Merge branch 'main' into web/add-command-palette

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	web/package-lock.json
#	web/package.json
#	web/src/admin/AdminInterface/AdminInterface.ts

Makefile

@@ -94,7 +94,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		uv run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -72,33 +72,20 @@ class Command(BaseCommand):
                     "additionalProperties": True,
                 },
                 "entries": {
-                    "anyOf": [
-                        {
-                            "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
-                        },
-                        {
-                            "type": "object",
-                            "additionalProperties": {
-                                "type": "array",
-                                "items": {"$ref": "#/$defs/blueprint_entry"},
-                            },
-                        },
-                    ],
+                    "type": "array",
+                    "items": {
+                        "oneOf": [],
+                    },
                 },
             },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
         }
 
-    def add_arguments(self, parser):
-        parser.add_argument("--file", type=str)
-
     @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
         """Generate JSON Schema for blueprints"""
         self.build()
-        with open(file, "w") as _schema:
-            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
 
     @staticmethod
     def json_default(value: Any) -> Any:
@@ -125,7 +112,7 @@ class Command(BaseCommand):
                 }
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                 self.template_entry(model_path, model, serializer)
             )
 

authentik/blueprints/tests/fixtures/state_present.yaml

@@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
-      - identifiers:
-            name: "%(id)s"
-            slug: "%(id)s"
-        model: authentik_flows.flow
-        state: present
-        attrs:
-            designation: stage_configuration
-            title: foo
+    - identifiers:
+          name: "%(id)s"
+          slug: "%(id)s"
+      model: authentik_flows.flow
+      state: present
+      attrs:
+          designation: stage_configuration
+          title: foo

authentik/blueprints/v1/common.py

@@ -191,18 +191,11 @@ class Blueprint:
     """Dataclass used for a full export"""
 
     version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
     context: dict = field(default_factory=dict)
 
     metadata: BlueprintMetadata | None = field(default=None)
 
-    def iter_entries(self) -> Iterable[BlueprintEntry]:
-        if isinstance(self.entries, dict):
-            for _section, entries in self.entries.items():
-                yield from entries
-        else:
-            yield from self.entries
-
 
 class YAMLTag:
     """Base class for all YAML Tags"""
@@ -233,7 +226,7 @@ class KeyOf(YAMLTag):
         self.id_from = node.value
 
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
             if _entry.id == self.id_from and _entry._state.instance:
                 # Special handling for PolicyBindingModels, as they'll have a different PK
                 # which is used when creating policy bindings

authentik/blueprints/v1/importer.py

@@ -384,7 +384,7 @@ class Importer:
     def _apply_models(self, raise_errors=False) -> bool:
         """Apply (create/update) models yaml"""
         self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
             model_app_label, model_name = entry.get_model(self._import).split(".")
             try:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)

authentik/providers/oauth2/errors.py

@@ -15,7 +15,6 @@ class OAuth2Error(SentryIgnoredException):
 
     error: str
     description: str
-    cause: str | None = None
 
     def create_dict(self):
         """Return error as dict for JSON Rendering"""
@@ -35,10 +34,6 @@ class OAuth2Error(SentryIgnoredException):
             **kwargs,
         )
 
-    def with_cause(self, cause: str):
-        self.cause = cause
-        return self
-
 
 class RedirectUriError(OAuth2Error):
     """The request fails due to a missing, invalid, or mismatching

authentik/providers/oauth2/tests/test_authorize.py

@@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE
+from authentik.providers.oauth2.constants import TOKEN_TYPE
 from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError
 from authentik.providers.oauth2.models import (
     AccessToken,
@@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase):
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
         )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
             request = self.factory.get(
                 "/",
                 data={
@@ -53,7 +53,6 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.error, "unsupported_response_type")
 
     def test_invalid_client_id(self):
         """Test invalid client ID"""
@@ -69,7 +68,7 @@ class TestAuthorize(OAuthTestCase):
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
         )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
             request = self.factory.get(
                 "/",
                 data={
@@ -80,30 +79,19 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.error, "request_not_supported")
-
-    def test_invalid_redirect_uri_missing(self):
-        """test missing redirect URI"""
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
-        )
-        with self.assertRaises(RedirectUriError) as cm:
-            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
-            OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "redirect_uri_missing")
 
     def test_invalid_redirect_uri(self):
-        """test invalid redirect URI"""
+        """test missing/invalid redirect URI"""
         OAuth2Provider.objects.create(
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
         )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
+            OAuthAuthorizationParams.from_request(request)
+        with self.assertRaises(RedirectUriError):
             request = self.factory.get(
                 "/",
                 data={
@@ -113,7 +101,6 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
 
     def test_blocked_redirect_uri(self):
         """test missing/invalid redirect URI"""
@@ -121,9 +108,9 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:localhost")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
         )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
             request = self.factory.get(
                 "/",
                 data={
@@ -133,7 +120,6 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "redirect_uri_forbidden_scheme")
 
     def test_invalid_redirect_uri_empty(self):
         """test missing/invalid redirect URI"""
@@ -143,6 +129,9 @@ class TestAuthorize(OAuthTestCase):
             authorization_flow=create_test_flow(),
             redirect_uris=[],
         )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
+            OAuthAuthorizationParams.from_request(request)
         request = self.factory.get(
             "/",
             data={
@@ -161,9 +150,12 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, "http://local.invalid?")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
         )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
+            OAuthAuthorizationParams.from_request(request)
+        with self.assertRaises(RedirectUriError):
             request = self.factory.get(
                 "/",
                 data={
@@ -173,7 +165,6 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
 
     def test_redirect_uri_invalid_regex(self):
         """test missing/invalid redirect URI (invalid regex)"""
@@ -181,9 +172,12 @@ class TestAuthorize(OAuthTestCase):
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, "+")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
         )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
+            OAuthAuthorizationParams.from_request(request)
+        with self.assertRaises(RedirectUriError):
             request = self.factory.get(
                 "/",
                 data={
@@ -193,22 +187,23 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
 
-    def test_redirect_uri_regex(self):
-        """test valid redirect URI (regex)"""
+    def test_empty_redirect_uri(self):
+        """test empty redirect URI (configure in provider)"""
         OAuth2Provider.objects.create(
             name=generate_id(),
             client_id="test",
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, ".+")],
         )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
+            OAuthAuthorizationParams.from_request(request)
         request = self.factory.get(
             "/",
             data={
                 "response_type": "code",
                 "client_id": "test",
-                "redirect_uri": "http://foo.bar.baz",
+                "redirect_uri": "http://localhost",
             },
         )
         OAuthAuthorizationParams.from_request(request)
@@ -263,7 +258,7 @@ class TestAuthorize(OAuthTestCase):
             GrantTypes.IMPLICIT,
         )
         # Implicit without openid scope
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
             request = self.factory.get(
                 "/",
                 data={
@@ -290,7 +285,7 @@ class TestAuthorize(OAuthTestCase):
         self.assertEqual(
             OAuthAuthorizationParams.from_request(request).grant_type, GrantTypes.HYBRID
         )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
             request = self.factory.get(
                 "/",
                 data={
@@ -300,7 +295,6 @@ class TestAuthorize(OAuthTestCase):
                 },
             )
             OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.error, "unsupported_response_type")
 
