self, request: HttpRequest) -> HttpResponse:
+        return JsonResponse(
+            {
+                "authsrv": {
+                    "apps": [
+                        "232G855Y8N.io.goauthentik.endpoint",
+                        "232G855Y8N.io.goauthentik.endpoint.psso",
+                    ]
+                }
+            }
+        )

authentik/enterprise/providers/apple_psso/views/token.py

@@ -0,0 +1,140 @@
+from datetime import timedelta
+
+from django.http import Http404, HttpRequest, HttpResponse
+from django.utils.decorators import method_decorator
+from django.utils.timezone import now
+from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+from jwt import PyJWT, decode
+from rest_framework.exceptions import ValidationError
+from structlog.stdlib import get_logger
+
+from authentik.core.models import AuthenticatedSession, Session, User
+from authentik.core.sessions import SessionStore
+from authentik.enterprise.providers.apple_psso.http import JWEResponse
+from authentik.enterprise.providers.apple_psso.models import (
+    AppleDevice,
+    AppleDeviceUser,
+    AppleNonce,
+    ApplePlatformSSOProvider,
+)
+from authentik.events.models import Event, EventAction
+from authentik.events.signals import SESSION_LOGIN_EVENT
+from authentik.providers.oauth2.constants import TOKEN_TYPE
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import RefreshToken
+from authentik.root.middleware import SessionMiddleware
+
+LOGGER = get_logger()
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class TokenView(View):
+
+    device: AppleDevice
+    provider: ApplePlatformSSOProvider
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        version = request.POST.get("platform_sso_version")
+        assertion = request.POST.get("assertion", request.POST.get("request"))
+        if not assertion:
+            return HttpResponse(status=400)
+
+        decode_unvalidated = PyJWT().decode_complete(assertion, options={"verify_signature": False})
+        LOGGER.debug(decode_unvalidated["header"])
+        expected_kid = decode_unvalidated["header"]["kid"]
+
+        self.device = AppleDevice.objects.filter(sign_key_id=expected_kid).first()
+        if not self.device:
+            raise Http404
+        self.provider = self.device.provider
+
+        # Properly decode the JWT with the key from the device
+        decoded = decode(
+            assertion, self.device.signing_key, algorithms=["ES256"], options={"verify_aud": False}
+        )
+        LOGGER.debug(decoded)
+
+        LOGGER.debug("got device", device=self.device)
+
+        # Check that the nonce hasn't been used before
+        nonce = AppleNonce.objects.filter(nonce=decoded["request_nonce"]).first()
+        if not nonce:
+            return HttpResponse(status=400)
+        nonce.delete()
+
+        handler_func = (
+            f"handle_v{version}_{decode_unvalidated["header"]["typ"]}".replace("-", "_")
+            .replace("+", "_")
+            .replace(".", "_")
+        )
+        handler = getattr(self, handler_func, None)
+        if not handler:
+            LOGGER.debug("Handler not found", handler=handler_func)
+            return HttpResponse(status=400)
+        LOGGER.debug("sending to handler", handler=handler_func)
+        return handler(decoded)
+
+    def validate_device_user_response(self, assertion: str) -> tuple[AppleDeviceUser, dict] | None:
+        """Decode an embedded assertion and validate it by looking up the matching device user"""
+        decode_unvalidated = PyJWT().decode_complete(assertion, options={"verify_signature": False})
+        expected_kid = decode_unvalidated["header"]["kid"]
+
+        device_user = AppleDeviceUser.objects.filter(
+            device=self.device, enclave_key_id=expected_kid
+        ).first()
+        if not device_user:
+            return None
+        return device_user, decode(
+            assertion,
+            device_user.secure_enclave_key,
+            audience="apple-platform-sso",
+            algorithms=["ES256"],
+        )
+
+    def create_auth_session(self, user: User):
+        event = Event.new(EventAction.LOGIN).from_http(self.request, user=user)
+        store = SessionStore()
+        store[SESSION_LOGIN_EVENT] = event
+        store.save()
+        session = Session.objects.filter(session_key=store.session_key).first()
+        AuthenticatedSession.objects.create(session=session, user=user)
+        session = SessionMiddleware.encode_session(store.session_key, user)
+        return session
+
+    def handle_v1_0_platformsso_login_request_jwt(self, decoded: dict):
+        user = None
+        if decoded["grant_type"] == "urn:ietf:params:oauth:grant-type:jwt-bearer":
+            # Decode and validate inner assertion
+            user, inner = self.validate_device_user_response(decoded["assertion"])
+            if inner["nonce"] != decoded["nonce"]:
+                LOGGER.warning("Mis-matched nonce to outer assertion")
+                raise ValidationError("Invalid request")
+
+        refresh_token = RefreshToken(
+            user=user.user,
+            scope=decoded["scope"],
+            expires=now() + timedelta(hours=8),
+            provider=self.provider,
+            auth_time=now(),
+            session=None,
+        )
+        id_token = IDToken.new(
+            self.provider,
+            refresh_token,
+            self.request,
+        )
+        id_token.nonce = decoded["nonce"]
+        refresh_token.id_token = id_token
+        refresh_token.save()
+        return JWEResponse(
+            {
+                "refresh_token": refresh_token.token,
+                "refresh_token_expires_in": int((refresh_token.expires - now()).total_seconds()),
+                "id_token": refresh_token.id_token.to_jwt(self.provider),
+                "token_type": TOKEN_TYPE,
+                "session_key": self.create_auth_session(user.user),
+            },
+            device=self.device,
+            apv=decoded["jwe_crypto"]["apv"],
+        )

authentik/enterprise/settings.py

@@ -15,6 +15,7 @@ CELERY_BEAT_SCHEDULE = {
 TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.policies.unique_password",
+    "authentik.enterprise.providers.apple_psso",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
     "authentik.enterprise.providers.ssf",

authentik/events/models.py

@@ -193,17 +193,32 @@ class Event(SerializerModel, ExpiringModel):
             brand: Brand = request.brand
             self.brand = sanitize_dict(model_to_dict(brand))
         if hasattr(request, "user"):
-            original_user = None
-            if hasattr(request, "session"):
-                original_user = request.session.get(SESSION_KEY_IMPERSONATE_ORIGINAL_USER, None)
-            self.user = get_user(request.user, original_user)
+            self.user = get_user(request.user)
         if user:
             self.user = get_user(user)
-        # Check if we're currently impersonating, and add that user
         if hasattr(request, "session"):
+            from authentik.flows.views.executor import SESSION_KEY_PLAN
+
+            # Check if we're currently impersonating, and add that user
             if SESSION_KEY_IMPERSONATE_ORIGINAL_USER in request.session:
                 self.user = get_user(request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER])
                 self.user["on_behalf_of"] = get_user(request.session[SESSION_KEY_IMPERSONATE_USER])
+            # Special case for events that happen during a flow, the user might not be authenticated
+            # yet but is a pending user instead
+            if SESSION_KEY_PLAN in request.session:
+                from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+
+                plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+                pending_user = plan.context.get(PLAN_CONTEXT_PENDING_USER, None)
+                # Only save `authenticated_as` if there's a different pending user in the flow
+                # than the user that is authenticated
+                if pending_user and (
+                    (pending_user.pk and pending_user.pk != self.user.get("pk"))
+                    or (not pending_user.pk)
+                ):
+                    orig_user = self.user.copy()
+
+                    self.user = {"authenticated_as": orig_user, **get_user(pending_user)}
         # User 255.255.255.255 as fallback if IP cannot be determined
         self.client_ip = ClientIPMiddleware.get_client_ip(request)
         # Enrich event data

authentik/events/tests/test_event.py

@@ -8,9 +8,11 @@ from django.views.debug import SafeExceptionReporterFilter
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.brands.models import Brand
-from authentik.core.models import Group
+from authentik.core.models import Group, User
+from authentik.core.tests.utils import create_test_user
 from authentik.events.models import Event
-from authentik.flows.views.executor import QS_QUERY
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.views.executor import QS_QUERY, SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 
@@ -116,3 +118,92 @@ class TestEvents(TestCase):
                 "pk": brand.pk.hex,
             },
         )
+
+    def test_from_http_flow_pending_user(self):
+        """Test request from flow request with a pending user"""
+        user = create_test_user()
+
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        request = self.factory.get("/")
+        request.session = session
+        request.user = user
+
+        event = Event.new("unittest").from_http(request)
+        self.assertEqual(
+            event.user,
+            {
+                "email": user.email,
+                "pk": user.pk,
+                "username": user.username,
+            },
+        )
+
+    def test_from_http_flow_pending_user_anon(self):
+        """Test request from flow request with a pending user"""
+        user = create_test_user()
+        anon = get_anonymous_user()
+
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        request = self.factory.get("/")
+        request.session = session
+        request.user = anon
+
+        event = Event.new("unittest").from_http(request)
+        self.assertEqual(
+            event.user,
+            {
+                "authenticated_as": {
+                    "pk": anon.pk,
+                    "is_anonymous": True,
+                    "username": "AnonymousUser",
+                    "email": "",
+                },
+                "email": user.email,
+                "pk": user.pk,
+                "username": user.username,
+            },
+        )
+
+    def test_from_http_flow_pending_user_fake(self):
+        """Test request from flow request with a pending user"""
+        user = User(
+            username=generate_id(),
+            email=generate_id(),
+        )
+        anon = get_anonymous_user()
+
+        session = self.client.session
+        plan = FlowPlan(generate_id())
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        request = self.factory.get("/")
+        request.session = session
+        request.user = anon
+
+        event = Event.new("unittest").from_http(request)
+        self.assertEqual(
+            event.user,
+            {
+                "authenticated_as": {
+                    "pk": anon.pk,
+                    "is_anonymous": True,
+                    "username": "AnonymousUser",
+                    "email": "",
+                },
+                "email": user.email,
+                "pk": user.pk,
+                "username": user.username,
+            },
+        )

authentik/events/utils.py

@@ -74,8 +74,8 @@ def model_to_dict(model: Model) -> dict[str, Any]:
     }
 
 
-def get_user(user: User | AnonymousUser, original_user: User | None = None) -> dict[str, Any]:
-    """Convert user object to dictionary, optionally including the original user"""
+def get_user(user: User | AnonymousUser) -> dict[str, Any]:
+    """Convert user object to dictionary"""
     if isinstance(user, AnonymousUser):
         try:
             user = get_anonymous_user()
@@ -88,10 +88,6 @@ def get_user(user: User | AnonymousUser, original_user: User | None = None) -> d
     }
     if user.username == settings.ANONYMOUS_USER_NAME:
         user_data["is_anonymous"] = True
-    if original_user:
-        original_data = get_user(original_user)
-        original_data["on_behalf_of"] = user_data
-        return original_data
     return user_data
 
 

authentik/providers/oauth2/views/token.py

@@ -555,6 +555,8 @@ class TokenView(View):
 
     provider: OAuth2Provider | None = None
     params: TokenParams | None = None
+    params_class = TokenParams
+    provider_class = OAuth2Provider
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         response = super().dispatch(request, *args, **kwargs)
@@ -574,12 +576,14 @@ class TokenView(View):
                 op="authentik.providers.oauth2.post.parse",
             ):
                 client_id, client_secret = extract_client_auth(request)
-                self.provider = OAuth2Provider.objects.filter(client_id=client_id).first()
+                self.provider = self.provider_class.objects.filter(client_id=client_id).first()
                 if not self.provider:
                     LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
                     raise TokenError("invalid_client")
                 CTX_AUTH_VIA.set("oauth_client_secret")
-                self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
+                self.params = self.params_class.parse(
+                    request, self.provider, client_id, client_secret
+                )
 
             with start_span(
                 op="authentik.providers.oauth2.post.response",

authentik/providers/rac/consumer_client.py

@@ -66,7 +66,10 @@ class RACClientConsumer(AsyncWebsocketConsumer):
     def init_outpost_connection(self):
         """Initialize guac connection settings"""
         self.token = (
-            ConnectionToken.filter_not_expired(token=self.scope["url_route"]["kwargs"]["token"])
+            ConnectionToken.filter_not_expired(
+                token=self.scope["url_route"]["kwargs"]["token"],
+                session__session__session_key=self.scope["session"].session_key,
+            )
             .select_related("endpoint", "provider", "session", "session__user")
             .first()
         )

authentik/providers/rac/tests/test_views.py

@@ -87,3 +87,22 @@ class TestRACViews(APITestCase):
         )
         body = loads(flow_response.content)
         self.assertEqual(body["component"], "ak-stage-access-denied")
+
+    def test_different_session(self):
+        """Test request"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse(
+                "authentik_providers_rac:start",
+                kwargs={"app": self.app.slug, "endpoint": str(self.endpoint.pk)},
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        flow_response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+        body = loads(flow_response.content)
+        next_url = body["to"]
+        self.client.logout()
+        final_response = self.client.get(next_url)
+        self.assertEqual(final_response.url, reverse("authentik_core:if-user"))

authentik/providers/rac/views.py

@@ -68,7 +68,10 @@ class RACInterface(InterfaceView):
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         # Early sanity check to ensure token still exists
-        token = ConnectionToken.filter_not_expired(token=self.kwargs["token"]).first()
+        token = ConnectionToken.filter_not_expired(
+            token=self.kwargs["token"],
+            session__session__session_key=request.session.session_key,
+        ).first()
         if not token:
             return redirect("authentik_core:if-user")
         self.token = token

authentik/root/middleware.py

@@ -61,6 +61,22 @@ class SessionMiddleware(UpstreamSessionMiddleware):
             pass
         return session_key
 
+    @staticmethod
+    def encode_session(session_key: str, user: User):
+        payload = {
+            "sid": session_key,
+            "iss": "authentik",
+            "sub": "anonymous",
+            "authenticated": user.is_authenticated,
+            "acr": ACR_AUTHENTIK_SESSION,
+        }
+        if user.is_authenticated:
+            payload["sub"] = user.uid
+        value = encode(payload=payload, key=SIGNING_HASH)
+        if settings.TEST:
+            value = session_key
+        return value
+
     def process_request(self, request: HttpRequest):
         raw_session = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         session_key = SessionMiddleware.decode_session_key(raw_session)
@@ -117,21 +133,9 @@ class SessionMiddleware(UpstreamSessionMiddleware):
                             "request completed. The user may have logged "
                             "out in a concurrent request, for example."
                         ) from None
-                    payload = {
-                        "sid": request.session.session_key,
-                        "iss": "authentik",
-                        "sub": "anonymous",
-                        "authenticated": request.user.is_authenticated,
-                        "acr": ACR_AUTHENTIK_SESSION,
-                    }
-                    if request.user.is_authenticated:
-                        payload["sub"] = request.user.uid
-                    value = encode(payload=payload, key=SIGNING_HASH)
-                    if settings.TEST:
-                        value = request.session.session_key
                     response.set_cookie(
                         settings.SESSION_COOKIE_NAME,
-                        value,
+                        SessionMiddleware.encode_session(request.session.session_key, request.user),
                         max_age=max_age,
                         expires=expires,
                         domain=settings.SESSION_COOKIE_DOMAIN,

authentik/stages/email/templates/email/account_confirmation.html

@@ -27,7 +27,6 @@
     </table>
   </td>
 </tr>
-<td>
 {% endblock %}
 
 {% block sub_content %}

authentik/tenants/api/settings.py

@@ -1,6 +1,7 @@
 """Serializer for tenants models"""
 
 from django_tenants.utils import get_public_schema_name
+from rest_framework.fields import JSONField
 from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.permissions import SAFE_METHODS
 
@@ -12,6 +13,8 @@ from authentik.tenants.models import Tenant
 class SettingsSerializer(ModelSerializer):
     """Settings Serializer"""
 
+    footer_links = JSONField(required=False)
+
     class Meta:
         model = Tenant
         fields = [

