ci: setup action: remove unused dependencies on poetry install (cherry-pick #12365 ) (#12371 )

ci: setup action: remove unused dependencies on poetry install (#12365) Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
root: fix ssl settings for read replicas not being applied (cherry-pick #12341 ) (#12345 )
2024-12-18 00:53:16 +01:00 · 2024-12-12 18:58:14 +01:00 · 2024-12-10 17:48:12 +01:00 · 2024-12-10 17:47:19 +01:00 · 2024-12-10 17:45:48 +01:00 · 2024-12-10 17:12:52 +01:00
800 changed files with 39959 additions and 84235 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.2
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final
@ -30,5 +30,3 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
 [bumpversion:file:website/docs/install-config/install/aws/template.yaml]
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -11,9 +11,9 @@ inputs:
    description: "Docker image arch"
 outputs:
-  shouldPush:
+  shouldBuild:
-    description: "Whether to push the image or not"
+    description: "Whether to build image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+    value: ${{ steps.ev.outputs.shouldBuild }}
  sha:
    description: "sha"
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -7,14 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
-# Decide if we should push the image or not
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
    should_push = False
 if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
    # Don't push on the internal repo
    should_push = False
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@ -71,7 +64,7 @@ def get_attest_image_names(image_with_tags: list[str]):
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -7,7 +7,6 @@ on:
  workflow_dispatch:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -1,46 +0,0 @@
 name: authentik-ci-aws-cfn
 on:
  push:
    branches:
      - main
      - next
      - version-*
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: |
          npm ci
      - name: Check changes have been applied
        run: |
          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
    needs:
      - check-changes-applied
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -116,7 +116,7 @@ jobs:
          poetry run make test
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
@ -134,13 +134,13 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@v1.10.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
@ -198,7 +198,7 @@ jobs:
          poetry run coverage run manage.py test ${{ matrix.job.glob }}
          poetry run coverage xml
      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
@ -209,7 +209,6 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
    if: always()
    needs:
      - lint
      - test-migrations
@ -219,9 +218,7 @@ jobs:
      - test-e2e
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build:
    strategy:
      fail-fast: false
@ -243,7 +240,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -255,7 +252,7 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-server
          image-arch: ${{ matrix.arch }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@ -272,15 +269,15 @@ jobs:
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
@ -306,7 +303,7 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/dev-server
      - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: ./.github/actions/comment-pr-instructions
        with:
          tag: ${{ steps.ev.outputs.imageMainTag }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -49,15 +49,12 @@ jobs:
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
    if: always()
    needs:
      - lint-golint
      - test-unittest
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
    timeout-minutes: 120
    needs:
@ -82,7 +79,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -93,7 +90,7 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@ -107,16 +104,16 @@ jobs:
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -61,15 +61,12 @@ jobs:
        working-directory: web/
        run: npm run build
  ci-web-mark:
    if: always()
    needs:
      - build
      - lint
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
  test:
    needs:
      - ci-web-mark
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -62,13 +62,10 @@ jobs:
        working-directory: website/
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    if: always()
    needs:
      - lint
      - test
      - build
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - run: echo mark
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -11,7 +11,6 @@ env:
 jobs:
  build:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -7,7 +7,6 @@ on:
 jobs:
  clean-ghcr:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -12,7 +12,6 @@ env:
 jobs:
  publish-source-docs:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -11,7 +11,6 @@ permissions:
 jobs:
  update-next:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -17,7 +17,7 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -55,7 +55,7 @@ jobs:
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@ -83,7 +83,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -119,7 +119,7 @@ jobs:
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@ -169,27 +169,6 @@ jobs:
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
    permissions:
      # Needed for AWS login
      id-token: write
      contents: read
    needs:
      - build-server
      - build-outpost
    env:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@ -1,21 +0,0 @@
 name: "authentik-repo-mirror"
 on: [push, delete]
 jobs:
  to_internal:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
        uses: pixta-dev/repository-mirroring-action@v1
        with:
          target_repo_url:
            git@github.com:goauthentik/authentik-internal.git
          ssh_private_key:
            ${{ secrets.GH_MIRROR_KEY }}
        env:
          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -11,7 +11,6 @@ permissions:
 jobs:
  stale:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -33,8 +33,7 @@
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar",
+        "!Value scalar"
        "!AtIndex scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/10
+++ b/10
@ -19,18 +19,10 @@ Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
 # Locale
 locale/                         @goauthentik/backend @goauthentik/frontend
 web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
 CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security
 website/docs/security/          @goauthentik/security @goauthentik/docs
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md
--- a/2
+++ b/2
@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
--- a/5
+++ b/5
@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 GEN_API_TS = "gen-ts-api"
@ -252,9 +252,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 aws-cfn:
 	cd website && npm run aws-cfn
 #########################
 ## Docker
 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 ## Independent audits and pentests
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 ## What authentik classifies as a CVE
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
 | 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.12.2"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
@ -16,5 +16,5 @@ def get_full_version() -> str:
    """Get full version, with build hash appended"""
    version = __version__
    if (build_hash := get_build_hash()) != "":
-        return f"{version}+{build_hash}"
+        version += "." + build_hash
    return version
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -7,9 +7,7 @@ from sys import version as python_version
 from typing import TypedDict
 from cryptography.hazmat.backends.openssl.backend import backend
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
@ -54,16 +52,10 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
-            actual_value = value
+            headers[key] = value
            if raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
            headers[key] = actual_value
        return headers
    def get_http_host(self, request: Request) -> str:
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,16 +1,12 @@
 """authentik administration overview"""
 from socket import gethostname
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from packaging.version import parse
+from rest_framework.fields import IntegerField
 from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
@ -20,38 +16,11 @@ class WorkerView(APIView):
    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
-    @extend_schema(
+    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
        responses=inline_serializer(