     def test_full_code(self):
         """Test full authorization"""
@@ -621,54 +615,3 @@ class TestAuthorize(OAuthTestCase):
                 },
             },
         )
-
-    def test_openid_missing_invalid(self):
-        """test request requiring an OpenID scope to be set"""
-        OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
-        )
-        request = self.factory.get(
-            "/",
-            data={
-                "response_type": "id_token",
-                "client_id": "test",
-                "redirect_uri": "http://localhost",
-                "scope": "",
-            },
-        )
-        with self.assertRaises(AuthorizeError) as cm:
-            OAuthAuthorizationParams.from_request(request)
-        self.assertEqual(cm.exception.cause, "scope_openid_missing")
-
-    @apply_blueprint("system/providers-oauth2.yaml")
-    def test_offline_access_invalid(self):
-        """test request for offline_access with invalid response type"""
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            client_id="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
-        )
-        provider.property_mappings.set(
-            ScopeMapping.objects.filter(
-                managed__in=[
-                    "goauthentik.io/providers/oauth2/scope-openid",
-                    "goauthentik.io/providers/oauth2/scope-offline_access",
-                ]
-            )
-        )
-        request = self.factory.get(
-            "/",
-            data={
-                "response_type": "id_token",
-                "client_id": "test",
-                "redirect_uri": "http://localhost",
-                "scope": f"{SCOPE_OPENID} {SCOPE_OFFLINE_ACCESS}",
-                "nonce": generate_id(),
-            },
-        )
-        parsed = OAuthAuthorizationParams.from_request(request)
-        self.assertNotIn(SCOPE_OFFLINE_ACCESS, parsed.scope)

authentik/providers/oauth2/views/authorize.py

@@ -190,7 +190,7 @@ class OAuthAuthorizationParams:
         allowed_redirect_urls = self.provider.redirect_uris
         if not self.redirect_uri:
             LOGGER.warning("Missing redirect uri.")
-            raise RedirectUriError("", allowed_redirect_urls).with_cause("redirect_uri_missing")
+            raise RedirectUriError("", allowed_redirect_urls)
 
         if len(allowed_redirect_urls) < 1:
             LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
@@ -219,14 +219,10 @@ class OAuthAuthorizationParams:
                         provider=self.provider,
                     )
         if not match_found:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls).with_cause(
-                "redirect_uri_no_match"
-            )
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
         # Check against forbidden schemes
         if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls).with_cause(
-                "redirect_uri_forbidden_scheme"
-            )
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
 
     def check_scope(self, github_compat=False):
         """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@@ -255,9 +251,7 @@ class OAuthAuthorizationParams:
             or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
         ):
             LOGGER.warning("Missing 'openid' scope.")
-            raise AuthorizeError(
-                self.redirect_uri, "invalid_scope", self.grant_type, self.state
-            ).with_cause("scope_openid_missing")
+            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
         if SCOPE_OFFLINE_ACCESS in self.scope:
             # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
             # Don't explicitly request consent with offline_access, as the spec allows for
@@ -292,9 +286,7 @@ class OAuthAuthorizationParams:
             return
         if not self.nonce:
             LOGGER.warning("Missing nonce for OpenID Request")
-            raise AuthorizeError(
-                self.redirect_uri, "invalid_request", self.grant_type, self.state
-            ).with_cause("none_missing")
+            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
 
     def check_code_challenge(self):
         """PKCE validation of the transformation method."""
@@ -353,10 +345,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
                 self.request, github_compat=self.github_compat
             )
         except AuthorizeError as error:
-            LOGGER.warning(error.description, redirect_uri=error.redirect_uri, cause=error.cause)
+            LOGGER.warning(error.description, redirect_uri=error.redirect_uri)
             raise RequestValidationError(error.get_response(self.request)) from None
         except OAuth2Error as error:
-            LOGGER.warning(error.description, cause=error.cause)
+            LOGGER.warning(error.description)
             raise RequestValidationError(
                 bad_request_message(self.request, error.description, title=error.error)
             ) from None

locale/es/LC_MESSAGES/django.po

@@ -6,18 +6,18 @@
 # Translators:
 # jcamat, 2022
 # Angel, 2024
+# Iamanaws, 2024
 # Marcelo Elizeche Landó, 2025
 # Jens L. <jens@goauthentik.io>, 2025
-# Iamanaws, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-04 00:12+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Iamanaws, 2025\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -111,7 +111,7 @@ msgstr "Certificado Web usado por el servidor web Core de authentik"
 
 #: authentik/brands/models.py
 msgid "Certificates used for client authentication."
-msgstr "Certificados utilizados para la autenticación del cliente."
+msgstr ""
 
 #: authentik/brands/models.py
 msgid "Brand"
@@ -131,7 +131,7 @@ msgstr "Descripción adicional no disponible."
 
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
-msgstr "No se puede establecer un grupo como su propio padre."
+msgstr "No se puede establecer el grupo como padre de sí mismo."
 
 #: authentik/core/api/providers.py
 msgid ""
@@ -183,11 +183,11 @@ msgstr "Remueve usuario del grupo"
 
 #: authentik/core/models.py
 msgid "Enable superuser status"
-msgstr "Habilitar el estado de superusuario"
+msgstr "Habiliar estado de \"superusuario\""
 
 #: authentik/core/models.py
 msgid "Disable superuser status"
-msgstr "Deshabilitar el estado de superusuario"
+msgstr "Deshabiliar estado de \"superusuario\""
 
 #: authentik/core/models.py
 msgid "User's display name."
@@ -241,7 +241,7 @@ msgstr "Flujo utilizado al autorizar a este proveedor."
 
 #: authentik/core/models.py
 msgid "Flow used ending the session from a provider."
-msgstr "Flujo utilizado para finalizar la sesión desde un proveedor."
+msgstr "Flujo usado para terminar la sesión de un proveedor."
 
 #: authentik/core/models.py
 msgid ""
@@ -273,11 +273,11 @@ msgstr "Aplicaciones"
 
 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr "Derecho de Aplicación"
+msgstr ""
 
 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr "Derechos de Aplicación"
+msgstr ""
 
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@@ -288,9 +288,9 @@ msgid ""
 "Link to a user with identical email address. Can have security implications "
 "when a source doesn't validate email addresses."
 msgstr ""
-"Enlace a un usuario con la misma dirección de correo electrónico. Puede "
-"tener implicaciones de seguridad cuando una fuente no valida las direcciones"
-" de correo electrónico."
+"Apunta a un usuario con una dirección de correo electrónico idéntica. Puede "
+"tener implicaciones de seguridad cuando una fuente no valida la dirección de"
+" correo electrónico."
 
 #: authentik/core/models.py
 msgid ""
@@ -305,8 +305,8 @@ msgid ""
 "Link to a user with identical username. Can have security implications when "
 "a username is used with another source."
 msgstr ""
-"Enlace a un usuario con el mismo nombre de usuario. Puede tener "
-"implicaciones de seguridad cuando un nombre de usuario se utiliza con otra "
+"Enlace a un usuario con un nombre de usuario idéntico. Puede tener "
+"implicaciones de seguridad cuando se usa un nombre de usuario con otra "
 "fuente."
 
