release: 2022.10.4

web: backport API update
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:19:17 +01:00 · 2022-12-23 14:19:10 +01:00 · 2022-12-23 14:18:13 +01:00 · 2022-12-23 14:18:09 +01:00 · 2022-12-02 23:01:17 +02:00 · 2022-12-02 22:51:09 +02:00
687 changed files with 15952 additions and 30479 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.1.2
+current_version = 2022.10.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.dockerignore
+++ b/.dockerignore
@ -1,8 +1,8 @@
 env
+static
 htmlcov
 *.env.yml
 **/node_modules
 dist/**
 build/**
 build_docs/**
-Dockerfile
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -38,14 +38,6 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -62,17 +54,6 @@ runs:
                tag: ${{ inputs.tag }}
            ```

-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}-arm64
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -17,9 +17,6 @@ outputs:
  sha:
    description: "sha"
    value: ${{ steps.ev.outputs.sha }}
-  shortHash:
-    description: "shortHash"
-    value: ${{ steps.ev.outputs.shortHash }}
  version:
    description: "version"
    value: ${{ steps.ev.outputs.version }}
@ -56,7 +53,6 @@ runs:
            print("branchNameContainer=%s" % safe_branch_name, file=_output)
            print("timestamp=%s" % int(time()), file=_output)
            print("sha=%s" % os.environ["GITHUB_SHA"], file=_output)
-            print("shortHash=%s" % os.environ["GITHUB_SHA"][:7], file=_output)
            print("shouldBuild=%s" % should_build, file=_output)
            print("version=%s" % version, file=_output)
            print("versionFamily=%s" % version_family, file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -13,7 +13,7 @@ runs:
    - name: Setup python and restore poetry
      uses: actions/setup-python@v3
      with:
-        python-version: '3.11'
+        python-version: '3.10'
        cache: 'poetry'
    - name: Setup node
      uses: actions/setup-node@v3.1.0
@ -25,7 +25,7 @@ runs:
      shell: bash
      run: |
        docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
+        poetry env use python3.10
        poetry install
        cd web && npm ci
    - name: Generate config
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -46,7 +46,6 @@ jobs:
        run: poetry run python -m lifecycle.migrate
  test-migrations-from-stable:
    runs-on: ubuntu-latest
-    continue-on-error: true
    steps:
      - uses: actions/checkout@v3
        with:
@ -84,10 +83,17 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: run unittest
        run: |
          poetry run make test
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [unittest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -98,39 +104,32 @@ jobs:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.4.0
      - name: run integration
        run: |
-          poetry run coverage run manage.py test tests/integration
+          poetry run make test-integration
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [integration]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
          flags: integration
-  test-e2e:
-    name: test-e2e (${{ matrix.job.name }})
+  test-e2e-provider:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - name: proxy
-            glob: tests/e2e/test_provider_proxy*
-          - name: oauth
-            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-          - name: oauth-oidc
-            glob: tests/e2e/test_provider_oidc*
-          - name: saml
-            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-          - name: ldap
-            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: flows
-            glob: tests/e2e/test_flows*
    steps:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
      - name: Setup e2e env (chrome, etc)
        run: |
          docker-compose -f tests/e2e/docker-compose.yml up -d
@ -148,8 +147,48 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run make test-e2e-provider
          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e-provider]unittest.xml --link=codecov
+      - if: ${{ always() }}
+        uses: codecov/codecov-action@v3
+        with:
+          flags: e2e
+  test-e2e-rest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - uses: testspace-com/setup-testspace@v1
+        with:
+          domain: ${{github.repository_owner}}
+      - name: Setup e2e env (chrome, etc)
+        run: |
+          docker-compose -f tests/e2e/docker-compose.yml up -d
+      - id: cache-web
+        uses: actions/cache@v3
+        with:
+          path: web/dist
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
+      - name: prepare web ui
+        if: steps.cache-web.outputs.cache-hit != 'true'
+        working-directory: web/
+        run: |
+          npm ci
+          make -C .. gen-client-ts
+          npm run build
+      - name: run e2e
+        run: |
+          poetry run make test-e2e-rest
+          poetry run coverage xml
+      - name: run testspace
+        if: ${{ always() }}
+        run: |
+          testspace [e2e-rest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v3
        with:
@ -161,7 +200,8 @@ jobs:
      - test-migrations-from-stable
      - test-unittest
      - test-integration
-      - test-e2e
+      - test-e2e-rest
+      - test-e2e-provider
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -169,6 +209,11 @@ jobs:
    needs: ci-core-mark
    runs-on: ubuntu-latest
    timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - 'linux/amd64'
    steps:
      - uses: actions/checkout@v3
      - name: Set up QEMU
@ -187,58 +232,20 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
+      - name: Building Docker Image
        uses: docker/build-push-action@v3
        with:
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
+            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          platforms: ${{ matrix.arch }}
      - name: Comment on PR
        if: github.event_name == 'pull_request'
        continue-on-error: true
        uses: ./.github/actions/comment-pr-instructions
        with:
-          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
-  build-arm64:
-    needs: ci-core-mark
-    runs-on: ubuntu-latest
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2.1.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      - name: Login to Container Registry
-        uses: docker/login-action@v2
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        uses: docker/build-push-action@v3
-        with:
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-          tags: |
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
-          build-args: |
-            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
-          platforms: linux/arm64
+          tag: gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -28,8 +28,6 @@ jobs:
        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
-        with:
-          args: --timeout 5000s
  test-unittest:
    runs-on: ubuntu-latest
    steps:
@ -82,12 +80,13 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate API
        run: make gen-client-go
-      - name: Build Docker Image
+      - name: Building Docker Image
        uses: docker/build-push-action@v3
        with:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}
+            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}
            ghcr.io/goauthentik/dev-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
          file: ${{ matrix.type }}.Dockerfile
          build-args: |
@ -112,7 +111,7 @@ jobs:
      - uses: actions/setup-go@v3
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
@ -27,27 +27,11 @@ jobs:
      - name: Eslint
        working-directory: web/
        run: npm run lint
-  lint-build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
-        with:
-          node-version: '16'
-          cache: 'npm'
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: TSC
-        working-directory: web/
-        run: npm run tsc
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
@ -63,7 +47,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
@ -85,7 +69,6 @@ jobs:
      - lint-eslint
      - lint-prettier
      - lint-lit-analyse
-      - lint-build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -95,7 +78,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@v1
+        uses: sondrelg/container-retention-policy@v1
        with:
          image-names: dev-server,dev-ldap,dev-proxy
          cut-off: One week ago UTC
          account-type: org
          org-name: goauthentik
          untagged-only: false
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ secrets.GHCR_CLEANUP_TOKEN }}
          skip-tags: gh-next,gh-main
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -27,13 +27,10 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
+      - name: Building Docker Image
        uses: docker/build-push-action@v3
        with:
          push: ${{ github.event_name == 'release' }}
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: |
            beryju/authentik:${{ steps.ev.outputs.version }},
            beryju/authentik:${{ steps.ev.outputs.versionFamily }},
@ -42,8 +39,7 @@ jobs:
            ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
-          build-args: |
-            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
+          context: .
  build-outpost:
    runs-on: ubuntu-latest
    strategy:
@ -75,7 +71,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
+      - name: Building Docker Image
        uses: docker/build-push-action@v3
        with:
          push: ${{ github.event_name == 'release' }}
@ -88,8 +84,6 @@ jobs:
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
-          build-args: |
-            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
@ -106,7 +100,7 @@ jobs:
      - uses: actions/setup-go@v3
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          cache: 'npm'
@ -167,9 +161,11 @@ jobs:
        if: ${{ github.event_name == 'release' }}
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_ORG: authentik-security-inc
+          SENTRY_ORG: beryjuorg
          SENTRY_PROJECT: authentik
+          SENTRY_URL: https://sentry.beryju.org
        with:
          version: authentik@${{ steps.ev.outputs.version }}
+          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -26,14 +26,14 @@ jobs:
        id: get_version
        uses: actions/github-script@v6
        with:
-          github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1.1.4
        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: Release ${{ steps.get_version.outputs.result }}
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -19,8 +19,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run compile
@ -29,7 +27,7 @@ jobs:
        uses: peter-evans/create-pull-request@v4
        id: cpr
        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
          branch: compile-backend-translation
          commit-message: "core: compile backend translations"
          title: "core: compile backend translations"
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -10,9 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
-      - uses: actions/setup-node@v3.6.0
+      - uses: actions/setup-node@v3.5.1
        with:
          node-version: '16'
          registry-url: 'https://registry.npmjs.org'
@ -30,20 +28,14 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v4
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
        id: cpr
        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
          branch: update-web-api-client
          commit-message: "web: bump API Client version"
          title: "web: bump API Client version"
          body: "web: bump API Client version"
          delete-branch: true
          signoff: true
-          team-reviewers: "@goauthentik/core"
-          author: authentik bot <github-bot@goauthentik.io>
-      - uses: peter-evans/enable-pull-request-automerge@v2
-        with:
-          token: ${{ secrets.BOT_GITHUB_TOKEN }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash
--- a/.gitignore
+++ b/.gitignore
@ -194,9 +194,11 @@ pip-selfcheck.json
 /static/
 local.env.yml

+# Selenium Screenshots
+selenium_screenshots/
+backups/
 media/
 *mmdb

 .idea/
 /gen-*/
-data/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -14,9 +14,7 @@
        "webauthn",
        "traefik",
        "passwordless",
-        "kubernetes",
-        "sso",
-        "slo"
+        "kubernetes"
    ],
    "python.linting.pylintEnabled": true,
    "todo-tree.tree.showCountsInTree": true,
@ -24,13 +22,7 @@
    "python.formatting.provider": "black",
    "yaml.customTags": [
        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
-        "!Condition sequence",
-        "!Env sequence",
-        "!Env scalar"
+        "!KeyOf scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
@ -38,13 +30,5 @@
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
-    },
-    "gitlens.autolinks": [
-        {
-            "alphanumeric": true,
-            "prefix": "#<num>",
-            "url": "https://github.com/goauthentik/authentik/issues/<num>",
-            "ignoreCase": false
    }
-    ]
 }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -59,18 +59,19 @@ These are the current packages:
 authentik
 ├── admin - Administrative tasks and APIs, no models (Version updates, Metrics, system tasks)
 ├── api - General API Configuration (Routes, Schema and general API utilities)
-├── blueprints - Handle managed models and their state.
 ├── core - Core authentik functionality, central routes, core Models
 ├── crypto - Cryptography, currently used to generate and hold Certificates and Private Keys
 ├── events - Event Log, middleware and signals to generate signals
 ├── flows - Flows, the FlowPlanner and the FlowExecutor, used for all flows for authentication, authorization, etc
 ├── lib - Generic library of functions, few dependencies on other packages.
+├── managed - Handle managed models and their state.
 ├── outposts - Configure and deploy outposts on kubernetes and docker.
 ├── policies - General PolicyEngine
 │   ├── dummy - A Dummy policy used for testing
 │   ├── event_matcher - Match events based on different criteria
 │   ├── expiry - Check when a user's password was last set
 │   ├── expression - Execute any arbitrary python code
+│   ├── hibp - Check a password against HaveIBeenPwned
 │   ├── password - Check a password against several rules
 │   └── reputation - Check the user's/client's reputation
 ├── providers
--- a/27
+++ b/27
@ -20,7 +20,7 @@ WORKDIR /work/web
 RUN npm ci && npm run build

 # Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.11.1-slim-bullseye AS poetry-locker
+FROM docker.io/python:3.10.7-slim-bullseye AS poetry-locker

 WORKDIR /work
 COPY ./pyproject.toml /work
@ -31,7 +31,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt

 # Stage 4: Build go proxy
-FROM docker.io/golang:1.19.5-bullseye AS go-builder
+FROM docker.io/golang:1.19.2-bullseye AS go-builder

 WORKDIR /work

@ -46,23 +46,8 @@ COPY ./go.sum /work/go.sum

 RUN go build -o /work/authentik ./cmd/server/

-# Stage 5: MaxMind GeoIP
-FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip
-
-ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
-ENV GEOIPUPDATE_VERBOSE="true"
-
-RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
-    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
-    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "\
-        export GEOIPUPDATE_ACCOUNT_ID=$(cat /run/secrets/GEOIPUPDATE_ACCOUNT_ID); \
-        export GEOIPUPDATE_LICENSE_KEY=$(cat /run/secrets/GEOIPUPDATE_LICENSE_KEY); \
-        /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0 \
-    "
-
-# Stage 6: Run
-FROM docker.io/python:3.11.1-slim-bullseye AS final-image
+# Stage 5: Run
+FROM docker.io/python:3.10.7-slim-bullseye AS final-image

 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
@ -75,11 +60,10 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 COPY --from=poetry-locker /work/requirements.txt /
 COPY --from=poetry-locker /work/requirements-dev.txt /
-COPY --from=geoip /usr/share/GeoIP /geoip

 RUN apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev && \
    # Required for runtime
    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
@ -97,7 +81,6 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
 COPY ./xml /xml
-COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
--- a/687
+++ b/687
@ -1,21 +1,674 @@
-MIT License
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007

-Copyright (c) 2022 Jens Langhammer
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+                            Preamble

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/19
+++ b/19
@ -6,6 +6,15 @@ NPM_VERSION = $(shell python -m scripts.npm_version)

 all: lint-fix lint test gen web

+test-integration:
+	coverage run manage.py test tests/integration
+
+test-e2e-provider:
+	coverage run manage.py test tests/e2e/test_provider*
+
+test-e2e-rest:
+	coverage run manage.py test tests/e2e/test_flows* tests/e2e/test_source*
+
 test-go:
 	go test -timeout 0 -v -race -cover ./...

@ -60,7 +69,7 @@ gen-build:
 	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml

 gen-diff:
-	git show $(shell git describe --abbrev=0):schema.yml > old_schema.yml
+	git show $(shell git tag -l | tail -n 1):schema.yml > old_schema.yml
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
@ -117,7 +126,7 @@ gen: gen-build gen-clean gen-client-ts
 web-build: web-install
 	cd web && npm run build

-web: web-lint-fix web-lint web-check-compile
+web: web-lint-fix web-lint

 web-install:
 	cd web && npm ci
@ -135,9 +144,6 @@ web-lint:
 	cd web && npm run lint
 	cd web && npm run lit-analyse

-web-check-compile:
-	cd web && npm run tsc
-
 web-extract:
 	cd web && npm run extract

@ -191,4 +197,7 @@ dev-reset:
 	dropdb -U postgres -h localhost authentik
 	createdb -U postgres -h localhost authentik
 	redis-cli -n 0 flushall
+	redis-cli -n 1 flushall
+	redis-cli -n 2 flushall
+	redis-cli -n 3 flushall
 	make migrate
--- a/README.md
+++ b/README.md
@ -5,13 +5,14 @@
 ---

 [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-main.yml?branch=main&label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
+[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/main?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)

 ## What is authentik?

--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@ Authentik takes security very seriously. We follow the rules of [responsible dis

 | Version   | Supported          |
 | --------- | ------------------ |
-| 2022.12.x | :white_check_mark: |
-| 2023.1.x  | :white_check_mark: |
+| 2022.10.x | :white_check_mark: |
+| 2022.11.x | :white_check_mark: |

 ## Reporting a Vulnerability

@ -41,4 +41,4 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:sec

 ## Getting security notifications

-To get security notifications, subscribe to the mailing list [here](https://groups.google.com/g/authentik-security-announcements) or join the [discord](https://goauthentik.io/discord) server.
+To get security notifications, join the [discord](https://goauthentik.io/discord) server. In the future there will be a mailing list too.
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,14 +2,16 @@
 from os import environ
 from typing import Optional

-__version__ = "2023.1.2"
+__version__ = "2022.10.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


 def get_build_hash(fallback: Optional[str] = None) -> str:
    """Get build hash"""
    build_hash = environ.get(ENV_GIT_HASH_KEY, fallback if fallback else "")
-    return fallback if build_hash == "" and fallback else build_hash
+    if build_hash == "" and fallback:
+        return fallback
+    return build_hash


 def get_full_version() -> str:
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -1,7 +1,4 @@
 """authentik administration metrics"""
-from datetime import timedelta
-
-from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
@ -24,44 +21,38 @@ class CoordinateSerializer(PassiveSerializer):
 class LoginMetricsSerializer(PassiveSerializer):
    """Login Metrics per 1h"""

-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
+    logins_per_1h = SerializerMethodField()
+    logins_failed_per_1h = SerializerMethodField()
+    authorizations_per_1h = SerializerMethodField()

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
+    def get_logins_per_1h(self, _):
+        """Get successful logins per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN)
+            .get_events_per_hour()
        )

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
+    def get_logins_failed_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN_FAILED)
+            .get_events_per_hour()
        )

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get successful authorizations per 8 hours for the last 7 days"""
+    def get_authorizations_per_1h(self, _):
+        """Get successful authorizations per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.AUTHORIZE_APPLICATION)
+            .get_events_per_hour()
        )