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.6.2 Blueprint schema",
+    "title": "authentik 2025.6.3 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -496,6 +496,46 @@
                         }
                     }
                 },
+                {
+                    "type": "object",
+                    "required": [
+                        "model",
+                        "identifiers"
+                    ],
+                    "properties": {
+                        "model": {
+                            "const": "authentik_providers_apple_psso.appleplatformssoprovider"
+                        },
+                        "id": {
+                            "type": "string"
+                        },
+                        "state": {
+                            "type": "string",
+                            "enum": [
+                                "absent",
+                                "created",
+                                "must_created",
+                                "present"
+                            ],
+                            "default": "present"
+                        },
+                        "conditions": {
+                            "type": "array",
+                            "items": {
+                                "type": "boolean"
+                            }
+                        },
+                        "permissions": {
+                            "$ref": "#/$defs/model_authentik_providers_apple_psso.appleplatformssoprovider_permissions"
+                        },
+                        "attrs": {
+                            "$ref": "#/$defs/model_authentik_providers_apple_psso.appleplatformssoprovider"
+                        },
+                        "identifiers": {
+                            "$ref": "#/$defs/model_authentik_providers_apple_psso.appleplatformssoprovider"
+                        }
+                    }
+                },
                 {
                     "type": "object",
                     "required": [
@@ -5028,6 +5068,22 @@
                             "authentik_policies_unique_password.delete_userpasswordhistory",
                             "authentik_policies_unique_password.view_uniquepasswordpolicy",
                             "authentik_policies_unique_password.view_userpasswordhistory",
+                            "authentik_providers_apple_psso.add_appledevice",
+                            "authentik_providers_apple_psso.add_appledeviceuser",
+                            "authentik_providers_apple_psso.add_applenonce",
+                            "authentik_providers_apple_psso.add_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.change_appledevice",
+                            "authentik_providers_apple_psso.change_appledeviceuser",
+                            "authentik_providers_apple_psso.change_applenonce",
+                            "authentik_providers_apple_psso.change_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.delete_appledevice",
+                            "authentik_providers_apple_psso.delete_appledeviceuser",
+                            "authentik_providers_apple_psso.delete_applenonce",
+                            "authentik_providers_apple_psso.delete_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.view_appledevice",
+                            "authentik_providers_apple_psso.view_appledeviceuser",
+                            "authentik_providers_apple_psso.view_applenonce",
+                            "authentik_providers_apple_psso.view_appleplatformssoprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidergroup",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidermapping",
@@ -5599,6 +5655,43 @@
                 }
             }
         },
+        "model_authentik_providers_apple_psso.appleplatformssoprovider": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_providers_apple_psso.appleplatformssoprovider_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_appleplatformssoprovider",
+                            "change_appleplatformssoprovider",
+                            "delete_appleplatformssoprovider",
+                            "view_appleplatformssoprovider"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
         "model_authentik_providers_google_workspace.googleworkspaceprovider": {
             "type": "object",
             "properties": {
@@ -7342,6 +7435,7 @@
                         "authentik.enterprise",
                         "authentik.enterprise.audit",
                         "authentik.enterprise.policies.unique_password",
+                        "authentik.enterprise.providers.apple_psso",
                         "authentik.enterprise.providers.google_workspace",
                         "authentik.enterprise.providers.microsoft_entra",
                         "authentik.enterprise.providers.ssf",
@@ -7452,6 +7546,7 @@
                         "authentik_core.token",
                         "authentik_enterprise.license",
                         "authentik_policies_unique_password.uniquepasswordpolicy",
+                        "authentik_providers_apple_psso.appleplatformssoprovider",
                         "authentik_providers_google_workspace.googleworkspaceprovider",
                         "authentik_providers_google_workspace.googleworkspaceprovidermapping",
                         "authentik_providers_microsoft_entra.microsoftentraprovider",
@@ -9674,6 +9769,22 @@
                             "authentik_policies_unique_password.delete_userpasswordhistory",
                             "authentik_policies_unique_password.view_uniquepasswordpolicy",
                             "authentik_policies_unique_password.view_userpasswordhistory",
+                            "authentik_providers_apple_psso.add_appledevice",
+                            "authentik_providers_apple_psso.add_appledeviceuser",
+                            "authentik_providers_apple_psso.add_applenonce",
+                            "authentik_providers_apple_psso.add_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.change_appledevice",
+                            "authentik_providers_apple_psso.change_appledeviceuser",
+                            "authentik_providers_apple_psso.change_applenonce",
+                            "authentik_providers_apple_psso.change_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.delete_appledevice",
+                            "authentik_providers_apple_psso.delete_appledeviceuser",
+                            "authentik_providers_apple_psso.delete_applenonce",
+                            "authentik_providers_apple_psso.delete_appleplatformssoprovider",
+                            "authentik_providers_apple_psso.view_appledevice",
+                            "authentik_providers_apple_psso.view_appledeviceuser",
+                            "authentik_providers_apple_psso.view_applenonce",
+                            "authentik_providers_apple_psso.view_appleplatformssoprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidergroup",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidermapping",

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -23,13 +23,13 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.10.0
+	github.com/redis/go-redis/v9 v9.11.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025062.4
+	goauthentik.io/api/v3 v3.2025063.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.15.0

go.sum

@@ -251,8 +251,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs=
-github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.11.0 h1:E3S08Gl/nJNn5vkxd2i78wZxWAPNZgUNTp8WIJUAiIs=
+github.com/redis/go-redis/v9 v9.11.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -298,8 +298,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025062.4 h1:HuyL12kKserXT2w+wCDUYNRSeyCCGX81wU9SRCPuxDo=
-goauthentik.io/api/v3 v3.2025062.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025063.1 h1:zvKhZTESgMY/SNiLuTs7G0YleBnev1v7+S9Xd6PZ9bc=
+goauthentik.io/api/v3 v3.2025063.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.6.2"
+const VERSION = "2025.6.3"

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1019.1",
+                "aws-cdk": "^2.1019.2",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1019.1",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1019.1.tgz",
-            "integrity": "sha512-G2jxKuTsYTrYZX80CDApCrKcZ+AuFxxd+b0dkb0KEkfUsela7RqrDGLm5wOzSCIc3iH6GocR8JDVZuJ+0nNuKg==",
+            "version": "2.1019.2",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1019.2.tgz",
+            "integrity": "sha512-LkWZ3IKBkfCPTCu60t4Wb9JMSkb+0Uzk+HIxZeW5sFohq8bxDGV0OP1hcqEC2+KbVYRn7q+YhMeSJ/FOQcgpiw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1019.1",
+        "aws-cdk": "^2.1019.2",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.6.2
+    Default: 2025.6.3
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-19 00:10+0000\n"
+"POT-Creation-Date: 2025-06-25 00:10+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -109,10 +109,6 @@ msgstr ""
 msgid "User does not have access to application."
 msgstr ""
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr ""
-
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr ""

locale/it/LC_MESSAGES/django.po

@@ -11,18 +11,18 @@
 # Nicola Mersi, 2024
 # tmassimi, 2024
 # Marc Schmitt, 2024
-# albanobattistella <albanobattistella@gmail.com>, 2024
 # Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
+# albanobattistella <albanobattistella@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-05-28 11:25+0000\n"
+"POT-Creation-Date: 2025-06-25 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
+"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -116,7 +116,7 @@ msgstr "Certificato Web utilizzato dal server Web authentik Core."
 
 #: authentik/brands/models.py
 msgid "Certificates used for client authentication."
-msgstr ""
+msgstr "Certificati utilizzati per l'autenticazione del client."
 
 #: authentik/brands/models.py
 msgid "Brand"
@@ -130,10 +130,6 @@ msgstr "Brands"
 msgid "User does not have access to application."
 msgstr "L'utente non ha accesso all'applicazione."
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "Descrizione extra non disponibile"
-
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "Impossibile impostare il gruppo come padre di se stesso."
@@ -294,15 +290,15 @@ msgid ""
 msgstr ""
 "Collegamento a un utente con indirizzo email identico. Può avere "
 "implicazioni sulla sicurezza quando una fonte non convalida gli indirizzi "
-"e-mail."
+"email."
 
 #: authentik/core/models.py
 msgid ""
 "Use the user's email address, but deny enrollment when the email address "
 "already exists."
 msgstr ""
-"Usa l'indirizzo e-mail dell'utente, ma nega l'iscrizione quando l'indirizzo "
-"e-mail esiste già."
+"Usa l'indirizzo email dell'utente, ma nega l'iscrizione quando l'indirizzo "
+"email esiste già."
 
 #: authentik/core/models.py
 msgid ""
@@ -682,26 +678,29 @@ msgid ""
 "option has a higher priority than the `client_certificate` option on "
 "`Brand`."
 msgstr ""
+"Configura le autorità di certificazione per convalidare il certificato. "
+"Questa opzione ha una priorità maggiore rispetto all'opzione "
+"`client_certificate` su `Brand`."
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stage"
-msgstr ""
+msgstr "Fase di TLS reciproca"
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stages"
-msgstr ""
+msgstr "Fasi di TLS reciproche"
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Permissions to pass Certificates for outposts."
-msgstr ""
+msgstr " Permessi di trasmissione dei Certificati per gli avamposti."
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "Certificate required but no certificate was given."
-msgstr ""
+msgstr " Il certificato è stato richiesto ma non è stato consegnato."
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "No user found for certificate."
-msgstr ""
+msgstr "Nessun utente trovato per il certificato."
 
 #: authentik/enterprise/stages/source/models.py
 msgid ""
@@ -834,6 +833,14 @@ msgstr ""
 "Definisci a quale gruppo di utenti deve essere inviata e mostrata questa "
 "notifica. Se lasciato vuoto, la notifica non verrà inviata."
 
+#: authentik/events/models.py
+msgid ""
+"When enabled, notification will be sent to user the user that triggered the "
+"event.When destination_group is configured, notification is sent to both."
+msgstr ""
+"Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento."
+" Se destination_group è configurato, la notifica verrà inviata a entrambi."
+
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "Regola di notifica"
@@ -1050,16 +1057,16 @@ msgstr "Avvio della sincronizzazione completa del provider"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr ""
+msgstr "Sincronizzazione degli utenti"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr ""
+msgstr "Sincronizzazione dei gruppi"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of groups"
-msgstr "Sincronizzando pagina {page} dei gruppi"
+msgid "Syncing page {page} of {object_type}"
+msgstr "Sincronizzazione della pagina {page} di {object_type}"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
@@ -2461,6 +2468,10 @@ msgstr "Gruppo di aggiunta DN"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Considerare gli oggetti corrispondenti a questo filtro come Utenti."
 
+#: authentik/sources/ldap/models.py
+msgid "Attribute which matches the value of `group_membership_field`."
+msgstr "Attributo che corrisponde al valore di `group_membership_field`."
+
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Campo che contiene i membri di un gruppo."
@@ -2502,6 +2513,8 @@ msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
 msgstr ""
+"Elimina gli utenti e i gruppi authentik precedentemente forniti da questa "
+"fonte, ma che ora mancano."
 
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@@ -2523,6 +2536,8 @@ msgstr "Mappature delle proprietà della sorgente LDAP"
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
 msgstr ""
+"ID univoco utilizzato per verificare se questo oggetto esiste ancora nella "
+"directory."
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
@@ -2920,7 +2935,7 @@ msgstr "Connessioni sorgente SAML di gruppo"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr ""
+msgstr "Continua su {source_name}"
 
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@@ -2988,8 +3003,8 @@ msgstr "Fasi di configurazione dell'autenticatore email"
 #: authentik/stages/email/stage.py
 msgid "Exception occurred while rendering E-mail template"
 msgstr ""
-"Eccezione verificatasi durante la visualizzazione del modello di posta "
-"elettronica"
+"Si è verificata un'eccezione durante la visualizzazione del modello di posta"
+" elettronica"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
@@ -3028,7 +3043,7 @@ msgid ""
 "          "
 msgstr ""
 "\n"
-"          Codice MFA via e-mail.\n"
+"          Codice MFA via email.\n"
 "          "
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
@@ -3054,7 +3069,7 @@ msgid ""
 "Email MFA code\n"
 msgstr ""
 "\n"
-"Codice e-mail MFA\n"
+"Codice email MFA\n"
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
@@ -3321,7 +3336,7 @@ msgstr "Consensi utente"
 
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr ""
+msgstr "Token di consenso non valido, viene nuovamente visualizzato il prompt"
 
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@@ -3341,11 +3356,11 @@ msgstr "Fasi fittizie"
 
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr ""
+msgstr "Continua per confermare questo indirizzo email."
 
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr ""
+msgstr "Il collegamento è già stato utilizzato. Richiedine uno nuovo."
 
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@@ -3365,7 +3380,7 @@ msgstr "Fase email"
 
 #: authentik/stages/email/models.py
 msgid "Email Stages"
-msgstr "Fasi Email"
+msgstr "Fasi email"
 
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
@@ -3467,7 +3482,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"   Se non hai richiesto una modifica della password, ignora questa e-mail. Il link sopra è valido per %(expires)s.\n"
+"   Se non hai richiesto una modifica della password, ignora questa email. Il link sopra è valido per %(expires)s.\n"
 "    "
 
 #: authentik/stages/email/templates/email/password_reset.txt
@@ -3485,11 +3500,11 @@ msgid ""
 "If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
-"Se non hai richiesto una modifica della password, ignora questa e-mail. Il link sopra è valido per %(expires)s.\n"
+"Se non hai richiesto una modifica della password, ignora questa email. Il link sopra è valido per %(expires)s.\n"
 
 #: authentik/stages/email/templates/email/setup.html
 msgid "authentik Test-Email"
-msgstr "e-mail di prova di authentik"
+msgstr "email di prova di authentik"
 
 #: authentik/stages/email/templates/email/setup.html
 msgid ""
@@ -3498,7 +3513,7 @@ msgid ""
 "                    "
 msgstr ""
 "\n"
-"                    Questa è un'e-mail di prova per informarti che hai configurato correttamente le e-mail di authentik.\n"
+"                    Questa è un'email di prova per informarti che hai configurato correttamente le email di authentik.\n"
 "                    "
 
 #: authentik/stages/email/templates/email/setup.txt
@@ -3507,7 +3522,7 @@ msgid ""
 "This is a test email to inform you, that you've successfully configured authentik emails.\n"
 msgstr ""
 "\n"
-"Questa è un'e-mail di prova per informarti che hai configurato correttamente le e-mail di authentik.\n"
+"Questa è un'email di prova per informarti che hai configurato correttamente le email di authentik.\n"
 
 #: authentik/stages/identification/api.py
 msgid "When no user fields are selected, at least one source must be selected"
@@ -3710,7 +3725,7 @@ msgstr ""
 
 #: authentik/stages/prompt/models.py
 msgid "Email: Text field with Email type."
-msgstr "E-mail: Campo di testo con il tipo di e-mail."
+msgstr "Email: Campo di testo con il tipo di email."
 
 #: authentik/stages/prompt/models.py
 msgid ""
@@ -3865,10 +3880,6 @@ msgstr "Fasi di accesso utente"
 msgid "No Pending user to login."
 msgstr "Nessun utente in attesa di accesso."
 
-#: authentik/stages/user_login/stage.py
-msgid "Successfully logged in!"
-msgstr "Accesso effettuato!"
-
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Fase di disconnessione dell'utente"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-04 00:12+0000\n"
+"POT-Creation-Date: 2025-06-25 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -118,10 +118,6 @@ msgstr "品牌"
 msgid "User does not have access to application."
 msgstr "用户没有访问此应用程序的权限。"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "无法设置组自身为父级。"
@@ -775,6 +771,12 @@ msgid ""
 "If left empty, Notification won't ben sent."
 msgstr "定义此通知应该发送到哪些用户组。如果留空，则不会发送通知。"
 
+#: authentik/events/models.py
+msgid ""
+"When enabled, notification will be sent to user the user that triggered the "
+"event.When destination_group is configured, notification is sent to both."
+msgstr "启用时，通知会被发送到触发事件的用户。当配置了 destination_group 时，通知也会同时发送到对应组。"
+
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "通知规则"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-04 00:12+0000\n"
+"POT-Creation-Date: 2025-06-25 00:10+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -117,10 +117,6 @@ msgstr "品牌"
 msgid "User does not have access to application."
 msgstr "用户没有访问此应用程序的权限。"
 
-#: authentik/core/api/devices.py
-msgid "Extra description not available"
-msgstr "额外描述不可用"
-
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "无法设置组自身为父级。"
@@ -774,6 +770,12 @@ msgid ""
 "If left empty, Notification won't ben sent."
 msgstr "定义此通知应该发送到哪些用户组。如果留空，则不会发送通知。"
 
+#: authentik/events/models.py
+msgid ""
+"When enabled, notification will be sent to user the user that triggered the "
+"event.When destination_group is configured, notification is sent to both."
+msgstr "启用时，通知会被发送到触发事件的用户。当配置了 destination_group 时，通知也会同时发送到对应组。"
+
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "通知规则"

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.2",
+    "version": "2025.6.3",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.6.2",
+            "version": "2025.6.3",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                 "prettier": "^3.3.3",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.2",
+    "version": "2025.6.3",
     "private": true,
     "type": "module",
     "devDependencies": {

packages/esbuild-plugin-live-reload/.gitignore

@@ -1,3 +1,4 @@
 README.md
 node_modules
 _media
+!.github/README.md

packages/esbuild-plugin-live-reload/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/esbuild-plugin-live-reload",
-    "version": "1.0.5",
+    "version": "1.0.6",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/esbuild-plugin-live-reload",
-            "version": "1.0.5",
+            "version": "1.0.6",
             "license": "MIT",
             "dependencies": {
                 "find-free-ports": "^3.1.1"

packages/esbuild-plugin-live-reload/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/esbuild-plugin-live-reload",
-    "version": "1.0.5",
+    "version": "1.0.6",
     "description": "ESBuild + browser refresh. Build completes, page reloads.",
     "license": "MIT",
     "scripts": {

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.2"
+version = "2025.6.3"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@@ -17,10 +17,10 @@ dependencies = [
     "django-countries==7.6.1",
     "django-cte==2.0.0",
     "django-filter==25.1",
-    "django-guardian==3.0.0",
+    "django-guardian==3.0.3",
     "django-model-utils==5.0.0",
     "django-pglock==1.7.2",
-    "django-prometheus==2.4.0",
+    "django-prometheus==2.4.1",
     "django-redis==6.0.0",
     "django-storages[s3]==1.14.6",
     "django-tenants==3.8.0",
@@ -36,7 +36,7 @@ dependencies = [
     "flower==2.0.1",
     "geoip2==5.1.0",
     "geopy==2.4.1",
-    "google-api-python-client==2.173.0",
+    "google-api-python-client==2.174.0",
     "gssapi==1.9.0",
     "gunicorn==23.0.0",
     "jsonpatch==1.33",
@@ -44,7 +44,7 @@ dependencies = [
     "kubernetes==33.1.0",
     "ldap3==2.9.1",
     "lxml==5.4.0",
-    "msgraph-sdk==1.34.0",
+    "msgraph-sdk==1.35.0",
     "opencontainers==0.0.14",
     "packaging==25.0",
     "paramiko==3.5.1",
@@ -57,7 +57,7 @@ dependencies = [
     "pyyaml==6.0.2",
     "requests-oauthlib==2.0.0",
     "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.30.0",
+    "sentry-sdk==2.32.0",
     "service-identity==24.2.0",
     "setproctitle==1.3.6",
     "structlog==25.4.0",
@@ -67,7 +67,7 @@ dependencies = [
     "ua-parser==1.0.1",
     "unidecode==1.4.0",
     "urllib3<3",
-    "uvicorn[standard]==0.34.3",
+    "uvicorn[standard]==0.35.0",
     "watchdog==6.0.0",
     "webauthn==2.6.0",
     "wsproto==1.2.0",