 #: authentik/core/models.py
@@ -322,8 +322,8 @@ msgid ""
 "Link to a group with identical name. Can have security implications when a "
 "group name is used with another source."
 msgstr ""
-"Enlace a un grupo con el mismo nombre. Puede tener implicaciones de "
-"seguridad cuando un nombre de grupo se utiliza con otra fuente."
+"Enlace a un grupo con un nombre idéntico. Puede tener implicaciones de "
+"seguridad cuando se utiliza un nombre de grupo con otra fuente."
 
 #: authentik/core/models.py
 msgid "Use the group name, but deny enrollment when the name already exists."
@@ -385,7 +385,7 @@ msgstr "Asignaciones de Propiedades"
 
 #: authentik/core/models.py
 msgid "session data"
-msgstr "datos de sesión"
+msgstr ""
 
 #: authentik/core/models.py
 msgid "Session"
@@ -424,7 +424,7 @@ msgstr "¡Autenticado exitosamente con {source}!"
 #: authentik/core/sources/flow_manager.py
 #, python-brace-format
 msgid "Successfully linked {source}!"
-msgstr "¡{source} enlazado correctamente!"
+msgstr "¡{source} vinculado exitosamente!"
 
 #: authentik/core/sources/flow_manager.py
 msgid "Source is not configured for enrollment."
@@ -476,11 +476,11 @@ msgstr ""
 
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pair"
-msgstr "Par Certificado-Clave"
+msgstr "Par de claves de certificado"
 
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pairs"
-msgstr "Pares Certificado-Clave"
+msgstr "Pares de claves de certificado"
 
 #: authentik/enterprise/api.py
 msgid "Enterprise is required to create/update this object."
@@ -511,7 +511,7 @@ msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr "Número de contraseñas contra las que verificar."
+msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@@ -521,20 +521,18 @@ msgstr "La contraseña no se ha establecido en contexto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
-"Esta contraseña se ha utilizado anteriormente. Por favor, elija una "
-"diferente."
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr "Política de Unicidad de Contraseñas"
+msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr "Políticas de Unicidad de Contraseñas"
+msgstr ""
 
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr "Historial de Contraseñas del Usuario"
+msgstr ""
 
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@@ -619,39 +617,39 @@ msgstr "Clave de firma"
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr "Clave utilizada para firmar los eventos SSF."
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr "Proveedor del Marco de Señales Compartidas"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr "Proveedores del Marco de Señales Compartidas"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr "Agregar flujo de datos al proveedor SSF"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr "Flujo de Datos SSF"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr "Flujos de Datos SSF"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr "Evento de Flujo de Datos SSF"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr "Eventos de Flujos de Datos SSF"
+msgstr ""
 
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr "Error al enviar la solicitud"
+msgstr "Falló envio de petición"
 
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@@ -683,29 +681,26 @@ msgid ""
 "option has a higher priority than the `client_certificate` option on "
 "`Brand`."
 msgstr ""
-"Configura las autoridades certificadoras para validar el certificado. Esta "
-"opción tiene una prioridad mayor que la opción `client_certificate` en "
-"`Brand`."
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stage"
-msgstr "Etapa de TLS mutuo"
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stages"
-msgstr "Etapas de TLS mutuo"
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Permissions to pass Certificates for outposts."
-msgstr "Permisos para pasar Certificados a los puestos avanzados."
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "Certificate required but no certificate was given."
-msgstr "Se requiere certificado, pero no se proporcionó ninguno."
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "No user found for certificate."
-msgstr "No se encontró usuario para el certificado."
+msgstr ""
 
 #: authentik/enterprise/stages/source/models.py
 msgid ""
@@ -758,16 +753,12 @@ msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
 "serializable."
 msgstr ""
-"Personaliza el cuerpo de la solicitud. El mapeo debe devolver datos que sean"
-" serializables en JSON."
 
 #: authentik/events/models.py
 msgid ""
 "Configure additional headers to be sent. Mapping should return a dictionary "
 "of key-value pairs"
 msgstr ""
-"Configura encabezados adicionales para enviar. El mapeo debe devolver un "
-"diccionario de pares clave-valor"
 
 #: authentik/events/models.py
 msgid ""
@@ -795,7 +786,7 @@ msgstr "Transporte de notificaciones"
 
 #: authentik/events/models.py
 msgid "Notification Transports"
-msgstr "Medios de Notificación"
+msgstr "Transportes de notificación"
 
 #: authentik/events/models.py
 msgid "Notice"
@@ -822,9 +813,9 @@ msgid ""
 "Select which transports should be used to notify the user. If none are "
 "selected, the notification will only be shown in the authentik UI."
 msgstr ""
-"Selecciona qué medios se deben usar para notificar al usuario. Si no se "
-"selecciona ninguno, la notificación solo se mostrará en la interfaz de "
-"authentik."
+"Seleccione qué transportes se deben usar para notificar al usuario. Si no se"
+" selecciona ninguno, la notificación solo se mostrará en la interfaz de "
+"usuario de authentik."
 
 #: authentik/events/models.py
 msgid "Controls which severity level the created notifications will have."
@@ -996,7 +987,7 @@ msgstr "Evalúa políticas durante el proceso de planeación del Flujo."
 
 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr "Evaluar las políticas cuando la Etapa se presenta al usuario."
+msgstr ""
 
 #: authentik/flows/models.py
 msgid ""
@@ -1043,8 +1034,6 @@ msgid ""
 "When enabled, provider will not modify or create objects in the remote "
 "system."
 msgstr ""
-"Cuando está habilitado, el proveedor no modificará ni creará objetos en el "
-"sistema remoto."
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
@@ -1052,21 +1041,20 @@ msgstr "Iniciando sincronización completa de proveedor"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr "Sincronizando usuarios"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr "Sincronizando grupos"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of {object_type}"
-msgstr "Sincronizando página {page} de {object_type}"
+msgid "Syncing page {page} of groups"
+msgstr "Sincronizando página {page} de grupos"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
 msgstr ""
-"Descartando solicitud de mutación debido a ejecución en modo de simulación"
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@@ -1245,7 +1233,7 @@ msgstr ""
 
 #: authentik/policies/expiry/models.py
 msgid "Password has expired."
-msgstr "La contraseña ha expirado."
+msgstr "La contraseña ha caducado."
 
 #: authentik/policies/expiry/models.py
 msgid "Password Expiry Policy"
@@ -1283,7 +1271,7 @@ msgstr "La IP del cliente no está en un país permitido."
 
 #: authentik/policies/geoip/models.py
 msgid "Distance from previous authentication is larger than threshold."
-msgstr "La distancia desde la autenticación anterior es mayor que el umbral."
+msgstr "La distancia desde la autenticación previa es mayor que el límite."
 