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -8,6 +8,7 @@ from typing import TypedDict
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
 from gunicorn import version_info as gunicorn_version
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@ -15,7 +16,6 @@ from rest_framework.response import Response
 from rest_framework.views import APIView

 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost

@ -69,7 +69,7 @@ class SystemSerializer(PassiveSerializer):
        return {
            "python_version": python_version,
            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
-            "environment": get_env(),
+            "environment": "kubernetes" if SERVICE_HOST_ENV_NAME in os.environ else "compose",
            "architecture": platform.machine(),
            "platform": platform.platform(),
            "uname": " ".join(platform.uname()),
--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -7,13 +7,7 @@ from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import (
-    CharField,
-    ChoiceField,
-    DateTimeField,
-    ListField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -32,7 +26,6 @@ class TaskSerializer(PassiveSerializer):
    task_name = CharField()
    task_description = CharField()
    task_finish_timestamp = DateTimeField(source="finish_time")
-    task_duration = SerializerMethodField()

    status = ChoiceField(
        source="result.status.name",
@ -40,11 +33,7 @@ class TaskSerializer(PassiveSerializer):
    )
    messages = ListField(source="result.messages")

-    def get_task_duration(self, instance: TaskInfo) -> int:
-        """Get the duration a task took to run"""
-        return max(instance.finish_timestamp - instance.start_timestamp, 0)
-
-    def to_representation(self, instance: TaskInfo):
+    def to_representation(self, instance):
        """When a new version of authentik adds fields to TaskInfo,
        the API will fail with an AttributeError, as the classes
        are pickled in cache. In that case, just delete the info"""
@ -79,6 +68,7 @@ class TaskViewSet(ViewSet):
            ),
        ],
    )
+    # pylint: disable=invalid-name
    def retrieve(self, request: Request, pk=None) -> Response:
        """Get a single system task"""
        task = TaskInfo.by_name(pk)
@ -109,6 +99,7 @@ class TaskViewSet(ViewSet):
        ],
    )
    @action(detail=True, methods=["post"])
+    # pylint: disable=invalid-name
    def retry(self, request: Request, pk=None) -> Response:
        """Retry task"""
        task = TaskInfo.by_name(pk)
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -8,6 +8,7 @@ from authentik.root.monitoring import monitoring_set


@receiver(monitoring_set)
+# pylint: disable=unused-argument
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
    count = len(CELERY_APP.control.ping(timeout=0.5))
@ -15,6 +16,7 @@ def monitoring_set_workers(sender, **kwargs):


@receiver(monitoring_set)
+# pylint: disable=unused-argument
 def monitoring_set_tasks(sender, **kwargs):
    """Set task gauges"""
    for task in TaskInfo.all().values():
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -31,5 +31,4 @@ class AuthentikAPIConfig(AppConfig):
                    "type": "apiKey",
                    "in": "header",
                    "name": "Authorization",
-                    "scheme": "bearer",
                }
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -11,6 +11,7 @@ from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
+from authentik.providers.oauth2.models import RefreshToken

 LOGGER = get_logger()

@ -32,18 +33,6 @@ def validate_auth(header: bytes) -> Optional[str]:

 def bearer_auth(raw_header: bytes) -> Optional[User]:
    """raw_header in the Format of `Bearer ....`"""
-    user = auth_user_lookup(raw_header)
-    if not user:
-        return None
-    if not user.is_active:
-        raise AuthenticationFailed("Token invalid/expired")
-    return user
-
-
-def auth_user_lookup(raw_header: bytes) -> Optional[User]:
-    """raw_header in the Format of `Bearer ....`"""
-    from authentik.providers.oauth2.models import RefreshToken
-
    auth_credentials = validate_auth(raw_header)
    if not auth_credentials:
        return None
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -1,15 +1,9 @@
 """API Authorization"""
-from django.conf import settings
 from django.db.models import Model
 from django.db.models.query import QuerySet
-from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
-from rest_framework_guardian.filters import ObjectPermissionsFilter
-
-from authentik.api.authentication import validate_auth


 class OwnerFilter(BaseFilterBackend):
@ -23,20 +17,6 @@ class OwnerFilter(BaseFilterBackend):
        return queryset.filter(**{self.owner_key: request.user})


-class SecretKeyFilter(DjangoFilterBackend):
-    """Allow access to all objects when authenticated with secret key as token.
-
-    Replaces both DjangoFilterBackend and ObjectPermissionsFilter"""
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        auth_header = get_authorization_header(request)
-        token = validate_auth(auth_header)
-        if token and token == settings.SECRET_KEY:
-            return queryset
-        queryset = ObjectPermissionsFilter().filter_queryset(request, queryset, view)
-        return super().filter_queryset(request, queryset, view)
-
-
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""

--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -62,7 +62,7 @@ window.addEventListener('DOMContentLoaded', (event) => {
    allow-spec-url-load="false"
    allow-spec-file-load="false">
    <div slot="nav-logo">
-        <img  alt="authentik Logo" class="logo" src="{% static 'dist/assets/icons/icon_left_brand.png' %}" />
+        <img class="logo" src="{% static 'dist/assets/icons/icon_left_brand.png' %}" />
    </div>
 </rapi-doc>
 <script>
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -3,12 +3,13 @@ from base64 import b64encode

 from django.conf import settings
 from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed

 from authentik.api.authentication import bearer_auth
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
@ -35,18 +36,9 @@ class TestAPIAuth(TestCase):

    def test_bearer_valid(self):
        """Test valid token"""
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=create_test_admin_user())
+        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)

-    def test_bearer_valid_deactivated(self):
-        """Test valid token"""
-        user = create_test_admin_user()
-        user.is_active = False
-        user.save()
-        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=user)
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth(f"Bearer {token.key}".encode())
-
    def test_managed_outpost(self):
        """Test managed outpost"""
        with self.assertRaises(AuthenticationFailed):
@ -64,7 +56,7 @@ class TestAPIAuth(TestCase):
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
-            user=create_test_admin_user(),
+            user=get_anonymous_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope=SCOPE_AUTHENTIK_API,
@ -77,7 +69,7 @@ class TestAPIAuth(TestCase):
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
-            user=create_test_admin_user(),
+            user=get_anonymous_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope="",
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -35,7 +35,6 @@ class ErrorReportingConfigSerializer(PassiveSerializer):
    """Config for error reporting"""

    enabled = BooleanField(read_only=True)
-    sentry_dsn = CharField(read_only=True)
    environment = CharField(read_only=True)
    send_pii = BooleanField(read_only=True)
    traces_sample_rate = FloatField(read_only=True)
@ -68,7 +67,7 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_GEO_IP)
        if CONFIG.y_bool("impersonation"):
            caps.append(Capabilities.CAN_IMPERSONATE)
-        if settings.DEBUG:  # pragma: no cover
+        if settings.DEBUG:
            caps.append(Capabilities.CAN_DEBUG)
        return caps

@ -78,7 +77,6 @@ class ConfigView(APIView):
            {
                "error_reporting": {
                    "enabled": CONFIG.y("error_reporting.enabled"),
-                    "sentry_dsn": CONFIG.y("error_reporting.sentry_dsn"),
                    "environment": CONFIG.y("error_reporting.environment"),
                    "send_pii": CONFIG.y("error_reporting.send_pii"),
                    "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.4)),
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -45,15 +45,15 @@ from authentik.policies.dummy.api import DummyPolicyViewSet
 from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
 from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
 from authentik.policies.expression.api import ExpressionPolicyViewSet
+from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
 from authentik.policies.password.api import PasswordPolicyViewSet
 from authentik.policies.reputation.api import ReputationPolicyViewSet, ReputationViewSet
 from authentik.providers.ldap.api import LDAPOutpostConfigViewSet, LDAPProviderViewSet
-from authentik.providers.oauth2.api.providers import OAuth2ProviderViewSet
-from authentik.providers.oauth2.api.scopes import ScopeMappingViewSet
+from authentik.providers.oauth2.api.provider import OAuth2ProviderViewSet
+from authentik.providers.oauth2.api.scope import ScopeMappingViewSet
 from authentik.providers.oauth2.api.tokens import AuthorizationCodeViewSet, RefreshTokenViewSet
 from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
-from authentik.providers.saml.api.property_mapping import SAMLPropertyMappingViewSet
-from authentik.providers.saml.api.providers import SAMLProviderViewSet
+from authentik.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProviderViewSet
 from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 from authentik.sources.oauth.api.source import OAuthSourceViewSet
 from authentik.sources.oauth.api.source_connection import UserOAuthSourceConnectionViewSet
@ -149,6 +149,7 @@ router.register("policies/all", PolicyViewSet)
 router.register("policies/bindings", PolicyBindingViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/event_matcher", EventMatcherPolicyViewSet)
+router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
 router.register("policies/reputation/scores", ReputationViewSet)
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -1,5 +1,4 @@
 """Serializer mixin for managed models"""
-from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
@ -12,7 +11,6 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.api.decorators import permission_required
 from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
-from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
@ -42,21 +40,6 @@ class BlueprintInstanceSerializer(ModelSerializer):
            raise ValidationError(exc) from exc
        return path

-    def validate_content(self, content: str) -> str:
-        """Ensure content (if set) is a valid blueprint"""
-        if content == "":
-            return content
-        context = self.instance.context if self.instance else {}
-        valid, logs = Importer(content, context).validate()
-        if not valid:
-            raise ValidationError(_("Failed to validate blueprint"), *[x["msg"] for x in logs])
-        return content
-
-    def validate(self, attrs: dict) -> dict:
-        if attrs.get("path", "") == "" and attrs.get("content", "") == "":
-            raise ValidationError(_("Either path or content must be set."))
-        return super().validate(attrs)
-
    class Meta:

        model = BlueprintInstance
@ -71,7 +54,6 @@ class BlueprintInstanceSerializer(ModelSerializer):
            "enabled",
            "managed_models",
            "metadata",
-            "content",
        ]
        extra_kwargs = {
            "status": {"read_only": True},
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@ -57,10 +57,9 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):

    def reconcile_blueprints_discover(self):
        """Run blueprint discovery"""
-        from authentik.blueprints.v1.tasks import blueprints_discover, clear_failed_blueprints
+        from authentik.blueprints.v1.tasks import blueprints_discover

        blueprints_discover.delay()
-        clear_failed_blueprints.delay()

    def import_models(self):
        super().import_models()
--- a/authentik/blueprints/management/commands/schema_template.json
+++ b/authentik/blueprints/management/commands/schema_template.json
@ -53,21 +53,6 @@
                    "id": {
                        "type": "string"
                    },
-                    "state": {
-                        "type": "string",
-                        "enum": [
-                            "absent",
-                            "present",
-                            "created"
-                        ],
-                        "default": "present"
-                    },
-                    "conditions": {
-                        "type": "array",
-                        "items": {
-                            "type": "boolean"
-                        }
-                    },
                    "attrs": {
                        "type": "object",
                        "properties": {
--- a/authentik/blueprints/migrations/0002_blueprintinstance_content.py
+++ b/authentik/blueprints/migrations/0002_blueprintinstance_content.py
@ -1,23 +0,0 @@
-# Generated by Django 4.1.5 on 2023-01-10 19:48
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_blueprints", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="blueprintinstance",
-            name="content",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.AlterField(
-            model_name="blueprintinstance",
-            name="path",
-            field=models.TextField(blank=True, default=""),
-        ),
-    ]
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@ -1,18 +1,30 @@
 """blueprint models"""
 from pathlib import Path
+from urllib.parse import urlparse
 from uuid import uuid4

 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
+from opencontainers.distribution.reggie import (
+    NewClient,
+    WithDebug,
+    WithDefaultName,
+    WithDigest,
+    WithReference,
+    WithUserAgent,
+    WithUsernamePassword,
+)
+from requests.exceptions import RequestException
 from rest_framework.serializers import Serializer
 from structlog import get_logger

-from authentik.blueprints.v1.oci import BlueprintOCIClient, OCIException
 from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.http import authentik_user_agent

+OCI_MEDIA_TYPE = "application/vnd.goauthentik.blueprint.v1+yaml"
 LOGGER = get_logger()


@ -62,8 +74,7 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):

    name = models.TextField()
    metadata = models.JSONField(default=dict)
-    path = models.TextField(default="", blank=True)
-    content = models.TextField(default="", blank=True)
+    path = models.TextField()
    context = models.JSONField(default=dict)
    last_applied = models.DateTimeField(auto_now=True)
    last_applied_hash = models.TextField()
@ -75,29 +86,61 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):

    def retrieve_oci(self) -> str:
        """Get blueprint from an OCI registry"""
-        client = BlueprintOCIClient(self.path.replace("oci://", "https://"))
+        url = urlparse(self.path)
+        ref = "latest"
+        path = url.path[1:]
+        if ":" in url.path:
+            path, _, ref = path.partition(":")
+        client = NewClient(
+            f"{url.scheme}://{url.hostname}",
+            WithUserAgent(authentik_user_agent()),
+            WithUsernamePassword(url.username, url.password),
+            WithDefaultName(path),
+            WithDebug(True),
+        )
+        LOGGER.info("Fetching OCI manifests for blueprint", instance=self)
+        manifest_request = client.NewRequest(
+            "GET",
+            "/v2/<name>/manifests/<reference>",
+            WithReference(ref),
+        ).SetHeader("Accept", "application/vnd.oci.image.manifest.v1+json")
        try:
-            manifests = client.fetch_manifests()
-            return client.fetch_blobs(manifests)
-        except OCIException as exc:
+            manifest_response = client.Do(manifest_request)
+            manifest_response.raise_for_status()
+        except RequestException as exc:
            raise BlueprintRetrievalFailed(exc) from exc
+        manifest = manifest_response.json()
+        if "errors" in manifest:
+            raise BlueprintRetrievalFailed(manifest["errors"])

-    def retrieve_file(self) -> str:
-        """Get blueprint from path"""
+        blob = None
+        for layer in manifest.get("layers", []):
+            if layer.get("mediaType", "") == OCI_MEDIA_TYPE:
+                blob = layer.get("digest")
+                LOGGER.debug("Found layer with matching media type", instance=self, blob=blob)
+        if not blob:
+            raise BlueprintRetrievalFailed("Blob not found")
+
+        blob_request = client.NewRequest(
+            "GET",
+            "/v2/<name>/blobs/<digest>",
+            WithDigest(blob),
+        )
        try:
-            full_path = Path(CONFIG.y("blueprints_dir")).joinpath(Path(self.path))
-            with full_path.open("r", encoding="utf-8") as _file:
-                return _file.read()
-        except (IOError, OSError) as exc:
+            blob_response = client.Do(blob_request)
+            blob_response.raise_for_status()
+            return blob_response.text
+        except RequestException as exc:
            raise BlueprintRetrievalFailed(exc) from exc

    def retrieve(self) -> str:
        """Retrieve blueprint contents"""
-        if self.path.startswith("oci://"):
+        full_path = Path(CONFIG.y("blueprints_dir")).joinpath(Path(self.path))
+        if full_path.exists():
+            LOGGER.debug("Blueprint path exists locally", instance=self)
+            with full_path.open("r", encoding="utf-8") as _file:
+                return _file.read()
        return self.retrieve_oci()
-        if self.path != "":
-            return self.retrieve_file()
-        return self.content

    @property
    def serializer(self) -> Serializer:
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@ -9,9 +9,4 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
-    "blueprints_v1_cleanup": {
-        "task": "authentik.blueprints.v1.tasks.clear_failed_blueprints",
-        "schedule": crontab(minute=fqdn_rand("blueprints_v1_cleanup"), hour="*"),
-        "options": {"queue": "authentik_scheduled"},
-    },
 }
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -7,6 +7,7 @@ from django.apps import apps

