retry

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -31,4 +31,4 @@ optional_value = final
 
 [bumpversion:file:web/src/common/constants.ts]
 
-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]

.github/actions/comment-pr-instructions/action.yml

@@ -35,14 +35,6 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -60,18 +52,6 @@ runs:
                     tag: ${{ inputs.tag }}
             ```
 
-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
         edit-mode: replace

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,15 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageTagsJSON:
+    description: "Docker image tags, as a JSON array"
+    value: ${{ steps.ev.outputs.imageTagsJSON }}
   attestImageNames:
     description: "Docker image names used for attestation"
     value: ${{ steps.ev.outputs.attestImageNames }}
+  cacheTo:
+    description: "cache-to value for the docker build step"
+    value: ${{ steps.ev.outputs.cacheTo }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}

.github/actions/docker-push-variables/push_vars.py

@@ -2,6 +2,7 @@
 
 import configparser
 import os
+from json import dumps
 from time import time
 
 parser = configparser.ConfigParser()
@@ -48,7 +49,7 @@ if is_release:
             ]
 else:
     suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
         suffix = f"-{image_arch}"
     for name in image_names:
         image_tags += [
@@ -70,12 +71,23 @@ def get_attest_image_names(image_with_tags: list[str]):
     return ",".join(set(image_tags))
 
 
+# Generate `cache-to` param
+cache_to = ""
+if should_push:
+    _cache_tag = "buildcache"
+    if image_arch:
+        _cache_tag += f"-{image_arch}"
+    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
+
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
     print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
+    print(f"cacheTo={cache_to}", file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
     IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    python $SCRIPT_DIR/push_vars.py
+
+# Pushing PR/main
+GITHUB_OUTPUT=/dev/stdout \
+    GITHUB_REF=ref \
+    GITHUB_SHA=sha \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py

.github/dependabot.yml

@@ -82,6 +82,16 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+  - package-ecosystem: npm
+    directory: "/lifecycle/aws"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "lifecycle/aws:"
+    labels:
+      - dependencies
   - package-ecosystem: pip
     directory: "/"
     schedule:

.github/workflows/_reusable-docker-build-single.yaml

@@ -0,0 +1,94 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.3.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/_reusable-docker-build.yaml

@@ -0,0 +1,102 @@
+# Re-usable workflow for a multi-architecture build
+name: Multi-arch container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: true
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs: {}
+
+jobs:
+  build-server-amd64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: amd64
+      runs-on: ubuntu-latest
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  build-server-arm64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: arm64
+      runs-on: ubuntu-22.04-arm
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  get-tags:
+    runs-on: ubuntu-latest
+    needs:
+      - build-server-amd64
+      - build-server-arm64
+    outputs:
+      tags: ${{ steps.ev.outputs.imageTagsJSON }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+  merge-server:
+    runs-on: ubuntu-latest
+    needs:
+      - get-tags
+      - build-server-amd64
+      - build-server-arm64
+    strategy:
+      fail-fast: false
+      matrix:
+        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: int128/docker-manifest-create-action@v2
+        id: build
+        with:
+          tags: ${{ matrix.tag }}
+          sources: |
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true

.github/workflows/ci-aws-cfn.yml

@@ -25,10 +25,10 @@ jobs:
         uses: ./.github/actions/setup
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version-file: lifecycle/aws/package.json
           cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: lifecycle/aws/package-lock.json
+      - working-directory: lifecycle/aws/
         run: |
           npm ci
       - name: Check changes have been applied

.github/workflows/ci-main.yml

@@ -223,68 +223,18 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build:
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-          - amd64
-          - arm64
-    needs: ci-core-mark
-    runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
       attestations: write
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-server
-          image-arch: ${{ matrix.arch }}
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: generate ts client
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          build-args: |
-            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
-          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    needs: ci-core-mark
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/dev-server
+      release: false
   pr-comment:
     needs:
       - build

.github/workflows/ci-outpost.yml

@@ -72,7 +72,7 @@ jobs:
           - rac
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write

.github/workflows/release-publish.yml

@@ -7,64 +7,15 @@ on:
 
 jobs:
   build-server:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload contianer images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server,beryju/authentik
-      - name: Docker Login Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
+      release: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
@@ -188,8 +139,8 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Upload template
         run: |
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server

CODEOWNERS

@@ -15,6 +15,7 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -116,15 +116,29 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
     python -m venv /ak-root/venv/ && \
     bash -c "source ${VENV_PATH}/bin/activate && \
     pip3 install --upgrade pip && \
     pip3 install poetry && \
-    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -136,37 +150,34 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
-WORKDIR /
-
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
+    adduser --system --no-create-home --uid 1000 --group --home /ak-root authentik && \
     mkdir -p /certs /media /blueprints && \
-    mkdir -p /authentik/.ssh && \
-    mkdir -p /ak-root && \
-    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
+    mkdir -p /ak-root/authentik/.ssh && \
+    chown authentik:authentik /certs /media /ak-root/authentik/.ssh /ak-root
 
-COPY ./authentik/ /authentik
-COPY ./pyproject.toml /
-COPY ./poetry.lock /
-COPY ./schemas /schemas
-COPY ./locale /locale
-COPY ./tests /tests
-COPY ./manage.py /
+COPY ./authentik/ /ak-root/authentik
+COPY ./pyproject.toml /ak-root
+COPY ./poetry.lock /ak-root
+COPY ./schemas /ak-root/schemas
+COPY ./locale /ak-root/locale
+COPY ./tests /ak-root/tests
+COPY ./manage.py /ak-root
 COPY ./blueprints /blueprints
-COPY ./lifecycle/ /lifecycle
+COPY ./lifecycle/ /ak-root/lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=web-builder /work/web/dist/ /ak-root/web/dist/
+COPY --from=web-builder /work/web/authentik/ /ak-root/web/authentik/
+COPY --from=website-builder /work/website/build/ /ak-root/website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
@@ -174,12 +185,13 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
-    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    PATH="/ak-root/venv/bin:/ak-root/lifecycle:$PATH" \
     VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false
-
-ENV GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false \
+    GOFIPS=1
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 
+WORKDIR /ak-root
+
 ENTRYPOINT [ "dumb-init", "--", "ak" ]

Makefile

@@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -78,6 +78,9 @@ migrate: ## Run the Authentik Django server's migrations
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
+aws-cfn:
+	cd lifecycle/aws && npm run aws-cfn
+
 core-i18n-extract:
 	ak makemessages \
 		--add-location file \
@@ -252,9 +255,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 
-aws-cfn:
-	cd website && npm run aws-cfn
-
 #########################
 ## Docker
 #########################

authentik/core/api/users.py

@@ -427,7 +427,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     queryset = User.objects.none()
     ordering = ["username"]
     serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid"]
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
     filterset_class = UsersFilter
 
     def get_queryset(self):

authentik/sources/kerberos/models.py

@@ -12,6 +12,7 @@ from django.db.models.fields import b64decode
 from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from kadmin import KAdmin, KAdminApiVersion
 from kadmin.exceptions import PyKAdminException
@@ -173,12 +174,18 @@ class KerberosSource(Source):
     def get_base_user_properties(self, principal: str, **kwargs):
         localpart, _ = principal.rsplit("@", 1)
 
-        return {
+        properties = {
             "username": localpart,
             "type": UserTypes.INTERNAL,
             "path": self.get_user_path(),
         }
 
+        if "principal_obj" in kwargs:
+            princ_expiry = kwargs["principal_obj"].expire_time
+            properties["is_active"] = princ_expiry is None or princ_expiry > now()
+
+        return properties
+
     def get_base_group_properties(self, group_id: str, **kwargs):
         return {
             "name": group_id,

authentik/sources/oauth/clients/oauth2.py

@@ -81,7 +81,12 @@ class OAuth2Client(BaseOAuthClient):
             if self.source.source_type.urls_customizable and self.source.access_token_url:
                 access_token_url = self.source.access_token_url
             response = self.do_request(
-                "post", access_token_url, data=args, headers=self._default_headers, **request_kwargs
+                "post",
+                access_token_url,
+                auth=(self.get_client_id(), self.get_client_secret()),
+                data=args,
+                headers=self._default_headers,
+                **request_kwargs,
             )
             response.raise_for_status()
         except RequestException as exc:

lifecycle/ak

@@ -62,10 +62,29 @@ function prepare_debug {
     chown authentik:authentik /unittest.xml
 }
 