 #: authentik/policies/geoip/models.py
 msgid "Distance is further than possible."
@@ -1332,7 +1320,7 @@ msgstr "Vinculación de Políticas"
 
 #: authentik/policies/models.py
 msgid "Policy Bindings"
-msgstr "Vinculaciones de Políticas"
+msgstr "Vinculaciones de políticas"
 
 #: authentik/policies/models.py
 msgid ""
@@ -1606,11 +1594,11 @@ msgstr "ES256 (Encriptación Asimétrica)"
 
 #: authentik/providers/oauth2/models.py
 msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384 (Encriptación Asimétrica)"
+msgstr ""
 
 #: authentik/providers/oauth2/models.py
 msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512 (Encriptación Asimétrica)"
+msgstr ""
 
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
@@ -1825,7 +1813,7 @@ msgstr "Valida Certificados SSL de servidores de origen"
 
 #: authentik/providers/proxy/models.py
 msgid "Internal host SSL Validation"
-msgstr "Validación SSL del host interno"
+msgstr "Validación SSL de host interno"
 
 #: authentik/providers/proxy/models.py
 msgid ""
@@ -2039,7 +2027,7 @@ msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "AuthnContextClassRef Property Mapping"
-msgstr "Asignación de Propiedades de AuthnContextClassRef"
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid ""
@@ -2047,9 +2035,6 @@ msgid ""
 "empty, the AuthnContextClassRef will be set based on which authentication "
 "methods the user used to authenticate."
 msgstr ""
-"Configura cómo se creará el valor de AuthnContextClassRef. Si se deja vacío,"
-" el AuthnContextClassRef se establecerá según los métodos de autenticación "
-"que el usuario haya utilizado para autenticarse."
 
 #: authentik/providers/saml/models.py
 msgid ""
@@ -2199,11 +2184,11 @@ msgstr "Predeterminado"
 
 #: authentik/providers/scim/models.py
 msgid "AWS"
-msgstr "AWS"
+msgstr ""
 
 #: authentik/providers/scim/models.py
 msgid "Slack"
-msgstr "Slack"
+msgstr ""
 
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
@@ -2215,13 +2200,11 @@ msgstr "Token de Autenticación"
 
 #: authentik/providers/scim/models.py
 msgid "SCIM Compatibility Mode"
-msgstr "Modo de Compatibilidad SCIM"
+msgstr ""
 
 #: authentik/providers/scim/models.py
 msgid "Alter authentik behavior for vendor-specific SCIM implementations."
 msgstr ""
-"Modificar el comportamiento de authentik para implementaciones SCIM "
-"específicas de proveedores."
 
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
@@ -2249,7 +2232,7 @@ msgstr "Roles"
 
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr "Permisos Iniciales"
+msgstr ""
 
 #: authentik/rbac/models.py
 msgid "System permission"
@@ -2287,7 +2270,7 @@ msgstr ""
 
 #: authentik/recovery/views.py
 msgid "Used recovery-link to authenticate."
-msgstr "Se utilizó un enlace de recuperación para autenticarse."
+msgstr "Se usó el enlace de recuperación para autenticarse."
 
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos realm"
@@ -2299,7 +2282,7 @@ msgstr "krb5.conf personalizado a usar. Usa el del sistema por defecto."
 
 #: authentik/sources/kerberos/models.py
 msgid "KAdmin server type"
-msgstr "Tipo de servidor KAdmin"
+msgstr ""
 
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
@@ -2307,24 +2290,23 @@ msgstr "Sincronizar usuarios desde Kerberos hacia Authentik"
 
 #: authentik/sources/kerberos/models.py
 msgid "When a user changes their password, sync it back to Kerberos"
-msgstr ""
-"Cuando un usuario cambie su contraseña, sincronizarla de vuelta a Kerberos."
+msgstr "Cuando un usuario cambia su contraseña, sincronizarlo hacia Kerberos"
 
 #: authentik/sources/kerberos/models.py
 msgid "Principal to authenticate to kadmin for sync."
-msgstr "Principal para autenticarse en kadmin para la sincronización."
+msgstr "Principal para autenticarse como kadmin para la sincronización."
 
 #: authentik/sources/kerberos/models.py
 msgid "Password to authenticate to kadmin for sync"
-msgstr "Contraseña para autenticarse en kadmin para la sincronización"
+msgstr "Contraseña para autenticarse como kadmin para la sincronización"
 
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
 "form TYPE:residual"
 msgstr ""
-"Keytab para autenticarse en kadmin para la sincronización. Debe estar "
-"codificado en base64 o en el formato TIPO:residuo"
+"Keytab para autenticarse como kadmin para la sincronización. Debe estar "
+"codificado en base64 o en el formato TIPO:residual"
 
 #: authentik/sources/kerberos/models.py
 msgid ""
@@ -2340,7 +2322,7 @@ msgid ""
 "HTTP@hostname"
 msgstr ""
 "Forzar el uso de un nombre de servidor específico para SPNEGO. Debe estar en"
-" el formato HTTP@nombre_de_host"
+" el formato HTTP@nombredelservidor"
 
 #: authentik/sources/kerberos/models.py
 msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
@@ -2357,8 +2339,8 @@ msgid ""
 "If enabled, the authentik-stored password will be updated upon login with "
 "the Kerberos password backend"
 msgstr ""
-"Si está habilitado, la contraseña almacenada en authentik se actualizará al "
-"iniciar sesión con el backend de contraseñas de Kerberos."
+"Si está habilitado, la contraseña almacenada por authentik será actualizada "
+"al iniciar sesión con el backend de contraseñas Kerberos"
 
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source"
@@ -2406,7 +2388,7 @@ msgid ""
 msgstr ""
 "\n"
 "                    Asegúrate de que tienes entradas válidas\n"
-"                    (obtenibles mediante kinit) \n"
+"                    (se obtienen a través de kinit) \n"
 "                    y de haber configurado correctamente el navegador.\n"
 "                    Por favor, contacta a tu administrador.\n"
 "                "
@@ -2471,10 +2453,6 @@ msgstr "DN de grupo de adición"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Considere que los objetos que coinciden con este filtro son usuarios."
 
-#: authentik/sources/ldap/models.py
-msgid "Attribute which matches the value of `group_membership_field`."
-msgstr "Atributo que coincide con el valor de `group_membership_field`."
-
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Campo que contiene los miembros de un grupo."
@@ -2507,17 +2485,12 @@ msgid ""
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
-"Buscar la pertenencia a grupos basándose en un atributo del usuario en lugar"
-" de un atributo del grupo. Esto permite la resolución de grupos anidados en "
-"sistemas como FreeIPA y Active Directory"
 
 #: authentik/sources/ldap/models.py
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
 msgstr ""
-"Eliminar usuarios y grupos de authentik que fueron proporcionados "
-"previamente por esta fuente, pero que ahora están ausentes."
 
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@@ -2539,24 +2512,22 @@ msgstr "Asignaciones de Propiedades de Fuente de LDAP"
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
 msgstr ""
-"ID único utilizado para verificar si este objeto aún existe en el "
-"directorio."
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
-msgstr "Conexión de Fuente LDAP de Usuario"
+msgstr ""
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr "Conexiones de Fuente LDAP de Usuario"
+msgstr ""
 
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr "Conexión de Fuente LDAP de Grupo"
+msgstr ""
 
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr "Conexiones de Fuente LDAP de Grupo"
+msgstr ""
 
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@@ -2568,11 +2539,11 @@ msgstr "No se recibió ningún token."
 