 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.blueprints.models import BlueprintInstance
+from authentik.lib.config import CONFIG


 def apply_blueprint(*files: str):
@ -45,13 +46,3 @@ def reconcile_app(app_name: str):
        return wrapper

    return wrapper_outer
-
-
-def load_yaml_fixture(path: str, **kwargs) -> str:
-    """Load yaml fixture, optionally formatting it with kwargs"""
-    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
-        fixture = _fixture.read()
-        try:
-            return fixture % kwargs
-        except TypeError:
-            return fixture
--- a/authentik/blueprints/tests/fixtures/conditions_fulfilled.yaml
+++ b/authentik/blueprints/tests/fixtures/conditions_fulfilled.yaml
@ -1,21 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id1)s"
-          slug: "%(id1)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-      attrs:
-          designation: stage_configuration
-          title: foo
-    - identifiers:
-          name: "%(id2)s"
-          slug: "%(id2)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-          - true
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/conditions_not_fulfilled.yaml
+++ b/authentik/blueprints/tests/fixtures/conditions_not_fulfilled.yaml
@ -1,21 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id1)s"
-          slug: "%(id1)s"
-      model: authentik_flows.flow
-      conditions:
-          - false
-      attrs:
-          designation: stage_configuration
-          title: foo
-    - identifiers:
-          name: "%(id2)s"
-          slug: "%(id2)s"
-      model: authentik_flows.flow
-      conditions:
-          - true
-          - false
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/state_absent.yaml
+++ b/authentik/blueprints/tests/fixtures/state_absent.yaml
@ -1,13 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: absent
-    - identifiers:
-          name: "%(id)s"
-          expression: |
-            return True
-      model: authentik_policies_expression.expressionpolicy
-      state: absent
--- a/authentik/blueprints/tests/fixtures/state_created.yaml
+++ b/authentik/blueprints/tests/fixtures/state_created.yaml
@ -1,10 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: created
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,10 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          name: "%(id)s"
-          slug: "%(id)s"
-      model: authentik_flows.flow
-      state: present
-      attrs:
-          designation: stage_configuration
-          title: foo
--- a/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
+++ b/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
@ -1,13 +0,0 @@
-version: 1
-entries:
-    - identifiers:
-          pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
-      model: authentik_stages_prompt.prompt
-      attrs:
-          name: qwerweqrq
-          field_key: username
-          label: Username
-          type: username
-          required: true
-          placeholder: Username
-          order: 0
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -1,150 +0,0 @@
-version: 1
-context:
-    foo: bar
-    policy_property: name
-    policy_property_value: foo-bar-baz-qux
-    sequence:
-    - foo
-    - bar
-    mapping:
-      key1: value
-      key2: 2
-entries:
-    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
-      state: !Format ["%s", present]
-      identifiers:
-          slug: test
-      attrs:
-          name: test
-          provider_type: github
-          consumer_key: !Env foo
-          consumer_secret: !Env [bar, baz]
-          authentication_flow:
-              !Find [
-                  authentik_flows.Flow,
-                  [slug, default-source-authentication],
-              ]
-          enrollment_flow:
-              !Find [!Format  ["%s", authentik_flows.Flow], [slug, default-source-enrollment]]
-    - attrs:
-          expression: return True
-      identifiers:
-          name: !Format [foo-%s-%s-%s, !Context foo, !Context bar, qux]
-      id: policy
-      model: authentik_policies_expression.expressionpolicy
-    - attrs:
-          attributes:
-              policy_pk1:
-                  !Format [
-                      "%s-%s",
-                      !Find [
-                          authentik_policies_expression.expressionpolicy,
-                          [
-                              !Context policy_property,
-                              !Context policy_property_value,
-                          ],
-                          [expression, return True],
-                      ],
-                      suffix,
-                  ]
-              policy_pk2: !Format ["%s-%s", !KeyOf policy, suffix]
-              boolAnd:
-                  !Condition [AND, !Context foo, !Format ["%s", "a_string"], 1]
-              boolNand:
-                  !Condition [NAND, !Context foo, !Format ["%s", "a_string"], 1]
-              boolOr:
-                  !Condition [
-                      OR,
-                      !Context foo,
-                      !Format ["%s", "a_string"],
-                      null,
-                  ]
-              boolNor:
-                  !Condition [
-                      NOR,
-                      !Context foo,
-                      !Format ["%s", "a_string"],
-                      null,
-                  ]
-              boolXor:
-                  !Condition [XOR, !Context foo, !Format ["%s", "a_string"], 1]
-              boolXnor:
-                  !Condition [XNOR, !Context foo, !Format ["%s", "a_string"], 1]
-              boolComplex:
-                  !Condition [
-                      XNOR,
-                      !Condition [AND, !Context non_existing],
-                      !Condition [NOR, a string],
-                      !Condition [XOR, null],
-                  ]
-              if_true_complex:
-                  !If [
-                      true,
-                      {
-                          dictionary:
-                              {
-                                  with: { keys: "and_values" },
-                                  and_nested_custom_tags:
-                                      !Format ["foo-%s", !Context foo],
-                              },
-                      },
-                      null,
-                  ]
-              if_false_complex:
-                  !If [
-                      !Condition [AND, false],
-                      null,
-                      [list, with, items, !Format ["foo-%s", !Context foo]],
-                  ]
-              if_true_simple: !If [!Context foo, true, text]
-              if_false_simple: !If [null, false, 2]
-              enumerate_mapping_to_mapping: !Enumerate [
-                  !Context mapping,
-                  MAP,
-                  [!Format ["prefix-%s", !Index 0], !Format ["other-prefix-%s", !Value 0]]
-              ]
-              enumerate_mapping_to_sequence: !Enumerate [
-                  !Context mapping,
-                  SEQ,
-                  !Format ["prefixed-pair-%s-%s", !Index 0, !Value 0]
-              ]
-              enumerate_sequence_to_sequence: !Enumerate [
-                  !Context sequence,
-                  SEQ,
-                  !Format ["prefixed-items-%s-%s", !Index 0, !Value 0]
-              ]
-              enumerate_sequence_to_mapping: !Enumerate [
-                  !Context sequence,
-                  MAP,
-                  [!Format ["index: %d", !Index 0], !Value 0]
-              ]
-              nested_complex_enumeration: !Enumerate [
-                  !Context sequence,
-                  MAP,
-                  [
-                      !Index 0,
-                      !Enumerate [
-                          !Context mapping,
-                          MAP,
-                          [
-                              !Format ["%s", !Index 0],
-                              [
-                                  !Enumerate [!Value 2, SEQ, !Format ["prefixed-%s", !Value 0]],
-                                  {
-                                    outer_value: !Value 1,
-                                    outer_index: !Index 1,
-                                    middle_value: !Value 0,
-                                    middle_index: !Index 0
-                                  }
-                              ]
-                          ]
-                      ]
-                  ]
-              ]
-      identifiers:
-          name: test
-      conditions:
-          - !Condition [AND, true, true, text]
-          - true
-          - text
-      model: authentik_core.group
--- a/authentik/blueprints/tests/test_models.py
+++ b/authentik/blueprints/tests/test_models.py
@ -16,7 +16,7 @@ def serializer_tester_factory(test_model: Type[SerializerModel]) -> Callable:
    """Test serializer"""

    def tester(self: TestModels):
-        if test_model._meta.abstract:  # pragma: no cover
+        if test_model._meta.abstract:
            return
        model_class = test_model()
        self.assertTrue(isinstance(model_class, SerializerModel))
--- a/authentik/blueprints/tests/test_oci.py
+++ b/authentik/blueprints/tests/test_oci.py
@ -2,8 +2,7 @@
 from django.test import TransactionTestCase
 from requests_mock import Mocker

-from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
-from authentik.blueprints.v1.oci import OCI_MEDIA_TYPE
+from authentik.blueprints.models import OCI_MEDIA_TYPE, BlueprintInstance, BlueprintRetrievalFailed


 class TestBlueprintOCI(TransactionTestCase):
@ -27,8 +26,8 @@ class TestBlueprintOCI(TransactionTestCase):

            self.assertEqual(
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
-                ).retrieve(),
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
+                ).retrieve_oci(),
                "foo",
            )

@ -41,7 +40,7 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_manifests_error_response(self):
@ -54,7 +53,7 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_no_matching_blob(self):
@ -73,7 +72,7 @@ class TestBlueprintOCI(TransactionTestCase):
            )
            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()

    def test_blob_error(self):
@ -94,5 +93,5 @@ class TestBlueprintOCI(TransactionTestCase):

            with self.assertRaises(BlueprintRetrievalFailed):
                BlueprintInstance(
-                    path="oci://ghcr.io/goauthentik/blueprints/test:latest"
+                    path="https://ghcr.io/goauthentik/blueprints/test:latest"
                ).retrieve_oci()
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -13,7 +13,7 @@ from authentik.tenants.models import Tenant
 class TestPackaged(TransactionTestCase):
    """Empty class, test methods are added dynamically"""

-    @apply_blueprint("default/default-tenant.yaml")
+    @apply_blueprint("default/90-default-tenant.yaml")
    def test_decorator_static(self):
        """Test @apply_blueprint decorator"""
        self.assertTrue(Tenant.objects.filter(domain="authentik-default").exists())
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -1,20 +1,41 @@
 """Test blueprints v1"""
-from os import environ
-
 from django.test import TransactionTestCase

-from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
-from authentik.core.models import Group
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.lib.generators import generate_id
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage

+STATIC_PROMPT_EXPORT = """version: 1
+entries:
+- identifiers:
+    pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
+  model: authentik_stages_prompt.prompt
+  attrs:
+    field_key: username
+    label: Username
+    type: username
+    required: true
+    placeholder: Username
+    order: 0
+"""
+
+YAML_TAG_TESTS = """version: 1
+context:
+    foo: bar
+entries:
+- attrs:
+    expression: return True
+  identifiers:
+    name: !Format [foo-%s-%s, !Context foo, !Context bar]
+  id: default-source-enrollment-if-username
+  model: authentik_policies_expression.expressionpolicy
+"""
+

 class TestBlueprintsV1(TransactionTestCase):
    """Test Blueprints"""
@ -30,61 +51,6 @@ class TestBlueprintsV1(TransactionTestCase):
            )
        )
        self.assertFalse(importer.validate()[0])
-        importer = Importer(
-            (
-                '{"version": 1, "entries": [{"attrs": {"name": "test"}, '
-                '"identifiers": {}, '
-                '"model": "authentik_core.Group"}]}'
-            )
-        )
-        self.assertFalse(importer.validate()[0])
-
-    def test_validated_import_dict_identifiers(self):
-        """Test importing blueprints with dict identifiers."""
-        Group.objects.filter(name__istartswith="test").delete()
-
-        Group.objects.create(
-            name="test1",
-            attributes={
-                "key": ["value"],
-                "other_key": ["a_value", "other_value"],
-            },
-        )
-        Group.objects.create(
-            name="test2",
-            attributes={
-                "key": ["value"],
-                "other_key": ["diff_value", "other_diff_value"],
-            },
-        )
-
-        importer = Importer(
-            (
-                '{"version": 1, "entries": [{"attrs": {"name": "test999", "attributes": '
-                '{"key": ["updated_value"]}}, "identifiers": {"attributes": {"other_key": '
-                '["other_value"]}}, "model": "authentik_core.Group"}]}'
-            )
-        )
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        self.assertTrue(
-            Group.objects.filter(
-                name="test2",
-                attributes={
-                    "key": ["value"],
-                    "other_key": ["diff_value", "other_diff_value"],
-                },
-            )
-        )
-        self.assertTrue(
-            Group.objects.filter(
-                name="test999",
-                # All attributes used as identifiers are kept and merged with the
-                # new attributes declared in the blueprint
-                attributes={"key": ["updated_value"], "other_key": ["other_value"]},
-            )
-        )
-        self.assertFalse(Group.objects.filter(name="test1"))

    def test_export_validate_import(self):
        """Test export and validate it"""
@ -119,113 +85,25 @@ class TestBlueprintsV1(TransactionTestCase):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()

-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)

-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.apply())

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)

    def test_import_yaml_tags(self):
        """Test some yaml tags"""
-        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
-        Group.objects.filter(name="test").delete()
-        environ["foo"] = generate_id()
-        importer = Importer(load_yaml_fixture("fixtures/tags.yaml"), {"bar": "baz"})
+        ExpressionPolicy.objects.filter(name="foo-foo-bar").delete()
+        importer = Importer(YAML_TAG_TESTS, {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
-        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
-        self.assertTrue(policy)
-        self.assertTrue(
-            Group.objects.filter(
-                attributes={
-                    "policy_pk1": str(policy.pk) + "-suffix",
-                    "policy_pk2": str(policy.pk) + "-suffix",
-                    "boolAnd": True,
-                    "boolNand": False,
-                    "boolOr": True,
-                    "boolNor": False,
-                    "boolXor": True,
-                    "boolXnor": False,
-                    "boolComplex": True,
-                    "if_true_complex": {
-                        "dictionary": {
-                            "with": {"keys": "and_values"},
-                            "and_nested_custom_tags": "foo-bar",
-                        }
-                    },
-                    "if_false_complex": ["list", "with", "items", "foo-bar"],
-                    "if_true_simple": True,
-                    "if_false_simple": 2,
-                    "enumerate_mapping_to_mapping": {
-                        "prefix-key1": "other-prefix-value",
-                        "prefix-key2": "other-prefix-2",
-                    },
-                    "enumerate_mapping_to_sequence": [
-                        "prefixed-pair-key1-value",
-                        "prefixed-pair-key2-2",
-                    ],
-                    "enumerate_sequence_to_sequence": [
-                        "prefixed-items-0-foo",
-                        "prefixed-items-1-bar",
-                    ],
-                    "enumerate_sequence_to_mapping": {"index: 0": "foo", "index: 1": "bar"},
-                    "nested_complex_enumeration": {
-                        "0": {
-                            "key1": [
-                                ["prefixed-f", "prefixed-o", "prefixed-o"],
-                                {
-                                    "outer_value": "foo",
-                                    "outer_index": 0,
-                                    "middle_value": "value",
-                                    "middle_index": "key1",
-                                },
-                            ],
-                            "key2": [
-                                ["prefixed-f", "prefixed-o", "prefixed-o"],
-                                {
-                                    "outer_value": "foo",
-                                    "outer_index": 0,
-                                    "middle_value": 2,
-                                    "middle_index": "key2",
-                                },
-                            ],
-                        },
-                        "1": {
-                            "key1": [
-                                ["prefixed-b", "prefixed-a", "prefixed-r"],
-                                {
-                                    "outer_value": "bar",
-                                    "outer_index": 1,
-                                    "middle_value": "value",
-                                    "middle_index": "key1",
-                                },
-                            ],
-                            "key2": [
-                                ["prefixed-b", "prefixed-a", "prefixed-r"],
-                                {
-                                    "outer_value": "bar",
-                                    "outer_index": 1,
-                                    "middle_value": 2,
-                                    "middle_index": "key2",
-                                },
-                            ],
-                        },
-                    },
-                }
-            )
-        )
-        self.assertTrue(
-            OAuthSource.objects.filter(
-                slug="test",
-                consumer_key=environ["foo"],
-            )
-        )
+        self.assertTrue(ExpressionPolicy.objects.filter(name="foo-foo-bar"))

    def test_export_validate_import_policies(self):
        """Test export and validate it"""
@ -262,21 +140,15 @@ class TestBlueprintsV1(TransactionTestCase):
        with transaction_rollback():
            # First stage fields
            username_prompt = Prompt.objects.create(
-                name=generate_id(),
-                field_key="username",
-                label="Username",
-                order=0,
-                type=FieldTypes.TEXT,
+                field_key="username", label="Username", order=0, type=FieldTypes.TEXT
            )
            password = Prompt.objects.create(
-                name=generate_id(),
                field_key="password",
                label="Password",
                order=1,
                type=FieldTypes.PASSWORD,
            )
            password_repeat = Prompt.objects.create(
-                name=generate_id(),
                field_key="password_repeat",
                label="Password (repeat)",
                order=2,
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -43,28 +43,3 @@ class TestBlueprintsV1API(APITestCase):
                    "6871c0003f5c07be5c3316d9d4a08444bd8fed1b3f03294e51e44522"
                ),
            )
-
-    def test_api_blank(self):
-        """Test blank"""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-list"),
-            data={
-                "name": "foo",
-            },
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(
-            res.content.decode(), {"non_field_errors": ["Either path or content must be set."]}
-        )
-
-    def test_api_content(self):
-        """Test blank"""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-list"),
-            data={
-                "name": "foo",
-                "content": '{"version": 3}',
-            },
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(res.content.decode(), {"content": ["Failed to validate blueprint"]})
--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@ -1,43 +0,0 @@
-"""Test blueprints v1"""
-from django.test import TransactionTestCase
-
-from authentik.blueprints.tests import load_yaml_fixture
-from authentik.blueprints.v1.importer import Importer
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-
-
-class TestBlueprintsV1Conditions(TransactionTestCase):
-    """Test Blueprints conditions attribute"""
-
-    def test_conditions_fulfilled(self):
-        """Test conditions fulfilled"""
-        flow_slug1 = generate_id()
-        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
-            "fixtures/conditions_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
-        )
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure objects exist
-        flow: Flow = Flow.objects.filter(slug=flow_slug1).first()
-        self.assertEqual(flow.slug, flow_slug1)
-        flow: Flow = Flow.objects.filter(slug=flow_slug2).first()
-        self.assertEqual(flow.slug, flow_slug2)
-
-    def test_conditions_not_fulfilled(self):
-        """Test conditions not fulfilled"""
-        flow_slug1 = generate_id()
-        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
-            "fixtures/conditions_not_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
-        )
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure objects do not exist
-        self.assertFalse(Flow.objects.filter(slug=flow_slug1))
-        self.assertFalse(Flow.objects.filter(slug=flow_slug2))
--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -1,82 +0,0 @@
-"""Test blueprints v1"""
-from django.test import TransactionTestCase
-
-from authentik.blueprints.tests import load_yaml_fixture
-from authentik.blueprints.v1.importer import Importer
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-
-
-class TestBlueprintsV1State(TransactionTestCase):
-    """Test Blueprints state attribute"""
-
-    def test_state_present(self):
-        """Test state present"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_present.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        # Update object
-        flow.title = "bar"
-        flow.save()
-
-        flow.refresh_from_db()
-        self.assertEqual(flow.title, "bar")
-
-        # Ensure importer updates it
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.title, "foo")
-
-    def test_state_created(self):
-        """Test state created"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        # Update object
-        flow.title = "bar"
-        flow.save()
-
-        flow.refresh_from_db()
-        self.assertEqual(flow.title, "bar")
-
-        # Ensure importer doesn't update it
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.title, "bar")
-
-    def test_state_absent(self):
-        """Test state absent"""
-        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
-
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        # Ensure object exists
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertEqual(flow.slug, flow_slug)
-
-        import_yaml = load_yaml_fixture("fixtures/state_absent.yaml", id=flow_slug)
-        importer = Importer(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
-        self.assertIsNone(flow)
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@ -67,30 +67,25 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
    @CONFIG.patch("blueprints_dir", TMP)
    def test_valid_updated(self):
        """Test valid file"""
-        BlueprintInstance.objects.filter(name="foo").delete()
        with NamedTemporaryFile(mode="w+", suffix=".yaml", dir=TMP) as file:
            file.write(
                dump(
                    {
                        "version": 1,
                        "entries": [],
-                        "metadata": {
-                            "name": "foo",
-                        },
                    }
                )
            )
            file.flush()
            blueprints_discover()  # pylint: disable=no-value-for-parameter
-            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
-                blueprint.last_applied_hash,
+                BlueprintInstance.objects.first().last_applied_hash,
                (
-                    "b86ec439b3857350714f070d2833490e736d9155d3d97b2cac13f3b352223e5a"
-                    "1adbf8ec56fa616d46090cc4773ff9e46c4e509fde96b97de87dd21fa329ca1a"
+                    "e52bb445b03cd36057258dc9f0ce0fbed8278498ee1470e45315293e5f026d1b"
+                    "d1f9b3526871c0003f5c07be5c3316d9d4a08444bd8fed1b3f03294e51e44522"
                ),
            )
-            self.assertEqual(blueprint.metadata, {"labels": {}, "name": "foo"})
+            self.assertEqual(BlueprintInstance.objects.first().metadata, {})
            file.write(
                dump(
                    {
@ -98,28 +93,24 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                        "entries": [],
                        "metadata": {
                            "name": "foo",
-                            "labels": {
-                                "foo": "bar",
-                            },
                        },
                    }
                )
            )
            file.flush()
            blueprints_discover()  # pylint: disable=no-value-for-parameter
-            blueprint.refresh_from_db()
            self.assertEqual(
-                blueprint.last_applied_hash,
+                BlueprintInstance.objects.first().last_applied_hash,
                (
-                    "87b68b10131d2c9751ed308bba38f04734b9e2cdf8532ed617bc52979b063c49"
-                    "2564f33f3d20ab9d5f0fd9e6eb77a13942e060199f147789cb7afab9690e72b5"
+                    "fc62fea96067da8592bdf90927246d0ca150b045447df93b0652a0e20a8bc327"
+                    "681510b5db37ea98759c61f9a98dd2381f46a3b5a2da69dfb45158897f14e824"
                ),
            )
            self.assertEqual(
-                blueprint.metadata,
+                BlueprintInstance.objects.first().metadata,
                {
                    "name": "foo",
-                    "labels": {"foo": "bar"},
+                    "labels": {},
                },
            )