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.6.2
+  version: 2025.6.3
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -24864,6 +24864,7 @@ paths:
           - authentik_policies_password.passwordpolicy
           - authentik_policies_reputation.reputationpolicy
           - authentik_policies_unique_password.uniquepasswordpolicy
+          - authentik_providers_apple_psso.appleplatformssoprovider
           - authentik_providers_google_workspace.googleworkspaceprovider
           - authentik_providers_google_workspace.googleworkspaceprovidermapping
           - authentik_providers_ldap.ldapprovider
@@ -25113,6 +25114,7 @@ paths:
           - authentik_policies_password.passwordpolicy
           - authentik_policies_reputation.reputationpolicy
           - authentik_policies_unique_password.uniquepasswordpolicy
+          - authentik_providers_apple_psso.appleplatformssoprovider
           - authentik_providers_google_workspace.googleworkspaceprovider
           - authentik_providers_google_workspace.googleworkspaceprovidermapping
           - authentik_providers_ldap.ldapprovider
@@ -41212,6 +41214,7 @@ components:
       - authentik.enterprise
       - authentik.enterprise.audit
       - authentik.enterprise.policies.unique_password
+      - authentik.enterprise.providers.apple_psso
       - authentik.enterprise.providers.google_workspace
       - authentik.enterprise.providers.microsoft_entra
       - authentik.enterprise.providers.ssf
@@ -41258,6 +41261,15 @@ components:
       - redirect_uri
       - scope
       - state
+    ApplePlatformSSOProviderRequest:
+      type: object
+      description: ApplePlatformSSOProvider Serializer
+      properties:
+        name:
+          type: string
+          minLength: 1
+      required:
+      - name
     Application:
       type: object
       description: Application Serializer
@@ -41338,7 +41350,9 @@ components:
         app:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - app
       - name
@@ -41353,7 +41367,9 @@ components:
         app:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - app
       - name
@@ -41942,7 +41958,9 @@ components:
         friendly_name:
           type: string
           nullable: true
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
       required:
       - component
       - credentials
@@ -41972,7 +41990,9 @@ components:
           type: string
           nullable: true
           minLength: 1
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
       required:
       - credentials
       - name
@@ -42777,7 +42797,9 @@ components:
         path:
           type: string
           default: ''
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         last_applied:
           type: string
           format: date-time
@@ -42797,6 +42819,8 @@ components:
             type: string
           readOnly: true
         metadata:
+          type: object
+          additionalProperties: {}
           readOnly: true
         content:
           type: string
@@ -42818,7 +42842,9 @@ components:
         path:
           type: string
           default: ''
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         enabled:
           type: boolean
         content:
@@ -42898,7 +42924,9 @@ components:
             type: string
             format: uuid
           description: Certificates used for client authentication.
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - brand_uuid
       - domain
@@ -42968,7 +42996,9 @@ components:
             type: string
             format: uuid
           description: Certificates used for client authentication.
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - domain
     Cache:
@@ -44609,7 +44639,9 @@ components:
           $ref: '#/components/schemas/ProtocolEnum'
         host:
           type: string
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         property_mappings:
           type: array
           items:
@@ -44680,7 +44712,9 @@ components:
         host:
           type: string
           minLength: 1
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         property_mappings:
           type: array
           items:
@@ -44744,12 +44778,16 @@ components:
           format: uuid
           readOnly: true
           title: Event uuid
-        user: {}
+        user:
+          type: object
+          additionalProperties: {}
         action:
           $ref: '#/components/schemas/EventActions'
         app:
           type: string
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         client_ip:
           type: string
           nullable: true
@@ -44760,7 +44798,9 @@ components:
         expires:
           type: string
           format: date-time
-        brand: {}
+        brand:
+          type: object
+          additionalProperties: {}
       required:
       - action
       - app
@@ -44905,13 +44945,17 @@ components:
       type: object
       description: Event Serializer
       properties:
-        user: {}
+        user:
+          type: object
+          additionalProperties: {}
         action:
           $ref: '#/components/schemas/EventActions'
         app:
           type: string
           minLength: 1
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         client_ip:
           type: string
           nullable: true
@@ -44919,7 +44963,9 @@ components:
         expires:
           type: string
           format: date-time
-        brand: {}
+        brand:
+          type: object
+          additionalProperties: {}
       required:
       - action
       - app
@@ -45894,7 +45940,9 @@ components:
           type: string
           format: email
           maxLength: 254
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
         scopes:
           type: string
         exclude_users_service_account:
@@ -45945,6 +45993,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -46059,7 +46109,9 @@ components:
           format: email
           minLength: 1
           maxLength: 254
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
         scopes:
           type: string
           minLength: 1
@@ -46104,6 +46156,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -47432,6 +47486,8 @@ components:
           description: Return internal model name
           readOnly: true
         kubeconfig:
+          type: object
+          additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
         verify_ssl:
@@ -47456,6 +47512,8 @@ components:
           description: If enabled, use the local connection. Required Docker socket/Kubernetes
             Integration
         kubeconfig:
+          type: object
+          additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
         verify_ssl:
@@ -48392,6 +48450,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -48548,6 +48608,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -48664,6 +48726,7 @@ components:
       - authentik_core.token
       - authentik_enterprise.license
       - authentik_policies_unique_password.uniquepasswordpolicy
+      - authentik_providers_apple_psso.appleplatformssoprovider
       - authentik_providers_google_workspace.googleworkspaceprovider
       - authentik_providers_google_workspace.googleworkspaceprovidermapping
       - authentik_providers_microsoft_entra.microsoftentraprovider
@@ -49460,7 +49523,9 @@ components:
           type: string
         oidc_jwks_url:
           type: string
-        oidc_jwks: {}
+        oidc_jwks:
+          type: object
+          additionalProperties: {}
         authorization_code_auth_method:
           allOf:
           - $ref: '#/components/schemas/AuthorizationCodeAuthMethodEnum'
@@ -49634,7 +49699,9 @@ components:
           type: string
         oidc_jwks_url:
           type: string
-        oidc_jwks: {}
+        oidc_jwks:
+          type: object
+          additionalProperties: {}
         authorization_code_auth_method:
           allOf:
           - $ref: '#/components/schemas/AuthorizationCodeAuthMethodEnum'
@@ -52319,7 +52386,9 @@ components:
         app:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
     PatchedApplicationRequest:
       type: object
       description: Application Serializer
@@ -52471,7 +52540,9 @@ components:
           type: string
           nullable: true
           minLength: 1
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
     PatchedAuthenticatorSMSStageRequest:
       type: object
       description: AuthenticatorSMSStage Serializer
@@ -52658,7 +52729,9 @@ components:
         path:
           type: string
           default: ''
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         enabled:
           type: boolean
         content:
@@ -52729,7 +52802,9 @@ components:
             type: string
             format: uuid
           description: Certificates used for client authentication.
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
     PatchedCaptchaStageRequest:
       type: object
       description: CaptchaStage Serializer
@@ -53005,7 +53080,9 @@ components:
         host:
           type: string
           minLength: 1
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         property_mappings:
           type: array
           items:
@@ -53057,13 +53134,17 @@ components:
       type: object
       description: Event Serializer
       properties:
-        user: {}
+        user:
+          type: object
+          additionalProperties: {}
         action:
           $ref: '#/components/schemas/EventActions'
         app:
           type: string
           minLength: 1
-        context: {}
+        context:
+          type: object
+          additionalProperties: {}
         client_ip:
           type: string
           nullable: true
@@ -53071,7 +53152,9 @@ components:
         expires:
           type: string
           format: date-time
-        brand: {}
+        brand:
+          type: object
+          additionalProperties: {}
     PatchedExpressionPolicyRequest:
       type: object
       description: Group Membership Policy Serializer
@@ -53254,7 +53337,9 @@ components:
           format: email
           minLength: 1
           maxLength: 254
-        credentials: {}
+        credentials:
+          type: object
+          additionalProperties: {}
         scopes:
           type: string
           minLength: 1
@@ -53638,6 +53723,8 @@ components:
           description: If enabled, use the local connection. Required Docker socket/Kubernetes
             Integration
         kubeconfig:
+          type: object
+          additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
         verify_ssl:
@@ -54221,7 +54308,9 @@ components:
           type: string
         oidc_jwks_url:
           type: string
-        oidc_jwks: {}
+        oidc_jwks:
+          type: object
+          additionalProperties: {}
         authorization_code_auth_method:
           allOf:
           - $ref: '#/components/schemas/AuthorizationCodeAuthMethodEnum'
@@ -54700,7 +54789,9 @@ components:
           items:
             type: string
             format: uuid
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         connection_expiry:
           type: string
           minLength: 1
@@ -55157,7 +55248,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
     PatchedSCIMSourcePropertyMappingRequest:
       type: object
       description: SCIMSourcePropertyMapping Serializer
@@ -55218,7 +55311,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
     PatchedSMSDeviceRequest:
       type: object
       description: Serializer for sms authenticator devices
@@ -55305,9 +55400,7 @@ components:
           minimum: 0
           description: Reputation cannot increase higher than this value. Zero or
             positive.
-        footer_links:
-          description: The option configures the footer links on the flow executor
-            pages.
+        footer_links: {}
         gdpr_compliance:
           type: boolean
           description: When enabled, all the events caused by a user will be deleted
@@ -56579,6 +56672,7 @@ components:
       type: string
     ProviderModelEnum:
       enum:
+      - authentik_providers_apple_psso.appleplatformssoprovider
       - authentik_providers_google_workspace.googleworkspaceprovider
       - authentik_providers_ldap.ldapprovider
       - authentik_providers_microsoft_entra.microsoftentraprovider
@@ -57119,7 +57213,9 @@ components:
           type: string
           description: Return internal model name
           readOnly: true
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         outpost_set:
           type: array
           items:
@@ -57167,7 +57263,9 @@ components:
           items:
             type: string
             format: uuid
-        settings: {}
+        settings:
+          type: object
+          additionalProperties: {}
         connection_expiry:
           type: string
           minLength: 1
@@ -57577,8 +57675,12 @@ components:
           type: string
         ip:
           type: string
-        ip_geo_data: {}
-        ip_asn_data: {}
+        ip_geo_data:
+          type: object
+          additionalProperties: {}
+        ip_asn_data:
+          type: object
+          additionalProperties: {}
         score:
           type: integer
           maximum: 9223372036854775807
@@ -58651,6 +58753,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -58741,6 +58845,8 @@ components:
         provider:
           type: integer
         attributes:
+          type: object
+          additionalProperties: {}
           readOnly: true
       required:
       - attributes
@@ -58855,7 +58961,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - group
       - group_obj
@@ -58874,7 +58982,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - group
       - id
@@ -58993,7 +59103,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - id
       - source
@@ -59011,7 +59123,9 @@ components:
         source:
           type: string
           format: uuid
-        attributes: {}
+        attributes:
+          type: object
+          additionalProperties: {}
       required:
       - id
       - source
@@ -59404,9 +59518,7 @@ components:
           minimum: 0
           description: Reputation cannot increase higher than this value. Zero or
             positive.
-        footer_links:
-          description: The option configures the footer links on the flow executor
-            pages.
+        footer_links: {}
         gdpr_compliance:
           type: boolean
           description: When enabled, all the events caused by a user will be deleted
@@ -59458,9 +59570,7 @@ components:
           minimum: 0
           description: Reputation cannot increase higher than this value. Zero or
             positive.
-        footer_links:
-          description: The option configures the footer links on the flow executor
-            pages.
+        footer_links: {}
         gdpr_compliance:
           type: boolean
           description: When enabled, all the events caused by a user will be deleted
@@ -61775,6 +61885,7 @@ components:
       - worker_id
     modelRequest:
       oneOf:
+      - $ref: '#/components/schemas/ApplePlatformSSOProviderRequest'
       - $ref: '#/components/schemas/GoogleWorkspaceProviderRequest'
       - $ref: '#/components/schemas/LDAPProviderRequest'
       - $ref: '#/components/schemas/MicrosoftEntraProviderRequest'
@@ -61788,6 +61899,7 @@ components:
       discriminator:
         propertyName: provider_model
         mapping:
+          authentik_providers_apple_psso.appleplatformssoprovider: '#/components/schemas/ApplePlatformSSOProviderRequest'
           authentik_providers_google_workspace.googleworkspaceprovider: '#/components/schemas/GoogleWorkspaceProviderRequest'
           authentik_providers_ldap.ldapprovider: '#/components/schemas/LDAPProviderRequest'
           authentik_providers_microsoft_entra.microsoftentraprovider: '#/components/schemas/MicrosoftEntraProviderRequest'

scripts/api-ts-templates/tsconfig.mustache

@@ -9,8 +9,8 @@
         "strict": true,
         "newLine": "lf",
         "target": "ESNext",
-        "module": "ESNext",
-        "moduleResolution": "bundler",
+        "module": "NodeNext",
+        "moduleResolution": "NodeNext",
         "outDir": "dist",
         "skipDefaultLibCheck": true,
         "skipLibCheck": true,

tests/e2e/docker-compose.yml

@@ -7,7 +7,7 @@ services:
     network_mode: host
     restart: always
   mailpit:
-    image: docker.io/axllent/mailpit:v1.26.2
+    image: docker.io/axllent/mailpit:v1.27.0
     ports:
       - 1025:1025
       - 8025:8025

uv.lock

@@ -165,7 +165,7 @@ wheels = [
 
 [[package]]
 name = "authentik"
-version = "2025.6.2"
+version = "2025.6.3"
 source = { editable = "." }
 dependencies = [
     { name = "argon2-cffi" },
@@ -279,10 +279,10 @@ requires-dist = [
     { name = "django-countries", specifier = "==7.6.1" },
     { name = "django-cte", specifier = "==2.0.0" },
     { name = "django-filter", specifier = "==25.1" },
-    { name = "django-guardian", specifier = "==3.0.0" },
+    { name = "django-guardian", specifier = "==3.0.3" },
     { name = "django-model-utils", specifier = "==5.0.0" },
     { name = "django-pglock", specifier = "==1.7.2" },
-    { name = "django-prometheus", specifier = "==2.4.0" },
+    { name = "django-prometheus", specifier = "==2.4.1" },
     { name = "django-redis", specifier = "==6.0.0" },
     { name = "django-storages", extras = ["s3"], specifier = "==1.14.6" },
     { name = "django-tenants", specifier = "==3.8.0" },
@@ -298,7 +298,7 @@ requires-dist = [
     { name = "flower", specifier = "==2.0.1" },
     { name = "geoip2", specifier = "==5.1.0" },
     { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.173.0" },
+    { name = "google-api-python-client", specifier = "==2.174.0" },
     { name = "gssapi", specifier = "==1.9.0" },
     { name = "gunicorn", specifier = "==23.0.0" },
     { name = "jsonpatch", specifier = "==1.33" },
@@ -306,7 +306,7 @@ requires-dist = [
     { name = "kubernetes", specifier = "==33.1.0" },
     { name = "ldap3", specifier = "==2.9.1" },
     { name = "lxml", specifier = "==5.4.0" },
-    { name = "msgraph-sdk", specifier = "==1.34.0" },
+    { name = "msgraph-sdk", specifier = "==1.35.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==25.0" },
     { name = "paramiko", specifier = "==3.5.1" },
@@ -319,7 +319,7 @@ requires-dist = [
     { name = "pyyaml", specifier = "==6.0.2" },
     { name = "requests-oauthlib", specifier = "==2.0.0" },
     { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.30.0" },
+    { name = "sentry-sdk", specifier = "==2.32.0" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.6" },
     { name = "structlog", specifier = "==25.4.0" },
@@ -329,7 +329,7 @@ requires-dist = [
     { name = "ua-parser", specifier = "==1.0.1" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.3" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.35.0" },
     { name = "watchdog", specifier = "==6.0.0" },
     { name = "webauthn", specifier = "==2.6.0" },
     { name = "wsproto", specifier = "==1.2.0" },
@@ -574,30 +574,30 @@ wheels = [
 
 [[package]]
 name = "boto3"
-version = "1.38.38"
+version = "1.38.43"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "botocore" },
     { name = "jmespath" },
     { name = "s3transfer" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/98/a1/f2b68cba5d1907e004f4d88a028eda35a4f619c1e81d764e5cf58491eb46/boto3-1.38.38.tar.gz", hash = "sha256:0fe6b7d1974851588ec1edd39c66d9525d539133e02c7f985f9ebec5e222c0db", size = 111847, upload-time = "2025-06-17T19:33:03.097Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/90/96/c99c9dac902faae3896558809d130b1bf02df8abb6e4553ad87d018910f9/boto3-1.38.43.tar.gz", hash = "sha256:9b0ff0b34c9cf7328546c532c20b081f09055ff485f4d57c19146c36877048c5", size = 111845, upload-time = "2025-06-24T19:29:02.978Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e4/dc/43d4ab839b84876bdf7baeba0a3ffcef4c3d52d81f3ce1979b4195c0e213/boto3-1.38.38-py3-none-any.whl", hash = "sha256:6f4163cd9e030afd1059e8a6daa178835165b79eb0b5325a8cd447020b895921", size = 139934, upload-time = "2025-06-17T19:33:00.621Z" },
+    { url = "https://files.pythonhosted.org/packages/de/67/42355b452a5aa622205c321217cba61a85746f0d93984788116a43120821/boto3-1.38.43-py3-none-any.whl", hash = "sha256:2e3411bb43285caad1c8e1a3186d025ba65a6342e26bad493f6b8feb3d1a1680", size = 139922, upload-time = "2025-06-24T19:29:01.545Z" },
 ]
 