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr "Autenticación Básica HTTP"
+msgstr ""
 
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
-msgstr "Incluir el ID de cliente y el secreto como parámetros de la solicitud"
+msgstr ""
 
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
@@ -2619,8 +2590,6 @@ msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
-"Cómo realizar la autenticación durante un flujo de solicitud de token con "
-"authorization_code"
 
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
@@ -2938,7 +2907,7 @@ msgstr "Conexiones de Fuente de SAML de Grupo"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr "Continuar a {source_name}"
+msgstr ""
 
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@@ -2974,7 +2943,7 @@ msgstr "Dispositivos Duo"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
-msgstr "OTP por Correo Electrónico"
+msgstr ""
 
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
@@ -2995,11 +2964,11 @@ msgstr ""
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stage"
-msgstr "Etapa de Configuración del Autenticador de Correo Electrónico"
+msgstr ""
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stages"
-msgstr "Etapas de Configuración del Autenticador de Correo Electrónico"
+msgstr ""
 
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/authenticator_email/stage.py
@@ -3010,11 +2979,11 @@ msgstr ""
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
-msgstr "Dispositivo de correo electrónico"
+msgstr "Dispositivo de Email"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
-msgstr "Dispositivos de correo electrónico"
+msgstr "Dispositivos de Email"
 
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
@@ -3024,7 +2993,7 @@ msgstr "El código no coincide"
 
 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
-msgstr "Correo electrónico inválido"
+msgstr "Email Inválido"
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
@@ -3044,9 +3013,6 @@ msgid ""
 "          Email MFA code.\n"
 "          "
 msgstr ""
-"\n"
-"          Código MFA por correo electrónico.\n"
-"          "
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #, python-format
@@ -3056,8 +3022,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"    Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s.\n"
-"    "
+"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s."
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #: authentik/stages/email/templates/email/password_reset.txt
@@ -3070,8 +3035,6 @@ msgid ""
 "\n"
 "Email MFA code\n"
 msgstr ""
-"\n"
-"Código MFA por correo electrónico\n"
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
@@ -3313,8 +3276,8 @@ msgstr "No se pudo validar el token"
 msgid ""
 "Offset after which consent expires. (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
-"Desfase después del cual expira el consentimiento. (Formato: "
-"hours=1;minutes=2;seconds=3)."
+"Compensación después de la cual caduca el consentimiento. (Formato: horas = "
+"1; minutos = 2; segundos = 3)."
 
 #: authentik/stages/consent/models.py
 msgid "Consent Stage"
@@ -3334,7 +3297,7 @@ msgstr "Consentimientos del usuario"
 
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr "Token de consentimiento inválido, mostrando el aviso nuevamente"
+msgstr ""
 
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@@ -3354,11 +3317,11 @@ msgstr "Etapas ficticias"
 
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr "Continúa para confirmar esta dirección de correo electrónico."
+msgstr ""
 
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr "El enlace ya fue utilizado, por favor, solícita uno nuevo."
+msgstr ""
 
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@@ -3482,8 +3445,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"    Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s.\n"
-"    "
+"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s."
 
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
@@ -3567,26 +3529,24 @@ msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
-"Mostrar al usuario la opción \"Recordarme en este dispositivo\", permitiendo"
-" que los usuarios recurrentes pasen directamente a ingresar su contraseña."
 
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de inscripción opcional, que se enlaza en la parte inferior de la "
-"página."
+"Flujo de inscripción opcional, que está vinculado en la parte inferior de la"
+" página."
 
 #: authentik/stages/identification/models.py
 msgid "Optional recovery flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de recuperación opcional, que se enlaza en la parte inferior de la "
-"página."
+"Flujo de recuperación opcional, que está vinculado en la parte inferior de "
+"la página."
 
 #: authentik/stages/identification/models.py
 msgid "Optional passwordless flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo opcional sin contraseña, que se enlaza en la parte inferior de la "
-"página."
+"Flujo sin contraseña opcional, el cual está vinculado en la parte inferior "
+"de la página."
 
 #: authentik/stages/identification/models.py
 msgid "Specify which sources should be shown."
@@ -3820,11 +3780,11 @@ msgstr "Las contraseñas no coinciden."
 
 #: authentik/stages/redirect/api.py
 msgid "Target URL should be present when mode is Static."
-msgstr "La URL de destino debe estar presente cuando el modo es Estático."
+msgstr ""
 
 #: authentik/stages/redirect/api.py
 msgid "Target Flow should be present when mode is Flow."
-msgstr "El Flujo de Destino debe estar presente cuando el modo es Flujo."
+msgstr ""
 
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stage"
@@ -3881,6 +3841,10 @@ msgstr "Etapas de inicio de"
 msgid "No Pending user to login."
 msgstr "Ningún usuario pendiente para iniciar sesión."
 
+#: authentik/stages/user_login/stage.py
+msgid "Successfully logged in!"
+msgstr "¡Se ha iniciado sesión correctamente!"
+
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Etapa de cierre de sesión del usuario"
@@ -3956,12 +3920,10 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
-"La reputación no puede disminuir por debajo de este valor. Cero o negativo."
 
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
-"La reputación no puede aumentar por encima de este valor. Cero o positivo."
 
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
@@ -3984,8 +3946,8 @@ msgstr "Personificación habilitada/deshabilitada globalmente."
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr ""
-"Requerir que los administradores proporcionen una razón para personificar a "
-"un usuario."
+"Requerir a los administradores proporcionar una razón para suplantar un "
+"usuario."
 
 #: authentik/tenants/models.py
 msgid "Default token duration"
@@ -3997,7 +3959,7 @@ msgstr "Longitud predeterminada del token"
 
 #: authentik/tenants/models.py
 msgid "Tenant"
-msgstr "Inquilino"
+msgstr "inquilino"
 
 #: authentik/tenants/models.py
 msgid "Tenants"