+function migrate_container_change_root_dir {
+    # With authentik 2025.2 we're moving the root directory of the authentik app
+    # into /ak-root, mainly to not clutter the root filesystem of the container
+    # and to make it possible to use devcontainers in the future.
+    # In most installs this migration isn't required as no files are mounted into
+    # these directories, however it is used if scripts are overwritten from the outside
+    # or more commonly the flow background image is overwritten in `/web`
+    if [ -d /authentik ]; then
+        log "Legacy /authentik folder exist, migrating files"
+        cp -rp /authentik/* /ak-root/authentik
+    fi
+    if [ ! -d /web ]; then
+        log "Legacy /web folder exist, migrating files"
+        cp -rp /web/* /ak-root/web
+    fi
+}
+
 if [[ "${AUTHENTIK_REMOTE_DEBUG}" == "true" ]]; then
     prepare_debug
 fi
 
+migrate_container_change_root_dir
+
 if [[ "$1" == "server" ]]; then
     set_mode "server"
     # If we have bootstrap credentials set, run bootstrap tasks outside of main server

lifecycle/aws/.gitignore

@@ -0,0 +1,111 @@
+
+# Created by https://www.gitignore.io/api/node
+# Edit at https://www.gitignore.io/?templates=node
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+dist
+
+# Uncomment the public line if your project uses Gatsby
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# https://create-react-app.dev/docs/using-the-public-folder/#docsNav
+# public
+
+# Storybook build outputs
+.out
+.storybook-out
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# Temporary folders
+tmp/
+temp/
+
+# End of https://www.gitignore.io/api/node
+
+cdk.out

lifecycle/aws/app.py

@@ -6,6 +6,7 @@ from aws_cdk import (
     App,
     CfnOutput,
     CfnParameter,
+    DefaultStackSynthesizer,
     Duration,
     RemovalPolicy,
     Stack,
@@ -38,7 +39,7 @@ from authentik import __version__
 
 class AuthentikStack(Stack):
     def __init__(self, scope: Construct, id: str, **kwargs):
-        super().__init__(scope, id, *kwargs)
+        super().__init__(scope, id, **kwargs)
 
         ### Inputs
 
@@ -327,6 +328,7 @@ class AuthentikStack(Stack):
             security_groups=[authentik_security_group],
             vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS),
             enable_execute_command=True,
+            min_healthy_percent=50,
         )
 
         worker_task = ecs.FargateTaskDefinition(
@@ -376,6 +378,7 @@ class AuthentikStack(Stack):
             security_groups=[authentik_security_group],
             vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS),
             enable_execute_command=True,
+            min_healthy_percent=50,
         )
 
         # Load balancer
@@ -417,5 +420,9 @@ class AuthentikStack(Stack):
 
 
 app = App()
-AuthentikStack(app, "AuthentikStack")
+AuthentikStack(
+    app,
+    "AuthentikStack",
+    synthesizer=DefaultStackSynthesizer(generate_bootstrap_version_rule=False),
+)
 app.synth()

lifecycle/aws/package-lock.json

@@ -0,0 +1,141 @@
+{
+    "name": "@goauthentik/lifecycle-aws",
+    "version": "0.0.0",
+    "lockfileVersion": 3,
+    "requires": true,
+    "packages": {
+        "": {
+            "name": "@goauthentik/lifecycle-aws",
+            "version": "0.0.0",
+            "license": "MIT",
+            "devDependencies": {
+                "aws-cdk": "^2.176.0",
+                "cross-env": "^7.0.3"
+            },
+            "engines": {
+                "node": ">=20"
+            }
+        },
+        "node_modules/aws-cdk": {
+            "version": "2.176.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.176.0.tgz",
+            "integrity": "sha512-yRjIXzK2ddznwuSjasWAViYBtBSQbEu6GHlylaC3GHsIUPhrK3KguqIuhdlxjMeiQ1Fvok8REDLCReZJdrSLLg==",
+            "dev": true,
+            "license": "Apache-2.0",
+            "bin": {
+                "cdk": "bin/cdk"
+            },
+            "engines": {
+                "node": ">= 14.15.0"
+            },
+            "optionalDependencies": {
+                "fsevents": "2.3.2"
+            }
+        },
+        "node_modules/cross-env": {
+            "version": "7.0.3",
+            "resolved": "https://registry.npmjs.org/cross-env/-/cross-env-7.0.3.tgz",
+            "integrity": "sha512-+/HKd6EgcQCJGh2PSjZuUitQBQynKor4wrFbRg4DtAgS1aWO+gU52xpH7M9ScGgXSYmAVS9bIJ8EzuaGw0oNAw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "cross-spawn": "^7.0.1"
+            },
+            "bin": {
+                "cross-env": "src/bin/cross-env.js",
+                "cross-env-shell": "src/bin/cross-env-shell.js"
+            },
+            "engines": {
+                "node": ">=10.14",
+                "npm": ">=6",
+                "yarn": ">=1"
+            }
+        },
+        "node_modules/cross-spawn": {
+            "version": "7.0.6",
+            "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+            "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "path-key": "^3.1.0",
+                "shebang-command": "^2.0.0",
+                "which": "^2.0.1"
+            },
+            "engines": {
+                "node": ">= 8"
+            }
+        },
+        "node_modules/fsevents": {
+            "version": "2.3.2",
+            "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+            "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+            "dev": true,
+            "hasInstallScript": true,
+            "license": "MIT",
+            "optional": true,
+            "os": [
+                "darwin"
+            ],
+            "engines": {
+                "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+            }
+        },
+        "node_modules/isexe": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+            "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+            "dev": true,
+            "license": "ISC"
+        },
+        "node_modules/path-key": {
+            "version": "3.1.1",
+            "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+            "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=8"
+            }
+        },
+        "node_modules/shebang-command": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+            "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "shebang-regex": "^3.0.0"
+            },
+            "engines": {
+                "node": ">=8"
+            }
+        },
+        "node_modules/shebang-regex": {
+            "version": "3.0.0",
+            "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+            "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=8"
+            }
+        },
+        "node_modules/which": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+            "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+            "dev": true,
+            "license": "ISC",
+            "dependencies": {
+                "isexe": "^2.0.0"
+            },
+            "bin": {
+                "node-which": "bin/node-which"
+            },
+            "engines": {
+                "node": ">= 8"
+            }
+        }
+    }
+}

lifecycle/aws/package.json

@@ -0,0 +1,16 @@
+{
+    "name": "@goauthentik/lifecycle-aws",
+    "version": "0.0.0",
+    "private": true,
+    "license": "MIT",
+    "scripts": {
+        "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
+    },
+    "engines": {
+        "node": ">=20"
+    },
+    "devDependencies": {
+        "aws-cdk": "^2.176.0",
+        "cross-env": "^7.0.3"
+    }
+}

poetry.lock

@@ -1271,37 +1271,37 @@ tests = ["django", "hypothesis", "pytest", "pytest-asyncio"]
 