--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -1,15 +1,10 @@
 """transfer common classes"""
 from collections import OrderedDict
-from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
-from functools import reduce
-from operator import ixor
-from os import getenv
-from typing import Any, Iterable, Literal, Mapping, Optional, Union
+from typing import Any, Optional
 from uuid import UUID

-from deepmerge import always_merger
 from django.apps import apps
 from django.db.models import Model, Q
 from rest_framework.fields import Field
@ -46,33 +41,19 @@ class BlueprintEntryState:
    instance: Optional[Model] = None


-class BlueprintEntryDesiredState(Enum):
-    """State an entry should be reconciled to"""
-
-    ABSENT = "absent"
-    PRESENT = "present"
-    CREATED = "created"
-
-
@dataclass
 class BlueprintEntry:
    """Single entry of a blueprint"""

-    model: Union[str, "YAMLTag"]
-    state: Union[BlueprintEntryDesiredState, "YAMLTag"] = field(
-        default=BlueprintEntryDesiredState.PRESENT
-    )
-    conditions: list[Any] = field(default_factory=list)
+    model: str
    identifiers: dict[str, Any] = field(default_factory=dict)
    attrs: Optional[dict[str, Any]] = field(default_factory=dict)

+    # pylint: disable=invalid-name
    id: Optional[str] = None

    _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)

-    def __post_init__(self, *args, **kwargs) -> None:
-        self.__tag_contexts: list["YAMLTagContext"] = []
-
    @staticmethod
    def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
        """Convert a SerializerModel instance to a blueprint Entry"""
@ -89,46 +70,17 @@ class BlueprintEntry:
            attrs=all_attrs,
        )

-    def _get_tag_context(
-        self,
-        depth: int = 0,
-        context_tag_type: Optional[type["YAMLTagContext"] | tuple["YAMLTagContext", ...]] = None,
-    ) -> "YAMLTagContext":
-        """Get a YAMLTagContext object located at a certain depth in the tag tree"""
-        if depth < 0:
-            raise ValueError("depth must be a positive number or zero")
-
-        if context_tag_type:
-            contexts = [x for x in self.__tag_contexts if isinstance(x, context_tag_type)]
-        else:
-            contexts = self.__tag_contexts
-
-        try:
-            return contexts[-(depth + 1)]
-        except IndexError:
-            raise ValueError(f"invalid depth: {depth}. Max depth: {len(contexts) - 1}")
-
    def tag_resolver(self, value: Any, blueprint: "Blueprint") -> Any:
        """Check if we have any special tags that need handling"""
-        val = copy(value)
-
-        if isinstance(value, YAMLTagContext):
-            self.__tag_contexts.append(value)
-
        if isinstance(value, YAMLTag):
-            val = value.resolve(self, blueprint)
-
+            return value.resolve(self, blueprint)
        if isinstance(value, dict):
            for key, inner_value in value.items():
-                val[key] = self.tag_resolver(inner_value, blueprint)
+                value[key] = self.tag_resolver(inner_value, blueprint)
        if isinstance(value, list):
            for idx, inner_value in enumerate(value):
-                val[idx] = self.tag_resolver(inner_value, blueprint)
-
-        if isinstance(value, YAMLTagContext):
-            self.__tag_contexts.pop()
-
-        return val
+                value[idx] = self.tag_resolver(inner_value, blueprint)
+        return value

    def get_attrs(self, blueprint: "Blueprint") -> dict[str, Any]:
        """Get attributes of this entry, with all yaml tags resolved"""
@ -138,18 +90,6 @@ class BlueprintEntry:
        """Get attributes of this entry, with all yaml tags resolved"""
        return self.tag_resolver(self.identifiers, blueprint)

-    def get_state(self, blueprint: "Blueprint") -> BlueprintEntryDesiredState:
-        """Get the blueprint state, with yaml tags resolved if present"""
-        return BlueprintEntryDesiredState(self.tag_resolver(self.state, blueprint))
-
-    def get_model(self, blueprint: "Blueprint") -> str:
-        """Get the blueprint model, with yaml tags resolved if present"""
-        return str(self.tag_resolver(self.model, blueprint))
-
-    def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
-        """Check all conditions of this entry match (evaluate to True)"""
-        return all(self.tag_resolver(self.conditions, blueprint))
-

@dataclass
 class BlueprintMetadata:
@ -178,19 +118,12 @@ class YAMLTag:
        raise NotImplementedError


-class YAMLTagContext:
-    """Base class for all YAML Tag Contexts"""
-
-    def get_context(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        """Implement yaml tag context logic"""
-        raise NotImplementedError
-
-
 class KeyOf(YAMLTag):
    """Reference another object by their ID"""

    id_from: str

+    # pylint: disable=unused-argument
    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
        super().__init__()
        self.id_from = node.value
@ -211,31 +144,13 @@ class KeyOf(YAMLTag):
        )


-class Env(YAMLTag):
-    """Lookup environment variable with optional default"""
-
-    key: str
-    default: Optional[Any]
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
-        super().__init__()
-        self.default = None
-        if isinstance(node, ScalarNode):
-            self.key = node.value
-        if isinstance(node, SequenceNode):
-            self.key = node.value[0].value
-            self.default = node.value[1].value
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        return getenv(self.key, self.default)
-
-
 class Context(YAMLTag):
    """Lookup key from instance context"""

    key: str
    default: Optional[Any]

+    # pylint: disable=unused-argument
    def __init__(self, loader: "BlueprintLoader", node: ScalarNode | SequenceNode) -> None:
        super().__init__()
        self.default = None
@ -258,23 +173,17 @@ class Format(YAMLTag):
    format_string: str
    args: list[Any]

+    # pylint: disable=unused-argument
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.format_string = node.value[0].value
        self.args = []
        for raw_node in node.value[1:]:
-            self.args.append(loader.construct_object(raw_node))
+            self.args.append(raw_node.value)

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        args = []
-        for arg in self.args:
-            if isinstance(arg, YAMLTag):
-                args.append(arg.resolve(entry, blueprint))
-            else:
-                args.append(arg)
-
        try:
-            return self.format_string % tuple(args)
+            return self.format_string % tuple(self.args)
        except TypeError as exc:
            raise EntryInvalidError(exc)

@ -282,12 +191,15 @@ class Format(YAMLTag):
 class Find(YAMLTag):
    """Find any object"""

-    model_name: str | YAMLTag
+    model_name: str
    conditions: list[list]

+    model_class: type[Model]
+
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
-        self.model_name = loader.construct_object(node.value[0])
+        self.model_name = node.value[0].value
+        self.model_class = apps.get_model(*self.model_name.split("."))
        self.conditions = []
        for raw_node in node.value[1:]:
            values = []
@ -296,227 +208,15 @@ class Find(YAMLTag):
            self.conditions.append(values)

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.model_name, YAMLTag):
-            model_name = self.model_name.resolve(entry, blueprint)
-        else:
-            model_name = self.model_name
-
-        model_class = apps.get_model(*model_name.split("."))
-
        query = Q()
        for cond in self.conditions:
-            if isinstance(cond[0], YAMLTag):
-                query_key = cond[0].resolve(entry, blueprint)
-            else:
-                query_key = cond[0]
-            if isinstance(cond[1], YAMLTag):
-                query_value = cond[1].resolve(entry, blueprint)
-            else:
-                query_value = cond[1]
-            query &= Q(**{query_key: query_value})
-        instance = model_class.objects.filter(query).first()
+            query &= Q(**{cond[0]: cond[1]})
+        instance = self.model_class.objects.filter(query).first()
        if instance:
            return instance.pk
        return None


-class Condition(YAMLTag):
-    """Convert all values to a single boolean"""
-
-    mode: Literal["AND", "NAND", "OR", "NOR", "XOR", "XNOR"]
-    args: list[Any]
-
-    _COMPARATORS = {
-        # Using all and any here instead of from operator import iand, ior
-        # to improve performance
-        "AND": all,
-        "NAND": lambda args: not all(args),
-        "OR": any,
-        "NOR": lambda args: not any(args),
-        "XOR": lambda args: reduce(ixor, args) if len(args) > 1 else args[0],
-        "XNOR": lambda args: not (reduce(ixor, args) if len(args) > 1 else args[0]),
-    }
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.mode = node.value[0].value
-        self.args = []
-        for raw_node in node.value[1:]:
-            self.args.append(loader.construct_object(raw_node))
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        args = []
-        for arg in self.args:
-            if isinstance(arg, YAMLTag):
-                args.append(arg.resolve(entry, blueprint))
-            else:
-                args.append(arg)
-
-        if not args:
-            raise EntryInvalidError("At least one value is required after mode selection.")
-
-        try:
-            comparator = self._COMPARATORS[self.mode.upper()]
-            return comparator(tuple(bool(x) for x in args))
-        except (TypeError, KeyError) as exc:
-            raise EntryInvalidError(exc)
-
-
-class If(YAMLTag):
-    """Select YAML to use based on condition"""
-
-    condition: Any
-    when_true: Any
-    when_false: Any
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.condition = loader.construct_object(node.value[0])
-        self.when_true = loader.construct_object(node.value[1])
-        self.when_false = loader.construct_object(node.value[2])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.condition, YAMLTag):
-            condition = self.condition.resolve(entry, blueprint)
-        else:
-            condition = self.condition
-
-        try:
-            return entry.tag_resolver(
-                self.when_true if condition else self.when_false,
-                blueprint,
-            )
-        except TypeError as exc:
-            raise EntryInvalidError(exc)
-
-
-class Enumerate(YAMLTag, YAMLTagContext):
-    """Iterate over an iterable."""
-
-    iterable: YAMLTag | Iterable
-    item_body: Any
-    output_body: Literal["SEQ", "MAP"]
-
-    _OUTPUT_BODIES = {
-        "SEQ": (list, lambda a, b: [*a, b]),
-        "MAP": (
-            dict,
-            lambda a, b: always_merger.merge(
-                a, {b[0]: b[1]} if isinstance(b, (tuple, list)) else b
-            ),
-        ),
-    }
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.iterable = loader.construct_object(node.value[0])
-        self.output_body = node.value[1].value
-        self.item_body = loader.construct_object(node.value[2])
-        self.__current_context: tuple[Any, Any] = tuple()
-
-    def get_context(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        return self.__current_context
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.iterable, EnumeratedItem) and self.iterable.depth == 0:
-            raise EntryInvalidError(
-                f"{self.__class__.__name__} tag's iterable references this tag's context. "
-                "This is a noop. Check you are setting depth bigger than 0."
-            )
-
-        if isinstance(self.iterable, YAMLTag):
-            iterable = self.iterable.resolve(entry, blueprint)
-        else:
-            iterable = self.iterable
-
-        if not isinstance(iterable, Iterable):
-            raise EntryInvalidError(
-                f"{self.__class__.__name__}'s iterable must be an iterable "
-                "such as a sequence or a mapping"
-            )
-
-        if isinstance(iterable, Mapping):
-            iterable = tuple(iterable.items())
-        else:
-            iterable = tuple(enumerate(iterable))
-
-        try:
-            output_class, add_fn = self._OUTPUT_BODIES[self.output_body.upper()]
-        except KeyError as exc:
-            raise EntryInvalidError(exc)
-
-        result = output_class()
-
-        self.__current_context = tuple()
-
-        try:
-            for item in iterable:
-                self.__current_context = item
-                resolved_body = entry.tag_resolver(self.item_body, blueprint)
-                result = add_fn(result, resolved_body)
-                if not isinstance(result, output_class):
-                    raise EntryInvalidError(
-                        f"Invalid {self.__class__.__name__} item found: {resolved_body}"
-                    )
-        finally:
-            self.__current_context = tuple()
-
-        return result
-
-
-class EnumeratedItem(YAMLTag):
-    """Get the current item value and index provided by an Enumerate tag context"""
-
-    depth: int
-
-    _SUPPORTED_CONTEXT_TAGS = (Enumerate,)
-
-    def __init__(self, loader: "BlueprintLoader", node: ScalarNode) -> None:
-        super().__init__()
-        self.depth = int(node.value)
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        try:
-            context_tag: Enumerate = entry._get_tag_context(
-                depth=self.depth,
-                context_tag_type=EnumeratedItem._SUPPORTED_CONTEXT_TAGS,
-            )
-        except ValueError as exc:
-            if self.depth == 0:
-                raise EntryInvalidError(
-                    f"{self.__class__.__name__} tags are only usable "
-                    f"inside an {Enumerate.__name__} tag"
-                )
-
-            raise EntryInvalidError(f"{self.__class__.__name__} tag: {exc}")
-
-        return context_tag.get_context(entry, blueprint)
-
-
-class Index(EnumeratedItem):
-    """Get the current item index provided by an Enumerate tag context"""
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        context = super().resolve(entry, blueprint)
-
-        try:
-            return context[0]
-        except IndexError:  # pragma: no cover
-            raise EntryInvalidError(f"Empty/invalid context: {context}")
-
-
-class Value(EnumeratedItem):
-    """Get the current item value provided by an Enumerate tag context"""
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        context = super().resolve(entry, blueprint)
-
-        try:
-            return context[1]
-        except IndexError:  # pragma: no cover
-            raise EntryInvalidError(f"Empty/invalid context: {context}")
-
-
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""

@ -527,15 +227,8 @@ class BlueprintDumper(SafeDumper):
        self.add_representer(UUID, lambda self, data: self.represent_str(str(data)))
        self.add_representer(OrderedDict, lambda self, data: self.represent_dict(dict(data)))
        self.add_representer(Enum, lambda self, data: self.represent_str(data.value))
-        self.add_representer(
-            BlueprintEntryDesiredState, lambda self, data: self.represent_str(data.value)
-        )
        self.add_representer(None, lambda self, data: self.represent_str(str(data)))

-    def ignore_aliases(self, data):
-        """Don't use any YAML anchors"""
-        return True
-
    def represent(self, data) -> None:
        if is_dataclass(data):