 [[package]]
 name = "botocore"
-version = "1.38.38"
+version = "1.38.43"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "jmespath" },
     { name = "python-dateutil" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/22/f5/d05258ac4ae68769a956779192bfbd322e571ef9fc17a27f02d35c026b4b/botocore-1.38.38.tar.gz", hash = "sha256:acf9ae5b2d99c1f416f94fa5b4f8c044ecb76ffcb7fb1b1daec583f36892a8e2", size = 14009715, upload-time = "2025-06-17T19:32:52.705Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1d/ff/8ace3f46fa1a32c09ee994b5401c7853613a283e134449fdc136bb753b40/botocore-1.38.43.tar.gz", hash = "sha256:c453c5c16c157c5427058bb3cc2c5ad35ee2e43336f0ccbfcc6092c5635505c6", size = 14044468, upload-time = "2025-06-24T19:28:52.803Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7b/c6/74f27ffe941dc1438b7fef620b402b982a9f9ab90a04ee47bd0314a02384/botocore-1.38.38-py3-none-any.whl", hash = "sha256:aa5cc63bf885819d862852edb647d6276fe423c60113e8db375bb7ad8d88a5d9", size = 13669107, upload-time = "2025-06-17T19:32:47.503Z" },
+    { url = "https://files.pythonhosted.org/packages/15/12/0ebcfb91738d0cf9560220ee4e0db351acab14026fac74bbce9ab3881fd9/botocore-1.38.43-py3-none-any.whl", hash = "sha256:2ee60ac0b08e80e9be2aa2841d42e438d5bc4f82549560a682837655097a3db7", size = 13706448, upload-time = "2025-06-24T19:28:47.877Z" },
 ]
 
 [[package]]
@@ -777,14 +777,14 @@ wheels = [
 
 [[package]]
 name = "click-plugins"
-version = "1.1.1"
+version = "1.1.1.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "click" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5f/1d/45434f64ed749540af821fd7e42b8e4d23ac04b1eda7c26613288d6cd8a8/click-plugins-1.1.1.tar.gz", hash = "sha256:46ab999744a9d831159c3411bb0c79346d94a444df9a3a3742e9ed63645f264b", size = 8164, upload-time = "2019-04-04T04:27:04.82Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c3/a4/34847b59150da33690a36da3681d6bbc2ec14ee9a846bc30a6746e5984e4/click_plugins-1.1.1.2.tar.gz", hash = "sha256:d7af3984a99d243c131aa1a828331e7630f4a88a9741fd05c927b204bcf92261", size = 8343, upload-time = "2025-06-25T00:47:37.555Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e9/da/824b92d9942f4e472702488857914bdd50f73021efea15b4cad9aca8ecef/click_plugins-1.1.1-py2.py3-none-any.whl", hash = "sha256:5d262006d3222f5057fd81e1623d4443e41dcda5dc815c06b442aa3c02889fc8", size = 7497, upload-time = "2019-04-04T04:27:03.36Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/9a/2abecb28ae875e39c8cad711eb1186d8d14eab564705325e77e4e6ab9ae5/click_plugins-1.1.1.2-py2.py3-none-any.whl", hash = "sha256:008d65743833ffc1f5417bf0e78e8d2c23aab04d9745ba817bd3e71b0feb6aa6", size = 11051, upload-time = "2025-06-25T00:47:36.731Z" },
 ]
 
 [[package]]
@@ -1021,14 +1021,14 @@ wheels = [
 
 [[package]]
 name = "django-guardian"
-version = "3.0.0"
+version = "3.0.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "django" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/30/82/2c76cdf77eae3cb0c3df394686daf8f84bcd604c0da7a26fa19f5fe74ed4/django_guardian-3.0.0.tar.gz", hash = "sha256:0c79d55c4af2cfc14fbd19539846a1ebfed2a38198b7697e0f5177b7f654e1cd", size = 79895, upload-time = "2025-05-07T19:33:23.328Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/30/c2/3ed43813dd7313f729dbaa829b4f9ed4a647530151f672cfb5f843c12edf/django_guardian-3.0.3.tar.gz", hash = "sha256:4e59eab4d836da5a027cf0c176d14bc2a4e22cbbdf753159a03946c08c8a196d", size = 85410, upload-time = "2025-06-25T20:42:17.475Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a5/81/a2f3d3245d1f4cf446d78863526fba0b1b140d60784095a5cc2d4e8ac709/django_guardian-3.0.0-py3-none-any.whl", hash = "sha256:f3ebe3cc7f486e267041b780c3429ad5db72c909df40c2f74adb1b059582a3cd", size = 112672, upload-time = "2025-05-07T19:33:21.719Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/13/e6f629a978ef5fab8b8d2760cacc3e451016cef952cf4c049d672c5c6b07/django_guardian-3.0.3-py3-none-any.whl", hash = "sha256:d2164cea9f03c369d7ade21802710f3ab23ca6734bcc7dfcfb385906783916c7", size = 118198, upload-time = "2025-06-25T20:42:15.377Z" },
 ]
 
 [[package]]
@@ -1070,14 +1070,15 @@ wheels = [
 
 [[package]]
 name = "django-prometheus"
-version = "2.4.0"
+version = "2.4.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
+    { name = "django" },
     { name = "prometheus-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e8/b9/c758675671d71a1800feaad5c5fbcdecbd8d34296b63f9dc5662db39abda/django_prometheus-2.4.0.tar.gz", hash = "sha256:67da5c73d8e859aa73f6e11f52341c482691b17f8bd9844157cff6cdf51ce9bc", size = 24393, upload-time = "2025-06-18T18:06:28.673Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/98/f4/cb39ddd2a41e07a274c4e162c076e906ae232d63b66bbabdea0300878877/django_prometheus-2.4.1.tar.gz", hash = "sha256:073628243d2a6de6a8a8c20e5b512872dfb85d66e1b60b28bcf1eca0155dad95", size = 24464, upload-time = "2025-06-25T15:45:37.149Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/38/05/d980950fb8c3f6f96c644599b1a025fb50e827477b1acf36daef72aa7e76/django_prometheus-2.4.0-py2.py3-none-any.whl", hash = "sha256:5b46b5f07b02ba8dd7abdb03a3c39073e8fd9120e2293a1ecb949bbb865378ac", size = 29528, upload-time = "2025-06-18T18:06:27.079Z" },
+    { url = "https://files.pythonhosted.org/packages/01/50/9c5e022fa92574e5d20606687f15a2aa255e10512a17d11a8216fa117f72/django_prometheus-2.4.1-py2.py3-none-any.whl", hash = "sha256:7fe5af7f7c9ad9cd8a429fe0f3f1bf651f0e244f77162147869eab7ec09cc5e7", size = 29541, upload-time = "2025-06-25T15:45:35.433Z" },
 ]
 
 [[package]]
@@ -1402,7 +1403,7 @@ wheels = [
 
 [[package]]
 name = "google-api-python-client"
-version = "2.173.0"
+version = "2.174.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "google-api-core" },
@@ -1411,9 +1412,9 @@ dependencies = [
     { name = "httplib2" },
     { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/8f/7e/7c6e43e54f611f0f97f1678ea567fe06fecd545bd574db05e204e5b136fe/google_api_python_client-2.173.0.tar.gz", hash = "sha256:b537bc689758f4be3e6f40d59a6c0cd305abafdea91af4bc66ec31d40c08c804", size = 13091318, upload-time = "2025-06-19T19:39:05.881Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/1a/fd/860fef0cf3edbad828e2ab4d2ddee5dfe8e595b6da748ac6c77e95bc7bef/google_api_python_client-2.174.0.tar.gz", hash = "sha256:9eb7616a820b38a9c12c5486f9b9055385c7feb18b20cbafc5c5a688b14f3515", size = 13127872, upload-time = "2025-06-25T19:27:12.977Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e6/c9/dc9ca0537ee2ddac0f0b1e458903afe3f490a0f90dfd4b1b16eb339cdfbb/google_api_python_client-2.173.0-py3-none-any.whl", hash = "sha256:16a8e81c772dd116f5c4ee47d83643149e1367dc8fb4f47cb471fbcb5c7d7ac7", size = 13612778, upload-time = "2025-06-19T19:39:03.283Z" },
+    { url = "https://files.pythonhosted.org/packages/16/2d/4250b81e8f5309b58650660f403584db6f64067acac74475893a8f33348d/google_api_python_client-2.174.0-py3-none-any.whl", hash = "sha256:f695205ceec97bfaa1590a14282559c4109326c473b07352233a3584cdbf4b89", size = 13650466, upload-time = "2025-06-25T19:27:10.426Z" },
 ]
 
 [[package]]
@@ -2071,7 +2072,7 @@ wheels = [
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.34.0"
+version = "1.35.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "azure-identity" },
@@ -2081,54 +2082,50 @@ dependencies = [
     { name = "microsoft-kiota-serialization-text" },
     { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/92/7a/c69b4fc4b9c02a6d14eddc96b91319dd7e91f0987245d4243a74b9c17fcf/msgraph_sdk-1.34.0.tar.gz", hash = "sha256:f71a81d3291f49d3610220de47bbbb6321aa62f7129d17a958f301b9acadfe99", size = 5968516, upload-time = "2025-06-18T11:43:33.287Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/33/49/25df000defb136542400bbe3096b3e1dab384e5b02fec4c6c4cb4a433296/msgraph_sdk-1.35.0.tar.gz", hash = "sha256:513f77d3332618af35d2f456ff26e2050f136abc8856858a69d63e811480eddd", size = 5967030, upload-time = "2025-06-25T10:28:30.599Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f2/0c/75f8066eca60fe9b2d5e1dd868b592533671b7b5cc711e655afd5c44d259/msgraph_sdk-1.34.0-py3-none-any.whl", hash = "sha256:d6daea012b78a7a4dd07fabb782ae00e4a9fe4f8d6016e8037769962533aa8ae", size = 24491410, upload-time = "2025-06-18T11:43:30.824Z" },
+    { url = "https://files.pythonhosted.org/packages/72/ae/a0ea8742af0c99c9f53d82bca19f027f10d747874f725fa2f8d165eb60b3/msgraph_sdk-1.35.0-py3-none-any.whl", hash = "sha256:0e2305a0d6d8343f3a29aa227183c6acc6191f4dfda8522ea41d97e7fe25a0d1", size = 24490922, upload-time = "2025-06-25T10:28:28.127Z" },
 ]
 