 [[package]]
 name = "debugpy"
-version = "1.8.11"
+version = "1.8.12"
 description = "An implementation of the Debug Adapter Protocol for Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "debugpy-1.8.11-cp310-cp310-macosx_14_0_x86_64.whl", hash = "sha256:2b26fefc4e31ff85593d68b9022e35e8925714a10ab4858fb1b577a8a48cb8cd"},
-    {file = "debugpy-1.8.11-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:61bc8b3b265e6949855300e84dc93d02d7a3a637f2aec6d382afd4ceb9120c9f"},
-    {file = "debugpy-1.8.11-cp310-cp310-win32.whl", hash = "sha256:c928bbf47f65288574b78518449edaa46c82572d340e2750889bbf8cd92f3737"},
-    {file = "debugpy-1.8.11-cp310-cp310-win_amd64.whl", hash = "sha256:8da1db4ca4f22583e834dcabdc7832e56fe16275253ee53ba66627b86e304da1"},
-    {file = "debugpy-1.8.11-cp311-cp311-macosx_14_0_universal2.whl", hash = "sha256:85de8474ad53ad546ff1c7c7c89230db215b9b8a02754d41cb5a76f70d0be296"},
-    {file = "debugpy-1.8.11-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8ffc382e4afa4aee367bf413f55ed17bd91b191dcaf979890af239dda435f2a1"},
-    {file = "debugpy-1.8.11-cp311-cp311-win32.whl", hash = "sha256:40499a9979c55f72f4eb2fc38695419546b62594f8af194b879d2a18439c97a9"},
-    {file = "debugpy-1.8.11-cp311-cp311-win_amd64.whl", hash = "sha256:987bce16e86efa86f747d5151c54e91b3c1e36acc03ce1ddb50f9d09d16ded0e"},
-    {file = "debugpy-1.8.11-cp312-cp312-macosx_14_0_universal2.whl", hash = "sha256:84e511a7545d11683d32cdb8f809ef63fc17ea2a00455cc62d0a4dbb4ed1c308"},
-    {file = "debugpy-1.8.11-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ce291a5aca4985d82875d6779f61375e959208cdf09fcec40001e65fb0a54768"},
-    {file = "debugpy-1.8.11-cp312-cp312-win32.whl", hash = "sha256:28e45b3f827d3bf2592f3cf7ae63282e859f3259db44ed2b129093ca0ac7940b"},
-    {file = "debugpy-1.8.11-cp312-cp312-win_amd64.whl", hash = "sha256:44b1b8e6253bceada11f714acf4309ffb98bfa9ac55e4fce14f9e5d4484287a1"},
-    {file = "debugpy-1.8.11-cp313-cp313-macosx_14_0_universal2.whl", hash = "sha256:8988f7163e4381b0da7696f37eec7aca19deb02e500245df68a7159739bbd0d3"},
-    {file = "debugpy-1.8.11-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c1f6a173d1140e557347419767d2b14ac1c9cd847e0b4c5444c7f3144697e4e"},
-    {file = "debugpy-1.8.11-cp313-cp313-win32.whl", hash = "sha256:bb3b15e25891f38da3ca0740271e63ab9db61f41d4d8541745cfc1824252cb28"},
-    {file = "debugpy-1.8.11-cp313-cp313-win_amd64.whl", hash = "sha256:d8768edcbeb34da9e11bcb8b5c2e0958d25218df7a6e56adf415ef262cd7b6d1"},
-    {file = "debugpy-1.8.11-cp38-cp38-macosx_14_0_x86_64.whl", hash = "sha256:ad7efe588c8f5cf940f40c3de0cd683cc5b76819446abaa50dc0829a30c094db"},
-    {file = "debugpy-1.8.11-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:189058d03a40103a57144752652b3ab08ff02b7595d0ce1f651b9acc3a3a35a0"},
-    {file = "debugpy-1.8.11-cp38-cp38-win32.whl", hash = "sha256:32db46ba45849daed7ccf3f2e26f7a386867b077f39b2a974bb5c4c2c3b0a280"},
-    {file = "debugpy-1.8.11-cp38-cp38-win_amd64.whl", hash = "sha256:116bf8342062246ca749013df4f6ea106f23bc159305843491f64672a55af2e5"},
-    {file = "debugpy-1.8.11-cp39-cp39-macosx_14_0_x86_64.whl", hash = "sha256:654130ca6ad5de73d978057eaf9e582244ff72d4574b3e106fb8d3d2a0d32458"},
-    {file = "debugpy-1.8.11-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:23dc34c5e03b0212fa3c49a874df2b8b1b8fda95160bd79c01eb3ab51ea8d851"},
-    {file = "debugpy-1.8.11-cp39-cp39-win32.whl", hash = "sha256:52d8a3166c9f2815bfae05f386114b0b2d274456980d41f320299a8d9a5615a7"},
-    {file = "debugpy-1.8.11-cp39-cp39-win_amd64.whl", hash = "sha256:52c3cf9ecda273a19cc092961ee34eb9ba8687d67ba34cc7b79a521c1c64c4c0"},
-    {file = "debugpy-1.8.11-py2.py3-none-any.whl", hash = "sha256:0e22f846f4211383e6a416d04b4c13ed174d24cc5d43f5fd52e7821d0ebc8920"},
-    {file = "debugpy-1.8.11.tar.gz", hash = "sha256:6ad2688b69235c43b020e04fecccdf6a96c8943ca9c2fb340b8adc103c655e57"},
+    {file = "debugpy-1.8.12-cp310-cp310-macosx_14_0_x86_64.whl", hash = "sha256:a2ba7ffe58efeae5b8fad1165357edfe01464f9aef25e814e891ec690e7dd82a"},
+    {file = "debugpy-1.8.12-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cbbd4149c4fc5e7d508ece083e78c17442ee13b0e69bfa6bd63003e486770f45"},
+    {file = "debugpy-1.8.12-cp310-cp310-win32.whl", hash = "sha256:b202f591204023b3ce62ff9a47baa555dc00bb092219abf5caf0e3718ac20e7c"},
+    {file = "debugpy-1.8.12-cp310-cp310-win_amd64.whl", hash = "sha256:9649eced17a98ce816756ce50433b2dd85dfa7bc92ceb60579d68c053f98dff9"},
+    {file = "debugpy-1.8.12-cp311-cp311-macosx_14_0_universal2.whl", hash = "sha256:36f4829839ef0afdfdd208bb54f4c3d0eea86106d719811681a8627ae2e53dd5"},
+    {file = "debugpy-1.8.12-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a28ed481d530e3138553be60991d2d61103ce6da254e51547b79549675f539b7"},
+    {file = "debugpy-1.8.12-cp311-cp311-win32.whl", hash = "sha256:4ad9a94d8f5c9b954e0e3b137cc64ef3f579d0df3c3698fe9c3734ee397e4abb"},
+    {file = "debugpy-1.8.12-cp311-cp311-win_amd64.whl", hash = "sha256:4703575b78dd697b294f8c65588dc86874ed787b7348c65da70cfc885efdf1e1"},
+    {file = "debugpy-1.8.12-cp312-cp312-macosx_14_0_universal2.whl", hash = "sha256:7e94b643b19e8feb5215fa508aee531387494bf668b2eca27fa769ea11d9f498"},
+    {file = "debugpy-1.8.12-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:086b32e233e89a2740c1615c2f775c34ae951508b28b308681dbbb87bba97d06"},
+    {file = "debugpy-1.8.12-cp312-cp312-win32.whl", hash = "sha256:2ae5df899732a6051b49ea2632a9ea67f929604fd2b036613a9f12bc3163b92d"},
+    {file = "debugpy-1.8.12-cp312-cp312-win_amd64.whl", hash = "sha256:39dfbb6fa09f12fae32639e3286112fc35ae976114f1f3d37375f3130a820969"},
+    {file = "debugpy-1.8.12-cp313-cp313-macosx_14_0_universal2.whl", hash = "sha256:696d8ae4dff4cbd06bf6b10d671e088b66669f110c7c4e18a44c43cf75ce966f"},
+    {file = "debugpy-1.8.12-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:898fba72b81a654e74412a67c7e0a81e89723cfe2a3ea6fcd3feaa3395138ca9"},
+    {file = "debugpy-1.8.12-cp313-cp313-win32.whl", hash = "sha256:22a11c493c70413a01ed03f01c3c3a2fc4478fc6ee186e340487b2edcd6f4180"},
+    {file = "debugpy-1.8.12-cp313-cp313-win_amd64.whl", hash = "sha256:fdb3c6d342825ea10b90e43d7f20f01535a72b3a1997850c0c3cefa5c27a4a2c"},
+    {file = "debugpy-1.8.12-cp38-cp38-macosx_14_0_x86_64.whl", hash = "sha256:b0232cd42506d0c94f9328aaf0d1d0785f90f87ae72d9759df7e5051be039738"},
+    {file = "debugpy-1.8.12-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9af40506a59450f1315168d47a970db1a65aaab5df3833ac389d2899a5d63b3f"},
+    {file = "debugpy-1.8.12-cp38-cp38-win32.whl", hash = "sha256:5cc45235fefac57f52680902b7d197fb2f3650112379a6fa9aa1b1c1d3ed3f02"},
+    {file = "debugpy-1.8.12-cp38-cp38-win_amd64.whl", hash = "sha256:557cc55b51ab2f3371e238804ffc8510b6ef087673303890f57a24195d096e61"},
+    {file = "debugpy-1.8.12-cp39-cp39-macosx_14_0_x86_64.whl", hash = "sha256:b5c6c967d02fee30e157ab5227706f965d5c37679c687b1e7bbc5d9e7128bd41"},
+    {file = "debugpy-1.8.12-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88a77f422f31f170c4b7e9ca58eae2a6c8e04da54121900651dfa8e66c29901a"},
+    {file = "debugpy-1.8.12-cp39-cp39-win32.whl", hash = "sha256:a4042edef80364239f5b7b5764e55fd3ffd40c32cf6753da9bda4ff0ac466018"},
+    {file = "debugpy-1.8.12-cp39-cp39-win_amd64.whl", hash = "sha256:f30b03b0f27608a0b26c75f0bb8a880c752c0e0b01090551b9d87c7d783e2069"},
+    {file = "debugpy-1.8.12-py2.py3-none-any.whl", hash = "sha256:274b6a2040349b5c9864e475284bce5bb062e63dce368a394b8cc865ae3b00c6"},
+    {file = "debugpy-1.8.12.tar.gz", hash = "sha256:646530b04f45c830ceae8e491ca1c9320a2d2f0efea3141487c82130aba70dce"},
 ]
 