@ -557,12 +250,6 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Find", Find)
        self.add_constructor("!Context", Context)
        self.add_constructor("!Format", Format)
-        self.add_constructor("!Condition", Condition)
-        self.add_constructor("!If", If)
-        self.add_constructor("!Env", Env)
-        self.add_constructor("!Enumerate", Enumerate)
-        self.add_constructor("!Value", Value)
-        self.add_constructor("!Index", Index)


 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -3,7 +3,6 @@ from contextlib import contextmanager
 from copy import deepcopy
 from typing import Any, Optional

-from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
@ -21,7 +20,6 @@ from yaml import load
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
-    BlueprintEntryDesiredState,
    BlueprintEntryState,
    BlueprintLoader,
    EntryInvalidError,
@ -34,7 +32,7 @@ from authentik.core.models import (
    Source,
    UserSourceConnection,
 )
-from authentik.flows.models import FlowToken, Stage
+from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
@ -60,8 +58,6 @@ def is_model_allowed(model: type[Model]) -> bool:
        PolicyBindingModel,
        # Classes that have other dependencies
        AuthenticatedSession,
-        # Classes which are only internally managed
-        FlowToken,
    )
    return model not in excluded_models and issubclass(model, (SerializerModel, BaseMetaModel))

@ -86,16 +82,14 @@ class Importer:
        self.logger = get_logger()
        import_dict = load(yaml_input, BlueprintLoader)
        try:
-            self.__import = from_dict(
-                Blueprint, import_dict, config=Config(cast=[BlueprintEntryDesiredState])
-            )
+            self.__import = from_dict(Blueprint, import_dict)
        except DaciteError as exc:
            raise EntryInvalidError from exc
-        ctx = {}
-        always_merger.merge(ctx, self.__import.context)
+        context = {}
+        always_merger.merge(context, self.__import.context)
        if context:
-            always_merger.merge(ctx, context)
-        self.__import.context = ctx
+            always_merger.merge(context, context)
+        self.__import.context = context

    @property
    def blueprint(self) -> Blueprint:
@ -134,23 +128,16 @@ class Importer:
            main_query = Q(pk=attrs["pk"])
        sub_query = Q()
        for identifier, value in attrs.items():
+            if isinstance(value, dict):
+                continue
            if identifier == "pk":
                continue
-            if isinstance(value, dict):
-                sub_query &= Q(**{f"{identifier}__contains": value})
-            else:
            sub_query &= Q(**{identifier: value})
-
        return main_query | sub_query

-    # pylint: disable-msg=too-many-locals
-    def _validate_single(self, entry: BlueprintEntry) -> Optional[BaseSerializer]:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer:
        """Validate a single entry"""
-        if not entry.check_all_conditions_match(self.__import):
-            self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
-            return None
-
-        model_app_label, model_name = entry.get_model(self.__import).split(".")
+        model_app_label, model_name = entry.model.split(".")
        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
        # Don't use isinstance since we don't want to check for inheritance
        if not is_model_allowed(model):
@ -165,6 +152,8 @@ class Importer:
                    f"Serializer errors {serializer.errors}", serializer_errors=serializer.errors
                ) from exc
            return serializer
+        if entry.identifiers == {}:
+            raise EntryInvalidError("No identifiers")

        # If we try to validate without referencing a possible instance
        # we'll get a duplicate error, hence we load the model here and return
@ -176,19 +165,11 @@ class Importer:
            if isinstance(value, dict) and "pk" in value:
                del updated_identifiers[key]
                updated_identifiers[f"{key}"] = value["pk"]
-
-        query = self.__query_from_identifier(updated_identifiers)
-        if not query:
-            raise EntryInvalidError("No or invalid identifiers")
-
-        existing_models = model.objects.filter(query)
+        existing_models = model.objects.filter(self.__query_from_identifier(updated_identifiers))

        serializer_kwargs = {}
+        if not isinstance(model(), BaseMetaModel) and existing_models.exists():
            model_instance = existing_models.first()
-        if not isinstance(model(), BaseMetaModel) and model_instance:
-            if entry.get_state(self.__import) == BlueprintEntryDesiredState.CREATED:
-                self.logger.debug("instance exists, skipping")
-                return None
            self.logger.debug(
                "initialise serializer with instance",
                model=model,
@ -210,7 +191,7 @@ class Importer:
            full_data = self.__update_pks_for_attrs(entry.get_attrs(self.__import))
        except ValueError as exc:
            raise EntryInvalidError(exc) from exc
-        always_merger.merge(full_data, updated_identifiers)
+        full_data.update(updated_identifiers)
        serializer_kwargs["data"] = full_data

        serializer: Serializer = model().serializer(**serializer_kwargs)
@ -239,7 +220,7 @@ class Importer:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
        for entry in self.__import.entries:
-            model_app_label, model_name = entry.get_model(self.__import).split(".")
+            model_app_label, model_name = entry.model.split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
            except LookupError:
@ -253,26 +234,12 @@ class Importer:
            except EntryInvalidError as exc:
                self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                return False
-            if not serializer:
-                continue

-            state = entry.get_state(self.__import)
-            if state in [
-                BlueprintEntryDesiredState.PRESENT,
-                BlueprintEntryDesiredState.CREATED,
-            ]:
            model = serializer.save()
            if "pk" in entry.identifiers:
                self.__pk_map[entry.identifiers["pk"]] = model.pk
            entry._state = BlueprintEntryState(model)
            self.logger.debug("updated model", model=model)
-            elif state == BlueprintEntryDesiredState.ABSENT:
-                instance: Optional[Model] = serializer.instance
-                if instance.pk:
-                    instance.delete()
-                    self.logger.debug("deleted model", mode=instance)
-                    continue
-                self.logger.debug("entry to delete with no instance, skipping")
        return True

    def validate(self) -> tuple[bool, list[EventDict]]:
--- a/authentik/blueprints/v1/labels.py
+++ b/authentik/blueprints/v1/labels.py
@ -3,4 +3,3 @@
 LABEL_AUTHENTIK_SYSTEM = "blueprints.goauthentik.io/system"
 LABEL_AUTHENTIK_INSTANTIATE = "blueprints.goauthentik.io/instantiate"
 LABEL_AUTHENTIK_GENERATED = "blueprints.goauthentik.io/generated"
-LABEL_AUTHENTIK_DESCRIPTION = "blueprints.goauthentik.io/description"
--- a/authentik/blueprints/v1/oci.py
+++ b/authentik/blueprints/v1/oci.py
@ -1,98 +0,0 @@
-"""OCI Client"""
-from typing import Any
-from urllib.parse import ParseResult, urlparse
-
-from opencontainers.distribution.reggie import (
-    NewClient,
-    WithDebug,
-    WithDefaultName,
-    WithDigest,
-    WithReference,
-    WithUserAgent,
-    WithUsernamePassword,
-)
-from requests.exceptions import RequestException
-from structlog import get_logger
-from structlog.stdlib import BoundLogger
-
-from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.http import authentik_user_agent
-
-OCI_MEDIA_TYPE = "application/vnd.goauthentik.blueprint.v1+yaml"
-
-
-class OCIException(SentryIgnoredException):
-    """OCI-related errors"""
-
-
-class BlueprintOCIClient:
-    """Blueprint OCI Client"""
-
-    url: ParseResult
-    sanitized_url: str
-    logger: BoundLogger
-    ref: str
-    client: NewClient
-
-    def __init__(self, url: str) -> None:
-        self._parse_url(url)
-        self.logger = get_logger().bind(url=self.sanitized_url)
-
-        self.ref = "latest"
-        path = self.url.path[1:]
-        if ":" in self.url.path:
-            path, _, self.ref = path.partition(":")
-        self.client = NewClient(
-            f"https://{self.url.hostname}",
-            WithUserAgent(authentik_user_agent()),
-            WithUsernamePassword(self.url.username, self.url.password),
-            WithDefaultName(path),
-            WithDebug(True),
-        )
-
-    def _parse_url(self, url: str):
-        self.url = urlparse(url)
-        netloc = self.url.netloc
-        if "@" in netloc:
-            netloc = netloc[netloc.index("@") + 1 :]
-        self.sanitized_url = self.url._replace(netloc=netloc).geturl()
-
-    def fetch_manifests(self) -> dict[str, Any]:
-        """Fetch manifests for ref"""
-        self.logger.info("Fetching OCI manifests for blueprint")
-        manifest_request = self.client.NewRequest(
-            "GET",
-            "/v2/<name>/manifests/<reference>",
-            WithReference(self.ref),
-        ).SetHeader("Accept", "application/vnd.oci.image.manifest.v1+json")
-        try:
-            manifest_response = self.client.Do(manifest_request)
-            manifest_response.raise_for_status()
-        except RequestException as exc:
-            raise OCIException(exc) from exc
-        manifest = manifest_response.json()
-        if "errors" in manifest:
-            raise OCIException(manifest["errors"])
-        return manifest
-
-    def fetch_blobs(self, manifest: dict[str, Any]):
-        """Fetch blob based on manifest info"""
-        blob = None
-        for layer in manifest.get("layers", []):
-            if layer.get("mediaType", "") == OCI_MEDIA_TYPE:
-                blob = layer.get("digest")
-                self.logger.debug("Found layer with matching media type", blob=blob)
-        if not blob:
-            raise OCIException("Blob not found")
-
-        blob_request = self.client.NewRequest(
-            "GET",
-            "/v2/<name>/blobs/<digest>",
-            WithDigest(blob),
-        )
-        try:
-            blob_response = self.client.Do(blob_request)
-            blob_response.raise_for_status()
-            return blob_response.text
-        except RequestException as exc:
-            raise OCIException(exc) from exc
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -10,13 +10,6 @@ from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import get_logger
-from watchdog.events import (
-    FileCreatedEvent,
-    FileModifiedEvent,
-    FileSystemEvent,
-    FileSystemEventHandler,
-)
-from watchdog.observers import Observer
 from yaml import load
 from yaml.error import YAMLError

@ -39,7 +32,6 @@ from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
-_file_watcher_started = False


@dataclass
@ -53,39 +45,6 @@ class BlueprintFile:
    meta: Optional[BlueprintMetadata] = field(default=None)


-def start_blueprint_watcher():
-    """Start blueprint watcher, if it's not running already."""
-    # This function might be called twice since it's called on celery startup
-    # pylint: disable=global-statement
-    global _file_watcher_started
-    if _file_watcher_started:
-        return
-    observer = Observer()
-    observer.schedule(BlueprintEventHandler(), CONFIG.y("blueprints_dir"), recursive=True)
-    observer.start()
-    _file_watcher_started = True
-
-
-class BlueprintEventHandler(FileSystemEventHandler):
-    """Event handler for blueprint events"""
-
-    def on_any_event(self, event: FileSystemEvent):
-        if not isinstance(event, (FileCreatedEvent, FileModifiedEvent)):
-            return
-        if event.is_directory:
-            return
-        if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discover.delay()
-        if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
-            root = Path(CONFIG.y("blueprints_dir")).absolute()
-            rel_path = str(path.relative_to(root))
-            for instance in BlueprintInstance.objects.filter(path=rel_path):
-                LOGGER.debug("modified blueprint file, starting apply", instance=instance)
-                apply_blueprint.delay(instance.pk.hex)
-
-
@CELERY_APP.task(
    throws=(DatabaseError, ProgrammingError, InternalError),
 )
@ -101,7 +60,8 @@ def blueprints_find():
    """Find blueprints and return valid ones"""
    blueprints = []
    root = Path(CONFIG.y("blueprints_dir"))
-    for path in root.glob("**/*.yaml"):
+    for file in root.glob("**/*.yaml"):
+        path = Path(file)
        LOGGER.debug("found blueprint", path=str(path))
        with open(path, "r", encoding="utf-8") as blueprint_file:
            try:
@ -219,14 +179,3 @@ def apply_blueprint(self: MonitoredTask, instance_pk: str):
    finally:
        if instance:
            instance.save()
-
-
-@CELERY_APP.task()
-def clear_failed_blueprints():
-    """Remove blueprints which couldn't be fetched"""
-    # Exclude OCI blueprints as those might be temporarily unavailable
-    for blueprint in BlueprintInstance.objects.exclude(path__startswith="oci://"):
-        try:
-            blueprint.retrieve()
-        except BlueprintRetrievalFailed:
-            blueprint.delete()
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -1,10 +1,8 @@
 """Application API Views"""
-from datetime import timedelta
 from typing import Optional

 from django.core.cache import cache
 from django.db.models import QuerySet
-from django.db.models.functions import ExtractHour
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
@ -25,15 +23,10 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.events.utils import sanitize_dict
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
@ -44,7 +37,7 @@ LOGGER = get_logger()

 def user_app_cache_key(user_pk: str) -> str:
    """Cache key where application list for user is saved"""
-    return f"goauthentik.io/core/app_access/{user_pk}"
+    return f"user_app_cache_{user_pk}"


 class ApplicationSerializer(ModelSerializer):
@ -198,9 +191,9 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if not should_cache:
            allowed_applications = self._get_allowed_applications(queryset)
        if should_cache:
+            LOGGER.debug("Caching allowed application list")
            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
            if not allowed_applications:
-                LOGGER.debug("Caching allowed application list")
                allowed_applications = self._get_allowed_applications(queryset)
                cache.set(
                    user_app_cache_key(self.request.user.pk),
@ -227,10 +220,25 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        methods=["POST"],
        parser_classes=(MultiPartParser,),
    )
+    # pylint: disable=unused-argument
    def set_icon(self, request: Request, slug: str):
        """Set application icon"""
        app: Application = self.get_object()
-        return set_file(request, app, "meta_icon")
+        icon = request.FILES.get("file", None)
+        clear = request.data.get("clear", "false").lower() == "true"
+        if clear:
+            # .delete() saves the model by default
+            app.meta_icon.delete()
+            return Response({})
+        if icon:
+            app.meta_icon = icon
+            try:
+                app.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
+            return Response({})
+        return HttpResponseBadRequest()

    @permission_required("authentik_core.change_application")
    @extend_schema(
@ -246,22 +254,29 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        filter_backends=[],
        methods=["POST"],
    )
+    # pylint: disable=unused-argument
    def set_icon_url(self, request: Request, slug: str):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
-        return set_file_url(request, app, "meta_icon")
+        url = request.data.get("url", None)
+        if url is None:
+            return HttpResponseBadRequest()
+        app.meta_icon.name = url
+        app.save()
+        return Response({})

    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=unused-argument
    def metrics(self, request: Request, slug: str):
        """Metrics for application logins"""
        app = self.get_object()
        return Response(
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+            get_objects_for_user(request.user, "authentik_events.view_event")
+            .filter(
                action=EventAction.AUTHORIZE_APPLICATION,
                context__authorized_application__pk=app.pk.hex,
            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            .get_events_per_hour()
        )
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,22 +2,15 @@
 from json import loads

 from django.db.models.query import QuerySet
-from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_objects_for_user
-from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, JSONField
-from rest_framework.request import Request
-from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter

-from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer, is_dict
+from authentik.core.api.utils import is_dict
 from authentik.core.models import Group, User


@ -96,6 +89,7 @@ class GroupFilter(FilterSet):
        queryset=User.objects.all(),
    )

+    # pylint: disable=unused-argument
    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
@ -119,12 +113,6 @@ class GroupFilter(FilterSet):
        fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]


-class UserAccountSerializer(PassiveSerializer):
-    """Account adding/removing operations"""
-
-    pk = IntegerField(required=True)
-
-
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""

@ -146,51 +134,3 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        if self.request.user.has_perm("authentik_core.view_group"):
            return self._filter_queryset_for_list(queryset)
        return super().filter_queryset(queryset)
-
-    @permission_required(None, ["authentik_core.add_user"])
-    @extend_schema(
-        request=UserAccountSerializer,
-        responses={
-            204: OpenApiResponse(description="User added"),
-            404: OpenApiResponse(description="User not found"),
-        },
-    )
-    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-    def add_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
-        group: Group = self.get_object()
-        user: User = (
-            get_objects_for_user(request.user, "authentik_core.view_user")
-            .filter(
-                pk=request.data.get("pk"),
-            )
-            .first()
-        )
-        if not user:
-            raise Http404
-        group.users.add(user)
-        return Response(status=204)
-
-    @permission_required(None, ["authentik_core.add_user"])
-    @extend_schema(
-        request=UserAccountSerializer,
-        responses={
-            204: OpenApiResponse(description="User added"),
-            404: OpenApiResponse(description="User not found"),
-        },
-    )
-    @action(detail=True, methods=["POST"], pagination_class=None, filter_backends=[])
-    def remove_user(self, request: Request, pk: str) -> Response:
-        """Add user to group"""
-        group: Group = self.get_object()
-        user: User = (
-            get_objects_for_user(request.user, "authentik_core.view_user")
-            .filter(
-                pk=request.data.get("pk"),
-            )
-            .first()
-        )
-        if not user:
-            raise Http404
-        group.users.remove(user)
-        return Response(status=204)
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -19,7 +19,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.models import PropertyMapping
-from authentik.events.utils import sanitize_item
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer

@ -117,6 +116,7 @@ class PropertyMappingViewSet(
        ],
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    # pylint: disable=unused-argument, invalid-name
    def test(self, request: Request, pk: str) -> Response:
        """Test Property Mapping"""
        mapping: PropertyMapping = self.get_object()
@ -140,9 +140,7 @@ class PropertyMappingViewSet(
                self.request,
                **test_params.validated_data.get("context", {}),
            )
-            response_data["result"] = dumps(
-                sanitize_item(result), indent=(4 if format_result else None)
-            )
+            response_data["result"] = dumps(result, indent=(4 if format_result else None))
        except Exception as exc:  # pylint: disable=broad-except
            response_data["result"] = str(exc)
            response_data["successful"] = False
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -2,11 +2,10 @@
 from typing import Iterable

 from django_filters.rest_framework import DjangoFilterBackend
-from drf_spectacular.utils import OpenApiResponse, extend_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter, SearchFilter
-from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, ReadOnlyField, SerializerMethodField
@ -14,17 +13,10 @@ from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
-from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine

@ -36,7 +28,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):

    managed = ReadOnlyField()
    component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")

    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
@ -63,7 +54,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "user_matching_mode",
            "managed",
            "user_path_template",
-            "icon",
        ]


@ -85,47 +75,6 @@ class SourceViewSet(
    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()

-    @permission_required("authentik_core.change_source")
-    @extend_schema(
-        request={
-            "multipart/form-data": FileUploadSerializer,
-        },
-        responses={
-            200: OpenApiResponse(description="Success"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        pagination_class=None,
-        filter_backends=[],
-        methods=["POST"],
-        parser_classes=(MultiPartParser,),
-    )
-    def set_icon(self, request: Request, slug: str):
-        """Set source icon"""
-        source: Source = self.get_object()
-        return set_file(request, source, "icon")
-
-    @permission_required("authentik_core.change_source")
-    @extend_schema(
-        request=FilePathSerializer,
-        responses={
-            200: OpenApiResponse(description="Success"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        pagination_class=None,
-        filter_backends=[],
-        methods=["POST"],
-    )
-    def set_icon_url(self, request: Request, slug: str):
-        """Set source icon (as URL)"""
-        source: Source = self.get_object()
-        return set_file_url(request, source, "icon")
-
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -112,6 +112,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        }
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["GET"])
+    # pylint: disable=unused-argument
    def view_key(self, request: Request, identifier: str) -> Response:
        """Return token key and log access"""
        token: Token = self.get_object()
@ -133,6 +134,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
+    # pylint: disable=unused-argument
    def set_key(self, request: Request, identifier: str) -> Response:
        """Return token key and log access"""
        token: Token = self.get_object()
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -53,7 +53,7 @@ class UsedByMixin:
        responses={200: UsedBySerializer(many=True)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
-    # pylint: disable=too-many-locals
+    # pylint: disable=invalid-name, unused-argument, too-many-locals
    def used_by(self, request: Request, *args, **kwargs) -> Response:
        """Get a list of all objects that use this object"""
        # pyright: reportGeneralTypeIssues=false
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -4,9 +4,6 @@ from json import loads
 from typing import Any, Optional

 from django.contrib.auth import update_session_auth_hash
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
-from django.db.models.functions import ExtractHour
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -49,6 +46,7 @@ from structlog.stdlib import get_logger

 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.decorators import permission_required
+from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import (
@ -59,7 +57,6 @@ from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
-    AuthenticatedSession,
    Group,
    Token,
    TokenIntents,
@ -77,26 +74,6 @@ from authentik.tenants.models import Tenant
 LOGGER = get_logger()


-class UserGroupSerializer(ModelSerializer):
-    """Simplified Group Serializer for user's groups"""
-
-    attributes = JSONField(required=False)
-    parent_name = CharField(source="parent.name", read_only=True)
-
-    class Meta:
-
-        model = Group
-        fields = [
-            "pk",
-            "num_pk",
-            "name",
-            "is_superuser",
-            "parent",
-            "parent_name",
-            "attributes",
-        ]
-
-
 class UserSerializer(ModelSerializer):
    """User Serializer"""

@ -106,7 +83,7 @@ class UserSerializer(ModelSerializer):
    groups = PrimaryKeyRelatedField(
        allow_empty=True, many=True, source="ak_groups", queryset=Group.objects.all()
    )
-    groups_obj = ListSerializer(child=UserGroupSerializer(), read_only=True, source="ak_groups")
+    groups_obj = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
    uid = CharField(read_only=True)
    username = CharField(max_length=150)

@ -203,44 +180,38 @@ class SessionUserSerializer(PassiveSerializer):
 class UserMetricsSerializer(PassiveSerializer):
    """User Metrics"""

-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
+    logins_per_1h = SerializerMethodField()
+    logins_failed_per_1h = SerializerMethodField()
+    authorizations_per_1h = SerializerMethodField()

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
+    def get_logins_per_1h(self, _):
+        """Get successful logins per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN, user__pk=user.pk)
+            .get_events_per_hour()
        )

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
+    def get_logins_failed_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED, context__username=user.username
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.LOGIN_FAILED, context__username=user.username)
+            .get_events_per_hour()
        )

    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
+    def get_authorizations_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+            get_objects_for_user(user, "authentik_events.view_event")
+            .filter(action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk)
+            .get_events_per_hour()
        )


@ -272,6 +243,7 @@ class UsersFilter(FilterSet):
        queryset=Group.objects.all(),
    )

+    # pylint: disable=unused-argument
    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
@ -406,8 +378,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                return Response(data={"non_field_errors": [str(exc)]}, status=400)

    @extend_schema(responses={200: SessionUserSerializer(many=False)})
-    @action(url_path="me", url_name="me", detail=False, pagination_class=None, filter_backends=[])
-    def user_me(self, request: Request) -> Response:
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name
+    def me(self, request: Request) -> Response:
        """Get information about current user"""
        context = {"request": request}
        serializer = SessionUserSerializer(
@ -435,6 +408,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, methods=["POST"])
+    # pylint: disable=invalid-name, unused-argument
    def set_password(self, request: Request, pk: int) -> Response:
        """Set password for user"""
        user: User = self.get_object()
@ -452,6 +426,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
    def metrics(self, request: Request, pk: int) -> Response:
        """User metrics per 1h"""
        user: User = self.get_object()
@ -467,6 +442,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
    def recovery(self, request: Request, pk: int) -> Response:
        """Create a temporary link that a user can use to recover their accounts"""
        link, _ = self._create_recovery_link()
@ -491,6 +467,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
    def recovery_email(self, request: Request, pk: int) -> Response:
        """Create a temporary link that a user can use to recover their accounts"""
        for_user: User = self.get_object()
@ -564,14 +541,3 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                )
            }
        )
-
-    def partial_update(self, request: Request, *args, **kwargs) -> Response:
-        response = super().partial_update(request, *args, **kwargs)
-        instance: User = self.get_object()
-        if not instance.is_active:
-            sessions = AuthenticatedSession.objects.filter(user=instance)
-            session_ids = sessions.values_list("session_key", flat=True)
-            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
-            sessions.delete()
-            LOGGER.debug("Deleted user's sessions", user=instance.username)
-        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -2,7 +2,7 @@
 from typing import Any

 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField, JSONField
+from rest_framework.fields import BooleanField, CharField, FileField, IntegerField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError


@ -23,10 +23,17 @@ class PassiveSerializer(Serializer):
        return Model()


-class PropertyMappingPreviewSerializer(PassiveSerializer):
-    """Preview how the current user is mapped via the property mappings selected in a provider"""
+class FileUploadSerializer(PassiveSerializer):
+    """Serializer to upload file"""

-    preview = JSONField(read_only=True)
+    file = FileField(required=False)
+    clear = BooleanField(default=False)
+
+
+class FilePathSerializer(PassiveSerializer):
+    """Serializer to upload file"""
+
+    url = CharField()


 class MetaNameSerializer(PassiveSerializer):
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -1,4 +1,5 @@
 """Property Mapping Evaluator"""
+from traceback import format_tb
 from typing import Optional

 from django.db.models import Model
@ -7,7 +8,6 @@ from django.http import HttpRequest
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
-from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest


@ -38,7 +38,7 @@ class PropertyMappingEvaluator(BaseEvaluator):

    def handle_error(self, exc: Exception, expression_source: str):
        """Exception Handler"""
-        error_string = exception_to_string(exc)
+        error_string = "\n".join(format_tb(exc.__traceback__) + [str(exc)])
        event = Event.new(
            EventAction.PROPERTY_MAPPING_EXCEPTION,
            expression=expression_source,
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -1,8 +1,6 @@
 """authentik shell command"""
 import code
 import platform
-import sys
-import traceback

 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -49,6 +47,7 @@ class Command(BaseCommand):
        return namespace

    @staticmethod
+    # pylint: disable=unused-argument
    def post_save_handler(sender, instance: Model, created: bool, **_):
        """Signal handler for all object's post_save"""
        if not should_log_model(instance):
@ -64,6 +63,7 @@ class Command(BaseCommand):
        ).save()

    @staticmethod
+    # pylint: disable=unused-argument
    def pre_delete_handler(sender, instance: Model, **_):
        """Signal handler for all object's pre_delete"""
        if not should_log_model(instance):  # pragma: no cover
@ -89,21 +89,6 @@ class Command(BaseCommand):
            exec(options["command"], namespace)  # nosec # noqa
            return

-        try:
-            hook = sys.__interactivehook__
-        except AttributeError:
-            # Match the behavior of the cpython shell where a missing
-            # sys.__interactivehook__ is ignored.
-            pass
-        else:
-            try:
-                hook()
-            except Exception:  # pylint: disable=broad-except
-                # Match the behavior of the cpython shell where an error in
-                # sys.__interactivehook__ prints a warning and the exception
-                # and continues.
-                print("Failed calling sys.__interactivehook__")
-                traceback.print_exc()
        # Try to enable tab-complete
        try:
            import readline
--- a/authentik/core/migrations/0024_source_icon.py
+++ b/authentik/core/migrations/0024_source_icon.py
@ -1,20 +0,0 @@
-# Generated by Django 4.1.3 on 2022-11-15 20:33
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0023_source_authentik_c_slug_ccb2e5_idx_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="icon",
-            field=models.FileField(
-                default=None, max_length=500, null=True, upload_to="source-icons/"
-            ),
-        ),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -297,7 +297,7 @@ class Provider(SerializerModel):
        raise NotImplementedError

    def __str__(self):
-        return str(self.name)
+        return self.name


 class Application(SerializerModel, PolicyBindingModel):
@ -379,7 +379,7 @@ class Application(SerializerModel, PolicyBindingModel):
            return None

    def __str__(self):
-        return str(self.name)
+        return self.name

    class Meta:

@ -421,12 +421,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    enabled = models.BooleanField(default=True)
    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
-    icon = models.FileField(
-        upload_to="source-icons/",
-        default=None,
-        null=True,
-        max_length=500,
-    )

    authentication_flow = models.ForeignKey(
        "authentik_flows.Flow",
@ -460,16 +454,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    objects = InheritanceManager()

-    @property
-    def get_icon(self) -> Optional[str]:
-        """Get the URL to the Icon. If the name is /static or
-        starts with http it is returned as-is"""
-        if not self.icon:
-            return None
-        if "://" in self.icon.name or self.icon.name.startswith("/static"):
-            return self.icon.name
-        return self.icon.url
-
    def get_user_path(self) -> str:
        """Get user path, fallback to default for formatting errors"""
        try:
@ -497,7 +481,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        return None

    def __str__(self):
-        return str(self.name)
+        return self.name

    class Meta:

--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -20,6 +20,7 @@ if TYPE_CHECKING:


@receiver(post_save)
+# pylint: disable=unused-argument
 def post_save_application(sender: type[Model], instance, created: bool, **_):
    """Clear user's application cache upon application creation"""
    from authentik.core.api.applications import user_app_cache_key
@ -35,6 +36,7 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):


@receiver(user_logged_in)
+# pylint: disable=unused-argument
 def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
    """Create an AuthenticatedSession from request"""
    from authentik.core.models import AuthenticatedSession
@ -45,6 +47,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):


@receiver(user_logged_out)
+# pylint: disable=unused-argument
 def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
    """Delete AuthenticatedSession if it exists"""
    from authentik.core.models import AuthenticatedSession
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -48,6 +48,7 @@ class Action(Enum):
 class MessageStage(StageView):
    """Show a pre-configured message after the flow is done"""

+    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Show a pre-configured message after the flow is done"""
        message = getattr(self.executor.current_stage, "message", "")
@ -208,6 +209,7 @@ class SourceFlowManager:
            response.error_message = error.messages
        return response

+    # pylint: disable=unused-argument
    def get_stages_to_append(self, flow: Flow) -> list[Stage]:
        """Hook to override stages which are appended to the flow"""
        if not self.source.enrollment_flow:
@ -262,6 +264,7 @@ class SourceFlowManager:
            flow_slug=flow.slug,
        )

+    # pylint: disable=unused-argument
    def handle_auth(
        self,
        connection: UserSourceConnection,
--- a/authentik/core/sources/stage.py
+++ b/authentik/core/sources/stage.py
@ -13,6 +13,7 @@ class PostUserEnrollmentStage(StageView):
    """Dynamically injected stage which saves the Connection after
    the user has been enrolled."""

+    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Stage used after the user has been enrolled"""
        connection: UserSourceConnection = self.executor.plan.context[
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -2,14 +2,10 @@
 {% get_current_language as LANGUAGE_CODE %}

 <script>
-    window.authentik = {
-        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        tenant: JSON.parse('{{ tenant_json|escapejs }}'),
-        versionFamily: "{{ version_family }}",
-        versionSubdomain: "{{ version_subdomain }}",
-        build: "{{ build }}",
-    };
+    window.authentik = {};
+    window.authentik.locale = "{{ LANGUAGE_CODE }}";
+    window.authentik.config = JSON.parse('{{ config_json|escapejs }}');
+    window.authentik.tenant = JSON.parse('{{ tenant_json|escapejs }}');
    window.addEventListener("DOMContentLoaded", () => {
        {% for message in messages %}
        window.dispatchEvent(
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -13,7 +13,6 @@
        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/dropdown.css' %}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -60,7 +60,7 @@
    <div class="ak-login-container">
        <header class="pf-c-login__header">
            <div class="pf-c-brand ak-brand">
-                <img src="{{ tenant.branding_logo }}" alt="authentik Logo" />
+                <img src="{{ tenant.branding_logo }}" alt="authentik icon" />
            </div>
        </header>
        {% block main_container %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -1,8 +1,6 @@
 """Test Applications API"""
 from json import loads

-from django.core.files.base import ContentFile
-from django.test.client import BOUNDARY, MULTIPART_CONTENT, encode_multipart
 from django.urls import reverse
 from rest_framework.test import APITestCase

@ -23,7 +21,7 @@ class TestApplicationsAPI(APITestCase):
            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
-        self.allowed: Application = Application.objects.create(
+        self.allowed = Application.objects.create(
            name="allowed",
            slug="allowed",
            meta_launch_url="https://goauthentik.io/%(username)s",
@ -37,31 +35,6 @@ class TestApplicationsAPI(APITestCase):
            order=0,
        )

-    def test_set_icon(self):
-        """Test set_icon"""
-        file = ContentFile(b"text", "name")
-        self.client.force_login(self.user)
-        response = self.client.post(
-            reverse(
-                "authentik_api:application-set-icon",
-                kwargs={"slug": self.allowed.slug},
-            ),
-            data=encode_multipart(data={"file": file}, boundary=BOUNDARY),
-            content_type=MULTIPART_CONTENT,
-        )
-        self.assertEqual(response.status_code, 200)
-
-        app_raw = self.client.get(
-            reverse(
-                "authentik_api:application-detail",
-                kwargs={"slug": self.allowed.slug},
-            ),
-        )
-        app = loads(app_raw.content)
-        self.allowed.refresh_from_db()
-        self.assertEqual(self.allowed.get_meta_icon, app["meta_icon"])
-        self.assertEqual(self.allowed.meta_icon.read(), b"text")
-
    def test_check_access(self):
        """Test check_access operation"""
        self.client.force_login(self.user)
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -1,69 +0,0 @@
-"""Test Groups API"""
-from django.urls.base import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-
-
-class TestGroupsAPI(APITestCase):
-    """Test Groups API"""
-
-    def setUp(self) -> None:
-        self.admin = create_test_admin_user()
-        self.user = User.objects.create(username="test-user")
-
-    def test_add_user(self):
-        """Test add_user"""
-        group = Group.objects.create(name=generate_id())
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 204)
-        group.refresh_from_db()
-        self.assertEqual(list(group.users.all()), [self.user])
-
-    def test_add_user_404(self):
-        """Test add_user"""
-        group = Group.objects.create(name=generate_id())
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-add-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk + 3,
-            },
-        )
-        self.assertEqual(res.status_code, 404)
-
-    def test_remove_user(self):
-        """Test remove_user"""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 204)
-        group.refresh_from_db()
-        self.assertEqual(list(group.users.all()), [])
-
-    def test_remove_user_404(self):
-        """Test remove_user"""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.client.force_login(self.admin)
-        res = self.client.post(
-            reverse("authentik_api:group-remove-user", kwargs={"pk": group.pk}),
-            data={
-                "pk": self.user.pk + 3,
-            },
-        )
-        self.assertEqual(res.status_code, 404)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -35,7 +35,7 @@ def source_tester_factory(test_model: type[Stage]) -> Callable:

    def tester(self: TestModels):
        model_class = None
-        if test_model._meta.abstract:  # pragma: no cover
+        if test_model._meta.abstract:
            model_class = test_model.__bases__[0]()
        else:
            model_class = test_model()
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -1,6 +1,7 @@
 """Test Source flow_manager"""
 from django.contrib.auth.models import AnonymousUser
 from django.test import TestCase
+from django.test.client import RequestFactory
 from guardian.utils import get_anonymous_user

 from authentik.core.models import SourceUserMatchingModes, User
@ -21,6 +22,7 @@ class TestSourceFlowManager(TestCase):
    def setUp(self) -> None:
        super().setUp()
        self.source: OAuthSource = OAuthSource.objects.create(name="test")
+        self.factory = RequestFactory()
        self.identifier = generate_id()

    def test_unauthenticated_enroll(self):
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -1,12 +1,10 @@
 """Test Users API"""
 from json import loads