            "Worker",
            fields={
                "worker_id": CharField(),
                "version": CharField(),
                "version_matching": BooleanField(),
            },
            many=True,
        )
    )
    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
-        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+        count = len(CELERY_APP.control.ping(timeout=0.5))
        our_version = parse(get_full_version())
        response = []
        for worker in raw:
            key = list(worker.keys())[0]
            version = worker[key].get("version")
            version_matching = False
            if version:
                version_matching = parse(version) == our_version
            response.append(
                {"worker_id": key, "version": version, "version_matching": version_matching}
            )
        # In debug we run with `task_always_eager`, so tasks are ran on the main process
        if settings.DEBUG:  # pragma: no cover
-            response.append(
+            count += 1
-                {
+        return Response({"count": count})
                    "worker_id": f"authentik-debug@{gethostname()}",
                    "version": get_full_version(),
                    "version_matching": True,
                }
            )
        return Response(response)
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -1,10 +1,11 @@
 """authentik admin app config"""
-from prometheus_client import Info
+from prometheus_client import Gauge, Info
 from authentik.blueprints.apps import ManagedAppConfig
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 class AuthentikAdminConfig(ManagedAppConfig):
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -1,35 +1,14 @@
 """admin signals"""
 from django.dispatch import receiver
 from packaging.version import parse
 from prometheus_client import Gauge
-from authentik import get_full_version
+from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 GAUGE_WORKERS = Gauge(
    "authentik_admin_workers",
    "Currently connected workers, their versions and if they are the same version as authentik",
    ["version", "version_matched"],
 )
 _version = parse(get_full_version())
@receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
-    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+    count = len(CELERY_APP.control.ping(timeout=0.5))
-    worker_version_count = {}
+    GAUGE_WORKERS.set(count)
    for worker in raw:
        key = list(worker.keys())[0]
        version = worker[key].get("version")
        version_matching = False
        if version:
            version_matching = parse(version) == _version
        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
        worker_version_count[version]["count"] += 1
    for version, stats in worker_version_count.items():
        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(len(body), 0)
+        self.assertEqual(body["count"], 0)
    def test_metrics(self):
        """Test metrics API"""
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -0,0 +1,67 @@
 """API Authorization"""
 from django.conf import settings
 from django.db.models import Model
 from django.db.models.query import QuerySet
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 from authentik.api.authentication import validate_auth
 from authentik.rbac.filters import ObjectFilter
 class OwnerFilter(BaseFilterBackend):
    """Filter objects by their owner"""
    owner_key = "user"
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        if request.user.is_superuser:
            return queryset
        return queryset.filter(**{self.owner_key: request.user})
 class SecretKeyFilter(DjangoFilterBackend):
    """Allow access to all objects when authenticated with secret key as token.
    Replaces both DjangoFilterBackend and ObjectFilter"""
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        auth_header = get_authorization_header(request)
        token = validate_auth(auth_header)
        if token and token == settings.SECRET_KEY:
            return queryset
        queryset = ObjectFilter().filter_queryset(request, queryset, view)
        return super().filter_queryset(request, queryset, view)
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""
    owner_key = "user"
    def has_permission(self, request: Request, view) -> bool:
        """If the user is authenticated, we allow all requests here. For listing, the
        object-level permissions are done by the filter backend"""
        return request.user.is_authenticated
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        """Check if the object's owner matches the currently logged in user"""
        if not hasattr(obj, self.owner_key):
            return False
        owner = getattr(obj, self.owner_key)
        if owner != request.user:
            return False
        return True
 class OwnerSuperuserPermissions(OwnerPermissions):
    """Similar to OwnerPermissions, except always allow access for superusers"""
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        if request.user.is_superuser:
            return True
        return super().has_object_permission(request, view, obj)
--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@ -1,68 +0,0 @@
 """Test and debug Blueprints"""
 import atexit
 import readline
 from pathlib import Path
 from pprint import pformat
 from sys import exit as sysexit
 from textwrap import indent
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 from yaml import load
 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
 from authentik.core.management.commands.shell import get_banner_text
 from authentik.lib.utils.errors import exception_to_string
 LOGGER = get_logger()
 class Command(BaseCommand):
    """Test and debug Blueprints"""
    lines = []
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
        histfolder.mkdir(parents=True, exist_ok=True)
        histfile = histfolder / Path("blueprint_shell_history")
        readline.parse_and_bind("tab: complete")
        readline.parse_and_bind("set editing-mode vi")
        try:
            readline.read_history_file(str(histfile))
        except FileNotFoundError:
            pass
        atexit.register(readline.write_history_file, str(histfile))
    @no_translations
    def handle(self, *args, **options):
        """Interactively debug blueprint files"""
        self.stdout.write(get_banner_text("Blueprint shell"))
        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
        def do_eval():
            yaml_input = "\n".join([line for line in self.lines if line])
            data = load(yaml_input, BlueprintLoader)
            self.stdout.write(pformat(data))
            self.lines = []
        while True:
            try:
                line = input("> ")
                if line == ".eval":
                    do_eval()
                else:
                    self.lines.append(line)
            except EntryInvalidError as exc:
                self.stdout.write("Failed to evaluate expression:")
                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
            except EOFError:
                break
            except KeyboardInterrupt:
                self.stdout.write()
                sysexit(0)
        self.stdout.write()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -126,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@ -143,11 +143,6 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
        # Meta models don't require identifiers, as there's no matching database model to find
        if issubclass(model, BaseMetaModel):
            del template["properties"]["identifiers"]
            template["required"].remove("identifiers")
        return template
    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -146,10 +146,6 @@ entries:
                  ]
              ]
              nested_context: !Context context2
              at_index_sequence: !AtIndex [!Context sequence, 0]
              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
              at_index_mapping: !AtIndex [!Context mapping, "key2"]
              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -215,10 +215,6 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
                    "at_index_sequence": "foo",
                    "at_index_sequence_default": "non existent",
                    "at_index_mapping": 2,
                    "at_index_mapping_default": "non existent",
                }
            ).exists()
        )
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -24,10 +24,6 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 class UNSET:
    """Used to test whether a key has not been set."""