web/package-lock.json

@@ -51,6 +51,7 @@
                 "lit": "^3.2.0",
                 "md-front-matter": "^1.0.4",
                 "mermaid": "^11.6.0",
+                "ninja-keys": "^1.2.2",
                 "rapidoc": "^9.3.8",
                 "react": "^19.1.0",
                 "react-dom": "^19.1.0",
@@ -2587,6 +2588,57 @@
                 "@lit/reactive-element": "^1.0.0 || ^2.0.0"
             }
         },
+        "node_modules/@material/mwc-icon": {
+            "version": "0.25.3",
+            "resolved": "https://registry.npmjs.org/@material/mwc-icon/-/mwc-icon-0.25.3.tgz",
+            "integrity": "sha512-36076AWZIRSr8qYOLjuDDkxej/HA0XAosrj7TS1ZeLlUBnLUtbDtvc1S7KSa0hqez7ouzOqGaWK24yoNnTa2OA==",
+            "deprecated": "MWC beta is longer supported. Please upgrade to @material/web",
+            "license": "Apache-2.0",
+            "dependencies": {
+                "lit": "^2.0.0",
+                "tslib": "^2.0.1"
+            }
+        },
+        "node_modules/@material/mwc-icon/node_modules/@lit/reactive-element": {
+            "version": "1.6.3",
+            "resolved": "https://registry.npmjs.org/@lit/reactive-element/-/reactive-element-1.6.3.tgz",
+            "integrity": "sha512-QuTgnG52Poic7uM1AN5yJ09QMe0O28e10XzSvWDz02TJiiKee4stsiownEIadWm8nYzyDAyT+gKzUoZmiWQtsQ==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-dom-shim": "^1.0.0"
+            }
+        },
+        "node_modules/@material/mwc-icon/node_modules/lit": {
+            "version": "2.8.0",
+            "resolved": "https://registry.npmjs.org/lit/-/lit-2.8.0.tgz",
+            "integrity": "sha512-4Sc3OFX9QHOJaHbmTMk28SYgVxLN3ePDjg7hofEft2zWlehFL3LiAuapWc4U/kYwMYJSh2hTCPZ6/LIC7ii0MA==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit/reactive-element": "^1.6.0",
+                "lit-element": "^3.3.0",
+                "lit-html": "^2.8.0"
+            }
+        },
+        "node_modules/@material/mwc-icon/node_modules/lit-element": {
+            "version": "3.3.3",
+            "resolved": "https://registry.npmjs.org/lit-element/-/lit-element-3.3.3.tgz",
+            "integrity": "sha512-XbeRxmTHubXENkV4h8RIPyr8lXc+Ff28rkcQzw3G6up2xg5E8Zu1IgOWIwBLEQsu3cOVFqdYwiVi0hv0SlpqUA==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-dom-shim": "^1.1.0",
+                "@lit/reactive-element": "^1.3.0",
+                "lit-html": "^2.8.0"
+            }
+        },
+        "node_modules/@material/mwc-icon/node_modules/lit-html": {
+            "version": "2.8.0",
+            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-2.8.0.tgz",
+            "integrity": "sha512-o9t+MQM3P4y7M7yNzqAyjp7z+mQGa4NS4CxiyLqFPyFWyc4O+nodLrkrxSaCTrla6M5YOLaT3RpbbqjszB5g3Q==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@types/trusted-types": "^2.0.2"
+            }
+        },
         "node_modules/@mdx-js/mdx": {
             "version": "3.1.0",
             "resolved": "https://registry.npmjs.org/@mdx-js/mdx/-/mdx-3.1.0.tgz",
@@ -16940,6 +16992,12 @@
             "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
             "dev": true
         },
+        "node_modules/hotkeys-js": {
+            "version": "3.8.7",
+            "resolved": "https://registry.npmjs.org/hotkeys-js/-/hotkeys-js-3.8.7.tgz",
+            "integrity": "sha512-ckAx3EkUr5XjDwjEHDorHxRO2Kb7z6Z2Sxul4MbBkN8Nho7XDslQsgMJT+CiJ5Z4TgRxxvKHEpuLE3imzqy4Lg==",
+            "license": "MIT"
+        },
         "node_modules/html-escaper": {
             "version": "2.0.2",
             "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -21632,6 +21690,57 @@
             "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
             "dev": true
         },
+        "node_modules/ninja-keys": {
+            "version": "1.2.2",
+            "resolved": "https://registry.npmjs.org/ninja-keys/-/ninja-keys-1.2.2.tgz",
+            "integrity": "sha512-ylo8jzKowi3XBHkgHRjBJaKQkl32WRLr7kRiA0ajiku11vHRDJ2xANtTScR5C7XlDwKEOYvUPesCKacUeeLAYw==",
+            "license": "MIT",
+            "dependencies": {
+                "@material/mwc-icon": "0.25.3",
+                "hotkeys-js": "3.8.7",
+                "lit": "2.2.6"
+            }
+        },
+        "node_modules/ninja-keys/node_modules/@lit/reactive-element": {
+            "version": "1.6.3",
+            "resolved": "https://registry.npmjs.org/@lit/reactive-element/-/reactive-element-1.6.3.tgz",
+            "integrity": "sha512-QuTgnG52Poic7uM1AN5yJ09QMe0O28e10XzSvWDz02TJiiKee4stsiownEIadWm8nYzyDAyT+gKzUoZmiWQtsQ==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-dom-shim": "^1.0.0"
+            }
+        },
+        "node_modules/ninja-keys/node_modules/lit": {
+            "version": "2.2.6",
+            "resolved": "https://registry.npmjs.org/lit/-/lit-2.2.6.tgz",
+            "integrity": "sha512-K2vkeGABfSJSfkhqHy86ujchJs3NR9nW1bEEiV+bXDkbiQ60Tv5GUausYN2mXigZn8lC1qXuc46ArQRKYmumZw==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit/reactive-element": "^1.3.0",
+                "lit-element": "^3.2.0",
+                "lit-html": "^2.2.0"
+            }
+        },
+        "node_modules/ninja-keys/node_modules/lit-element": {
+            "version": "3.3.3",
+            "resolved": "https://registry.npmjs.org/lit-element/-/lit-element-3.3.3.tgz",
+            "integrity": "sha512-XbeRxmTHubXENkV4h8RIPyr8lXc+Ff28rkcQzw3G6up2xg5E8Zu1IgOWIwBLEQsu3cOVFqdYwiVi0hv0SlpqUA==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-dom-shim": "^1.1.0",
+                "@lit/reactive-element": "^1.3.0",
+                "lit-html": "^2.8.0"
+            }
+        },
+        "node_modules/ninja-keys/node_modules/lit-html": {
+            "version": "2.8.0",
+            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-2.8.0.tgz",
+            "integrity": "sha512-o9t+MQM3P4y7M7yNzqAyjp7z+mQGa4NS4CxiyLqFPyFWyc4O+nodLrkrxSaCTrla6M5YOLaT3RpbbqjszB5g3Q==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@types/trusted-types": "^2.0.2"
+            }
+        },
         "node_modules/node-abort-controller": {
             "version": "3.1.1",
             "resolved": "https://registry.npmjs.org/node-abort-controller/-/node-abort-controller-3.1.1.tgz",

web/package.json

@@ -122,6 +122,7 @@
         "lit": "^3.2.0",
         "md-front-matter": "^1.0.4",
         "mermaid": "^11.6.0",
+        "ninja-keys": "^1.2.2",
         "rapidoc": "^9.3.8",
         "react": "^19.1.0",
         "react-dom": "^19.1.0",