-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.config import CONFIG
@ -259,26 +257,3 @@ class TestUsersAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["user"]["avatar"], "bar")
-
-    def test_session_delete(self):
-        """Ensure sessions are deleted when a user is deactivated"""
-        user = create_test_admin_user()
-        session_id = generate_id()
-        AuthenticatedSession.objects.create(
-            user=user,
-            session_key=session_id,
-            last_ip="",
-        )
-        cache.set(KEY_PREFIX + session_id, "foo")
-
-        self.client.force_login(self.admin)
-        response = self.client.patch(
-            reverse("authentik_api:user-detail", kwargs={"pk": user.pk}),
-            data={
-                "is_active": False,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-
-        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
--- a/authentik/core/tests/utils.py
+++ b/authentik/core/tests/utils.py
@ -47,11 +47,11 @@ def create_test_tenant() -> Tenant:
 def create_test_cert(use_ec_private_key=False) -> CertificateKeyPair:
    """Generate a certificate for testing"""
    builder = CertificateBuilder(
-        name=f"{generate_id()}.self-signed.goauthentik.io",
        use_ec_private_key=use_ec_private_key,
    )
+    builder.common_name = "goauthentik.io"
    builder.build(
-        subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"],
+        subject_alt_names=["goauthentik.io"],
        validity_days=360,
    )
    builder.common_name = generate_id()
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -6,8 +6,6 @@ from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request

-from authentik import get_build_hash
-from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.flows.models import Flow
 from authentik.tenants.api import CurrentTenantSerializer
@ -19,9 +17,6 @@ class InterfaceView(TemplateView):
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
        kwargs["tenant_json"] = dumps(CurrentTenantSerializer(self.request.tenant).data)
-        kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
-        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
-        kwargs["build"] = get_build_hash()
        return super().get_context_data(**kwargs)


--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -15,14 +15,12 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField, IntegerField, SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

-from authentik.api.authorization import SecretKeyFilter
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
@ -187,6 +185,7 @@ class CertificateKeyPairFilter(FilterSet):
        label="Only return certificate-key pairs with keys", method="filter_has_key"
    )

+    # pylint: disable=unused-argument
    def filter_has_key(self, queryset, name, value):  # pragma: no cover
        """Only return certificate-key pairs with keys"""
        return queryset.exclude(key_data__exact="")
@ -204,17 +203,9 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    filterset_class = CertificateKeyPairFilter
    ordering = ["name"]
    search_fields = ["name"]
-    filter_backends = [SecretKeyFilter, OrderingFilter, SearchFilter]

    @extend_schema(
        parameters=[
-            # Override the type for `has_key` above
-            OpenApiParameter(
-                "has_key",
-                bool,
-                required=False,
-                description="Only return certificate-key pairs with keys",
-            ),
            OpenApiParameter("include_details", bool, default=True),
        ]
    )
@ -235,11 +226,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        data = CertificateGenerationSerializer(data=request.data)
        if not data.is_valid():
            return Response(data.errors, status=400)
-        raw_san = data.validated_data.get("subject_alt_name", "")
-        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["common_name"])
+        builder = CertificateBuilder()
+        builder.common_name = data.validated_data["common_name"]
        builder.build(
-            subject_alt_names=sans,
+            subject_alt_names=data.validated_data.get("subject_alt_name", "").split(","),
            validity_days=int(data.validated_data["validity_days"]),
        )
        instance = builder.save()
@ -257,6 +247,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        responses={200: CertificateDataSerializer(many=False)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
    def view_certificate(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs certificate and log access"""
        certificate: CertificateKeyPair = self.get_object()
@ -287,6 +278,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        responses={200: CertificateDataSerializer(many=False)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument
    def view_private_key(self, request: Request, pk: str) -> Response:
        """Return certificate-key pairs private key and log access"""
        certificate: CertificateKeyPair = self.get_object()
--- a/authentik/crypto/apps.py
+++ b/authentik/crypto/apps.py
@ -27,16 +27,20 @@ class AuthentikCryptoConfig(ManagedAppConfig):
        from authentik.crypto.builder import CertificateBuilder
        from authentik.crypto.models import CertificateKeyPair

-        builder = CertificateBuilder("authentik Internal JWT Certificate")
+        builder = CertificateBuilder()
+        builder.common_name = "goauthentik.io"
        builder.build(
            subject_alt_names=["goauthentik.io"],
            validity_days=360,
        )
        if not cert:
+
            cert = CertificateKeyPair()
-        builder.cert = cert
-        builder.cert.managed = MANAGED_KEY
-        builder.save()
+        cert.certificate_data = builder.certificate
+        cert.key_data = builder.private_key
+        cert.name = "authentik Internal JWT Certificate"
+        cert.managed = MANAGED_KEY
+        cert.save()

    def reconcile_managed_jwt_cert(self):
        """Ensure managed JWT certificate"""
@ -59,6 +63,10 @@ class AuthentikCryptoConfig(ManagedAppConfig):
        name = "authentik Self-signed Certificate"
        if CertificateKeyPair.objects.filter(name=name).exists():
            return
-        builder = CertificateBuilder(name)
+        builder = CertificateBuilder()
        builder.build(subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"])
-        builder.save()
+        CertificateKeyPair.objects.create(
+            name="authentik Self-signed Certificate",
+            certificate_data=builder.certificate,
+            key_data=builder.private_key,
+        )
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -21,13 +21,13 @@ class CertificateBuilder:

    _use_ec_private_key: bool

-    def __init__(self, name: str, use_ec_private_key=False):
+    def __init__(self, use_ec_private_key=False):
        self._use_ec_private_key = use_ec_private_key
        self.__public_key = None
        self.__private_key = None
        self.__builder = None
        self.__certificate = None
-        self.common_name = name
+        self.common_name = "authentik Self-signed Certificate"
        self.cert = CertificateKeyPair()

    def save(self) -> CertificateKeyPair:
@ -57,10 +57,7 @@ class CertificateBuilder:
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = self.generate_private_key()
        self.__public_key = self.__private_key.public_key()
-        alt_names: list[x509.GeneralName] = []
-        for alt_name in subject_alt_names or []:
-            if alt_name.strip() != "":
-                alt_names.append(x509.DNSName(alt_name))
+        alt_names: list[x509.GeneralName] = [x509.DNSName(x) for x in subject_alt_names or []]
        self.__builder = (
            x509.CertificateBuilder()
            .subject_name(
@ -79,15 +76,12 @@ class CertificateBuilder:
                    ]
                )
            )
+            .add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
            .not_valid_before(datetime.datetime.today() - one_day)
            .not_valid_after(datetime.datetime.today() + datetime.timedelta(days=validity_days))
            .serial_number(int(uuid.uuid4()))
            .public_key(self.__public_key)
        )
-        if alt_names:
-            self.__builder = self.__builder.add_extension(
-                x509.SubjectAlternativeName(alt_names), critical=True
-            )
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
            algorithm=hashes.SHA256(),
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -4,8 +4,6 @@ from json import loads
 from os import makedirs
 from tempfile import TemporaryDirectory

-from cryptography.x509.extensions import SubjectAlternativeName
-from cryptography.x509.general_name import DNSName
 from django.urls import reverse
 from rest_framework.test import APITestCase

@ -16,7 +14,7 @@ from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
-from authentik.lib.generators import generate_id, generate_key
+from authentik.lib.generators import generate_key
 from authentik.providers.oauth2.models import OAuth2Provider


@ -56,8 +54,8 @@ class TestCrypto(APITestCase):

    def test_builder(self):
        """Test Builder"""
-        name = generate_id()
-        builder = CertificateBuilder(name)
+        builder = CertificateBuilder()
+        builder.common_name = "test-cert"
        with self.assertRaises(ValueError):
            builder.save()
        builder.build(
@ -66,49 +64,17 @@ class TestCrypto(APITestCase):
        )
        instance = builder.save()
        now = datetime.datetime.today()
-        self.assertEqual(instance.name, name)
+        self.assertEqual(instance.name, "test-cert")
        self.assertEqual((instance.certificate.not_valid_after - now).days, 2)

    def test_builder_api(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
-        name = generate_id()
        self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
-            data={"common_name": name, "subject_alt_name": "bar,baz", "validity_days": 3},
+            data={"common_name": "foo", "subject_alt_name": "bar,baz", "validity_days": 3},
        )
-        key = CertificateKeyPair.objects.filter(name=name).first()
-        self.assertIsNotNone(key)
-        ext: SubjectAlternativeName = key.certificate.extensions[0].value
-        self.assertIsInstance(ext, SubjectAlternativeName)
-        self.assertIsInstance(ext[0], DNSName)
-        self.assertEqual(ext[0].value, "bar")
-        self.assertIsInstance(ext[1], DNSName)
-        self.assertEqual(ext[1].value, "baz")
-
-    def test_builder_api_empty_san(self):
-        """Test Builder (via API)"""
-        self.client.force_login(create_test_admin_user())
-        name = generate_id()
-        self.client.post(
-            reverse("authentik_api:certificatekeypair-generate"),
-            data={"common_name": name, "subject_alt_name": "", "validity_days": 3},
-        )
-        key = CertificateKeyPair.objects.filter(name=name).first()
-        self.assertIsNotNone(key)
-        self.assertEqual(len(key.certificate.extensions), 0)
-
-    def test_builder_api_empty_san_multiple(self):
-        """Test Builder (via API)"""
-        self.client.force_login(create_test_admin_user())
-        name = generate_id()
-        self.client.post(
-            reverse("authentik_api:certificatekeypair-generate"),
-            data={"common_name": name, "subject_alt_name": ", ", "validity_days": 3},
-        )
-        key = CertificateKeyPair.objects.filter(name=name).first()
-        self.assertIsNotNone(key)
-        self.assertEqual(len(key.certificate.extensions), 0)
+        self.assertTrue(CertificateKeyPair.objects.filter(name="foo").exists())

    def test_builder_api_invalid(self):
        """Test Builder (via API) (invalid)"""
@ -227,8 +193,8 @@ class TestCrypto(APITestCase):

    def test_discovery(self):
        """Test certificate discovery"""
-        name = generate_id()
-        builder = CertificateBuilder(name)
+        builder = CertificateBuilder()
+        builder.common_name = "test-cert"
        with self.assertRaises(ValueError):
            builder.save()
        builder.build(
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -1,11 +1,9 @@
 """Events API Views"""
-from datetime import timedelta
 from json import loads

 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform
-from django.db.models.functions import ExtractDay
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
@ -83,6 +81,7 @@ class EventsFilter(django_filters.FilterSet):
        label="Tenant name",
    )

+    # pylint: disable=unused-argument
    def filter_context_model_pk(self, queryset, name, value):
        """Because we store the PK as UUID.hex,
        we need to remove the dashes that a client may send. We can't use a
@ -179,7 +178,7 @@ class EventViewSet(ModelViewSet):
            get_objects_for_user(request.user, "authentik_events.view_event")
            .filter(action=filtered_action)
            .filter(**query)
-            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
+            .get_events_per_day()
        )

    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -80,6 +80,7 @@ class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
        request=OpenApiTypes.NONE,
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["post"])
+    # pylint: disable=invalid-name, unused-argument
    def test(self, request: Request, pk=None) -> Response:
        """Send example notification using selected transport. Requires
        Modify permissions."""
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -1,7 +1,6 @@
 """Events middleware"""
 from functools import partial
-from threading import Thread
-from typing import Any, Callable, Optional
+from typing import Callable

 from django.conf import settings
 from django.contrib.sessions.models import Session
@ -12,21 +11,13 @@ from django.http import HttpRequest, HttpResponse
 from django_otp.plugins.otp_static.models import StaticToken
 from guardian.models import UserObjectPermission

-from authentik.core.models import (
-    AuthenticatedSession,
-    PropertyMapping,
-    Provider,
-    Source,
-    User,
-    UserSourceConnection,
-)
+from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event, EventAction, Notification
+from authentik.events.signals import EventNewThread
 from authentik.events.utils import model_to_dict
-from authentik.flows.models import FlowToken, Stage
+from authentik.flows.models import FlowToken
 from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
-from authentik.outposts.models import OutpostServiceConnection
-from authentik.policies.models import Policy, PolicyBindingModel

 IGNORED_MODELS = (
    Event,
@ -36,14 +27,6 @@ IGNORED_MODELS = (
    StaticToken,
    Session,
    FlowToken,
-    Provider,
-    Source,
-    PropertyMapping,
-    UserSourceConnection,
-    Stage,
-    OutpostServiceConnection,
-    Policy,
-    PolicyBindingModel,
 )


@ -51,26 +34,7 @@ def should_log_model(model: Model) -> bool:
    """Return true if operation on `model` should be logged"""
    if model.__module__.startswith("silk"):
        return False
-    return model.__class__ not in IGNORED_MODELS
-
-
-class EventNewThread(Thread):
-    """Create Event in background thread"""
-
-    action: str
-    request: HttpRequest
-    kwargs: dict[str, Any]
-    user: Optional[User] = None
-
-    def __init__(self, action: str, request: HttpRequest, user: Optional[User] = None, **kwargs):
-        super().__init__()
-        self.action = action
-        self.request = request
-        self.user = user
-        self.kwargs = kwargs
-
-    def run(self):
-        Event.new(self.action, **self.kwargs).from_http(self.request, user=self.user)
+    return not isinstance(model, IGNORED_MODELS)


 class AuditMiddleware:
@ -118,6 +82,7 @@ class AuditMiddleware:
        self.disconnect(request)
        return response

+    # pylint: disable=unused-argument
    def process_exception(self, request: HttpRequest, exception: Exception):
        """Disconnect handlers in case of exception"""
        self.disconnect(request)
@ -141,6 +106,7 @@ class AuditMiddleware:
            thread.run()

    @staticmethod
+    # pylint: disable=unused-argument
    def post_save_handler(
        user: User, request: HttpRequest, sender, instance: Model, created: bool, **_
    ):
@ -152,6 +118,7 @@ class AuditMiddleware:
        EventNewThread(action, request, user=user, model=model_to_dict(instance)).run()

    @staticmethod
+    # pylint: disable=unused-argument
    def pre_delete_handler(user: User, request: HttpRequest, sender, instance: Model, **_):
        """Signal handler for all object's pre_delete"""
        if not should_log_model(instance):  # pragma: no cover
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -11,7 +11,8 @@ from django.conf import settings
 from django.db import models
 from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
-from django.db.models.functions import Extract
+from django.db.models.functions import ExtractHour
+from django.db.models.functions.datetime import ExtractDay
 from django.db.models.manager import Manager
 from django.db.models.query import QuerySet
 from django.http import HttpRequest
@ -44,7 +45,7 @@ from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tenants.models import Tenant
 from authentik.tenants.utils import DEFAULT_TENANT

-LOGGER = get_logger()
+LOGGER = get_logger("authentik.events")
 if TYPE_CHECKING:
    from rest_framework.serializers import Serializer

@ -110,35 +111,48 @@ class EventAction(models.TextChoices):
 class EventQuerySet(QuerySet):
    """Custom events query set with helper functions"""