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
    """Get object's attributes via their serializer, and convert it to a normal dict"""
    serializer: Serializer = obj.serializer(obj)
@ -202,9 +198,6 @@ class Blueprint:
 class YAMLTag:
    """Base class for all YAML Tags"""
    def __repr__(self) -> str:
        return str(self.resolve(BlueprintEntry(""), Blueprint()))
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        """Implement yaml tag logic"""
        raise NotImplementedError
@ -563,53 +556,6 @@ class Value(EnumeratedItem):
            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 class AtIndex(YAMLTag):
    """Get value at index of a sequence or mapping"""
    obj: YAMLTag | dict | list | tuple
    attribute: int | str | YAMLTag
    default: Any | UNSET
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.obj = loader.construct_object(node.value[0])
        self.attribute = loader.construct_object(node.value[1])
        if len(node.value) == 2:  # noqa: PLR2004
            self.default = UNSET
        else:
            self.default = loader.construct_object(node.value[2])
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.obj, YAMLTag):
            obj = self.obj.resolve(entry, blueprint)
        else:
            obj = self.obj
        if isinstance(self.attribute, YAMLTag):
            attribute = self.attribute.resolve(entry, blueprint)
        else:
            attribute = self.attribute
        if isinstance(obj, list | tuple):
            try:
                return obj[attribute]
            except TypeError as exc:
                raise EntryInvalidError.from_entry(
                    f"Invalid index for list: {attribute}", entry
                ) from exc
            except IndexError as exc:
                if self.default is UNSET:
                    raise EntryInvalidError.from_entry(
                        f"Index out of range: {attribute}", entry
                    ) from exc
                return self.default
        if attribute in obj:
            return obj[attribute]
        else:
            if self.default is UNSET:
                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
            return self.default
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""
@ -660,7 +606,6 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
        self.add_constructor("!AtIndex", AtIndex)
 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -65,12 +65,7 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
    AccessToken,
    AuthorizationCode,
    DeviceToken,
    RefreshToken,
 )
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@ -130,7 +125,6 @@ def excluded_models() -> list[type[Model]]:
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
        DeviceToken,
    )
@ -299,11 +293,7 @@ class Importer:
        serializer_kwargs = {}
        model_instance = existing_models.first()
-        if (
+        if not isinstance(model(), BaseMetaModel) and model_instance:
            not isinstance(model(), BaseMetaModel)
            and model_instance
            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
        ):
            self.logger.debug(
                "Initialise serializer with instance",
                model=model,
@ -313,12 +303,11 @@ class Importer:
            serializer_kwargs["instance"] = model_instance
            serializer_kwargs["partial"] = True
        elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
            msg = (
                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
                "and object exists already",
            )
            raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
                    "and object exists already",
                ),
                entry,
            )
        else:
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -159,7 +159,7 @@ def blueprints_discovery(self: SystemTask, path: str | None = None):
        check_blueprint_v1_file(blueprint)
        count += 1
    self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
    )
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -14,10 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.utils import get_current_tenant
@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
    matched_domain = CharField(source="domain")
    branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
+    branding_logo = CharField()
-    branding_favicon = CharField(source="branding_favicon_url")
+    branding_favicon = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -25,7 +25,5 @@ class BrandMiddleware:
            locale = brand.default_locale
            if locale != "":
                locale_to_set = locale
-        if locale_to_set:
+        with override(locale_to_set):
-            with override(locale_to_set):
+            return self.get_response(request)
                return self.get_response(request)
        return self.get_response(request)
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
@ -72,18 +71,6 @@ class Brand(SerializerModel):
    )
    attributes = models.JSONField(default=dict, blank=True)
    def branding_logo_url(self) -> str:
        """Get branding_logo with the correct prefix"""
        if self.branding_logo.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
        return self.branding_logo
    def branding_favicon_url(self) -> str:
        """Get branding_favicon with the correct prefix"""
        if self.branding_favicon.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@ -1,58 +0,0 @@
 """Application Roles API Viewset"""
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import (
    Application,
    ApplicationEntitlement,
 )
 class ApplicationEntitlementSerializer(ModelSerializer):