web/src/admin/AdminInterface/AdminCommands.ts

@@ -0,0 +1,172 @@
+import { navigate } from "@goauthentik/elements/router/RouterOutlet";
+import { INinjaAction } from "ninja-keys/dist/interfaces/ininja-action.js";
+
+import { msg } from "@lit/localize";
+
+export const adminCommands: INinjaAction[] = [
+    {
+        id: msg("Overview"),
+        title: msg("Dashboard"),
+        handler: () => navigate("/administration/overview"),
+        section: msg("Dashboards"),
+    },
+    {
+        handler: () => navigate("/administration/dashboard/users"),
+        id: msg("User Statistics"),
+        title: msg("User Statistics"),
+        icon: '<i class="pf-icon pf-icon-user"></i>',
+        section: msg("Dashboards"),
+    },
+    {
+        handler: () => navigate("/administration/system-tasks"),
+        id: msg("System Tasks"),
+        title: msg("System Tasks"),
+        section: msg("Dashboards"),
+    },
+    {
+        handler: () => navigate("/core/applications"),
+        id: msg("Applications"),
+        title: msg("Applications"),
+        section: msg("Applications"),
+    },
+    {
+        handler: () => navigate("/core/providers"),
+        id: msg("Providers"),
+        title: msg("Providers"),
+        section: msg("Applications"),
+    },
+    {
+        handler: () => navigate("/outpost/outposts"),
+        id: msg("Outposts"),
+        title: msg("Outposts"),
+        section: msg("Applications"),
+    },
+    {
+        handler: () => navigate("/events/log"),
+        id: msg("Logs"),
+        title: msg("Logs"),
+        section: msg("Events"),
+    },
+    {
+        handler: () => navigate("/events/rules"),
+        id: msg("Notification Rules"),
+        title: msg("Notification Rules"),
+        section: msg("Events"),
+    },
+    {
+        handler: () => navigate("/events/transports"),
+        id: msg("Notification Transports"),
+        title: msg("Notification Transports"),
+        section: msg("Events"),
+    },
+
+    {
+        handler: () => navigate("/policy/policies"),
+        id: msg("Policies"),
+        title: msg("Policies"),
+        section: msg("Customization"),
+    },
+    {
+        handler: () => navigate("/core/property-mappings"),
+        id: msg("Property Mappings"),
+        title: msg("Property Mappings"),
+        section: msg("Customization"),
+    },
+    {
+        handler: () => navigate("/blueprints/instances"),
+        id: msg("Blueprints"),
+        title: msg("Blueprints"),
+        section: msg("Customization"),
+    },
+    {
+        handler: () => navigate("/policy/reputation"),
+        id: msg("Reputation scores"),
+        title: msg("Reputation scores"),
+        section: msg("Customization"),
+    },
+    {
+        handler: () => navigate("/flow/flows"),
+        id: msg("Flows"),
+        title: msg("Flows"),
+        section: msg("Flows"),
+    },
+    {
+        handler: () => navigate("/flow/stages"),
+        id: msg("Stages"),
+        title: msg("Stages"),
+        section: msg("Flows"),
+    },
+    {
+        handler: () => navigate("/flow/stages/prompts"),
+        id: msg("Prompts"),
+        title: msg("Prompts"),
+        section: msg("Flows"),
+    },
+
+    {
+        handler: () => navigate("/identity/users"),
+        id: msg("Users"),
+        title: msg("Users"),
+        section: msg("Directory"),
+    },
+    {
+        handler: () => navigate("/identity/groups"),
+        id: msg("Groups"),
+        title: msg("Groups"),
+        section: msg("Directory"),
+    },
+    {
+        handler: () => navigate("/identity/roles"),
+        id: msg("Roles"),
+        title: msg("Roles"),
+        section: msg("Directory"),
+    },
+    {
+        handler: () => navigate("/core/sources"),
+        id: msg("Federation and Social login"),
+        title: msg("Federation and Social login"),
+        section: msg("Directory"),
+    },
+    {
+        handler: () => navigate("/core/tokens"),
+        id: msg("Tokens and App passwords"),
+        title: msg("Tokens and App passwords"),
+        section: msg("Directory"),
+    },
+    {
+        handler: () => navigate("/flow/stages/invitations"),
+        id: msg("Invitations"),
+        title: msg("Invitations"),
+        section: msg("Directory"),
+    },
+
+    {
+        handler: () => navigate("/core/brands"),
+        id: msg("Brands"),
+        title: msg("Brands"),
+        section: msg("System"),
+    },
+    {
+        handler: () => navigate("/crypto/certificates"),
+        id: msg("Certificates"),
+        title: msg("Certificates"),
+        section: msg("System"),
+    },
+    {
+        handler: () => navigate("/outpost/integrations"),
+        id: msg("Outpost Integrations"),
+        title: msg("Outpost Integrations"),
+        section: msg("System"),
+    },
+    {
+        handler: () => navigate("/admin/settings"),
+        id: msg("Settings"),
+        title: msg("Settings"),
+        section: msg("System"),
+    },
+    {
+        handler: () => window.location.assign("/if/user/"),
+        id: msg("User interface"),
+        title: msg("Go to my User page"),
+    },
+];

web/src/admin/AdminInterface/index.entrypoint.ts

@@ -1,5 +1,6 @@
 import "#admin/AdminInterface/AboutModal";
 import type { AboutModal } from "#admin/AdminInterface/AboutModal";
+import { adminCommands } from "#admin/AdminInterface/AdminCommands";
 import { ROUTES } from "#admin/Routes";
 import { EVENT_API_DRAWER_TOGGLE, EVENT_NOTIFICATION_DRAWER_TOGGLE } from "#common/constants";
 import { configureSentry } from "#common/sentry/index";
@@ -21,6 +22,7 @@ import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
 import "#elements/router/RouterOutlet";
 import "#elements/sidebar/Sidebar";
 import "#elements/sidebar/SidebarItem";
+import "ninja-keys";
 
 import { CSSResult, TemplateResult, css, html, nothing } from "lit";
 import { customElement, eventOptions, property, query } from "lit/decorators.js";
@@ -119,6 +121,10 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
             .pf-c-drawer__panel {
                 z-index: var(--pf-global--ZIndex--xl);
             }
+            ninja-keys {
+                --ninja-z-index: 99999;
+                --ninja-accent-color: var(--ak-accent);
+            }
         `,
     ];
 
@@ -190,6 +196,11 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
         };
 
         return html` <ak-locale-context>
+            <ninja-keys
+                .data=${adminCommands}
+                noAutoLoadMdicons
+                class="${this.activeTheme === UiThemeEnum.Dark ? "dark" : ""}"
+            ></ninja-keys>
             <div class="pf-c-page">
                 <ak-page-navbar ?open=${this.sidebarOpen} @sidebar-toggle=${this.sidebarListener}>
                     <ak-version-banner></ak-version-banner>

web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts

@@ -4,7 +4,6 @@ import {
     propertyMappingsSelector,
 } from "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@@ -69,15 +68,21 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                             ${msg("Client ID for the app registration.")}
                         </p>
                     </ak-form-element-horizontal>
-                    <ak-hidden-text-input
-                        name="clientSecret"
+                    <ak-form-element-horizontal
                         label=${msg("Client Secret")}
-                        value="${this.instance?.clientSecret ?? ""}"
-                        input-hint="code"
                         required
-                        .help=${msg("Client secret for the app registration.")}
+                        name="clientSecret"
                     >
-                    </ak-hidden-text-input>
+                        <input
+                            type="text"
+                            value="${this.instance?.clientSecret ?? ""}"
+                            class="pf-c-form-control pf-m-monospace"
+                            required
+                        />
+                        <p class="pf-c-form__helper-text">
+                            ${msg("Client secret for the app registration.")}
+                        </p>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal label=${msg("Tenant ID")} required name="tenantId">
                         <input
                             type="text"