 [[package]]
 name = "multidict"
-version = "6.5.0"
+version = "6.5.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/46/b5/59f27b4ce9951a4bce56b88ba5ff5159486797ab18863f2b4c1c5e8465bd/multidict-6.5.0.tar.gz", hash = "sha256:942bd8002492ba819426a8d7aefde3189c1b87099cdf18aaaefefcf7f3f7b6d2", size = 98512, upload-time = "2025-06-17T14:15:56.556Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5c/43/2d90c414d9efc4587d6e7cebae9f2c2d8001bcb4f89ed514ae837e9dcbe6/multidict-6.5.1.tar.gz", hash = "sha256:a835ea8103f4723915d7d621529c80ef48db48ae0c818afcabe0f95aa1febc3a", size = 98690, upload-time = "2025-06-24T22:16:05.117Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/1a/c9/092c4e9402b6d16de761cff88cb842a5c8cc50ccecaf9c4481ba53264b9e/multidict-6.5.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:53d92df1752df67a928fa7f884aa51edae6f1cf00eeb38cbcf318cf841c17456", size = 73486, upload-time = "2025-06-17T14:14:37.238Z" },
-    { url = "https://files.pythonhosted.org/packages/08/f9/6f7ddb8213f5fdf4db48d1d640b78e8aef89b63a5de8a2313286db709250/multidict-6.5.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:680210de2c38eef17ce46b8df8bf2c1ece489261a14a6e43c997d49843a27c99", size = 43745, upload-time = "2025-06-17T14:14:38.32Z" },
-    { url = "https://files.pythonhosted.org/packages/f3/a7/b9be0163bfeee3bb08a77a1705e24eb7e651d594ea554107fac8a1ca6a4d/multidict-6.5.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:e279259bcb936732bfa1a8eec82b5d2352b3df69d2fa90d25808cfc403cee90a", size = 42135, upload-time = "2025-06-17T14:14:39.897Z" },
-    { url = "https://files.pythonhosted.org/packages/8e/30/93c8203f943a417bda3c573a34d5db0cf733afdfffb0ca78545c7716dbd8/multidict-6.5.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d1c185fc1069781e3fc8b622c4331fb3b433979850392daa5efbb97f7f9959bb", size = 238585, upload-time = "2025-06-17T14:14:41.332Z" },
-    { url = "https://files.pythonhosted.org/packages/9d/fe/2582b56a1807604774f566eeef183b0d6b148f4b89d1612cd077567b2e1e/multidict-6.5.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:6bb5f65ff91daf19ce97f48f63585e51595539a8a523258b34f7cef2ec7e0617", size = 236174, upload-time = "2025-06-17T14:14:42.602Z" },
-    { url = "https://files.pythonhosted.org/packages/9b/c4/d8b66d42d385bd4f974cbd1eaa8b265e6b8d297249009f312081d5ded5c7/multidict-6.5.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d8646b4259450c59b9286db280dd57745897897284f6308edbdf437166d93855", size = 250145, upload-time = "2025-06-17T14:14:43.944Z" },
-    { url = "https://files.pythonhosted.org/packages/bc/64/62feda5093ee852426aae3df86fab079f8bf1cdbe403e1078c94672ad3ec/multidict-6.5.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d245973d4ecc04eea0a8e5ebec7882cf515480036e1b48e65dffcfbdf86d00be", size = 243470, upload-time = "2025-06-17T14:14:45.343Z" },
-    { url = "https://files.pythonhosted.org/packages/67/dc/9f6fa6e854625cf289c0e9f4464b40212a01f76b2f3edfe89b6779b4fb93/multidict-6.5.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a133e7ddc9bc7fb053733d0ff697ce78c7bf39b5aec4ac12857b6116324c8d75", size = 236968, upload-time = "2025-06-17T14:14:46.609Z" },
-    { url = "https://files.pythonhosted.org/packages/46/ae/4b81c6e3745faee81a156f3f87402315bdccf04236f75c03e37be19c94ff/multidict-6.5.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:80d696fa38d738fcebfd53eec4d2e3aeb86a67679fd5e53c325756682f152826", size = 236575, upload-time = "2025-06-17T14:14:47.929Z" },
-    { url = "https://files.pythonhosted.org/packages/8a/fa/4089d7642ea344226e1bfab60dd588761d4791754f8072e911836a39bedf/multidict-6.5.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:20d30c9410ac3908abbaa52ee5967a754c62142043cf2ba091e39681bd51d21a", size = 247632, upload-time = "2025-06-17T14:14:49.525Z" },
-    { url = "https://files.pythonhosted.org/packages/16/ee/a353dac797de0f28fb7f078cc181c5f2eefe8dd16aa11a7100cbdc234037/multidict-6.5.0-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:6c65068cc026f217e815fa519d8e959a7188e94ec163ffa029c94ca3ef9d4a73", size = 243520, upload-time = "2025-06-17T14:14:50.83Z" },
-    { url = "https://files.pythonhosted.org/packages/50/ec/560deb3d2d95822d6eb1bcb1f1cb728f8f0197ec25be7c936d5d6a5d133c/multidict-6.5.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:e355ac668a8c3e49c2ca8daa4c92f0ad5b705d26da3d5af6f7d971e46c096da7", size = 248551, upload-time = "2025-06-17T14:14:52.229Z" },
-    { url = "https://files.pythonhosted.org/packages/10/85/ddf277e67c78205f6695f2a7639be459bca9cc353b962fd8085a492a262f/multidict-6.5.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:08db204213d0375a91a381cae0677ab95dd8c67a465eb370549daf6dbbf8ba10", size = 258362, upload-time = "2025-06-17T14:14:53.934Z" },
-    { url = "https://files.pythonhosted.org/packages/02/fc/d64ee1df9b87c5210f2d4c419cab07f28589c81b4e5711eda05a122d0614/multidict-6.5.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:ffa58e3e215af8f6536dc837a990e456129857bb6fd546b3991be470abd9597a", size = 253862, upload-time = "2025-06-17T14:14:55.323Z" },
-    { url = "https://files.pythonhosted.org/packages/c9/7c/a2743c00d9e25f4826d3a77cc13d4746398872cf21c843eef96bb9945665/multidict-6.5.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:3e86eb90015c6f21658dbd257bb8e6aa18bdb365b92dd1fba27ec04e58cdc31b", size = 247391, upload-time = "2025-06-17T14:14:57.293Z" },
-    { url = "https://files.pythonhosted.org/packages/9b/03/7773518db74c442904dbd349074f1e7f2a854cee4d9529fc59e623d3949e/multidict-6.5.0-cp313-cp313-win32.whl", hash = "sha256:f34a90fbd9959d0f857323bd3c52b3e6011ed48f78d7d7b9e04980b8a41da3af", size = 41115, upload-time = "2025-06-17T14:14:59.33Z" },
-    { url = "https://files.pythonhosted.org/packages/eb/9a/6fc51b1dc11a7baa944bc101a92167d8b0f5929d376a8c65168fc0d35917/multidict-6.5.0-cp313-cp313-win_amd64.whl", hash = "sha256:fcb2aa79ac6aef8d5b709bbfc2fdb1d75210ba43038d70fbb595b35af470ce06", size = 44768, upload-time = "2025-06-17T14:15:00.427Z" },
-    { url = "https://files.pythonhosted.org/packages/82/2d/0d010be24b663b3c16e3d3307bbba2de5ae8eec496f6027d5c0515b371a8/multidict-6.5.0-cp313-cp313-win_arm64.whl", hash = "sha256:6dcee5e7e92060b4bb9bb6f01efcbb78c13d0e17d9bc6eec71660dd71dc7b0c2", size = 41770, upload-time = "2025-06-17T14:15:01.854Z" },
-    { url = "https://files.pythonhosted.org/packages/aa/d1/a71711a5f32f84b7b036e82182e3250b949a0ce70d51a2c6a4079e665449/multidict-6.5.0-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:cbbc88abea2388fde41dd574159dec2cda005cb61aa84950828610cb5010f21a", size = 80450, upload-time = "2025-06-17T14:15:02.968Z" },
-    { url = "https://files.pythonhosted.org/packages/0f/a2/953a9eede63a98fcec2c1a2c1a0d88de120056219931013b871884f51b43/multidict-6.5.0-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:70b599f70ae6536e5976364d3c3cf36f40334708bd6cebdd1e2438395d5e7676", size = 46971, upload-time = "2025-06-17T14:15:04.149Z" },
-    { url = "https://files.pythonhosted.org/packages/44/61/60250212953459edda2c729e1d85130912f23c67bd4f585546fe4bdb1578/multidict-6.5.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:828bab777aa8d29d59700018178061854e3a47727e0611cb9bec579d3882de3b", size = 45548, upload-time = "2025-06-17T14:15:05.666Z" },
-    { url = "https://files.pythonhosted.org/packages/11/b6/e78ee82e96c495bc2582b303f68bed176b481c8d81a441fec07404fce2ca/multidict-6.5.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a9695fc1462f17b131c111cf0856a22ff154b0480f86f539d24b2778571ff94d", size = 238545, upload-time = "2025-06-17T14:15:06.88Z" },
-    { url = "https://files.pythonhosted.org/packages/5a/0f/6132ca06670c8d7b374c3a4fd1ba896fc37fbb66b0de903f61db7d1020ec/multidict-6.5.0-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0b5ac6ebaf5d9814b15f399337ebc6d3a7f4ce9331edd404e76c49a01620b68d", size = 229931, upload-time = "2025-06-17T14:15:08.24Z" },
-    { url = "https://files.pythonhosted.org/packages/c0/63/d9957c506e6df6b3e7a194f0eea62955c12875e454b978f18262a65d017b/multidict-6.5.0-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:84a51e3baa77ded07be4766a9e41d977987b97e49884d4c94f6d30ab6acaee14", size = 248181, upload-time = "2025-06-17T14:15:09.907Z" },
-    { url = "https://files.pythonhosted.org/packages/43/3f/7d5490579640db5999a948e2c41d4a0efd91a75989bda3e0a03a79c92be2/multidict-6.5.0-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8de67f79314d24179e9b1869ed15e88d6ba5452a73fc9891ac142e0ee018b5d6", size = 241846, upload-time = "2025-06-17T14:15:11.596Z" },
-    { url = "https://files.pythonhosted.org/packages/e1/f7/252b1ce949ece52bba4c0de7aa2e3a3d5964e800bce71fb778c2e6c66f7c/multidict-6.5.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:17f78a52c214481d30550ec18208e287dfc4736f0c0148208334b105fd9e0887", size = 232893, upload-time = "2025-06-17T14:15:12.946Z" },
-    { url = "https://files.pythonhosted.org/packages/45/7e/0070bfd48c16afc26e056f2acce49e853c0d604a69c7124bc0bbdb1bcc0a/multidict-6.5.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2966d0099cb2e2039f9b0e73e7fd5eb9c85805681aa2a7f867f9d95b35356921", size = 228567, upload-time = "2025-06-17T14:15:14.267Z" },
-    { url = "https://files.pythonhosted.org/packages/2a/31/90551c75322113ebf5fd9c5422e8641d6952f6edaf6b6c07fdc49b1bebdd/multidict-6.5.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:86fb42ed5ed1971c642cc52acc82491af97567534a8e381a8d50c02169c4e684", size = 246188, upload-time = "2025-06-17T14:15:15.985Z" },
-    { url = "https://files.pythonhosted.org/packages/cc/e2/aa4b02a55e7767ff292871023817fe4db83668d514dab7ccbce25eaf7659/multidict-6.5.0-cp313-cp313t-musllinux_1_2_armv7l.whl", hash = "sha256:4e990cbcb6382f9eae4ec720bcac6a1351509e6fc4a5bb70e4984b27973934e6", size = 235178, upload-time = "2025-06-17T14:15:17.395Z" },
-    { url = "https://files.pythonhosted.org/packages/7d/5c/f67e726717c4b138b166be1700e2b56e06fbbcb84643d15f9a9d7335ff41/multidict-6.5.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:d99a59d64bb1f7f2117bec837d9e534c5aeb5dcedf4c2b16b9753ed28fdc20a3", size = 243422, upload-time = "2025-06-17T14:15:18.939Z" },
-    { url = "https://files.pythonhosted.org/packages/e5/1c/15fa318285e26a50aa3fa979bbcffb90f9b4d5ec58882d0590eda067d0da/multidict-6.5.0-cp313-cp313t-musllinux_1_2_ppc64le.whl", hash = "sha256:e8ef15cc97c9890212e1caf90f0d63f6560e1e101cf83aeaf63a57556689fb34", size = 254898, upload-time = "2025-06-17T14:15:20.31Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/3d/d6c6d1c2e9b61ca80313912d30bb90d4179335405e421ef0a164eac2c0f9/multidict-6.5.0-cp313-cp313t-musllinux_1_2_s390x.whl", hash = "sha256:b8a09aec921b34bd8b9f842f0bcfd76c6a8c033dc5773511e15f2d517e7e1068", size = 247129, upload-time = "2025-06-17T14:15:21.665Z" },
-    { url = "https://files.pythonhosted.org/packages/29/15/1568258cf0090bfa78d44be66247cfdb16e27dfd935c8136a1e8632d3057/multidict-6.5.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:ff07b504c23b67f2044533244c230808a1258b3493aaf3ea2a0785f70b7be461", size = 243841, upload-time = "2025-06-17T14:15:23.38Z" },
-    { url = "https://files.pythonhosted.org/packages/65/57/64af5dbcfd61427056e840c8e520b502879d480f9632fbe210929fd87393/multidict-6.5.0-cp313-cp313t-win32.whl", hash = "sha256:9232a117341e7e979d210e41c04e18f1dc3a1d251268df6c818f5334301274e1", size = 46761, upload-time = "2025-06-17T14:15:24.733Z" },
-    { url = "https://files.pythonhosted.org/packages/26/a8/cac7f7d61e188ff44f28e46cb98f9cc21762e671c96e031f06c84a60556e/multidict-6.5.0-cp313-cp313t-win_amd64.whl", hash = "sha256:44cb5c53fb2d4cbcee70a768d796052b75d89b827643788a75ea68189f0980a1", size = 52112, upload-time = "2025-06-17T14:15:25.906Z" },
-    { url = "https://files.pythonhosted.org/packages/51/9f/076533feb1b5488d22936da98b9c217205cfbf9f56f7174e8c5c86d86fe6/multidict-6.5.0-cp313-cp313t-win_arm64.whl", hash = "sha256:51d33fafa82640c0217391d4ce895d32b7e84a832b8aee0dcc1b04d8981ec7f4", size = 44358, upload-time = "2025-06-17T14:15:27.117Z" },
-    { url = "https://files.pythonhosted.org/packages/44/d8/45e8fc9892a7386d074941429e033adb4640e59ff0780d96a8cf46fe788e/multidict-6.5.0-py3-none-any.whl", hash = "sha256:5634b35f225977605385f56153bd95a7133faffc0ffe12ad26e10517537e8dfc", size = 12181, upload-time = "2025-06-17T14:15:55.156Z" },
+    { url = "https://files.pythonhosted.org/packages/19/3f/c2e07031111d2513d260157933a8697ad52a935d8a2a2b8b7b317ddd9a96/multidict-6.5.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:98011312f36d1e496f15454a95578d1212bc2ffc25650a8484752b06d304fd9b", size = 73588, upload-time = "2025-06-24T22:14:54.332Z" },
+    { url = "https://files.pythonhosted.org/packages/95/bb/f47aa21827202a9f889fd66de9a1db33d0e4bbaaa2567156e4efb3cc0e5e/multidict-6.5.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:bae589fb902b47bd94e6f539b34eefe55a1736099f616f614ec1544a43f95b05", size = 43756, upload-time = "2025-06-24T22:14:55.748Z" },
+    { url = "https://files.pythonhosted.org/packages/9f/ec/24549de092c9b0bc3167e0beb31a11be58e8595dbcfed2b7821795bb3923/multidict-6.5.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6eb3bf26cd94eb306e4bc776d0964cc67a7967e4ad9299309f0ff5beec3c62be", size = 42222, upload-time = "2025-06-24T22:14:57.418Z" },
+    { url = "https://files.pythonhosted.org/packages/13/45/54452027ebc0ba660667aab67ae11afb9aaba91f4b5d63cddef045279d94/multidict-6.5.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:e5e1a5a99c72d1531501406fcc06b6bf699ebd079dacd6807bb43fc0ff260e5c", size = 253014, upload-time = "2025-06-24T22:14:58.738Z" },
+    { url = "https://files.pythonhosted.org/packages/97/3c/76e7b4c0ce3a8bb43efca679674fba421333fbc8429134072db80e13dcb8/multidict-6.5.1-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:38755bcba18720cb2338bea23a5afcff234445ee75fa11518f6130e22f2ab970", size = 235939, upload-time = "2025-06-24T22:15:00.138Z" },
+    { url = "https://files.pythonhosted.org/packages/86/ce/48e3123a9af61ff2f60e3764b0b15cf4fca22b1299aac281252ac3a590d6/multidict-6.5.1-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f42fef9bcba3c32fd4e4a23c5757fc807d218b249573aaffa8634879f95feb73", size = 262940, upload-time = "2025-06-24T22:15:01.52Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/ab/bccd739faf87051b55df619a0967c8545b4d4a4b90258c5f564ab1752f15/multidict-6.5.1-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:071b962f4cc87469cda90c7cc1c077b76496878b39851d7417a3d994e27fe2c6", size = 260652, upload-time = "2025-06-24T22:15:02.988Z" },
+    { url = "https://files.pythonhosted.org/packages/9a/9c/01f654aad28a5d0d74f2678c1541ae15e711f99603fd84c780078205966e/multidict-6.5.1-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:627ba4b7ce7c0115981f0fd91921f5d101dfb9972622178aeef84ccce1c2bbf3", size = 250011, upload-time = "2025-06-24T22:15:04.317Z" },
+    { url = "https://files.pythonhosted.org/packages/5c/bc/edf08906e1db7385c6bf36e4179957307f50c44a889493e9b251255be79c/multidict-6.5.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:05dcaed3e5e54f0d0f99a39762b0195274b75016cbf246f600900305581cf1a2", size = 248242, upload-time = "2025-06-24T22:15:06.035Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/c3/1ad054b88b889fda8b62ea9634ac7082567e8dc42b9b794a2c565ef102ab/multidict-6.5.1-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:11f5ecf3e741a18c578d118ad257c5588ca33cc7c46d51c0487d7ae76f072c32", size = 244683, upload-time = "2025-06-24T22:15:07.731Z" },
+    { url = "https://files.pythonhosted.org/packages/57/63/119a76b2095e1bb765816175cafeac7b520f564691abef2572fb80f4f246/multidict-6.5.1-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:b948eb625411c20b15088fca862c51a39140b9cf7875b5fb47a72bb249fa2f42", size = 257626, upload-time = "2025-06-24T22:15:09.013Z" },
+    { url = "https://files.pythonhosted.org/packages/26/a9/b91a76af5ff49bd088ee76d11eb6134227f5ea50bcd5f6738443b2fe8e05/multidict-6.5.1-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:fc993a96dfc8300befd03d03df46efdb1d8d5a46911b014e956a4443035f470d", size = 251077, upload-time = "2025-06-24T22:15:10.366Z" },
+    { url = "https://files.pythonhosted.org/packages/2a/fe/b1dc57aaa4de9f5a27543e28bd1f8bff00a316888b7344b5d33258b14b0a/multidict-6.5.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ee2d333380f22d35a56c6461f4579cfe186e143cd0b010b9524ac027de2a34cd", size = 244715, upload-time = "2025-06-24T22:15:11.76Z" },
+    { url = "https://files.pythonhosted.org/packages/51/55/47a82690f71d0141eea49a623bbcc00a4d28770efc7cba8ead75602c9b90/multidict-6.5.1-cp313-cp313-win32.whl", hash = "sha256:5891e3327e6a426ddd443c87339b967c84feb8c022dd425e0c025fa0fcd71e68", size = 41156, upload-time = "2025-06-24T22:15:13.139Z" },
+    { url = "https://files.pythonhosted.org/packages/25/b3/43306e4d7d3a9898574d1dc156b9607540dad581b1d767c992030751b82d/multidict-6.5.1-cp313-cp313-win_amd64.whl", hash = "sha256:fcdaa72261bff25fad93e7cb9bd7112bd4bac209148e698e380426489d8ed8a9", size = 44933, upload-time = "2025-06-24T22:15:14.639Z" },
+    { url = "https://files.pythonhosted.org/packages/30/e2/34cb83c8a4e01b28e2abf30dc90178aa63c9db042be22fa02472cb744b86/multidict-6.5.1-cp313-cp313-win_arm64.whl", hash = "sha256:84292145303f354a35558e601c665cdf87059d87b12777417e2e57ba3eb98903", size = 41967, upload-time = "2025-06-24T22:15:15.856Z" },
+    { url = "https://files.pythonhosted.org/packages/64/08/17d2de9cf749ea9589ecfb7532ab4988e8b113b7624826dba6b7527a58f3/multidict-6.5.1-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:f8316e58db799a1972afbc46770dfaaf20b0847003ab80de6fcb9861194faa3f", size = 80513, upload-time = "2025-06-24T22:15:16.946Z" },
+    { url = "https://files.pythonhosted.org/packages/3e/b9/c9392465a21f7dff164633348b4cf66eef55c4ee48bdcdc00f0a71792779/multidict-6.5.1-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:d3468f0db187aca59eb56e0aa9f7c8c5427bcb844ad1c86557b4886aeb4484d8", size = 46854, upload-time = "2025-06-24T22:15:18.116Z" },
+    { url = "https://files.pythonhosted.org/packages/2e/24/d79cbed5d0573304bc907dff0e5ad8788a4de891eec832809812b319930e/multidict-6.5.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:228533a5f99f1248cd79f6470779c424d63bc3e10d47c82511c65cc294458445", size = 45724, upload-time = "2025-06-24T22:15:19.241Z" },
+    { url = "https://files.pythonhosted.org/packages/ec/22/232be6c077183719c78131f0e3c3d7134eb2d839e6e50e1c1e69e5ef5965/multidict-6.5.1-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:527076fdf5854901b1246c589af9a8a18b4a308375acb0020b585f696a10c794", size = 251895, upload-time = "2025-06-24T22:15:20.564Z" },
+    { url = "https://files.pythonhosted.org/packages/57/80/85985e1441864b946e79538355b7b47f36206bf6bbaa2fa6d74d8232f2ab/multidict-6.5.1-cp313-cp313t-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:9a17a17bad5c22f43e6a6b285dd9c16b1e8f8428202cd9bc22adaac68d0bbfed", size = 229357, upload-time = "2025-06-24T22:15:21.949Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/14/0024d1428b05aedaeea211da232aa6b6ad5c556a8a38b0942df1e54e1fa5/multidict-6.5.1-cp313-cp313t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:efd1951edab4a6cb65108d411867811f2b283f4b972337fb4269e40142f7f6a6", size = 259262, upload-time = "2025-06-24T22:15:23.455Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/cc/3fe63d61ffc9a48d62f36249e228e330144d990ac01f61169b615a3be471/multidict-6.5.1-cp313-cp313t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:c07d5f38b39acb4f8f61a7aa4166d140ed628245ff0441630df15340532e3b3c", size = 257998, upload-time = "2025-06-24T22:15:24.907Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/e4/46b38b9a565ccc5d86f55787090670582d51ab0a0d37cfeaf4313b053f7b/multidict-6.5.1-cp313-cp313t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8a6605dc74cd333be279e1fcb568ea24f7bdf1cf09f83a77360ce4dd32d67f14", size = 247951, upload-time = "2025-06-24T22:15:26.274Z" },
+    { url = "https://files.pythonhosted.org/packages/af/78/58a9bc0674401f1f26418cd58a5ebf35ce91ead76a22b578908acfe0f4e2/multidict-6.5.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:8d64e30ae9ba66ce303a567548a06d64455d97c5dff7052fe428d154274d7174", size = 246786, upload-time = "2025-06-24T22:15:27.695Z" },
+    { url = "https://files.pythonhosted.org/packages/66/24/51142ccee295992e22881cccc54b291308423bbcc836fcf4d2edef1a88d0/multidict-6.5.1-cp313-cp313t-musllinux_1_2_armv7l.whl", hash = "sha256:2fb5dde79a7f6d98ac5e26a4c9de77ccd2c5224a7ce89aeac6d99df7bbe06464", size = 235030, upload-time = "2025-06-24T22:15:29.391Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/9a/a6f7b75460d3e35b16bf7745c9e3ebb3293324a4295e586563bf50d361f4/multidict-6.5.1-cp313-cp313t-musllinux_1_2_ppc64le.whl", hash = "sha256:8a0d22e8b07cf620e9aeb1582340d00f0031e6a1f3e39d9c2dcbefa8691443b4", size = 253964, upload-time = "2025-06-24T22:15:31.689Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/f8/0b690674bf8f78604eb0a2b0a85d1380ff3003f270440d40def2a3de8cf4/multidict-6.5.1-cp313-cp313t-musllinux_1_2_s390x.whl", hash = "sha256:0120ed5cff2082c7a0ed62a8f80f4f6ac266010c722381816462f279bfa19487", size = 247370, upload-time = "2025-06-24T22:15:33.114Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/7d/ca55049d1041c517f294c1755c786539cb7a8dc5033361f20ce3a3d817be/multidict-6.5.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:3dea06ba27401c4b54317aa04791182dc9295e7aa623732dd459071a0e0f65db", size = 242920, upload-time = "2025-06-24T22:15:34.669Z" },
+    { url = "https://files.pythonhosted.org/packages/1e/65/f4afa14f0921751864bb3ef80267f15ecae423483e8da9bc5d3757632bfa/multidict-6.5.1-cp313-cp313t-win32.whl", hash = "sha256:93b21be44f3cfee3be68ed5cd8848a3c0420d76dbd12d74f7776bde6b29e5f33", size = 46968, upload-time = "2025-06-24T22:15:36.023Z" },
+    { url = "https://files.pythonhosted.org/packages/00/0a/13d08be1ca1523df515fb4efd3cf10f153e62d533f55c53f543cd73041e8/multidict-6.5.1-cp313-cp313t-win_amd64.whl", hash = "sha256:c5c18f8646a520cc34d00f65f9f6f77782b8a8c59fd8de10713e0de7f470b5d0", size = 52353, upload-time = "2025-06-24T22:15:37.247Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/dd/84aaf725b236677597a9570d8c1c99af0ba03712149852347969e014d826/multidict-6.5.1-cp313-cp313t-win_arm64.whl", hash = "sha256:eb27128141474a1d545f0531b496c7c2f1c4beff50cb5a828f36eb62fef16c67", size = 44500, upload-time = "2025-06-24T22:15:38.445Z" },
+    { url = "https://files.pythonhosted.org/packages/07/9f/d4719ce55a1d8bf6619e8bb92f1e2e7399026ea85ae0c324ec77ee06c050/multidict-6.5.1-py3-none-any.whl", hash = "sha256:895354f4a38f53a1df2cc3fa2223fa714cff2b079a9f018a76cad35e7f0f044c", size = 12185, upload-time = "2025-06-24T22:16:03.816Z" },
 ]
 