 [[package]]
@@ -4188,17 +4188,17 @@ testing = ["Django", "django-configurations (>=2.0)"]
 
 [[package]]
 name = "pytest-github-actions-annotate-failures"
-version = "0.2.0"
+version = "0.3.0"
 description = "pytest plugin to annotate failed tests with a workflow command for GitHub Actions"
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
 files = [
-    {file = "pytest-github-actions-annotate-failures-0.2.0.tar.gz", hash = "sha256:844ab626d389496e44f960b42f0a72cce29ae06d363426d17ea9ae1b4bef2288"},
-    {file = "pytest_github_actions_annotate_failures-0.2.0-py3-none-any.whl", hash = "sha256:8bcef65fed503faaa0524b59cfeccc8995130972dd7b008d64193cc41b9cde85"},
+    {file = "pytest_github_actions_annotate_failures-0.3.0-py3-none-any.whl", hash = "sha256:41ea558ba10c332c0bfc053daeee0c85187507b2034e990f21e4f7e5fef044cf"},
+    {file = "pytest_github_actions_annotate_failures-0.3.0.tar.gz", hash = "sha256:d4c3177c98046c3900a7f8ddebb22ea54b9f6822201b5d3ab8fcdea51e010db7"},
 ]
 
 [package.dependencies]
-pytest = ">=4.0.0"
+pytest = ">=6.0.0"
 
 [[package]]
 name = "pytest-randomly"
@@ -4630,29 +4630,29 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.9.1"
+version = "0.9.2"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.9.1-py3-none-linux_armv6l.whl", hash = "sha256:84330dda7abcc270e6055551aca93fdde1b0685fc4fd358f26410f9349cf1743"},
-    {file = "ruff-0.9.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:3cae39ba5d137054b0e5b472aee3b78a7c884e61591b100aeb544bcd1fc38d4f"},
-    {file = "ruff-0.9.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:50c647ff96f4ba288db0ad87048257753733763b409b2faf2ea78b45c8bb7fcb"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f0c8b149e9c7353cace7d698e1656ffcf1e36e50f8ea3b5d5f7f87ff9986a7ca"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:beb3298604540c884d8b282fe7625651378e1986c25df51dec5b2f60cafc31ce"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:39d0174ccc45c439093971cc06ed3ac4dc545f5e8bdacf9f067adf879544d969"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:69572926c0f0c9912288915214ca9b2809525ea263603370b9e00bed2ba56dbd"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:937267afce0c9170d6d29f01fcd1f4378172dec6760a9f4dface48cdabf9610a"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:186c2313de946f2c22bdf5954b8dd083e124bcfb685732cfb0beae0c47233d9b"},
-    {file = "ruff-0.9.1-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3f94942a3bb767675d9a051867c036655fe9f6c8a491539156a6f7e6b5f31831"},
-    {file = "ruff-0.9.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:728d791b769cc28c05f12c280f99e8896932e9833fef1dd8756a6af2261fd1ab"},
-    {file = "ruff-0.9.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:2f312c86fb40c5c02b44a29a750ee3b21002bd813b5233facdaf63a51d9a85e1"},
-    {file = "ruff-0.9.1-py3-none-musllinux_1_2_i686.whl", hash = "sha256:ae017c3a29bee341ba584f3823f805abbe5fe9cd97f87ed07ecbf533c4c88366"},
-    {file = "ruff-0.9.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:5dc40a378a0e21b4cfe2b8a0f1812a6572fc7b230ef12cd9fac9161aa91d807f"},
-    {file = "ruff-0.9.1-py3-none-win32.whl", hash = "sha256:46ebf5cc106cf7e7378ca3c28ce4293b61b449cd121b98699be727d40b79ba72"},
-    {file = "ruff-0.9.1-py3-none-win_amd64.whl", hash = "sha256:342a824b46ddbcdddd3abfbb332fa7fcaac5488bf18073e841236aadf4ad5c19"},
-    {file = "ruff-0.9.1-py3-none-win_arm64.whl", hash = "sha256:1cd76c7f9c679e6e8f2af8f778367dca82b95009bc7b1a85a47f1521ae524fa7"},
-    {file = "ruff-0.9.1.tar.gz", hash = "sha256:fd2b25ecaf907d6458fa842675382c8597b3c746a2dde6717fe3415425df0c17"},
+    {file = "ruff-0.9.2-py3-none-linux_armv6l.whl", hash = "sha256:80605a039ba1454d002b32139e4970becf84b5fee3a3c3bf1c2af6f61a784347"},
+    {file = "ruff-0.9.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:b9aab82bb20afd5f596527045c01e6ae25a718ff1784cb92947bff1f83068b00"},
+    {file = "ruff-0.9.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:fbd337bac1cfa96be615f6efcd4bc4d077edbc127ef30e2b8ba2a27e18c054d4"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:82b35259b0cbf8daa22a498018e300b9bb0174c2bbb7bcba593935158a78054d"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8b6a9701d1e371bf41dca22015c3f89769da7576884d2add7317ec1ec8cb9c3c"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9cc53e68b3c5ae41e8faf83a3b89f4a5d7b2cb666dff4b366bb86ed2a85b481f"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:8efd9da7a1ee314b910da155ca7e8953094a7c10d0c0a39bfde3fcfd2a015684"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3292c5a22ea9a5f9a185e2d131dc7f98f8534a32fb6d2ee7b9944569239c648d"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1a605fdcf6e8b2d39f9436d343d1f0ff70c365a1e681546de0104bef81ce88df"},
+    {file = "ruff-0.9.2-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c547f7f256aa366834829a08375c297fa63386cbe5f1459efaf174086b564247"},
+    {file = "ruff-0.9.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d18bba3d3353ed916e882521bc3e0af403949dbada344c20c16ea78f47af965e"},
+    {file = "ruff-0.9.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:b338edc4610142355ccf6b87bd356729b62bf1bc152a2fad5b0c7dc04af77bfe"},
+    {file = "ruff-0.9.2-py3-none-musllinux_1_2_i686.whl", hash = "sha256:492a5e44ad9b22a0ea98cf72e40305cbdaf27fac0d927f8bc9e1df316dcc96eb"},
+    {file = "ruff-0.9.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:af1e9e9fe7b1f767264d26b1075ac4ad831c7db976911fa362d09b2d0356426a"},
+    {file = "ruff-0.9.2-py3-none-win32.whl", hash = "sha256:71cbe22e178c5da20e1514e1e01029c73dc09288a8028a5d3446e6bba87a5145"},
+    {file = "ruff-0.9.2-py3-none-win_amd64.whl", hash = "sha256:c5e1d6abc798419cf46eed03f54f2e0c3adb1ad4b801119dedf23fcaf69b55b5"},
+    {file = "ruff-0.9.2-py3-none-win_arm64.whl", hash = "sha256:a1b63fa24149918f8b37cef2ee6fff81f24f0d74b6f0bdc37bc3e1f2143e41c6"},
+    {file = "ruff-0.9.2.tar.gz", hash = "sha256:b5eceb334d55fae5f316f783437392642ae18e16dcf4f1858d55d3c2a0f8f5d0"},
 ]
 
 [[package]]
@@ -4691,13 +4691,13 @@ django-query = ["django (>=3.2)"]
 
 [[package]]
 name = "selenium"
-version = "4.27.1"
+version = "4.28.0"
 description = "Official Python bindings for Selenium WebDriver"
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 files = [
-    {file = "selenium-4.27.1-py3-none-any.whl", hash = "sha256:b89b1f62b5cfe8025868556fe82360d6b649d464f75d2655cb966c8f8447ea18"},
-    {file = "selenium-4.27.1.tar.gz", hash = "sha256:5296c425a75ff1b44d0d5199042b36a6d1ef76c04fb775b97b40be739a9caae2"},
+    {file = "selenium-4.28.0-py3-none-any.whl", hash = "sha256:3d6a2e8e1b850a1078884ea19f4e011ecdc12263434d87a0b78769836fb82dd8"},
+    {file = "selenium-4.28.0.tar.gz", hash = "sha256:a9fae6eef48d470a1b0c6e45185d96f0dafb025e8da4b346cc41e4da3ac54fa0"},
 ]
 