    """ApplicationEntitlement Serializer"""
    def validate_app(self, app: Application) -> Application:
        """Ensure user has permission to view"""
        request: HttpRequest = self.context.get("request")
        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            return app
        user = request.user
        if user.has_perm("view_application", app) or user.has_perm(
            "authentik_core.view_application"
        ):
            return app
        raise ValidationError(_("User does not have access to application."), code="invalid")
    class Meta:
        model = ApplicationEntitlement
        fields = [
            "pbm_uuid",
            "name",
            "app",
            "attributes",
        ]
 class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
    """ApplicationEntitlement Viewset"""
    queryset = ApplicationEntitlement.objects.all()
    serializer_class = ApplicationEntitlementSerializer
    search_fields = [
        "pbm_uuid",
        "name",
        "app",
        "attributes",
    ]
    filterset_fields = [
        "pbm_uuid",
        "name",
        "app",
    ]
    ordering = ["name"]
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -209,7 +209,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    @extend_schema(
        parameters=[
            OpenApiParameter(
-                name="list_rbac",
+                name="superuser_full_list",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.BOOL,
            ),
@ -229,8 +229,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Custom list method that checks Policy based access instead of guardian"""
        should_cache = request.query_params.get("search", "") == ""
-        list_rbac = str(request.query_params.get("list_rbac", "false")).lower() == "true"
+        superuser_full_list = (
-        if list_rbac:
+            str(request.query_params.get("superuser_full_list", "false")).lower() == "true"
        )
        if superuser_full_list and request.user.is_superuser:
            return super().list(request)
        only_with_launch_url = str(
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -2,12 +2,16 @@
 from typing import TypedDict
 from django_filters.rest_framework import DjangoFilterBackend
 from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
@ -106,4 +110,11 @@ class AuthenticatedSessionViewSet(
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
-    owner_field = "user"
+    permission_classes = [OwnerSuperuserPermissions]
    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
        if user.is_superuser:
            return super().get_queryset()
        return super().get_queryset().filter(user=user.pk)
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -2,16 +2,19 @@
 from collections.abc import Iterable
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@ -156,9 +159,9 @@ class SourceViewSet(
 class UserSourceConnectionSerializer(SourceSerializer):
-    """User source connection"""
+    """OAuth Source Serializer"""
-    source_obj = SourceSerializer(read_only=True, source="source")
+    source = SourceSerializer(read_only=True)
    class Meta:
        model = UserSourceConnection
@ -166,10 +169,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "pk",
            "user",
            "source",
            "source_obj",
            "created",
        ]
        extra_kwargs = {
            "user": {"read_only": True},
            "created": {"read_only": True},
        }
@ -186,16 +189,17 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["user", "source__slug"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection"""
+    """Group Source Connection Serializer"""
-    source_obj = SourceSerializer(read_only=True)
+    source = SourceSerializer(read_only=True)
    class Meta:
        model = GroupSourceConnection
@ -203,11 +207,12 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "pk",
            "group",
            "source",
            "source_obj",
            "identifier",
            "created",
        ]
        extra_kwargs = {
            "group": {"read_only": True},
            "identifier": {"read_only": True},
            "created": {"read_only": True},
        }
@ -224,7 +229,8 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["group", "source__slug"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -3,15 +3,18 @@
 from typing import Any
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
-from guardian.shortcuts import assign_perm
+from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@ -135,11 +138,16 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        "managed",
    ]
    ordering = ["identifier", "expires"]
-    owner_field = "user"
+    permission_classes = [OwnerSuperuserPermissions]
-    rbac_allow_create_without_perm = True
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
        if user.is_superuser:
            return super().get_queryset()
        return super().get_queryset().filter(user=user.pk)
    def perform_create(self, serializer: TokenSerializer):
        # TODO: better permission check
        if not self.request.user.is_superuser:
            instance = serializer.save(
                user=self.request.user,
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 from django.apps import apps
 from django.db.models import Model
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -22,9 +20,8 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Application, Provider
+from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 def get_provider_serializer_mapping():
@ -48,20 +45,6 @@ class TransactionProviderField(DictField):
    """Dictionary field which can hold provider creation data"""
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""
    def validate(self, attrs):