 [[package]]
@@ -2151,11 +2148,11 @@ wheels = [
 
 [[package]]
 name = "oauthlib"
-version = "3.3.0"
+version = "3.3.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/98/8a/6ea75ff7acf89f43afb157604429af4661a9840b1f2cece602b6a13c1893/oauthlib-3.3.0.tar.gz", hash = "sha256:4e707cf88d7dfc22a8cce22ca736a2eef9967c1dd3845efc0703fc922353eeb2", size = 190292, upload-time = "2025-06-17T23:19:18.309Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/0b/5f/19930f824ffeb0ad4372da4812c50edbd1434f678c90c2733e1188edfc63/oauthlib-3.3.1.tar.gz", hash = "sha256:0f0f8aa759826a193cf66c12ea1af1637f87b9b4622d46e866952bb022e538c9", size = 185918, upload-time = "2025-06-19T22:48:08.269Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/e1/3d/760b1456010ed11ce87c0109007f0166078dfdada7597f0091ae76eb7305/oauthlib-3.3.0-py3-none-any.whl", hash = "sha256:a2b3a0a2a4ec2feb4b9110f56674a39b2cc2f23e14713f4ed20441dfba14e934", size = 165155, upload-time = "2025-06-17T23:19:16.771Z" },
+    { url = "https://files.pythonhosted.org/packages/be/9c/92789c596b8df838baa98fa71844d84283302f7604ed565dafe5a6b5041a/oauthlib-3.3.1-py3-none-any.whl", hash = "sha256:88119c938d2b8fb88561af5f6ee0eec8cc8d552b7bb1f712743136eb7523b7a1", size = 160065, upload-time = "2025-06-19T22:48:06.508Z" },
 ]
 
 [[package]]
@@ -2550,11 +2547,11 @@ wheels = [
 
 [[package]]
 name = "pygments"
-version = "2.19.1"
+version = "2.19.2"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/7c/2d/c3338d48ea6cc0feb8446d8e6937e1408088a72a39937982cc6111d17f84/pygments-2.19.1.tar.gz", hash = "sha256:61c16d2a8576dc0649d9f39e089b5f02bcd27fba10d8fb4dcc28173f7a45151f", size = 4968581, upload-time = "2025-01-06T17:26:30.443Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/8a/0b/9fcc47d19c48b59121088dd6da2488a49d5f72dacf8262e2790a1d2c7d15/pygments-2.19.1-py3-none-any.whl", hash = "sha256:9ea1544ad55cecf4b8242fab6dd35a93bbce657034b0611ee383099054ab6d8c", size = 1225293, upload-time = "2025-01-06T17:26:25.553Z" },
+    { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" },
 ]
 
 [[package]]
@@ -2711,11 +2708,11 @@ wheels = [
 
 [[package]]
 name = "python-dotenv"
-version = "1.1.0"
+version = "1.1.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/88/2c/7bb1416c5620485aa793f2de31d3df393d3686aa8a8506d11e10e13c5baf/python_dotenv-1.1.0.tar.gz", hash = "sha256:41f90bc6f5f177fb41f53e87666db362025010eb28f60a01c9143bfa33a2b2d5", size = 39920, upload-time = "2025-03-25T10:14:56.835Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/f6/b0/4bc07ccd3572a2f9df7e6782f52b0c6c90dcbb803ac4a167702d7d0dfe1e/python_dotenv-1.1.1.tar.gz", hash = "sha256:a8a6399716257f45be6a007360200409fce5cda2661e3dec71d23dc15f6189ab", size = 41978, upload-time = "2025-06-24T04:21:07.341Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/1e/18/98a99ad95133c6a6e2005fe89faedf294a748bd5dc803008059409ac9b1e/python_dotenv-1.1.0-py3-none-any.whl", hash = "sha256:d7c01d9e2293916c18baf562d95698754b0dbbb5e74d457c45d4f6561fb9d55d", size = 20256, upload-time = "2025-03-25T10:14:55.034Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/ed/539768cf28c661b5b068d66d96a2f155c4971a5d55684a514c1a0e0dec2f/python_dotenv-1.1.1-py3-none-any.whl", hash = "sha256:31f23644fe2602f88ff55e1f5c79ba497e01224ee7737937930c448e4d0e24dc", size = 20556, upload-time = "2025-06-24T04:21:06.073Z" },
 ]
 
 [[package]]
@@ -2964,15 +2961,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.30.0"
+version = "2.32.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/04/4c/af31e0201b48469786ddeb1bf6fd3dfa3a291cc613a0fe6a60163a7535f9/sentry_sdk-2.30.0.tar.gz", hash = "sha256:436369b02afef7430efb10300a344fb61a11fe6db41c2b11f41ee037d2dd7f45", size = 326767, upload-time = "2025-06-12T10:34:34.733Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/59/eb90c45cb836cf8bec973bba10230ddad1c55e2b2e9ffa9d7d7368948358/sentry_sdk-2.32.0.tar.gz", hash = "sha256:9016c75d9316b0f6921ac14c8cd4fb938f26002430ac5be9945ab280f78bec6b", size = 334932, upload-time = "2025-06-27T08:10:02.89Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5a/99/31ac6faaae33ea698086692638f58d14f121162a8db0039e68e94135e7f1/sentry_sdk-2.30.0-py2.py3-none-any.whl", hash = "sha256:59391db1550662f746ea09b483806a631c3ae38d6340804a1a4c0605044f6877", size = 343149, upload-time = "2025-06-12T10:34:32.896Z" },
+    { url = "https://files.pythonhosted.org/packages/01/a1/fc4856bd02d2097324fb7ce05b3021fb850f864b83ca765f6e37e92ff8ca/sentry_sdk-2.32.0-py2.py3-none-any.whl", hash = "sha256:6cf51521b099562d7ce3606da928c473643abe99b00ce4cb5626ea735f4ec345", size = 356122, upload-time = "2025-06-27T08:10:01.424Z" },
 ]
 
 [[package]]
@@ -3325,15 +3322,15 @@ socks = [
 
 [[package]]
 name = "uvicorn"
-version = "0.34.3"
+version = "0.35.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "click" },
     { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/de/ad/713be230bcda622eaa35c28f0d328c3675c371238470abdea52417f17a8e/uvicorn-0.34.3.tar.gz", hash = "sha256:35919a9a979d7a59334b6b10e05d77c1d0d574c50e0fc98b8b1a0f165708b55a", size = 76631, upload-time = "2025-06-01T07:48:17.531Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5e/42/e0e305207bb88c6b8d3061399c6a961ffe5fbb7e2aa63c9234df7259e9cd/uvicorn-0.35.0.tar.gz", hash = "sha256:bc662f087f7cf2ce11a1d7fd70b90c9f98ef2e2831556dd078d131b96cc94a01", size = 78473, upload-time = "2025-06-28T16:15:46.058Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6d/0d/8adfeaa62945f90d19ddc461c55f4a50c258af7662d34b6a3d5d1f8646f6/uvicorn-0.34.3-py3-none-any.whl", hash = "sha256:16246631db62bdfbf069b0645177d6e8a77ba950cfedbfd093acef9444e4d885", size = 62431, upload-time = "2025-06-01T07:48:15.664Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/e2/dc81b1bd1dcfe91735810265e9d26bc8ec5da45b4c0f6237e286819194c3/uvicorn-0.35.0-py3-none-any.whl", hash = "sha256:197535216b25ff9b785e29a0b79199f55222193d47f820816e7da751e9bc8d4a", size = 66406, upload-time = "2025-06-28T16:15:44.816Z" },
 ]
 
 [package.optional-dependencies]