 [package.dependencies]
@@ -4986,13 +4986,13 @@ pbr = ">=2.0.0,<2.1.0 || >2.1.0"
 
 [[package]]
 name = "structlog"
-version = "24.4.0"
+version = "25.1.0"
 description = "Structured Logging for Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "structlog-24.4.0-py3-none-any.whl", hash = "sha256:597f61e80a91cc0749a9fd2a098ed76715a1c8a01f73e336b746504d1aad7610"},
-    {file = "structlog-24.4.0.tar.gz", hash = "sha256:b27bfecede327a6d2da5fbc96bd859f114ecc398a6389d664f62085ee7ae6fc4"},
+    {file = "structlog-25.1.0-py3-none-any.whl", hash = "sha256:843fe4f254540329f380812cbe612e1af5ec5b8172205ae634679cd35a6d6321"},
+    {file = "structlog-25.1.0.tar.gz", hash = "sha256:2ef2a572e0e27f09664965d31a576afe64e46ac6084ef5cec3c2b8cd6e4e3ad3"},
 ]
 
 [package.extras]
@@ -5490,13 +5490,13 @@ files = [
 
 [[package]]
 name = "webauthn"
-version = "2.4.0"
+version = "2.5.0"
 description = "Pythonic WebAuthn"
 optional = false
 python-versions = "*"
 files = [
-    {file = "webauthn-2.4.0-py3-none-any.whl", hash = "sha256:2bf59646e1ad2aed113d16a1ca90196b45f1c4d160964d6271a181e60d0d03b1"},
-    {file = "webauthn-2.4.0.tar.gz", hash = "sha256:9bb4f95c5d2377f9e1abd156ca5a23cbb5def69ef1ed60a7ab70028cc68b741e"},
+    {file = "webauthn-2.5.0-py3-none-any.whl", hash = "sha256:d978b40bee53a3b283e4a867718ff8269b049c9d66c184eff137338810e98be6"},
+    {file = "webauthn-2.5.0.tar.gz", hash = "sha256:6b3d2e2a5636686829f528227865e19582700d6c107ef0a1256ef150b5bd4599"},
 ]
 
 [package.dependencies]

web/package-lock.json

@@ -14952,9 +14952,9 @@
             }
         },
         "node_modules/katex": {
-            "version": "0.16.11",
-            "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.11.tgz",
-            "integrity": "sha512-RQrI8rlHY92OLf3rho/Ts8i/XvjgguEjOkO1BEXcU3N8BqPpSzBNwV/G0Ukr+P/l3ivvJUE/Fa/CwbS6HesGNQ==",
+            "version": "0.16.21",
+            "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.21.tgz",
+            "integrity": "sha512-XvqR7FgOHtWupfMiigNzmh+MgUVmDGU2kXZm899ZkPfcuoPuFxyHmXsgATDpFZDAXCI8tvinaVcDo8PIIJSo4A==",
             "funding": [
                 "https://opencollective.com/katex",
                 "https://github.com/sponsors/katex"

web/src/components/ak-number-input.ts

@@ -9,6 +9,9 @@ export class AkNumberInput extends HorizontalLightComponent<number> {
     @property({ type: Number, reflect: true })
     value = NaN;
 
+    @property({ type: Number, reflect: true })
+    min = NaN;
+
     renderControl() {
         const setValue = (ev: InputEvent) => {
             const value = (ev.target as HTMLInputElement).value;
@@ -19,6 +22,7 @@ export class AkNumberInput extends HorizontalLightComponent<number> {
             type="number"
             @input=${setValue}
             value=${ifDefined(this.value)}
+            min=${ifDefined(this.min)}
             class="pf-c-form-control"
             ?required=${this.required}
         />`;

website/.prettierignore

@@ -5,5 +5,3 @@ coverage
 node_modules
 help
 static
-docs/install-config/install/aws/template.yaml
-docs/install-config/install/aws/cdk.out

website/docs/add-secure-apps/outposts/integrations/docker.md

@@ -4,12 +4,12 @@ title: Docker
 
 The Docker integration automatically deploys and manages outpost containers using the Docker HTTP API.
 
-This integration has the advantage over manual deployments of automatic updates (whenever authentik is updated, it updates the outposts), and authentik can (in a future version) automatically rotate the token that the outpost uses to communicate with the core authentik server.
+This integration has the advantage over manual deployments of automatic updates that whenever authentik is upgraded to a later version, it also upgrades the outposts.
 
 The following outpost settings are used:
 
-- `object_naming_template`: Configures how the container is called
-- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx#authentik_outposts) to configure the global default)
+- `object_naming_template`: Configures how the container is called.
+- `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx#authentik_outposts) to configure the global default).
 - `docker_network`: The Docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname.
 - `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with Traefik for example, you might not want to bind ports as they are routed through Traefik.
 - `docker_labels`: Optional additional labels that can be applied to the container.
@@ -66,7 +66,7 @@ Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Do
 
 ## Remote hosts (SSH)
 
-Starting with authentik 2021.12.5, you can connect to remote Docker hosts using SSH. To configure this, create a new SSH keypair using these commands:
+authentik can connect to remote Docker hosts using SSH. To configure this, create a new SSH keypair using these commands:
 
 ```
 # Generate the keypair itself, using RSA keys in the PEM format

website/docs/developer-docs/docs/style-guide.mdx

@@ -70,11 +70,14 @@ Formatting in documentation is important; it improves comprehension and readabil
     - directory names
     - code snippets (single line or a block of code)
 
-- For variables or placeholders use _italic_ font for the variable, and use place-holder names that makes it obvious that the user needs to replace it.
+- Use _italic_ font for variables or placeholders to make it clear they need to be replaced. Choose placeholder names that highlight their purpose, ensuring users understand what to update.
 
-    Example: <kbd>https://<em>company-domain</em>/source/oauth/callback/<em>source-slug</em></kbd>
+- When handling URLs:
 
-    When using variables in code snippets, make sure to specify if the value is something the user needs to define, is system-defined or generated.
+    - For URLs entered as values or defined in fields, apply `code formatting` and _italicize_ any variables within them to emphasize that placeholders require user input. Example: `<kbd>https://<em>company-domain</em>/source/oauth/callback/<em>source-slug</em></kbd>`.
+    - When mentioning URLs in text or within procedural instructions, omit code formatting. For instance: "In your browser, go to https://example.com."
+
+    Clearly indicate whether variables in code snippets need to be defined by the user, are system-provided, or generated.
 
 - When referring to authentik functionality and features, such as flows, stages, sources, or policies, do not capitalize and do not use bold or italic text. When possible link to the corresponding documentation.
 

website/docs/install-config/beta.mdx

@@ -27,8 +27,6 @@ AUTHENTIK_TAG=gh-next
 AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
 ```
 
-The Beta image is amd64 only. For arm64 platforms, append `-arm64` to the tag name (no spaces).
-
 Next, run the upgrade commands below.
 