        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
        # but we don't have a target here as that's set by the blueprint, pass in an empty app
        # which will have the correct allowed combination of group/user/policy.
        attrs["target"] = Application()
        return super().validate(attrs)
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
 class TransactionApplicationSerializer(PassiveSerializer):
    """Serializer for creating a provider and an application in one transaction"""
@ -69,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
    provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
    provider = TransactionProviderField()
    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
    _provider_model: type[Provider] = None
    def validate_provider_model(self, fq_model_name: str) -> str:
@ -115,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                id="app",
            )
        )
        for binding in attrs.get("policy_bindings", []):
            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
            for key, value in binding.items():
                if not isinstance(value, Model):
                    continue
                binding[key] = value.pk
            blueprint.entries.append(
                BlueprintEntry(
                    model="authentik_policies.policybinding",
                    state=BlueprintEntryDesiredState.MUST_CREATED,
                    identifiers=binding,
                )
            )
        importer = Importer(blueprint, {})
        try:
            valid, _ = importer.validate(raise_validation_errors=True)
@ -152,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
    """Create provider and application and attach them in a single transaction"""
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
    permission_classes = [IsAdminUser]
    @extend_schema(
        request=TransactionApplicationSerializer(),
@ -164,23 +133,8 @@ class TransactionalApplicationView(APIView):
        """Convert data into a blueprint, validate it and apply it"""
        data = TransactionApplicationSerializer(data=request.data)
        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
+
-        for entry in blueprint.entries:
+        importer = Importer(data.validated_data, {})
            full_model = entry.get_model(blueprint)
            app, __, model = full_model.partition(".")
            if not request.user.has_perm(f"{app}.add_{model}"):
                raise PermissionDenied(
                    {
                        entry.id: _(
                            "User lacks permission to create {model}".format_map(
                                {
                                    "model": full_model,
                                }
                            )
                        )
                    }
                )
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
        response["applied"] = applied
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -585,7 +585,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        """Set password for user"""
        user: User = self.get_object()
        try:
-            user.set_password(request.data.get("password"), request=request)
+            user.set_password(request.data.get("password"))
            user.save()
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.impersonate")
    @extend_schema(
-        request=inline_serializer(
+        request=OpenApiTypes.NONE,
            "ImpersonationSerializer",
            {
                "reason": CharField(required=True),
            },
        ),
        responses={
            "204": OpenApiResponse(description="Successfully started impersonation"),
            "401": OpenApiResponse(description="Access denied"),
@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
        reason = request.data.get("reason", "")
        # Check both object-level perms and global perms
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
        if not reason and request.tenant.impersonation_require_reason:
            LOGGER.debug(
                "User attempted to impersonate without providing a reason", user=request.user
            )
            return Response(status=401)
        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
        return Response(status=201)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -44,12 +44,13 @@ class TokenBackend(InbuiltBackend):
        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
    ) -> User | None:
        try:
            user = User._default_manager.get_by_natural_key(username)
        except User.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password, request=request)
+            User().set_password(password)
            return None
        tokens = Token.filter_not_expired(
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -58,7 +58,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
            self._context["user"] = user
        if request:
            req.http_request = request
            self._context["http_request"] = request
        req.context.update(**kwargs)
        self._context["request"] = req
        self._context.update(**kwargs)
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -17,9 +17,7 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
-
+BANNER_TEXT = f"""### authentik shell ({get_full_version()})
 def get_banner_text(shell_type="shell") -> str:
    return f"""### authentik {shell_type} ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """
@ -116,4 +114,4 @@ class Command(BaseCommand):
            readline.parse_and_bind("tab: complete")
        # Run interactive shell
-        code.interact(banner=get_banner_text(), local=namespace)
+        code.interact(banner=BANNER_TEXT, local=namespace)
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -42,10 +42,8 @@ class ImpersonateMiddleware:
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
-        if locale_to_set:
+        with override(locale_to_set):
-            with override(locale_to_set):
+            return self.get_response(request)
                return self.get_response(request)
        return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/migrations/0041_applicationentitlement.py
+++ b/authentik/core/migrations/0041_applicationentitlement.py
@ -1,45 +0,0 @@
 # Generated by Django 5.0.9 on 2024-11-20 15:16
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0040_provider_invalidation_flow"),
        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
    ]
    operations = [
        migrations.CreateModel(
            name="ApplicationEntitlement",
            fields=[
                (
                    "policybindingmodel_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_policies.policybindingmodel",
                    ),
                ),
                ("attributes", models.JSONField(blank=True, default=dict)),
                ("name", models.TextField()),
                (
                    "app",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
                    ),
                ),
            ],
            options={
                "verbose_name": "Application Entitlement",
                "verbose_name_plural": "Application Entitlements",
                "unique_together": {("app", "name")},
            },
            bases=("authentik_policies.policybindingmodel", models.Model),
        ),
    ]
--- a/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
+++ b/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