web/package-lock.json

@@ -22,7 +22,7 @@
                 "@floating-ui/dom": "^1.6.11",
                 "@formatjs/intl-listformat": "^7.7.11",
                 "@fortawesome/fontawesome-free": "^6.7.2",
-                "@goauthentik/api": "^2025.6.2-1750801939",
+                "@goauthentik/api": "^2025.6.2-1750856752",
                 "@lit/context": "^1.1.2",
                 "@lit/localize": "^0.12.2",
                 "@lit/reactive-element": "^2.0.4",
@@ -34,7 +34,7 @@
                 "@openlayers-elements/maps": "^0.4.0",
                 "@patternfly/elements": "^4.1.0",
                 "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^9.31.0",
+                "@sentry/browser": "^9.32.0",
                 "@spotlightjs/spotlight": "^3.0.1",
                 "@webcomponents/webcomponentsjs": "^2.8.0",
                 "base64-js": "^1.5.1",
@@ -75,7 +75,7 @@
             "devDependencies": {
                 "@eslint/js": "^9.27.0",
                 "@goauthentik/core": "^1.0.0",
-                "@goauthentik/esbuild-plugin-live-reload": "^1.0.4",
+                "@goauthentik/esbuild-plugin-live-reload": "^1.0.5",
                 "@goauthentik/eslint-config": "^1.0.5",
                 "@goauthentik/prettier-config": "^1.0.5",
                 "@goauthentik/tsconfig": "^1.0.4",
@@ -1716,32 +1716,30 @@
                 "node": ">=6"
             }
         },
-        "node_modules/@gerrit0/mini-shiki": {
-            "version": "3.4.2",
-            "resolved": "https://registry.npmjs.org/@gerrit0/mini-shiki/-/mini-shiki-3.4.2.tgz",
-            "integrity": "sha512-3jXo5bNjvvimvdbIhKGfFxSnKCX+MA8wzHv55ptzk/cx8wOzT+BRcYgj8aFN3yTiTs+zvQQiaZFr7Jce1ZG3fw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@shikijs/engine-oniguruma": "^3.4.2",
-                "@shikijs/langs": "^3.4.2",
-                "@shikijs/themes": "^3.4.2",
-                "@shikijs/types": "^3.4.2",
-                "@shikijs/vscode-textmate": "^10.0.2"
-            }
-        },
         "node_modules/@goauthentik/api": {
-            "version": "2025.6.2-1750801939",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.6.2-1750801939.tgz",
-            "integrity": "sha512-3s0pE6enhLEWVMD+zClORktBhUAw1vO/lCG0ATqm6xqbTfqGxPYWj5XMzYuX7+a2axxn1BFE134afWmdzDhThw=="
+            "version": "2025.6.2-1750856752",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.6.2-1750856752.tgz",
+            "integrity": "sha512-Zf/1wa5Q1CBbfc4EyJYc/JieTnMS9V0k4wGlK3ojC+kTDJhGjYdHPWpOGiAV9GJXQWHXfHLpA9bqPtBx/0ww7A=="
         },
         "node_modules/@goauthentik/core": {
             "resolved": "packages/core",
             "link": true
         },
         "node_modules/@goauthentik/esbuild-plugin-live-reload": {
-            "resolved": "packages/esbuild-plugin-live-reload",
-            "link": true
+            "version": "1.0.5",
+            "resolved": "https://registry.npmjs.org/@goauthentik/esbuild-plugin-live-reload/-/esbuild-plugin-live-reload-1.0.5.tgz",
+            "integrity": "sha512-MZ/najY+Xn62ijzj7JDS1sVupWI3BNRwJc4kykB/iP9CdLJw+xO71qPTjfCEEOVYMZrOTftD4KOLhRYx3GTqkA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "find-free-ports": "^3.1.1"
+            },
+            "engines": {
+                "node": ">=22"
+            },
+            "peerDependencies": {
+                "esbuild": "^0.25.4"
+            }
         },
         "node_modules/@goauthentik/eslint-config": {
             "version": "1.0.5",
@@ -4058,6 +4056,7 @@
             "integrity": "sha512-ROFF39F6ZrnzSUEmQQZUar0Jt4xVoP9WnDRdWwF4NNcXs3xBTLgBUDoOwW141y1jP+S8nahIbdxbFC7IShw9Iw==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "engines": {
                 "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
             },
@@ -4561,75 +4560,75 @@
             "dev": true
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.31.0.tgz",
-            "integrity": "sha512-rviu/jUmeQbY4rSO8l4pubOtRIhFtH5Gu/ryRNMTlpJRdomp4uxddqthHUDH5g6xCXZsMTyJEIdx0aTqbgr/GQ==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.32.0.tgz",
+            "integrity": "sha512-mVWdruSWXF+2WgS24jwLhWFyC/nDQbKXseLR8paU9LGSnVtlBlQseIx1GrANbJrhBxiEWSft4WiuxU34wPsbXg==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.31.0"
+                "@sentry/core": "9.32.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/feedback": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.31.0.tgz",
-            "integrity": "sha512-Ygi/8UZ7p2B4DhXQjZDtOc45vNUHkfk2XETBTBGkByEQkE8vygzSiKhgRcnVpzwq+8xKFMRy+PxvpcCo+PNQew==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.32.0.tgz",
+            "integrity": "sha512-OaXaovXqlhN1sG2wtJMhxMEjyeuK7RwY57o96LgKE0bWM//Fs9WWCOkGa+7l8TOf0+0ib7gfhJZlpN0hlqOgRw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.31.0"
+                "@sentry/core": "9.32.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.31.0.tgz",
-            "integrity": "sha512-V5rvcO/xSj8JMw4ZnZT2cBYC+UOuIiZ2Flj4EoIurxMrTgowE1uMXUBA32EBfuB5/vQSJXB6W5uAudhk7LjBPQ==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.32.0.tgz",
+            "integrity": "sha512-mOHUKjUtHbEwshikrCQPM1ZqWAMUEcpEGashnXQp3KQivvbTxrExiNnt6XK5TjJyGvsI3A907Bp/HvEzgneYgQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.31.0",
-                "@sentry/core": "9.31.0"
+                "@sentry-internal/browser-utils": "9.32.0",
+                "@sentry/core": "9.32.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.31.0.tgz",
-            "integrity": "sha512-VGqfvQCIuXQZeecrBf8bd4sj8lYGzUA/2CffTAkad1nB1Onyz0Kzo54qLWemivCxA3ufHf6DCpNA3Loa/0ywFQ==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.32.0.tgz",
+            "integrity": "sha512-tu+coeTRpJxknmWPMJC2jqmIM5IsVoRn9gEDdkSrcPbgx/GwgE03fSJVBJL1tOEA8yRNIhZPMR86ORE7/7n2ow==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "9.31.0",
-                "@sentry/core": "9.31.0"
+                "@sentry-internal/replay": "9.32.0",
+                "@sentry/core": "9.32.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.31.0.tgz",
-            "integrity": "sha512-DzG72JJTqHzE0Qo2fHeHm3xgFs97InaSQStmTMxOA59yPqvAXbweNPcsgCNu1q76+jZyaJcoy1qOwahnLuEVDg==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.32.0.tgz",
+            "integrity": "sha512-BzPogpH87n+sC9VPfXaXkiKJtagLpIB87LGg1hSBURpwGx6Rt2ORmaVYgwwuuFZX8Hia727IIM7pbcbNfrXGRQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.31.0",
-                "@sentry-internal/feedback": "9.31.0",
-                "@sentry-internal/replay": "9.31.0",
-                "@sentry-internal/replay-canvas": "9.31.0",
-                "@sentry/core": "9.31.0"
+                "@sentry-internal/browser-utils": "9.32.0",
+                "@sentry-internal/feedback": "9.32.0",
+                "@sentry-internal/replay": "9.32.0",
+                "@sentry-internal/replay-canvas": "9.32.0",
+                "@sentry/core": "9.32.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/core": {
-            "version": "9.31.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.31.0.tgz",
-            "integrity": "sha512-6JeoPGvBgT9m2YFIf2CrW+KrrOYzUqb9+Xwr/Dw25kPjVKy+WJjWqK8DKCNLgkBA22OCmSOmHuRwFR0YxGVdZQ==",
+            "version": "9.32.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.32.0.tgz",
+            "integrity": "sha512-1wAXMMmeY4Ny2MJBCuri3b4LMVPjqXdgbVgTxxipGW+gzPsjv+8+LCSnJAR/cRBr8JoXV+qGC2tE06rI1XDj3A==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
@@ -4719,55 +4718,6 @@
                 "node": ">=14.18"
             }
         },
-        "node_modules/@shikijs/engine-oniguruma": {
-            "version": "3.4.2",
-            "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-3.4.2.tgz",
-            "integrity": "sha512-zcZKMnNndgRa3ORja6Iemsr3DrLtkX3cAF7lTJkdMB6v9alhlBsX9uNiCpqofNrXOvpA3h6lHcLJxgCIhVOU5Q==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@shikijs/types": "3.4.2",
-                "@shikijs/vscode-textmate": "^10.0.2"
-            }
-        },
-        "node_modules/@shikijs/langs": {
-            "version": "3.4.2",
-            "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-3.4.2.tgz",
-            "integrity": "sha512-H6azIAM+OXD98yztIfs/KH5H4PU39t+SREhmM8LaNXyUrqj2mx+zVkr8MWYqjceSjDw9I1jawm1WdFqU806rMA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@shikijs/types": "3.4.2"
-            }
-        },
-        "node_modules/@shikijs/themes": {
-            "version": "3.4.2",
-            "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-3.4.2.tgz",
-            "integrity": "sha512-qAEuAQh+brd8Jyej2UDDf+b4V2g1Rm8aBIdvt32XhDPrHvDkEnpb7Kzc9hSuHUxz0Iuflmq7elaDuQAP9bHIhg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@shikijs/types": "3.4.2"
-            }
-        },
-        "node_modules/@shikijs/types": {
-            "version": "3.4.2",
-            "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-3.4.2.tgz",
-            "integrity": "sha512-zHC1l7L+eQlDXLnxvM9R91Efh2V4+rN3oMVS2swCBssbj2U/FBwybD1eeLaq8yl/iwT+zih8iUbTBCgGZOYlVg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@shikijs/vscode-textmate": "^10.0.2",
-                "@types/hast": "^3.0.4"
-            }
-        },
-        "node_modules/@shikijs/vscode-textmate": {
-            "version": "10.0.2",
-            "resolved": "https://registry.npmjs.org/@shikijs/vscode-textmate/-/vscode-textmate-10.0.2.tgz",
-            "integrity": "sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/@sinclair/typebox": {
             "version": "0.27.8",
             "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.27.8.tgz",
@@ -13238,6 +13188,7 @@
             "integrity": "sha512-Mc7QhQ8s+cLrnUfU/Ji94vG/r8M26m8f++vyres4ZoojaRDpZ1eSIh/EpzLNwlWuvzSZ3UbDFspjFvTDXe6e/g==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "engines": {
                 "node": ">=12.20"
             }
@@ -13248,6 +13199,7 @@
             "integrity": "sha512-qE3Veg1YXzGHQhlA6jzebZN2qVf6NX+A7m7qlhCGG30dJixrAQhYOsJjsnBjJkCSmuOPpCk30145fr8FV0bzog==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "engines": {
                 "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
             },
@@ -15698,6 +15650,7 @@
             "version": "3.1.1",
             "resolved": "https://registry.npmjs.org/find-free-ports/-/find-free-ports-3.1.1.tgz",
             "integrity": "sha512-hQebewth9i5qkf0a0u06iFaxQssk5ZnPBBggsa1vk8zCYaZoz9IZXpoRLTbEOrYdqfrjvcxU00gYoCPgmXugKA==",
+            "dev": true,
             "license": "MIT"
         },
         "node_modules/find-replace": {
@@ -16242,6 +16195,7 @@
             "integrity": "sha512-cmP497iLq54AZnv4YRAEMnEyQ1eIn4tGKbmswqwmFV4GBnAqE8NLtWxxdXa++AalfgL5EBH4IxTPyquEuGY/jA==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "funding": {
                 "url": "https://github.com/fisker/git-hooks-list?sponsor=1"
             }
@@ -19172,16 +19126,6 @@
             "dev": true,
             "license": "MIT"
         },
-        "node_modules/linkify-it": {
-            "version": "5.0.0",
-            "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
-            "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "uc.micro": "^2.0.0"
-            }
-        },
         "node_modules/lit": {
             "version": "3.3.0",
             "resolved": "https://registry.npmjs.org/lit/-/lit-3.3.0.tgz",
@@ -19586,13 +19530,6 @@
                 "node": ">=16.14"
             }
         },
-        "node_modules/lunr": {
-            "version": "2.3.9",
-            "resolved": "https://registry.npmjs.org/lunr/-/lunr-2.3.9.tgz",
-            "integrity": "sha512-zTU3DaZaF3Rt9rhN3uBMGQD3dD2/vFQqnvZCDv4dl5iOzq2IZQqTxu90r4E5J+nP70J3ilqVCrbho2eWaeW8Ow==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/lz-string": {
             "version": "1.5.0",
             "resolved": "https://registry.npmjs.org/lz-string/-/lz-string-1.5.0.tgz",
@@ -19654,24 +19591,6 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
-        "node_modules/markdown-it": {
-            "version": "14.1.0",
-            "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
-            "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "argparse": "^2.0.1",
-                "entities": "^4.4.0",
-                "linkify-it": "^5.0.0",
-                "mdurl": "^2.0.0",
-                "punycode.js": "^2.3.1",
-                "uc.micro": "^2.1.0"
-            },
-            "bin": {
-                "markdown-it": "bin/markdown-it.mjs"
-            }
-        },
         "node_modules/markdown-table": {
             "version": "3.0.4",
             "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-3.0.4.tgz",
@@ -20069,13 +19988,6 @@
                 "url": "https://opencollective.com/unified"
             }
         },
-        "node_modules/mdurl": {
-            "version": "2.0.0",
-            "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
-            "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/media-typer": {
             "version": "0.3.0",
             "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
@@ -23018,6 +22930,7 @@
             "integrity": "sha512-h+3tSpr2nVpp+YOK1MDIYtYhHVXr8/0V59UUbJpIJFaqi3w4fvUokJo6eV8W+vELrUXIZzJ+DKm5G7lYzrMcKQ==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "sort-package-json": "3.2.1",
                 "synckit": "0.11.6"
@@ -23265,16 +23178,6 @@
                 "node": ">=6"
             }
         },
-        "node_modules/punycode.js": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
-            "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6"
-            }
-        },
         "node_modules/puppeteer-core": {
             "version": "22.15.0",
             "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-22.15.0.tgz",
@@ -25377,7 +25280,8 @@
             "resolved": "https://registry.npmjs.org/sort-object-keys/-/sort-object-keys-1.1.3.tgz",
             "integrity": "sha512-855pvK+VkU7PaKYPc+Jjnmt4EzejQHyhhF33q31qG8x7maDzkeFhAAThdCYay11CISO+qAMwjOBP+fPZe0IPyg==",
             "dev": true,
-            "license": "MIT"
+            "license": "MIT",
+            "peer": true
         },
         "node_modules/sort-package-json": {
             "version": "3.2.1",
@@ -25385,6 +25289,7 @@
             "integrity": "sha512-rTfRdb20vuoAn7LDlEtCqOkYfl2X+Qze6cLbNOzcDpbmKEhJI30tTN44d5shbKJnXsvz24QQhlCm81Bag7EOKg==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "detect-indent": "^7.0.1",
                 "detect-newline": "^4.0.1",
@@ -26077,6 +25982,7 @@
             "integrity": "sha512-2pR2ubZSV64f/vqm9eLPz/KOvR9Dm+Co/5ChLgeHl0yEDRc6h5hXHoxEQH8Y5Ljycozd3p1k5TTSVdzYGkPvLw==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "@pkgr/core": "^0.2.4"
             },
@@ -26287,6 +26193,7 @@
             "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "fdir": "^6.4.4",
                 "picomatch": "^4.0.2"
@@ -27156,43 +27063,6 @@
             "dev": true,
             "license": "MIT"
         },
-        "node_modules/typedoc": {
-            "version": "0.28.5",
-            "resolved": "https://registry.npmjs.org/typedoc/-/typedoc-0.28.5.tgz",
-            "integrity": "sha512-5PzUddaA9FbaarUzIsEc4wNXCiO4Ot3bJNeMF2qKpYlTmM9TTaSHQ7162w756ERCkXER/+o2purRG6YOAv6EMA==",
-            "dev": true,
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@gerrit0/mini-shiki": "^3.2.2",
-                "lunr": "^2.3.9",
-                "markdown-it": "^14.1.0",
-                "minimatch": "^9.0.5",
-                "yaml": "^2.7.1"
-            },
-            "bin": {
-                "typedoc": "bin/typedoc"
-            },
-            "engines": {
-                "node": ">= 18",
-                "pnpm": ">= 10"
-            },
-            "peerDependencies": {
-                "typescript": "5.0.x || 5.1.x || 5.2.x || 5.3.x || 5.4.x || 5.5.x || 5.6.x || 5.7.x || 5.8.x"
-            }
-        },
-        "node_modules/typedoc-plugin-markdown": {
-            "version": "4.6.3",
-            "resolved": "https://registry.npmjs.org/typedoc-plugin-markdown/-/typedoc-plugin-markdown-4.6.3.tgz",
-            "integrity": "sha512-86oODyM2zajXwLs4Wok2mwVEfCwCnp756QyhLGX2IfsdRYr1DXLCgJgnLndaMUjJD7FBhnLk2okbNE9PdLxYRw==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">= 18"
-            },
-            "peerDependencies": {
-                "typedoc": "0.28.x"
-            }
-        },
         "node_modules/types-ramda": {
             "version": "0.30.1",
             "resolved": "https://registry.npmjs.org/types-ramda/-/types-ramda-0.30.1.tgz",
@@ -27249,13 +27119,6 @@
                 "node": ">=8"
             }
         },
-        "node_modules/uc.micro": {
-            "version": "2.1.0",
-            "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
-            "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
-            "dev": true,
-            "license": "MIT"
-        },
         "node_modules/ufo": {
             "version": "1.5.4",
             "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.5.4.tgz",
@@ -29467,6 +29330,7 @@
         "packages/esbuild-plugin-live-reload": {
             "name": "@goauthentik/esbuild-plugin-live-reload",
             "version": "1.0.5",
+            "extraneous": true,
             "license": "MIT",
             "dependencies": {
                 "find-free-ports": "^3.1.1"
@@ -29490,16 +29354,6 @@
                 "esbuild": "^0.25.5"
             }
         },
-        "packages/esbuild-plugin-live-reload/node_modules/@types/node": {
-            "version": "22.15.19",
-            "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.19.tgz",
-            "integrity": "sha512-3vMNr4TzNQyjHcRZadojpRaD9Ofr6LsonZAoQ+HMUa/9ORTPoxVIw0e0mpqWpdjj8xybyCM+oKOUH2vwFu/oEw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "undici-types": "~6.21.0"
-            }
-        },
         "packages/monorepo": {
             "name": "@goauthentik/monorepo",
             "version": "1.0.0",

web/package.json

@@ -93,7 +93,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.7.11",
         "@fortawesome/fontawesome-free": "^6.7.2",
-        "@goauthentik/api": "^2025.6.2-1750801939",
+        "@goauthentik/api": "^2025.6.2-1750856752",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
         "@lit/reactive-element": "^2.0.4",
@@ -105,7 +105,7 @@
         "@openlayers-elements/maps": "^0.4.0",
         "@patternfly/elements": "^4.1.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.31.0",
+        "@sentry/browser": "^9.32.0",
         "@spotlightjs/spotlight": "^3.0.1",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
@@ -146,7 +146,7 @@
     "devDependencies": {
         "@eslint/js": "^9.27.0",
         "@goauthentik/core": "^1.0.0",
-        "@goauthentik/esbuild-plugin-live-reload": "^1.0.4",
+        "@goauthentik/esbuild-plugin-live-reload": "^1.0.5",
         "@goauthentik/eslint-config": "^1.0.5",
         "@goauthentik/prettier-config": "^1.0.5",
         "@goauthentik/tsconfig": "^1.0.4",

web/src/admin/admin-overview/cards/RecentEventsCard.ts

@@ -1,4 +1,4 @@
-import { EventGeo, EventUser } from "@goauthentik/admin/events/utils";
+import { EventGeo, renderEventUser } from "@goauthentik/admin/events/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EventWithContext } from "@goauthentik/common/events";
 import { actionToLabel } from "@goauthentik/common/labels";
@@ -73,7 +73,7 @@ export class RecentEventsCard extends Table<Event> {
         return [
             html`<div><a href="${`#/events/log/${item.pk}`}">${actionToLabel(item.action)}</a></div>
                 <small>${item.app}</small>`,
-            EventUser(item),
+            renderEventUser(item),
             html`<div>${formatElapsedTime(item.created)}</div>
                 <small>${item.created.toLocaleString()}</small>`,
             html` <div>${item.clientIp || msg("-")}</div>

web/src/admin/events/EventListPage.ts

@@ -3,7 +3,7 @@ import { WithLicenseSummary } from "#elements/mixins/license";
 import { updateURLParams } from "#elements/router/RouteMatch";
 import "@goauthentik/admin/events/EventMap";
 import "@goauthentik/admin/events/EventVolumeChart";
-import { EventGeo, EventUser } from "@goauthentik/admin/events/utils";
+import { EventGeo, renderEventUser } from "@goauthentik/admin/events/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EventWithContext } from "@goauthentik/common/events";
 import { actionToLabel } from "@goauthentik/common/labels";
@@ -113,7 +113,7 @@ export class EventListPage extends WithLicenseSummary(TablePage<Event>) {
         return [
             html`<div>${actionToLabel(item.action)}</div>
                 <small>${item.app}</small>`,
-            EventUser(item),
+            renderEventUser(item),
             html`<div>${formatElapsedTime(item.created)}</div>
                 <small>${item.created.toLocaleString()}</small>`,
             html`<div>${item.clientIp || msg("-")}</div>

web/src/admin/events/EventMap.ts

@@ -8,6 +8,7 @@ import OlMap from "@openlayers-elements/core/ol-map";
 import "@openlayers-elements/maps/ol-layer-openstreetmap";
 import "@openlayers-elements/maps/ol-select";
 import Feature from "ol/Feature";
+import { isEmpty } from "ol/extent";
 import { Point } from "ol/geom";
 import { fromLonLat } from "ol/proj";
 import Icon from "ol/style/Icon";
@@ -92,7 +93,7 @@ export class EventMap extends AKElement {
         // Re-add them
         this.events?.results
             .filter((event) => {
-                if (!Object.hasOwn(event.context, "geo")) {
+                if (!Object.hasOwn(event.context || {}, "geo")) {
                     return false;
                 }
                 const geo = (event as EventWithContext).context.geo;
@@ -124,6 +125,9 @@ export class EventMap extends AKElement {
                 this.vectorLayer?.source?.addFeature(feature);
             });
         // Zoom to show points better
+        if (isEmpty(this.vectorLayer.source.getExtent())) {
+            return;
+        }
         this.map.map.getView().fit(this.vectorLayer.source.getExtent(), {
             padding: [
                 this.zoomPaddingPx,

web/src/admin/events/EventViewPage.ts

@@ -1,4 +1,4 @@
-import { EventGeo, EventUser } from "#admin/events/utils";
+import { EventGeo, renderEventUser } from "#admin/events/utils";
 import { DEFAULT_CONFIG } from "#common/api/config";
 import { EventWithContext } from "#common/events";
 import { actionToLabel } from "#common/labels";
@@ -92,7 +92,7 @@ export class EventViewPage extends AKElement {
                                     </dt>
                                     <dd class="pf-c-description-list__description">
                                         <div class="pf-c-description-list__text">
-                                            ${EventUser(this.event)}
+                                            ${renderEventUser(this.event)}
                                         </div>
                                     </dd>
                                 </div>

web/src/admin/events/utils.ts

@@ -1,9 +1,9 @@
-import { EventWithContext } from "@goauthentik/common/events";
+import { EventUser, EventWithContext } from "@goauthentik/common/events";
 import { truncate } from "@goauthentik/common/utils";
 import { SlottedTemplateResult } from "@goauthentik/elements/types";
 
 import { msg, str } from "@lit/localize";
-import { html, nothing } from "lit";
+import { TemplateResult, html, nothing } from "lit";
 
 /**
  * Given event with a geographical context, format it into a string for display.
@@ -18,31 +18,48 @@ export function EventGeo(event: EventWithContext): SlottedTemplateResult {
     return html`${parts.join(", ")}`;
 }
 
-export function EventUser(
+export function renderEventUser(
     event: EventWithContext,
     truncateUsername?: number,
 ): SlottedTemplateResult {
     if (!event.user.username) return html`-`;
 
-    let body: SlottedTemplateResult = nothing;
+    const linkOrSpan = (inner: TemplateResult, evu: EventUser) => {
+        return html`${evu.pk && !evu.is_anonymous
+            ? html`<a href="#/identity/users/${evu.pk}">${inner}</a>`
+            : html`<span>${inner}</span>`}`;
+    };
 