   </TabItem>
@@ -47,8 +45,6 @@ image:
     pullPolicy: Always
 ```
 
-The Beta image is amd64 only. For arm64 platforms, append `-arm64` to the tag name (no spaces).
-
 Next, run the upgrade commands below.
 
   </TabItem>

website/docs/install-config/install/aws.md

@@ -31,4 +31,4 @@ The stack will output the endpoint of the ALB that to which you can point your D
 
 ### Further customization
 
-If you require further customization, we recommend you install authentik via [Docker Compose](../docker-compose.mdx) or [Kubernetes](../kubernetes.md).
+If you require further customization, we recommend you install authentik via [Docker Compose](./docker-compose.mdx) or [Kubernetes](./kubernetes.md).

website/docs/install-config/install/aws/.gitignore

@@ -1 +0,0 @@
-cdk.out

website/docs/install-config/install/aws/fix_template.py

@@ -1,11 +0,0 @@
-#!/usr/bin/env python3
-
-import yaml
-
-with open("template.yaml") as file:
-    template = yaml.safe_load(file)
-    del template["Conditions"]["CDKMetadataAvailable"]
-    del template["Parameters"]["BootstrapVersion"]
-    del template["Resources"]["CDKMetadata"]
-with open("template.yaml", "w") as file:
-    yaml.dump(template, file)

website/docs/releases/2024/v2024.12.md

@@ -42,7 +42,7 @@ slug: "/releases/2024.12"
 
 - **CloudFormation** <span class="badge badge--info">Preview</span>
 
-    Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws/index.md).
+    Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws.md).
 
 - **OAuth2 provider federation**
 

website/docs/users-sources/sources/social-logins/discord/index.md

@@ -10,7 +10,7 @@ Allows users to authenticate using their Discord credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Discord
 

website/docs/users-sources/sources/social-logins/facebook/index.md

@@ -10,7 +10,7 @@ Adding Facebook as a source allows users to authenticate through authentik using
 
 The following placeholders are used:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Facebook configuration
 

website/docs/users-sources/sources/social-logins/github/index.md

@@ -10,7 +10,7 @@ Allows users to authenticate using their Github credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 - `www.my.company` Homepage URL for your site
 
 ## Github

website/docs/users-sources/sources/social-logins/google/index.md

@@ -10,7 +10,7 @@ Allows users to authenticate using their Google credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Google
 

website/docs/users-sources/sources/social-logins/mailcow/index.md

@@ -10,8 +10,8 @@ Allows users to authenticate using their Mailcow credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
-- `mailcow.company` is the FQDN of the mailcow install.
+- `authentik.company` is the FQDN of the authentik installation.
+- `mailcow.company` is the FQDN of the mailcow installation.
 
 ## Mailcow
 

website/docs/users-sources/sources/social-logins/twitch/index.md

@@ -10,7 +10,7 @@ Allows users to authenticate using their Twitch credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Twitch
 

website/docs/users-sources/sources/social-logins/twitter/index.md

@@ -10,7 +10,7 @@ Allows users to authenticate using their twitter credentials
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Twitter
 

website/integrations/services/actual-budget/index.mdx

@@ -20,8 +20,8 @@ sidebar_label: Actual Budget
 
 The following placeholders are used in this guide:
 
-- _actual.company_ is the FQDN of the Actual Budget install.
-- _authentik.company_ is the FQDN of the authentik install.
+- `actual.company` is the FQDN of the Actual Budget installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/apache-guacamole/index.mdx

@@ -17,8 +17,8 @@ sidebar_label: Apache Guacamole™
 
 The following placeholders are used in this guide:
 
-- `guacamole.company` is the FQDN of the Guacamole install.
-- `authentik.company` is the FQDN of the authentik install.
+- `guacamole.company` is the FQDN of the Guacamole installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/argocd/index.md

@@ -17,8 +17,8 @@ sidebar_label: ArgoCD
 
 The following placeholders are used in this guide:
 
-- `argocd.company` is the FQDN of the ArgoCD install.
-- `authentik.company` is the FQDN of the authentik install.
+- `argocd.company` is the FQDN of the ArgoCD installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 :::note
 Only settings that have been modified from default have been listed.

website/integrations/services/aruba-orchestrator/index.md

@@ -17,8 +17,8 @@ sidebar_label: Aruba Orchestrator
 
 The following placeholders are used in this guide:
 
-- `arubaorchestrator.company` is the FQDN of the Aruba Orchestrator install.
-- `authentik.company` is the FQDN of the authentik install.
+- `arubaorchestrator.company` is the FQDN of the Aruba Orchestrator installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `SSL Certificate` is the name of the SSL certificate used to sign outgoing responses.
 
 ## authentik Configuration

website/integrations/services/awx-tower/index.md

@@ -25,8 +25,8 @@ AWX is the open-source version of RHAAP. The term "AWX" will be used interchange
 
 The following placeholders are used in this guide:
 
-- `awx.company` is the FQDN of the AWX/RHAAP install.
-- `authentik.company` is the FQDN of the authentik install.
+- `awx.company` is the FQDN of the AWX/RHAAP installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
 

website/integrations/services/budibase/index.md

@@ -17,8 +17,8 @@ sidebar_label: Budibase
 
 The following placeholders are used in this guide:
 
-- `budibase.company` is the FQDN of the Budibase install.
-- `authentik.company` is the FQDN of the authentik install.
+- `budibase.company` is the FQDN of the Budibase installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/chronograf/index.md

@@ -17,8 +17,8 @@ sidebar_label: Chronograf
 
 The following placeholders are used in this guide:
 
-- `chronograf.company` is the FQDN of your Chronograf install.
-- `authentik.company` is the FQDN of your authentik install.
+- `chronograf.company` is the FQDN of your Chronograf installation.
+- `authentik.company` is the FQDN of your authentik installation.
 
 ## authentik configuration
 

website/integrations/services/cloudflare-access/index.mdx

@@ -18,7 +18,7 @@ sidebar_label: Cloudflare Access
 The following placeholders are used in this guide:
 
 - `company.cloudflareaccess.com` is the FQDN of your Cloudflare Access subdomain.
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.
 

website/integrations/services/dokuwiki/index.md

@@ -17,8 +17,8 @@ From https://en.wikipedia.org/wiki/DokuWiki
 
 The following placeholders are used in this guide:
 
-- `dokuwiki.company` is the FQDN of the DokiWiki install.
-- `authentik.company` is the FQDN of the authentik install.
+- `dokuwiki.company` is the FQDN of the DokiWiki installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## DokuWiki configuration
 

website/integrations/services/engomo/index.md

@@ -18,8 +18,8 @@ sidebar_label: engomo
 
 The following placeholders are used in this guide:
 
-- `engomo.company` is the FQDN of the engomo install.
-- `authentik.company` is the FQDN of the authentik install.
+- `engomo.company` is the FQDN of the engomo installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `engomo.mapping` is the name of the Scope Mapping.
 - `ak.cert` is the self-signed certificate that will be used for the service provider.
 

website/integrations/services/espoCRM/index.md

@@ -21,8 +21,8 @@ This guide does _not_ cover Team Mapping. Please refer to EspoCRM's [documentati
 
 The following placeholders are used in this guide:
 
-- `crm.<your_company>` is the FQDN of the EspoCRM install.
-- `authentik.<your_company>` is the FQDN of the authentik install.
+- `crm.<your_company>` is the FQDN of the EspoCRM installation.
+- `authentik.<your_company>` is the FQDN of the authentik installation.
 - `_SLUG_` is the slug you choose upon application create in authentik.
 
 ## authentik configuration

website/integrations/services/firezone/index.md

@@ -17,9 +17,9 @@ sidebar_label: Firezone
 
 The following placeholders are used in this guide:
 
-- `firezone.company` is the FQDN of the Firezone install.
+- `firezone.company` is the FQDN of the Firezone installation.
 - `authentik` is the unique ID used to generate logins for this provider.
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/fortigate-admin/index.md

@@ -18,8 +18,8 @@ sidebar_label: FortiGate Admin Login
 
 The following placeholders are used in this guide:
 
-- `fgt.company` is the FQDN of the FortiGate install.
-- `authentik.company` is the FQDN of the authentik install.
+- `fgt.company` is the FQDN of the FortiGate installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `fgt.mapping` is the name of the SAML Property Mapping.
 - `ak.cert` = The authentik self-signed certificate you use for the service provider.
 

website/integrations/services/fortimanager/index.md

@@ -19,8 +19,8 @@ sidebar_label: FortiManager
 
 The following placeholders are used in this guide:
 
-- `fgm.company` is the FQDN of the FortiManager install.
-- `authentik.company` is the FQDN of the authentik install.
+- `fgm.company` is the FQDN of the FortiManager installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
 