@ -1,45 +0,0 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0041_applicationentitlement"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["expires"], name="authentik_c_expires_08251d_idx"),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_9cd839_idx"),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_195a84_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["session_key"], name="authentik_c_session_d0f005_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(fields=["expires"], name="authentik_c_expires_a62b4b_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_a1b838_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_ba04d9_idx"
            ),
        ),
    ]
--- a/authentik/core/migrations/0043_alter_user_options.py
+++ b/authentik/core/migrations/0043_alter_user_options.py
@ -1,57 +0,0 @@
 # Generated by Django 5.0.10 on 2025-01-08 17:39
 from django.db import migrations
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_user_debug_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from django.apps import apps as real_apps
    from django.contrib.auth.management import create_permissions
    db_alias = schema_editor.connection.alias
    User = apps.get_model("authentik_core", "User")
    USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
    # Permissions are only created _after_ migrations are run
    # - https://github.com/django/django/blob/43cdfa8b20e567a801b7d0a09ec67ddd062d5ea4/django/contrib/auth/apps.py#L19
    # - https://stackoverflow.com/a/72029063/1870445
    create_permissions(real_apps.get_app_config("authentik_core"), using=db_alias)
    Permission = apps.get_model("auth", "Permission")
    new_prem = Permission.objects.using(db_alias).get(codename="user_view_debug")
    db_alias = schema_editor.connection.alias
    for user in User.objects.using(db_alias).filter(
        **{f"attributes__{USER_ATTRIBUTE_DEBUG}": True}
    ):
        user.permissions.add(new_prem)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
    ]
    operations = [
        migrations.AlterModelOptions(
            name="user",
            options={
                "permissions": [
                    ("reset_user_password", "Reset Password"),
                    ("impersonate", "Can impersonate other users"),
                    ("assign_user_permissions", "Can assign permissions to users"),
                    ("unassign_user_permissions", "Can unassign permissions from users"),
                    ("preview_user", "Can preview user data sent to providers"),
                    ("view_user_applications", "View applications the user has access to"),
                    ("user_view_debug", "User receives additional details for error messages"),
                ],
                "verbose_name": "User",
                "verbose_name_plural": "Users",
            },
        ),
        migrations.RunPython(migrate_user_debug_attribute),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -41,6 +41,7 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
 USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
 USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
@ -281,7 +282,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
            ("unassign_user_permissions", _("Can unassign permissions from users")),
            ("preview_user", _("Can preview user data sent to providers")),
            ("view_user_applications", _("View applications the user has access to")),
            ("user_view_debug", _("User receives additional details for error messages")),
        ]
        indexes = [
            models.Index(fields=["last_login"]),
@ -314,32 +314,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes
    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
        """Get all entitlements this user has for `app`."""
        if not app:
            return []
        all_groups = self.all_groups()
        qs = app.applicationentitlement_set.filter(
            Q(
                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
                bindings__negate=False,
            )
            | Q(
                Q(~Q(bindings__user=self), bindings__user__isnull=False)
                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
                bindings__negate=True,
            ),
            bindings__enabled=True,
        ).order_by("name")
        return qs
    def app_entitlements_attributes(self, app: "Application | None") -> dict:
        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
        final_attributes = {}
        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
            always_merger.merge(final_attributes, attrs)
        return final_attributes
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.users import UserSerializer
@ -356,13 +330,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore
-    def set_password(self, raw_password, signal=True, sender=None, request=None):
+    def set_password(self, raw_password, signal=True, sender=None):
        if self.pk and signal:
            from authentik.core.signals import password_changed
            if not sender:
                sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
+            password_changed.send(sender=sender, user=self, password=raw_password)
        self.password_change_date = now()
        return super().set_password(raw_password)
@ -607,31 +581,6 @@ class Application(SerializerModel, PolicyBindingModel):
        verbose_name_plural = _("Applications")
 class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
    """Application-scoped entitlement to control authorization in an application"""
    name = models.TextField()
    app = models.ForeignKey(Application, on_delete=models.CASCADE)
    class Meta:
        verbose_name = _("Application Entitlement")
        verbose_name_plural = _("Application Entitlements")
        unique_together = (("app", "name"),)
    def __str__(self):
        return f"Application Entitlement {self.name} for app {self.app_id}"
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
        return ApplicationEntitlementSerializer
    def supported_policy_binding_targets(self):
        return ["group", "user"]
 class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""
@ -846,11 +795,6 @@ class ExpiringModel(models.Model):
    class Meta:
        abstract = True
        indexes = [
            models.Index(fields=["expires"]),
            models.Index(fields=["expiring"]),
            models.Index(fields=["expiring", "expires"]),
        ]
    def expire_action(self, *args, **kwargs):
        """Handler which is called when this object is expired. By
@ -906,7 +850,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
    class Meta:
        verbose_name = _("Token")
        verbose_name_plural = _("Tokens")
-        indexes = ExpiringModel.Meta.indexes + [
+        indexes = [
            models.Index(fields=["identifier"]),
            models.Index(fields=["key"]),
        ]
@ -1006,9 +950,6 @@ class AuthenticatedSession(ExpiringModel):
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["session_key"]),
        ]
    def __str__(self) -> str:
        return f"Authenticated Session {self.session_key[:10]}"
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -238,7 +238,13 @@ class SourceFlowManager:
                self.request.GET,
                flow_slug=flow_slug,
            )
-        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
+        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        if PLAN_CONTEXT_REDIRECT not in flow_context:
            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
        if not flow:
            return bad_request_message(
@ -259,7 +265,12 @@ class SourceFlowManager:
        if stages:
            for stage in stages:
                plan.append_stage(stage)