-    def get_events_per(
-        self,
-        time_since: timedelta,
-        extract: Extract,
-        data_points: int,
-    ) -> list[dict[str, int]]:
+    def get_events_per_hour(self) -> list[dict[str, int]]:
        """Get event count by hour in the last day, fill with zeros"""
-        _now = now()
-        max_since = timedelta(days=60)
-        # Allow maximum of 60 days to limit load
-        if time_since.total_seconds() > max_since.total_seconds():
-            time_since = max_since
-        date_from = _now - time_since
+        date_from = now() - timedelta(days=1)
        result = (
            self.filter(created__gte=date_from)
-            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
-            .annotate(age_interval=extract("age"))
-            .values("age_interval")
+            .annotate(age=ExpressionWrapper(now() - F("created"), output_field=DurationField()))
+            .annotate(age_hours=ExtractHour("age"))
+            .values("age_hours")
            .annotate(count=Count("pk"))
-            .order_by("age_interval")
+            .order_by("age_hours")
        )
-        data = Counter({int(d["age_interval"]): d["count"] for d in result})
+        data = Counter({int(d["age_hours"]): d["count"] for d in result})
        results = []
-        interval_delta = time_since / data_points
-        for interval in range(1, -data_points, -1):
+        _now = now()
+        for hour in range(0, -24, -1):
            results.append(
                {
-                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
-                    "y_cord": data[interval * -1],
+                    "x_cord": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
+                    "y_cord": data[hour * -1],
+                }
+            )
+        return results
+
+    def get_events_per_day(self) -> list[dict[str, int]]:
+        """Get event count by hour in the last day, fill with zeros"""
+        date_from = now() - timedelta(weeks=4)
+        result = (
+            self.filter(created__gte=date_from)
+            .annotate(age=ExpressionWrapper(now() - F("created"), output_field=DurationField()))
+            .annotate(age_days=ExtractDay("age"))
+            .values("age_days")
+            .annotate(count=Count("pk"))
+            .order_by("age_days")
+        )
+        data = Counter({int(d["age_days"]): d["count"] for d in result})
+        results = []
+        _now = now()
+        for day in range(0, -30, -1):
+            results.append(
+                {
+                    "x_cord": time.mktime((_now + timedelta(days=day)).timetuple()) * 1000,
+                    "y_cord": data[day * -1],
                }
            )
        return results
@ -151,14 +165,13 @@ class EventManager(Manager):
        """use custom queryset"""
        return EventQuerySet(self.model, using=self._db)

-    def get_events_per(
-        self,
-        time_since: timedelta,
-        extract: Extract,
-        data_points: int,
-    ) -> list[dict[str, int]]:
+    def get_events_per_hour(self) -> list[dict[str, int]]:
        """Wrap method from queryset"""
-        return self.get_queryset().get_events_per(time_since, extract, data_points)
+        return self.get_queryset().get_events_per_hour()
+
+    def get_events_per_day(self) -> list[dict[str, int]]:
+        """Wrap method from queryset"""
+        return self.get_queryset().get_events_per_day()


 class Event(SerializerModel, ExpiringModel):
@ -280,7 +293,7 @@ class Event(SerializerModel, ExpiringModel):
        return f"{self.action}: {self.context}"

    def __str__(self) -> str:
-        return f"Event action={self.action} user={self.user} context={self.context}"
+        return f"<Event action={self.action} user={self.user} context={self.context}>"

    class Meta:

@ -448,7 +461,7 @@ class NotificationTransport(SerializerModel):
            # pyright: reportGeneralTypeIssues=false
            return send_mail(mail.__dict__)  # pylint: disable=no-value-for-parameter
        except (SMTPException, ConnectionError, OSError) as exc:
-            raise NotificationTransportError(exc) from exc
+            raise NotificationTransportError from exc

    @property
    def serializer(self) -> "Serializer":
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -15,7 +15,6 @@ from authentik.events.models import Event, EventAction
 from authentik.lib.utils.errors import exception_to_string

 LOGGER = get_logger()
-CACHE_KEY_PREFIX = "goauthentik.io/events/tasks/"


 class TaskResultStatus(Enum):
@ -71,16 +70,16 @@ class TaskInfo:
    @staticmethod
    def all() -> dict[str, "TaskInfo"]:
        """Get all TaskInfo objects"""
-        return cache.get_many(cache.keys(CACHE_KEY_PREFIX + "*"))
+        return cache.get_many(cache.keys("task_*"))

    @staticmethod
    def by_name(name: str) -> Optional["TaskInfo"]:
        """Get TaskInfo Object by name"""
-        return cache.get(CACHE_KEY_PREFIX + name, None)
+        return cache.get(f"task_{name}", None)

    def delete(self):
        """Delete task info from cache"""
-        return cache.delete(CACHE_KEY_PREFIX + self.task_name)
+        return cache.delete(f"task_{self.task_name}")

    def set_prom_metrics(self):
        """Update prometheus metrics"""
@ -99,10 +98,10 @@ class TaskInfo:

    def save(self, timeout_hours=6):
        """Save task into cache"""
-        key = CACHE_KEY_PREFIX + self.task_name
+        key = f"task_{self.task_name}"
        if self.result.uid:
-            key += f"/{self.result.uid}"
-            self.task_name += f"/{self.result.uid}"
+            key += f"_{self.result.uid}"
+            self.task_name += f"_{self.result.uid}"
        self.set_prom_metrics()
        cache.set(key, self, timeout=timeout_hours * 60 * 60)

--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -1,4 +1,5 @@
 """authentik events signal listener"""
+from threading import Thread
 from typing import Any, Optional

 from django.contrib.auth.signals import user_logged_in, user_logged_out
@ -18,45 +19,67 @@ from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_write.signals import user_write

-SESSION_LOGIN_EVENT = "login_event"
+
+class EventNewThread(Thread):
+    """Create Event in background thread"""
+
+    action: str
+    request: HttpRequest
+    kwargs: dict[str, Any]
+    user: Optional[User] = None
+
+    def __init__(self, action: str, request: HttpRequest, user: Optional[User] = None, **kwargs):
+        super().__init__()
+        self.action = action
+        self.request = request
+        self.user = user
+        self.kwargs = kwargs
+
+    def run(self):
+        Event.new(self.action, **self.kwargs).from_http(self.request, user=self.user)


@receiver(user_logged_in)
+# pylint: disable=unused-argument
 def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
    """Log successful login"""
-    kwargs = {}
+    thread = EventNewThread(EventAction.LOGIN, request)
    if SESSION_KEY_PLAN in request.session:
        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
        if PLAN_CONTEXT_SOURCE in flow_plan.context:
            # Login request came from an external source, save it in the context
-            kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
+            thread.kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
        if PLAN_CONTEXT_METHOD in flow_plan.context:
+            thread.kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
            # Save the login method used
-            kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
-            kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
-    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
-    request.session[SESSION_LOGIN_EVENT] = event
-
-
-def get_login_event(request: HttpRequest) -> Optional[Event]:
-    """Wrapper to get login event that can be mocked in tests"""
-    return request.session.get(SESSION_LOGIN_EVENT, None)
+            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(
+                PLAN_CONTEXT_METHOD_ARGS, {}
+            )
+    thread.user = user
+    thread.run()


@receiver(user_logged_out)
+# pylint: disable=unused-argument
 def on_user_logged_out(sender, request: HttpRequest, user: User, **_):
    """Log successfully logout"""
-    Event.new(EventAction.LOGOUT).from_http(request, user=user)
+    thread = EventNewThread(EventAction.LOGOUT, request)
+    thread.user = user
+    thread.run()


@receiver(user_write)
+# pylint: disable=unused-argument
 def on_user_write(sender, request: HttpRequest, user: User, data: dict[str, Any], **kwargs):
    """Log User write"""
-    data["created"] = kwargs.get("created", False)
-    Event.new(EventAction.USER_WRITE, **data).from_http(request, user=user)
+    thread = EventNewThread(EventAction.USER_WRITE, request, **data)
+    thread.kwargs["created"] = kwargs.get("created", False)
+    thread.user = user
+    thread.run()


@receiver(login_failed)
+# pylint: disable=unused-argument
 def on_login_failed(
    signal,
    sender,
@ -66,30 +89,37 @@ def on_login_failed(
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)
+    thread = EventNewThread(EventAction.LOGIN_FAILED, request, **credentials, stage=stage, **kwargs)
+    thread.run()


@receiver(invitation_used)
+# pylint: disable=unused-argument
 def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_):
    """Log Invitation usage"""
-    Event.new(EventAction.INVITE_USED, invitation_uuid=invitation.invite_uuid.hex).from_http(
-        request
+    thread = EventNewThread(
+        EventAction.INVITE_USED, request, invitation_uuid=invitation.invite_uuid.hex
    )
+    thread.run()


@receiver(password_changed)
+# pylint: disable=unused-argument
 def on_password_changed(sender, user: User, password: str, **_):
    """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
+    thread = EventNewThread(EventAction.PASSWORD_SET, None, user=user)
+    thread.run()


@receiver(post_save, sender=Event)
+# pylint: disable=unused-argument
 def event_post_save_notification(sender, instance: Event, **_):
    """Start task to check if any policies trigger an notification on this event"""
    event_notification_handler.delay(instance.event_uuid.hex)


@receiver(pre_delete, sender=User)
+# pylint: disable=unused-argument
 def event_user_pre_delete_cleanup(sender, instance: User, **_):
    """If gdpr_compliance is enabled, remove all the user's events"""
    gdpr_cleanup.delay(instance.pk)
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@ -1,9 +1,7 @@
 """event utilities"""
 import re
-from copy import copy
 from dataclasses import asdict, is_dataclass
 from pathlib import Path
-from types import GeneratorType
 from typing import Any, Optional
 from uuid import UUID

@ -88,21 +86,13 @@ def sanitize_item(value: Any) -> Any:
    """Sanitize a single item, ensure it is JSON parsable"""
    if is_dataclass(value):
        # Because asdict calls `copy.deepcopy(obj)` on everything that's not tuple/dict,
-        # and deepcopy doesn't work with HttpRequest (neither django nor rest_framework).
-        # (more specifically doesn't work with ResolverMatch)
-        # rest_framework's custom Request class makes this more complicated as it also holds a
-        # thread lock.
-        # Since this class is mainly used for Events which already hold the http request context
-        # we just remove the http_request from the shallow policy request
+        # and deepcopy doesn't work with HttpRequests (neither django nor rest_framework).
        # Currently, the only dataclass that actually holds an http request is a PolicyRequest
-        if isinstance(value, PolicyRequest) and value.http_request is not None:
-            value: PolicyRequest = copy(value)
+        if isinstance(value, PolicyRequest):
            value.http_request = None
        value = asdict(value)
    if isinstance(value, dict):
        return sanitize_dict(value)
-    if isinstance(value, GeneratorType):
-        return sanitize_item(list(value))
    if isinstance(value, list):
        new_values = []
        for item in value:
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -1,6 +1,7 @@
 """Flow API Views"""
 from django.core.cache import cache
 from django.http import HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
@ -18,19 +19,19 @@ from authentik.api.decorators import permission_required
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import (
+    CacheSerializer,
+    FilePathSerializer,
+    FileUploadSerializer,
+    LinkSerializer,
+    PassiveSerializer,
+)
 from authentik.events.utils import sanitize_dict
 from authentik.flows.api.flows_diagram import FlowDiagram, FlowDiagramSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
-from authentik.flows.planner import CACHE_PREFIX, PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.flows.views.executor import SESSION_KEY_HISTORY, SESSION_KEY_PLAN
-from authentik.lib.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.lib.views import bad_request_message

 LOGGER = get_logger()
@ -122,7 +123,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def cache_info(self, request: Request) -> Response:
        """Info about cached flows"""
-        return Response(data={"count": len(cache.keys(f"{CACHE_PREFIX}*"))})
+        return Response(data={"count": len(cache.keys("flow_*"))})

    @permission_required(None, ["authentik_flows.clear_flow_cache"])
    @extend_schema(
@ -135,7 +136,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, methods=["POST"])
    def cache_clear(self, request: Request) -> Response:
        """Clear flow cache"""
-        keys = cache.keys(f"{CACHE_PREFIX}*")
+        keys = cache.keys("flow_*")
        cache.delete_many(keys)
        LOGGER.debug("Cleared flow cache", keys=len(keys))
        return Response(status=204)
@ -210,6 +211,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=unused-argument
    def export(self, request: Request, slug: str) -> Response:
        """Export flow to .yaml file"""
        flow = self.get_object()
@ -220,6 +222,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):

    @extend_schema(responses={200: FlowDiagramSerializer()})
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["get"])
+    # pylint: disable=unused-argument
    def diagram(self, request: Request, slug: str) -> Response:
        """Return diagram for flow with slug `slug`, in the format used by flowchart.js"""
        diagram = FlowDiagram(self.get_object(), request.user)
@ -243,10 +246,29 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        methods=["POST"],
        parser_classes=(MultiPartParser,),
    )
+    # pylint: disable=unused-argument
    def set_background(self, request: Request, slug: str):
        """Set Flow background"""
        flow: Flow = self.get_object()
-        return set_file(request, flow, "background")
+        background = request.FILES.get("file", None)
+        clear = request.data.get("clear", "false").lower() == "true"
+        if clear:
+            if flow.background_url.startswith("/media"):
+                # .delete() saves the model by default
+                flow.background.delete()
+            else:
+                flow.background = None
+                flow.save()
+            return Response({})
+        if background:
+            flow.background = background
+            try:
+                flow.save()
+            except PermissionError as exc:
+                LOGGER.warning("Failed to save icon", exc=exc)
+                return HttpResponseBadRequest()
+            return Response({})
+        return HttpResponseBadRequest()

    @permission_required("authentik_core.change_application")
    @extend_schema(
@ -262,10 +284,16 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        filter_backends=[],
        methods=["POST"],
    )
+    # pylint: disable=unused-argument
    def set_background_url(self, request: Request, slug: str):
        """Set Flow background (as URL)"""
        flow: Flow = self.get_object()
-        return set_file_url(request, flow, "background")
+        url = request.data.get("url", None)
+        if not url:
+            return HttpResponseBadRequest()
+        flow.background.name = url
+        flow.save()
+        return Response({})

    @extend_schema(
        responses={
@ -274,6 +302,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=unused-argument
    def execute(self, request: Request, slug: str):
        """Execute flow for current user"""
        # Because we pre-plan the flow here, and not in the planner, we need to manually clear
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -1,6 +1,7 @@
 """Challenge helpers"""
 from dataclasses import asdict, is_dataclass
 from enum import Enum
+from traceback import format_tb
 from typing import TYPE_CHECKING, Optional, TypedDict
 from uuid import UUID

@ -8,10 +9,8 @@ from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
 from rest_framework.fields import CharField, ChoiceField, DictField
-from rest_framework.request import Request

 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.errors import exception_to_string

 if TYPE_CHECKING:
    from authentik.flows.stage import StageView
@ -91,31 +90,32 @@ class WithUserInfoChallenge(Challenge):
    pending_user_avatar = CharField()


-class FlowErrorChallenge(Challenge):
+class FlowErrorChallenge(WithUserInfoChallenge):
    """Challenge class when an unhandled error occurs during a stage. Normal users
    are shown an error message, superusers are shown a full stacktrace."""

-    type = CharField(default=ChallengeTypes.NATIVE.value)
-    component = CharField(default="ak-stage-flow-error")
+    component = CharField(default="xak-flow-error")

    request_id = CharField()

    error = CharField(required=False)
    traceback = CharField(required=False)

-    def __init__(self, request: Optional[Request] = None, error: Optional[Exception] = None):
-        super().__init__(data={})
+    def __init__(self, *args, **kwargs):
+        request = kwargs.pop("request", None)
+        error = kwargs.pop("error", None)
+        super().__init__(*args, **kwargs)
        if not request or not error:
            return
-        self.initial_data["request_id"] = request.request_id
+        self.request_id = request.request_id
        from authentik.core.models import USER_ATTRIBUTE_DEBUG

        if request.user and request.user.is_authenticated:
            if request.user.is_superuser or request.user.group_attributes(request).get(
                USER_ATTRIBUTE_DEBUG, False
            ):
-                self.initial_data["error"] = str(error)
-                self.initial_data["traceback"] = exception_to_string(error)
+                self.error = error
+                self.traceback = "".join(format_tb(self.error.__traceback__))


 class AccessDeniedChallenge(WithUserInfoChallenge):
--- a/authentik/flows/markers.py
+++ b/authentik/flows/markers.py
@ -19,6 +19,7 @@ LOGGER = get_logger()
 class StageMarker:
    """Base stage marker class, no extra attributes, and has no special handler."""

+    # pylint: disable=unused-argument
    def process(
        self,
        plan: "FlowPlan",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	def0a42bf1	release: 2022.10.4	2022-12-23 14:19:17 +01:00
Jens Langhammer	727e55e44b	web: backport API update Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:19:10 +01:00
Jens L	cd88b91686	security: fix CVE 2022 23555 (#4274 ) * add flow to invitation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * show warning on invitation page Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add security advisory Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:18:13 +01:00
Jens L	8eb73d3a16	security: fix CVE 2022 46172 (#4275 ) * fallback to current user in user_write, add flag to disable user creation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update api and web ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update default flows Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add cve post to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-23 14:18:09 +01:00
Jens Langhammer	83f46f6ff1	release: 2022.10.3	2022-12-02 23:01:17 +02:00
Jens Langhammer	0e7cc6da4c	web: bump API version Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-02 22:51:09 +02:00
Jens Langhammer	a262171671	release: 2022.10.2	2022-12-01 10:40:58 +02:00
Jens Langhammer	87b8ca7be4	*: backport CVE-2022-46145 fix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-01 10:40:51 +02:00
Jens Langhammer	cc8dc1403f	root: include security policy in website container Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-30 13:05:02 +02:00
Jens Langhammer	f21a196a3b	root: rework and expand security policy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> # Conflicts: # SECURITY.md	2022-11-30 13:04:50 +02:00