website/integrations/services/frappe/index.md

@@ -21,8 +21,8 @@ These instructions apply to all projects in the Frappe Family.
 
 The following placeholders are used in this guide:
 
-- `frappe.company` is the FQDN of the Frappe install.
-- `authentik.company` is the FQDN of the authentik install.
+- `frappe.company` is the FQDN of the Frappe installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `provider` is the name for the social login provider in Frappe.
 
 ## authentik configuration

website/integrations/services/freshrss/index.md

@@ -17,9 +17,9 @@ sidebar_label: FreshRSS
 
 The following placeholders are used in this guide:
 
-- `freshrss.company` is the FQDN of the FreshRSS install.
+- `freshrss.company` is the FQDN of the FreshRSS installation.
 - `port` is the port on which the FreshRSS install is running (usually 443)
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/gatus/index.md

@@ -17,8 +17,8 @@ sidebar_label: Gatus
 
 The following placeholders are used in this guide:
 
-- `gatus.company` is the FQDN of the Gatus install.
-- `authentik.company` is the FQDN of the authentik install.
+- `gatus.company` is the FQDN of the Gatus installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/glitchtip/index.md

@@ -17,8 +17,8 @@ sidebar_label: Glitchtip
 
 The following placeholders are used in this guide:
 
-- `glitchtip.company` is the FQDN of the Glitchtip install.
-- `authentik.company` is the FQDN of the authentik install.
+- `glitchtip.company` is the FQDN of the Glitchtip installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/globalprotect/index.md

@@ -20,7 +20,7 @@ sidebar_label: GlobalProtect
 The following placeholders are used in this guide:
 
 - `gp.company` is the FQDN of the GlobalProtect portal.
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 :::caution
 A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.

website/integrations/services/google/index.md

@@ -17,7 +17,7 @@ sidebar_label: Google Workspace
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 - `example.com` is the default E-mail address configured in Google workspace.
 
 ## authentik Configuration

website/integrations/services/grafana/index.mdx

@@ -17,8 +17,8 @@ sidebar_label: Grafana
 
 The following placeholders are used in this guide:
 
-- `grafana.company` is the FQDN of the Grafana install.
-- `authentik.company` is the FQDN of the authentik install.
+- `grafana.company` is the FQDN of the Grafana installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/gravitee/index.md

@@ -19,8 +19,8 @@ sidebar_label: Gravitee
 
 The following placeholders are used in this guide:
 
-- `gravitee.company` is the FQDN of the Gravitee install.
-- `authentik.company` is the FQDN of the authentik install.
+- `gravitee.company` is the FQDN of the Gravitee installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/harbor/index.md

@@ -17,8 +17,8 @@ sidebar_label: Harbor
 
 The following placeholders are used in this guide:
 
-- `harbor.company` is the FQDN of the Harbor install.
-- `authentik.company` is the FQDN of the authentik install.
+- `harbor.company` is the FQDN of the Harbor installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/hedgedoc/index.md

@@ -17,8 +17,8 @@ sidebar_label: HedgeDoc
 
 The following placeholders are used in this guide:
 
-- `hedgedoc.company` is the FQDN of the HedgeDoc install.
-- `authentik.company` is the FQDN of the authentik install.
+- `hedgedoc.company` is the FQDN of the HedgeDoc installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/hoarder/index.md

@@ -17,8 +17,8 @@ sidebar_label: Hoarder
 
 The following placeholders are used in this guide:
 
-- `hoarder.company` is the FQDN of the Hoarder install.
-- `authentik.company` is the FQDN of the authentik install.
+- `hoarder.company` is the FQDN of the Hoarder installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/home-assistant/index.md

@@ -27,8 +27,8 @@ For Home Assistant to work with authentik, a custom integration needs to be inst
 
 The following placeholders are used in this guide:
 
-- `hass.company` is the FQDN of the Home Assistant install.
-- `authentik.company` is the FQDN of the authentik install.
+- `hass.company` is the FQDN of the Home Assistant installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/immich/index.md

@@ -18,7 +18,7 @@ sidebar_label: Immich
 The following placeholders are used in this guide:
 
 - `https://immich.company` is the URL used to access the Immich instance.
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/jellyfin/index.md

@@ -29,8 +29,8 @@ An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
 
 The following placeholders are used in this guide:
 
-- `jellyfin.company` is the FQDN of the Jellyfin install.
-- `authentik.company` is the FQDN of the authentik install.
+- `jellyfin.company` is the FQDN of the Jellyfin installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `ldap.company` the FQDN of the LDAP outpost.
 - `dc=company,dc=com` the Base DN of the LDAP outpost.
 - `ldap_bind_user` the username of the desired LDAP Bind User

website/integrations/services/jenkins/index.md

@@ -17,8 +17,8 @@ sidebar_label: Jenkins
 
 The following placeholders are used in this guide:
 
-- `jenkins.company` is the FQDN of the Service install.
-- `authentik.company` is the FQDN of the authentik install.
+- `jenkins.company` is the FQDN of the Service installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/komga/index.md

@@ -17,8 +17,8 @@ sidebar_label: Komga
 
 The following placeholders are used in this guide:
 
-- `komga.company` is the FQDN of the Komga install.
-- `authentik.company` is the FQDN of the authentik install.
+- `komga.company` is the FQDN of the Komga installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/linkwarden/index.md

@@ -17,8 +17,8 @@ sidebar_label: Linkwarden
 
 The following placeholders are used in this guide:
 
-- `linkwarden.company` is the FQDN of the Linkwarden install.
-- `authentik.company` is the FQDN of the authentik install.
+- `linkwarden.company` is the FQDN of the Linkwarden installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Linkwarden configuration
 
@@ -36,7 +36,7 @@ After making these changes, restart your Docker containers to apply the new conf
 
 ## authentik configuration
 
-1. Access the **Admin Interface** in on your authentik install.
+1. Access the **Admin Interface** in on your authentik installation.
 2. Create a new **OAuth2 / OpenID Provider**.
 3. Note the generated **Client ID** and **Client Secret**.
 4. In the provider settings, add this redirect URL under **Redirect URIs/Origins (RegEx)**: `https://linkwarden.company/api/v1/auth/callback/authentik`

website/integrations/services/mastodon/index.md

@@ -17,8 +17,8 @@ sidebar_label: Mastodon
 
 The following placeholders are used in this guide:
 
-- `mastodon.company` is the FQDN of the mastodon install.
-- `authentik.company` is the FQDN of the authentik install.
+- `mastodon.company` is the FQDN of the mastodon installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik Configuration
 

website/integrations/services/matrix-synapse/index.md

@@ -17,8 +17,8 @@ sidebar_label: Matrix Synapse
 
 The following placeholders are used in this guide:
 
-- `matrix.company` is the FQDN of the Matrix install.
-- `authentik.company` is the FQDN of the authentik install.
+- `matrix.company` is the FQDN of the Matrix installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
 

website/integrations/services/meshcentral/index.md

@@ -15,8 +15,8 @@ sidebar_label: MeshCentral
 
 The following placeholders are used in this guide:
 
-- `meshcentral.company` is the FQDN of the MeshCentral install.
-- `authentik.company` is the FQDN of the authentik install.
+- `meshcentral.company` is the FQDN of the MeshCentral installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/minio/index.md

@@ -17,8 +17,8 @@ sidebar_label: MinIO
 
 The following placeholders are used in this guide:
 
-- `minio.company` is the FQDN of the MinIO install.
-- `authentik.company` is the FQDN of the authentik install.
+- `minio.company` is the FQDN of the MinIO installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ### Mapping to MinIO policies
 

website/integrations/services/mobilizon/index.md

@@ -17,8 +17,8 @@ sidebar_label: Mobilizon
 
 The following placeholders are used in this guide:
 
-- `mobilizon.company` is the FQDN of the mobilizon install.
-- `authentik.company` is the FQDN of the authentik install.
+- `mobilizon.company` is the FQDN of the mobilizon installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik Configuration
 
@@ -56,10 +56,10 @@ config :mobilizon, :auth,
 config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
   client_id: "<Client ID>",
   client_secret: "<Client Secret>",
-  site: "https://mobilizon.company",
-  authorize_url: "https://mobilizon.company/application/o/authorize/",
-  token_url: "https://mobilizon.company/application/o/token/",
-  userinfo_url: "https://mobilizon.company/application/o/userinfo/",
+  site: "https://authentik.company",
+  authorize_url: "https://authentik.company/application/o/authorize/",
+  token_url: "https://authentik.company/application/o/token/",
+  userinfo_url: "https://authentik.company/application/o/userinfo/",
   token_method: :post
 ```
 