-        return plan.to_redirect(self.request, flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=flow.slug,
        )
    def handle_auth(
        self,
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -9,9 +9,6 @@
        versionFamily: "{{ version_family }}",
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
        {% for message in messages %}
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -9,8 +9,8 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head_before %}
-<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
+<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
+    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@ -50,7 +50,7 @@
    <div class="ak-login-container">
        <main class="pf-c-login__main">
            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
            </div>
            <header class="pf-c-login__main-header">
                <h1 class="pf-c-title pf-m-3xl">
--- a/authentik/core/tests/test_application_entitlements.py
+++ b/authentik/core/tests/test_application_entitlements.py
@ -1,153 +0,0 @@
 """Test Application Entitlements API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 from authentik.core.models import Application, ApplicationEntitlement, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 class TestApplicationEntitlements(APITestCase):
    """Test application entitlements"""
    def setUp(self) -> None:
        self.user = create_test_user()
        self.other_user = create_test_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
        )
        self.app: Application = Application.objects.create(
            name=generate_id(),
            slug=generate_id(),
            provider=self.provider,
        )
    def test_user(self):
        """Test user-direct assignment"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_group(self):
        """Test direct group"""
        group = Group.objects.create(name=generate_id())
        self.user.ak_groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=group, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_group_indirect(self):
        """Test indirect group"""
        parent = Group.objects.create(name=generate_id())
        group = Group.objects.create(name=generate_id(), parent=parent)
        self.user.ak_groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=parent, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_negate_user(self):
        """Test with negate flag"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_negate_group(self):
        """Test with negate flag"""
        other_group = Group.objects.create(name=generate_id())
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_api_perms_global(self):
        """Test API creation with global permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        assign_perm("authentik_core.view_application", self.user)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 201)
    def test_api_perms_scoped(self):
        """Test API creation with scoped permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        assign_perm("authentik_core.view_application", self.user, self.app)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 201)
    def test_api_perms_missing(self):
        """Test API creation with no permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
    def test_api_bindings_policy(self):
        """Test that API doesn't allow policies to be bound to this"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        policy = DummyPolicy.objects.create(name=generate_id())
        admin = create_test_admin_user()
        self.client.force_login(admin)
        response = self.client.post(
            reverse("authentik_api:policybinding-list"),
            data={
                "target": ent.pbm_uuid,
                "policy": policy.pk,
                "order": 0,
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"non_field_errors": ["One of 'group', 'user' must be set."]},
        )
    def test_api_bindings_group(self):
        """Test that API doesn't allow policies to be bound to this"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        group = Group.objects.create(name=generate_id())
        admin = create_test_admin_user()
        self.client.force_login(admin)
        response = self.client.post(
            reverse("authentik_api:policybinding-list"),
            data={
                "target": ent.pbm_uuid,
                "group": group.pk,
                "order": 0,
            },
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        response = self.client.get(reverse("authentik_api:user-me"))
@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
-            ),
+            )
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 201)
@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.other_user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 403)
@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
        self.client.force_login(self.user)
        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
            data={"reason": "some reason"},
        )
        self.assertEqual(response.status_code, 401)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.user.username)
    def test_impersonate_reason_required(self):
        """test impersonation that user must provide reason"""
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
            data={"reason": ""},
        )
        self.assertEqual(response.status_code, 401)
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -1,13 +1,11 @@
 """Test Transactional API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
-from authentik.core.models import Application, Group
+from authentik.core.models import Application
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
    """Test Transactional API"""
    def setUp(self) -> None:
-        self.user = create_test_user()
+        self.user = create_test_admin_user()
        assign_perm("authentik_core.add_application", self.user)
        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
    def test_create_transactional(self):
        """Test transactional Application + provider creation"""
@ -46,66 +42,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
    def test_create_transactional_permission_denied(self):
        """Test transactional Application + provider creation (missing permissions)"""
        self.client.force_login(self.user)
        uid = generate_id()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_saml.samlprovider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "acs_url": "https://goauthentik.io",
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
        )
    def test_create_transactional_bindings(self):
        """Test transactional Application + provider creation"""
        assign_perm("authentik_policies.add_policybinding", self.user)
        self.client.force_login(self.user)
        uid = generate_id()
        group = Group.objects.create(name=generate_id())
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(authorization_flow.pk),
                    "invalidation_flow": str(authorization_flow.pk),
                    "redirect_uris": [],
                },
                "policy_bindings": [{"group": group.pk, "order": 0}],
            },
        )
        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
        provider = OAuth2Provider.objects.filter(name=uid).first()
        self.assertIsNotNone(provider)
        app = Application.objects.filter(slug=uid).first()
        self.assertIsNotNone(app)
        self.assertEqual(app.provider.pk, provider.pk)
        binding = PolicyBinding.objects.filter(target=app).first()
        self.assertIsNotNone(binding)
        self.assertEqual(binding.target, app)