-    if (event.user.is_anonymous) {
-        body = html`<div>${msg("Anonymous user")}</div>`;
-    } else {
-        body = html`<div>
-            <a href="#/identity/users/${event.user.pk}"
-                >${truncateUsername
-                    ? truncate(event.user?.username, truncateUsername)
-                    : event.user?.username}</a
-            >
-        </div>`;
-    }
+    const renderUsername = (evu: EventUser) => {
+        let username = evu.username;
+        if (evu.is_anonymous) {
+            username = msg("Anonymous user");
+        }
+        if (truncateUsername) {
+            return truncate(username, truncateUsername);
+        }
+        return username;
+    };
+
+    let body: SlottedTemplateResult = nothing;
+    body = html`<div>${linkOrSpan(html`${renderUsername(event.user)}`, event.user)}</div>`;
 
     if (event.user.on_behalf_of) {
         return html`${body}<small>
-                <a href="#/identity/users/${event.user.on_behalf_of.pk}"
-                    >${msg(str`On behalf of ${event.user.on_behalf_of.username}`)}</a
-                >
+                ${linkOrSpan(
+                    html`${msg(str`On behalf of ${renderUsername(event.user.on_behalf_of)}`)}`,
+                    event.user.on_behalf_of,
+                )}
+            </small>`;
+    }
+    if (event.user.authenticated_as) {
+        return html`${body}<small>
+                ${linkOrSpan(
+                    html`${msg(
+                        str`Authenticated as ${renderUsername(event.user.authenticated_as)}`,
+                    )}`,
+                    event.user.authenticated_as,
+                )}
             </small>`;
     }
 

web/src/common/events.ts

@@ -4,8 +4,9 @@ export interface EventUser {
     pk: number;
     email?: string;
     username: string;
-    on_behalf_of?: EventUser;
     is_anonymous?: boolean;
+    on_behalf_of?: EventUser;
+    authenticated_as?: EventUser;
 }
 
 export interface EventGeo {

web/src/components/events/ObjectChangelog.ts

@@ -1,4 +1,4 @@
-import { EventGeo, EventUser } from "@goauthentik/admin/events/utils";
+import { EventGeo, renderEventUser } from "@goauthentik/admin/events/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EventWithContext } from "@goauthentik/common/events";
 import { actionToLabel } from "@goauthentik/common/labels";
@@ -72,7 +72,7 @@ export class ObjectChangelog extends Table<Event> {
     row(item: EventWithContext): SlottedTemplateResult[] {
         return [
             html`${actionToLabel(item.action)}`,
-            EventUser(item),
+            renderEventUser(item),
             html`<div>${formatElapsedTime(item.created)}</div>
                 <small>${item.created.toLocaleString()}</small>`,
             html`<div>${item.clientIp || msg("-")}</div>

web/src/components/events/UserEvents.ts

@@ -1,4 +1,4 @@
-import { EventUser } from "@goauthentik/admin/events/utils";
+import { renderEventUser } from "@goauthentik/admin/events/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EventWithContext } from "@goauthentik/common/events";
 import { actionToLabel } from "@goauthentik/common/labels";
@@ -46,7 +46,7 @@ export class UserEvents extends Table<Event> {
     row(item: EventWithContext): SlottedTemplateResult[] {
         return [
             html`${actionToLabel(item.action)}`,
-            EventUser(item),
+            renderEventUser(item),
             html`<div>${formatElapsedTime(item.created)}</div>
                 <small>${item.created.toLocaleString()}</small>`,
             html`<span>${item.clientIp || msg("-")}</span>`,

web/xliff/de.xlf

@@ -451,7 +451,7 @@
         
       </trans-unit>
       <trans-unit id="sc35581d9c1cd67ff">
-        <source>On behalf of <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></source>
+        <source>On behalf of <x id="0" equiv-text="${renderUsername(event.user.on_behalf_of)}"/></source>
         <target>Im Namen von
         <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></target>
         
@@ -8751,9 +8751,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s05849efeac672dc7">
   <source>No app entitlements created.</source>
 </trans-unit>
-<trans-unit id="sdc8a8f29af6aa411">
-  <source>This application does currently not have any application entitlement defined.</source>
-</trans-unit>
 <trans-unit id="sf0bd204ce3fea1de">
   <source>Create Entitlement</source>
 </trans-unit>
@@ -9256,6 +9253,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8495753cb15e8d8e">
   <source>Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited.</source>
+</trans-unit>
+<trans-unit id="sab4db6a3bd6abc1e">
+  <source>This application does currently not have any application entitlements defined.</source>
+</trans-unit>
+<trans-unit id="s7225aacf0eee94d2">
+  <source>Authenticated as <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -363,7 +363,7 @@
         <target>Recent events</target>
       </trans-unit>
       <trans-unit id="sc35581d9c1cd67ff">
-        <source>On behalf of <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></source>
+        <source>On behalf of <x id="0" equiv-text="${renderUsername(event.user.on_behalf_of)}"/></source>
         <target>On behalf of
         <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></target>
       </trans-unit>
@@ -7263,9 +7263,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s05849efeac672dc7">
   <source>No app entitlements created.</source>
 </trans-unit>
-<trans-unit id="sdc8a8f29af6aa411">
-  <source>This application does currently not have any application entitlement defined.</source>
-</trans-unit>
 <trans-unit id="sf0bd204ce3fea1de">
   <source>Create Entitlement</source>
 </trans-unit>
@@ -7766,6 +7763,12 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8495753cb15e8d8e">
   <source>Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited.</source>
+</trans-unit>
+<trans-unit id="sab4db6a3bd6abc1e">
+  <source>This application does currently not have any application entitlements defined.</source>
+</trans-unit>
+<trans-unit id="s7225aacf0eee94d2">
+  <source>Authenticated as <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -451,7 +451,7 @@
         
       </trans-unit>
       <trans-unit id="sc35581d9c1cd67ff">
-        <source>On behalf of <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></source>
+        <source>On behalf of <x id="0" equiv-text="${renderUsername(event.user.on_behalf_of)}"/></source>
         <target>En nombre de
         <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></target>
         
@@ -8814,9 +8814,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 <trans-unit id="s05849efeac672dc7">
   <source>No app entitlements created.</source>
 </trans-unit>
-<trans-unit id="sdc8a8f29af6aa411">
-  <source>This application does currently not have any application entitlement defined.</source>
-</trans-unit>
 <trans-unit id="sf0bd204ce3fea1de">
   <source>Create Entitlement</source>
 </trans-unit>
@@ -9317,6 +9314,12 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="s8495753cb15e8d8e">
   <source>Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited.</source>
+</trans-unit>
+<trans-unit id="sab4db6a3bd6abc1e">
+  <source>This application does currently not have any application entitlements defined.</source>
+</trans-unit>
+<trans-unit id="s7225aacf0eee94d2">
+  <source>Authenticated as <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -451,7 +451,7 @@
         
       </trans-unit>
       <trans-unit id="sc35581d9c1cd67ff">
-        <source>On behalf of <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></source>
+        <source>On behalf of <x id="0" equiv-text="${renderUsername(event.user.on_behalf_of)}"/></source>
         <target>Au nom de
         <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></target>
         
@@ -9231,10 +9231,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <source>No app entitlements created.</source>
   <target>Aucun droit applicatif créé.</target>
 </trans-unit>
-<trans-unit id="sdc8a8f29af6aa411">
-  <source>This application does currently not have any application entitlement defined.</source>
-  <target>Cette application n'a actuellement pas de droit applicatif défini.</target>
-</trans-unit>
 <trans-unit id="sf0bd204ce3fea1de">
   <source>Create Entitlement</source>
   <target>Créer un droit</target>
@@ -9885,6 +9881,12 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s8495753cb15e8d8e">
   <source>Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited.</source>
+</trans-unit>
+<trans-unit id="sab4db6a3bd6abc1e">
+  <source>This application does currently not have any application entitlements defined.</source>
+</trans-unit>
+<trans-unit id="s7225aacf0eee94d2">
+  <source>Authenticated as <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="it" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -451,7 +451,7 @@
         
       </trans-unit>
       <trans-unit id="sc35581d9c1cd67ff">
-        <source>On behalf of <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></source>
+        <source>On behalf of <x id="0" equiv-text="${renderUsername(event.user.on_behalf_of)}"/></source>
         <target>Per conto di
         <x id="0" equiv-text="${event.user.on_behalf_of.username}"/></target>
         
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>La URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot; non è stata trovata.</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>La URL "
+        <x id="0" equiv-text="${this.url}"/>" non è stata trovata.</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1100,7 +1100,7 @@
       </trans-unit>
       <trans-unit id="sde949d0ef44572eb">
         <source>Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.</source>
-        <target>Richiede che l'utente abbia un attributo &quot;upn&quot; impostato e ricorre all'ID utente con hash. Utilizza questa modalità solo se disponi di domini UPN e di posta diversi.</target>
+        <target>Richiede che l'utente abbia un attributo "upn" impostato e ricorre all'ID utente con hash. Utilizza questa modalità solo se disponi di domini UPN e di posta diversi.</target>
         
       </trans-unit>
       <trans-unit id="s9f23ed1799b4d49a">
@@ -1260,7 +1260,7 @@
       </trans-unit>
       <trans-unit id="s211b75e868072162">
         <source>Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.</source>
-        <target>Impostalo sul dominio per il quale desideri che l'autenticazione sia valida. Deve essere un dominio principale dell'URL riportato sopra. Se esegui applicazioni come app1.domain.tld, app2.domain.tld, impostalo su &quot;domain.tld&quot;.</target>
+        <target>Impostalo sul dominio per il quale desideri che l'autenticazione sia valida. Deve essere un dominio principale dell'URL riportato sopra. Se esegui applicazioni come app1.domain.tld, app2.domain.tld, impostalo su "domain.tld".</target>
         
       </trans-unit>
       <trans-unit id="s2345170f7e272668">
@@ -1709,8 +1709,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>Inserisci un URL completo, un percorso relativo oppure utilizza &quot;fa://fa-test&quot; per utilizzare l'icona &quot;fa-test&quot; di Font Awesome.</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>Inserisci un URL completo, un percorso relativo oppure utilizza "fa://fa-test" per utilizzare l'icona "fa-test" di Font Awesome.</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -3134,7 +3134,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s3198c384c2f68b08">
         <source>Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.</source>
-        <target>Tempo da attendere quando gli utenti temporanei devono essere eliminati. Questo vale solo se l'IDP utilizza il formato NameID &quot;Transient&quot; e l'utente non si disconnette manualmente.</target>
+        <target>Tempo da attendere quando gli utenti temporanei devono essere eliminati. Questo vale solo se l'IDP utilizza il formato NameID "Transient" e l'utente non si disconnette manualmente.</target>
         
       </trans-unit>
       <trans-unit id="sb32e9c1faa0b8673">
@@ -3276,7 +3276,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s9f8aac89fe318acc">
         <source>Optionally set the 'FriendlyName' value of the Assertion attribute.</source>
-        <target>Opzionale: imposta il valore &quot;friendlyname&quot; dell'attributo di asserzione.</target>
+        <target>Opzionale: imposta il valore "friendlyname" dell'attributo di asserzione.</target>
         
       </trans-unit>
       <trans-unit id="s851c108679653d2a">
@@ -3757,10 +3757,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
         <target>Sei sicuro di voler aggiornare
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot;?</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>"?</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4133,7 +4133,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s7520286c8419a266">
         <source>Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON.</source>
-        <target>Dati facoltativi che vengono caricati nella variabile di contesto &quot;prompt_data&quot; del flusso. YAML o JSON.</target>
+        <target>Dati facoltativi che vengono caricati nella variabile di contesto "prompt_data" del flusso. YAML o JSON.</target>
         
       </trans-unit>
       <trans-unit id="sb8795b799c70776a">
@@ -4826,8 +4826,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-        <target>Un autenticatore &quot;roaming&quot;, come un YubiKey</target>
+        <source>A "roaming" authenticator, like a YubiKey</source>
+        <target>Un autenticatore "roaming", come un YubiKey</target>
         
       </trans-unit>
       <trans-unit id="sfffba7b23d8fb40c">
@@ -5132,7 +5132,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s5170f9ef331949c0">
         <source>Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.</source>
-        <target>Mostra campi di input arbitrari all'utente, ad esempio durante l'iscrizione. I dati vengono salvati nel contesto di flusso nell'ambito della variabile &quot;prompt_data&quot;.</target>
+        <target>Mostra campi di input arbitrari all'utente, ad esempio durante l'iscrizione. I dati vengono salvati nel contesto di flusso nell'ambito della variabile "prompt_data".</target>
         
       </trans-unit>
       <trans-unit id="s36cb242ac90353bc">
@@ -5185,8 +5185,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
-        <target>Se impostato su una durata superiore a 0, l'utente avrà la possibilità di scegliere di &quot;rimanere firmato&quot;, che estenderà la sessione entro il momento specificato qui.</target>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <target>Se impostato su una durata superiore a 0, l'utente avrà la possibilità di scegliere di "rimanere firmato", che estenderà la sessione entro il momento specificato qui.</target>
         
       </trans-unit>
       <trans-unit id="s542a71bb8f41e057">
@@ -5207,7 +5207,7 @@ doesn't pass when either or both of the selected options are equal or above the
       <trans-unit id="s927398c400970760">
         <source>Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user
         is pending, a new user is created, and data is written to them.</source>
-        <target>Scrivi qualsiasi dati dal contesto del flusso &quot;prompt_data&quot; all'utente attualmente in sospeso. Se nessun utente
+        <target>Scrivi qualsiasi dati dal contesto del flusso "prompt_data" all'utente attualmente in sospeso. Se nessun utente
  è in sospeso, viene creato un nuovo utente e vengono scritti dati.</target>
       </trans-unit>
       <trans-unit id="sb379d861cbed0b47">
@@ -7336,7 +7336,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
-  <target>Un suggerimento, &quot;New Application Wizard&quot;, è attualmente nascosto</target>
+  <target>Un suggerimento, "New Application Wizard", è attualmente nascosto</target>
 </trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
@@ -7451,7 +7451,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Utente creato con successo e aggiunto al gruppo <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
   <target>Questo utente sarà aggiunto al gruppo &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;.</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8598,7 +8598,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s9dda0789d278f5c5">
   <source>Provide users with a 'show password' button.</source>
-  <target>Fornisci agli utenti un pulsante &quot;Mostra password&quot;.</target>
+  <target>Fornisci agli utenti un pulsante "Mostra password".</target>
 </trans-unit>
 <trans-unit id="s2f7f35f6a5b733f5">
   <source>Show password</source>
@@ -8733,7 +8733,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Gruppo di sincronizzazione</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
   <target><x id="0" equiv-text="${p.name}"/> (&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;, del tipo <x id="2" equiv-text="${p.type}"/>)</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@@ -8981,8 +8981,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>URI di reindirizzamento validi dopo un flusso di autorizzazione riuscito. Specificare anche eventuali origini per i flussi impliciti.</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>Per consentire qualsiasi URI di reindirizzamento, imposta la modalità su Regex e il valore su &quot;.*&quot;. Tieni presente le possibili implicazioni per la sicurezza.</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <target>Per consentire qualsiasi URI di reindirizzamento, imposta la modalità su Regex e il valore su ".*". Tieni presente le possibili implicazioni per la sicurezza.</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
   <source>Federated OIDC Sources</source>
@@ -9232,10 +9232,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>No app entitlements created.</source>
   <target>Non sono stati creati entitlements per l'app.</target>
 </trans-unit>
-<trans-unit id="sdc8a8f29af6aa411">
-  <source>This application does currently not have any application entitlement defined.</source>
-  <target>Al momento, per questa applicazione non è definito alcun entitlement applicativo.</target>
-</trans-unit>
 <trans-unit id="sf0bd204ce3fea1de">
   <source>Create Entitlement</source>
   <target>Crea Privilegio</target>
@@ -9652,7 +9648,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
   <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
-  <target>Campo che contiene i ND dei gruppi di cui l'utente è membro. Questo campo viene utilizzato per cercare i gruppi degli utenti, ad esempio &quot;memberOf&quot;. Per cercare gruppi nidificati in un ambiente Active Directory, utilizzare &quot;memberOf:1.2.840.113556.1.4.1941:&quot;.</target>
+  <target>Campo che contiene i ND dei gruppi di cui l'utente è membro. Questo campo viene utilizzato per cercare i gruppi degli utenti, ad esempio "memberOf". Per cercare gruppi nidificati in un ambiente Active Directory, utilizzare "memberOf:1.2.840.113556.1.4.1941:".</target>
 </trans-unit>
 <trans-unit id="s891cd64acabf23bf">
   <source>Initial Permissions</source>
@@ -9735,8 +9731,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Come eseguire l'autenticazione durante un flusso di richiesta del token authorization_code</target>
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
-  <source>Enable &quot;Remember me on this device&quot;</source>
-  <target>Abilita &quot;Ricordami su questo dispositivo&quot;</target>
+  <source>Enable "Remember me on this device"</source>
+  <target>Abilita "Ricordami su questo dispositivo"</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
   <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
@@ -9888,7 +9884,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se630f2ccd39bf9e6">
   <source>If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
-  <target>Se non viene selezionato alcun gruppo e l'opzione &quot;Invia notifica all'utente dell'evento&quot; è disabilitata, la regola è disabilitata.</target>
+  <target>Se non viene selezionato alcun gruppo e l'opzione "Invia notifica all'utente dell'evento" è disabilitata, la regola è disabilitata.</target>
 </trans-unit>
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
@@ -9896,7 +9892,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sd30f00ff2135589c">
   <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento, oltre a tutti gli utenti del gruppo sopra indicato. L'utente dell'evento sarà sempre il primo a inviare una notifica solo all'utente dell'evento che ha abilitato &quot;Invia una volta&quot; nel trasporto delle notifiche.</target>
+  <target>Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento, oltre a tutti gli utenti del gruppo sopra indicato. L'utente dell'evento sarà sempre il primo a inviare una notifica solo all'utente dell'evento che ha abilitato "Invia una volta" nel trasporto delle notifiche.</target>
 </trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
   <source>Maximum registration attempts</source>
@@ -9905,6 +9901,14 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s8495753cb15e8d8e">
   <source>Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited.</source>
   <target>Numero massimo di tentativi di registrazione consentiti. Se impostato su 0 tentativi, i tentativi non sono limitati.</target>
+</trans-unit>
+<trans-unit id="sab4db6a3bd6abc1e">
+  <source>This application does currently not have any application entitlements defined.</source>
+  <target>Questa applicazione al momento non ha eventuali diritti applicativi definiti.</target>
+</trans-unit>
+<trans-unit id="s7225aacf0eee94d2">
+  <source>Authenticated as <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></source>
+  <target>Autenticato come <x id="0" equiv-text="${renderUsername(event.user.authenticated_as)}"/></target>
 </trans-unit>
     </body>
   </file>