website/integrations/services/netbird/index.md

@@ -17,8 +17,8 @@ sidebar_label: NetBird
 
 The following placeholders are used in this guide:
 
-- `netbird.company` is the FQDN of the NetBird install.
-- `authentik.company` is the FQDN of the authentik install.
+- `netbird.company` is the FQDN of the NetBird installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/netbox/index.md

@@ -17,8 +17,8 @@ sidebar_label: NetBox
 
 The following placeholders are used in this guide:
 
-- `netbox.company` is the FQDN of the NetBox install.
-- `authentik.company` is the FQDN of the authentik install.
+- `netbox.company` is the FQDN of the NetBox installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _OAuth2/OpenID provider_ with the following parameters:
 

website/integrations/services/nextcloud/index.md

@@ -39,8 +39,8 @@ There are 3 ways to setup single sign on (SSO) for Nextcloud:
 
 The following placeholders are used in this guide:
 
-- `nextcloud.company` is the FQDN of the Nextcloud install.
-- `authentik.company` is the FQDN of the authentik install.
+- `nextcloud.company` is the FQDN of the Nextcloud installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `authentik.local` is the internal FQDN of the authentik install (only relevant when running authentik and Nextcloud behind a reverse proxy)
 
 Lets start by thinking what user attributes need to be available in Nextcloud:
@@ -116,7 +116,7 @@ Create a provider for Nextcloud. In the Admin Interface, go to _Applications_ ->
         - `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the [custom profile scope](#custom-profile-scope) section)
     - Subject mode: Based on the User's UUID
       :::danger
-      Nextcloud will use the UUID as username. However, mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the subject mode to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set this to `Based on the User's username`.
+      Nextcloud will use the UUID as username. However, mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the subject mode to an username, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set this to `Based on the User's username`.
       :::
     - Include claims in ID token: ✔️
 
@@ -228,8 +228,8 @@ If you do not have any relying parties accessing authentik from the outside, you
 
 The following placeholders are used in this guide:
 
-- `nextcloud.company` is the FQDN of the Nextcloud install.
-- `authentik.company` is the FQDN of the authentik install.
+- `nextcloud.company` is the FQDN of the Nextcloud installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _SAML provider_ with the following parameters:
 
@@ -254,7 +254,7 @@ Set the following values:
 
 - Attribute to map the UID to: `http://schemas.goauthentik.io/2021/02/saml/uid`
   :::danger
-  Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set the UID attribute to "http://schemas.goauthentik.io/2021/02/saml/username".
+  Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set the UID attribute to "http://schemas.goauthentik.io/2021/02/saml/username".
   :::
 - Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
 - Identifier of the IdP entity (must be a URI): `https://authentik.company`

website/integrations/services/observium/index.md

@@ -21,8 +21,8 @@ This is based on authentik 2024.6.0 and Observium CE 24.4.13528
 
 The following placeholders are used in this guide:
 
-- `observium.company` is the FQDN of the Observium install.
-- `authentik.company` is the FQDN of the authentik install.
+- `observium.company` is the FQDN of the Observium installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 This guide assumes you already have a working Observium instance. It is recommended to install it with the install script, following the [instructions](https://docs.observium.org/) on Observium's website.
 

website/integrations/services/organizr/index.md

@@ -19,8 +19,8 @@ This integration leverages authentik's LDAP for the identity provider to achieve
 
 The following placeholders are used in this guide:
 
-- `organizr.company` is the FQDN of the Service install.
-- `authentik.company` is the FQDN of the authentik install.
+- `organizr.company` is the FQDN of the Service installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create a new user account _(or reuse an existing)_ for organizr to use for LDAP bind under _Directory_ -> _Users_ -> _Create_, in this example called `ldapservice`.
 

website/integrations/services/outline/index.md

@@ -18,8 +18,8 @@ sidebar_label: Outline
 
 The following placeholders are used in this guide:
 
-- `outline.company` is the FQDN of the Outline install.
-- `authentik.company` is the FQDN of the authentik install.
+- `outline.company` is the FQDN of the Outline installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/paperless-ng/index.md

@@ -23,7 +23,7 @@ The author of Paperless-ng recommends you do not expose Paperless outside your n
 
 The following placeholders are used in this guide:
 
-- `paperless.company` is the FQDN of the Paperless-ng install.
+- `paperless.company` is the FQDN of the Paperless-ng installation.
 
 Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
 

website/integrations/services/paperless-ngx/index.mdx

@@ -17,8 +17,8 @@ sidebar_label: Paperless-ngx
 
 The following placeholders are used in this guide:
 
-- `paperless.company` is the FQDN of the Paperless-ngx install.
-- `authentik.company` is the FQDN of the authentik install.
+- `paperless.company` is the FQDN of the Paperless-ngx installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik Configuration
 

website/integrations/services/powerdns-admin/index.md

@@ -17,8 +17,8 @@ sidebar_label: PowerDNS-Admin
 
 The following placeholders are used in this guide:
 
-- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install.
-- `authentik.company` is the FQDN of the authentik install.
+- `pdns-admin.company` is the FQDN of the PowerDNS-Admin installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create a SAML provider with the following parameters:
 

website/integrations/services/proftpd/index.md

@@ -19,7 +19,7 @@ This integration leverages authentik's LDAP for the identity provider to achieve
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik Configuration
 

website/integrations/services/proxmox-ve/index.md

@@ -22,7 +22,7 @@ Requires Proxmox VE 7.0 or newer.
 The following placeholders are used in this guide:
 
 - `proxmox.company` is the FQDN of the Proxmox VE server.
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/rancher/index.md

@@ -18,8 +18,8 @@ sidebar_label: Rancher
 
 The following placeholders are used in this guide:
 
-- `rancher.company` is the FQDN of the Rancher install.
-- `authentik.company` is the FQDN of the authentik install.
+- `rancher.company` is the FQDN of the Rancher installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Under _Customization_ -> _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
 

website/integrations/services/roundcube/index.md

@@ -21,7 +21,7 @@ The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP s
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping
 in the provider settings instead of the default oauth mapping.

website/integrations/services/semaphore/index.mdx

@@ -19,8 +19,8 @@ sidebar_label: Semaphore
 
 The following placeholders are used in this guide:
 
-- `semaphore.company` is the FQDN of the Semaphore install.
-- `authentik.company` is the FQDN of the authentik install.
+- `semaphore.company` is the FQDN of the Semaphore installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## authentik configuration
 

website/integrations/services/semgrep/index.md

@@ -17,7 +17,7 @@ sidebar_label: Semgrep
 
 The following placeholders are used in this guide:
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 - `devcompany` is the organization name on Semgrep Cloud platform.
 
 ## authentik configuration

website/integrations/services/sentry/index.md

@@ -18,8 +18,8 @@ sidebar_label: Sentry
 
 The following placeholders are used in this guide:
 
-- `sentry.company` is the FQDN of the Sentry install.
-- `authentik.company` is the FQDN of the authentik install.
+- `sentry.company` is the FQDN of the Sentry installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create an application in authentik. Create a SAML Provider with the following values
 

website/integrations/services/skyhigh/index.md

@@ -22,7 +22,7 @@ Skyhigh has multiple points for SAML integration:
 
 The following placeholder will be used throughout this document.
 
-- `authentik.company` is the FQDN of the authentik install.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Integration for Dashboard Administrator login
 

website/integrations/services/slack/index.md

@@ -16,7 +16,7 @@ sidebar_label: Slack
 The following placeholder will be used:
 
 - You can use <kbd>slack.<em>company</em>></kbd> or <kbd><em>my-workspace</em>.slack.com</kbd> as the FQDN of your Slack instance.
-- You can use <kbd>authentik.company</kbd> as the FQDN of the authentik install.
+- You can use <kbd>authentik.company</kbd> as the FQDN of the authentik installation.
 
 For additional information about integrating with Slack, refer to their [documentation](https://slack.com/help/articles/205168057-Custom-SAML-single-sign-on).
 

website/integrations/services/snipe-it/index.md

@@ -26,8 +26,8 @@ built-in authentication.
 
 The following placeholders are used in this guide:
 
-- `inventory.company` is the FQDN of the snipe-it install.
-- `authentik.company` is the FQDN of the authentik install.
+- `inventory.company` is the FQDN of the snipe-it installation.
+- `authentik.company` is the FQDN of the authentik installation.
 - `snipeit-user` is the name of the authentik service account we will create.
 - `DC=ldap,DC=authentik,DC=io` is the Base DN of the LDAP Provider (default)
 

website/integrations/services/sonar-qube/index.md

@@ -17,8 +17,8 @@ sidebar_label: SonarQube
 
 The following placeholders are used in this guide:
 
-- `sonarqube.company` is the FQDN of the sonarqube install.
-- `authentik.company` is the FQDN of the authentik install.
+- `sonarqube.company` is the FQDN of the sonarqube installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 ## Terraform provider
 

website/integrations/services/sonarr/index.md

@@ -21,8 +21,8 @@ These instructions apply to all projects in the \*arr Family. If you use multipl
 
 The following placeholders are used in this guide:
 
-- `sonarr.company` is the FQDN of the Sonarr install.
-- `authentik.company` is the FQDN of the authentik install.
+- `sonarr.company` is the FQDN of the Sonarr installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 Create a Proxy Provider with the following values