web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts

@@ -5,7 +5,6 @@ import {
     akOAuthRedirectURIInput,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@@ -167,16 +166,17 @@ export function renderForm(
                     input-hint="code"
                 >
                 </ak-text-input>
-                <ak-hidden-text-input
+                <ak-text-input
                     name="clientSecret"
                     label=${msg("Client Secret")}
                     value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
                     input-hint="code"
                     ?hidden=${!showClientSecret}
                 >
-                </ak-hidden-text-input>
+                </ak-text-input>
                 <ak-form-element-horizontal
                     label=${msg("Redirect URIs/Origins (RegEx)")}
+                    required
                     name="redirectUris"
                 >
                     <ak-array-input

web/src/admin/providers/radius/RadiusProviderFormForm.ts

@@ -1,8 +1,6 @@
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-hidden-text-input";
-import "@goauthentik/components/ak-text-input";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@@ -76,14 +74,14 @@ export function renderForm(
         <ak-form-group expanded>
             <span slot="header"> ${msg("Protocol settings")} </span>
             <div slot="body" class="pf-c-form">
-                <ak-hidden-text-input
+                <ak-text-input
                     name="sharedSecret"
                     label=${msg("Shared secret")}
                     .errorMessages=${errors?.sharedSecret ?? []}
                     value=${provider?.sharedSecret ?? randomString(128, ascii_letters + digits)}
                     required
                     input-hint="code"
-                ></ak-hidden-text-input>
+                ></ak-text-input>
                 <ak-text-input
                     name="clientNetworks"
                     label=${msg("Client Networks")}

web/src/admin/providers/scim/SCIMProviderFormForm.ts

@@ -1,5 +1,4 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@@ -51,7 +50,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                 >
                 </ak-switch-input>
 
-                <ak-hidden-text-input
+                <ak-text-input
                     name="token"
                     label=${msg("Token")}
                     value="${provider?.token ?? ""}"
@@ -61,7 +60,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                         "Token to authenticate with. Currently only bearer authentication is supported.",
                     )}
                     input-hint="code"
-                ></ak-hidden-text-input>
+                ></ak-text-input>
                 <ak-radio-input
                     name="compatibilityMode"
                     label=${msg("Compatibility Mode")}

web/src/admin/sources/plex/PlexSourceForm.ts

@@ -128,7 +128,7 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
                     this.doAuth();
                 }}
             >
-                ${msg("Re-authenticate with Plex")}
+                ${msg("Re-authenticate with plex")}
             </button>
             <ak-form-element-horizontal name="allowFriends">
                 <label class="pf-c-switch">

web/src/admin/users/ServiceAccountForm.ts

@@ -1,6 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { dateTimeLocal } from "@goauthentik/common/temporal";
-import "@goauthentik/components/ak-hidden-text-input";
 import { Form } from "@goauthentik/elements/forms/Form";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModalForm } from "@goauthentik/elements/forms/ModalForm";
@@ -125,14 +124,19 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
                         class="pf-c-form-control"
                     />
                 </ak-form-element-horizontal>
-                <ak-hidden-text-input
-                    label=${msg("Password")}
-                    value="${this.result?.token ?? ""}"
-                    .help=${msg(
-                        "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
-                    )}
-                >
-                </ak-hidden-text-input>
+                <ak-form-element-horizontal label=${msg("Password")}>
+                    <input
+                        type="text"
+                        readonly
+                        value=${ifDefined(this.result?.token)}
+                        class="pf-c-form-control"
+                    />
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
             </form>`;
     }
 

web/src/elements/ak-dual-select/ak-dual-select.ts

@@ -33,7 +33,7 @@ import {
 
 function localeComparator(a: DualSelectPair, b: DualSelectPair) {
     const aSortBy = a[2] || a[0];
-    const bSortBy = b[2] || b[0];
+    const bSortBy = b[2] || a[0];
 
     return aSortBy.localeCompare(bSortBy);
 }

web/xliff/de.xlf

@@ -3001,6 +3001,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>Server laden</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Mit Plex erneut authentifizieren</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9236,15 +9241,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -2414,6 +2414,10 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>Load servers</target>
       </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Re-authenticate with plex</target>
+      </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
         <target>Allow friends to authenticate via Plex, even if you don't share any servers</target>
@@ -7744,15 +7748,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -2982,6 +2982,11 @@ no se aprueba cuando una o ambas de las opciones seleccionadas son iguales o sup
         <source>Load servers</source>
         <target>Servidores de carga</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Vuelva a autenticarse con plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9296,15 +9301,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -3010,6 +3010,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>Charger les serveurs</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Se ré-authentifier avec Plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9865,15 +9870,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>Carico server</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Riautenticarsi con plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9848,15 +9853,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -2973,6 +2973,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>서버 로드</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Plex로 다시 인증하기</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9204,15 +9209,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -2987,6 +2987,11 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
         <source>Load servers</source>
         <target>Servers laden</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Opnieuw authenticeren met Plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9108,15 +9113,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -3012,6 +3012,11 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
         <source>Load servers</source>
         <target>Załaduj serwery</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Ponowne uwierzytelnienie za pomocą plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9531,15 +9536,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -2990,6 +2990,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
   <target>Ĺōàď śēŕvēŕś</target>
 
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+  <target>Ŕē-àũţĥēńţĩćàţē ŵĩţĥ ƥĺēx</target>
+
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9540,13 +9545,4 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
-</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>Загрузить серверы</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Повторная аутентификация с помощью plex</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9623,15 +9628,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -2990,6 +2990,11 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
         <source>Load servers</source>
         <target>Sunucuları yükle</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>Plex ile yeniden kimlik doğrulama</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9595,15 +9600,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -2128,6 +2128,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s91f389c796720a81">
   <source>Load servers</source>
 </trans-unit>
+<trans-unit id="s24f405197ede5ebb">
+  <source>Re-authenticate with plex</source>
+</trans-unit>
 <trans-unit id="sc297b2e13c28ecf9">
   <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
 </trans-unit>
@@ -6359,15 +6362,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
-</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>加载服务器</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>使用 Plex 重新验证身份</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9875,15 +9880,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
   <target>生成新的证书密钥对</target>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -2290,6 +2290,10 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>加载服务器</target>
       </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>使用 plex 重新进行身份验证</target>
+      </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
         <target>允许好友通过Plex进行身份验证，即使您不共享任何服务器</target>
@@ -7444,15 +7448,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -2972,6 +2972,11 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Load servers</source>
         <target>載入伺服器</target>
         
+      </trans-unit>
+      <trans-unit id="s24f405197ede5ebb">
+        <source>Re-authenticate with plex</source>
+        <target>使用 plex 重新身分認證</target>
+        
       </trans-unit>
       <trans-unit id="sc297b2e13c28ecf9">
         <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@@ -9183,15 +9188,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
   <source>Generate New Certificate-Key Pair</source>
-</trans-unit>
-<trans-unit id="sf9686d31d28fcf7d">
-  <source>Show field content</source>
-</trans-unit>
-<trans-unit id="sb1b05a7573ab618c">
-  <source>Hide field content</source>
-</trans-unit>
-<trans-unit id="s4f820625804ed29b">
-  <source>Re-authenticate with Plex</source>
 </trans-unit>
     </body>
   </file>