        self.assertEqual(binding.group, group)
    def test_create_transactional_invalid(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
@ -135,32 +71,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                }
            },
        )
    def test_create_transactional_duplicate_name_provider(self):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        OAuth2Provider.objects.create(
            name=uid,
            authorization_flow=create_test_flow(),
            invalidation_flow=create_test_flow(),
        )
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
                "app": {
                    "name": uid,
                    "slug": uid,
                },
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
                    "authorization_flow": str(create_test_flow().pk),
                    "invalidation_flow": str(create_test_flow().pk),
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"provider": {"name": ["State is set to must_created and object exists already"]}},
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@ -70,7 +69,6 @@ urlpatterns = [
 api_urlpatterns = [
    ("core/authenticated_sessions", AuthenticatedSessionViewSet),
    ("core/applications", ApplicationViewSet),
    ("core/application_entitlements", ApplicationEntitlementViewSet),
    path(
        "core/transactional/applications/",
        TransactionalApplicationView.as_view(),
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -17,8 +17,10 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
    SESSION_KEY_APPLICATION_PRE,
    SESSION_KEY_PLAN,
    ToDefaultFlow,
 )
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
@ -56,7 +58,8 @@ class RedirectToAppLaunch(View):
        except FlowNonApplicableException:
            raise Http404 from None
        plan.insert_stage(in_memory_stage(RedirectToAppStage))
-        return plan.to_redirect(request, flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
 class RedirectToAppStage(ChallengeStageView):
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -16,7 +16,6 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
 from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
@ -52,7 +51,6 @@ class InterfaceView(TemplateView):
        kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
        return super().get_context_data(**kwargs)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -28,6 +28,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
@ -35,7 +36,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
+from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@ -85,5 +85,5 @@ def certificate_discovery(self: SystemTask):
        if dirty:
            cert.save()
    self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=discovered))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": discovered})
    )
--- a/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
+++ b/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
@ -1,27 +0,0 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_enterprise", "0003_remove_licenseusage_within_limits_and_more"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(fields=["expires"], name="authentik_e_expires_3f2956_idx"),
        ),
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(fields=["expiring"], name="authentik_e_expirin_11d3d7_idx"),
        ),
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_e_expirin_4d558f_idx"
            ),
        ),
    ]
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -93,4 +93,3 @@ class LicenseUsage(ExpiringModel):
    class Meta:
        verbose_name = _("License Usage")
        verbose_name_plural = _("License Usage Records")
        indexes = ExpiringModel.Meta.indexes
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -1,8 +1,11 @@
 """RAC Provider API Views"""
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
@ -31,6 +34,12 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
        ]
 class ConnectionTokenOwnerFilter(OwnerFilter):
    """Owner filter for connection tokens (checks session's user)"""
    owner_key = "session__user"
 class ConnectionTokenViewSet(
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
@ -46,4 +55,10 @@ class ConnectionTokenViewSet(
    filterset_fields = ["endpoint", "session__user", "provider"]
    search_fields = ["endpoint__name", "provider__name"]
    ordering = ["endpoint__name", "provider__name"]
-    owner_field = "session__user"
+    permission_classes = [OwnerSuperuserPermissions]
    filter_backends = [
        ConnectionTokenOwnerFilter,
        DjangoFilterBackend,
        OrderingFilter,
        SearchFilter,
    ]
--- a/authentik/enterprise/providers/rac/api/endpoints.py
+++ b/authentik/enterprise/providers/rac/api/endpoints.py
@ -96,7 +96,7 @@ class EndpointViewSet(UsedByMixin, ModelViewSet):
                OpenApiTypes.STR,
            ),
            OpenApiParameter(
-                name="list_rbac",
+                name="superuser_full_list",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.BOOL,
            ),
@ -110,8 +110,8 @@ class EndpointViewSet(UsedByMixin, ModelViewSet):
        """List accessible endpoints"""
        should_cache = request.GET.get("search", "") == ""
-        list_rbac = str(request.GET.get("list_rbac", "false")).lower() == "true"
+        superuser_full_list = str(request.GET.get("superuser_full_list", "false")).lower() == "true"
-        if list_rbac:
+        if superuser_full_list and request.user.is_superuser:
            return super().list(request)
        queryset = self._filter_queryset_for_list(self.get_queryset())
--- a/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
+++ b/authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py
@ -1,28 +0,0 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
        ("authentik_providers_rac", "0005_alter_racpropertymapping_options"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="connectiontoken",
            index=models.Index(fields=["expires"], name="authentik_p_expires_91f148_idx"),
        ),
        migrations.AddIndex(
            model_name="connectiontoken",
            index=models.Index(fields=["expiring"], name="authentik_p_expirin_59a5a7_idx"),
        ),
        migrations.AddIndex(
            model_name="connectiontoken",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_p_expirin_aed3ca_idx"
            ),
        ),
    ]
--- a/authentik/enterprise/providers/rac/models.py
+++ b/authentik/enterprise/providers/rac/models.py
@ -159,9 +159,9 @@ class ConnectionToken(ExpiringModel):
            default_settings["port"] = str(port)
        else:
            default_settings["hostname"] = self.endpoint.host
-        if self.endpoint.protocol == Protocols.RDP:
+        default_settings["client-name"] = "authentik"
-            default_settings["resize-method"] = "display-update"
+        # default_settings["enable-drive"] = "true"
-        default_settings["client-name"] = f"authentik - {self.session.user}"
+        # default_settings["drive-name"] = "authentik"
        settings = {}
        always_merger.merge(settings, default_settings)
        always_merger.merge(settings, self.endpoint.provider.settings)
@ -211,4 +211,3 @@ class ConnectionToken(ExpiringModel):
    class Meta:
        verbose_name = _("RAC Connection token")
        verbose_name_plural = _("RAC Connection tokens")
        indexes = ExpiringModel.Meta.indexes
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -6,8 +6,8 @@
 <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="icon" href="{{ tenant.branding_favicon }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
 {% include "base/header_js.html" %}
 {% endblock %}
--- a/authentik/enterprise/providers/rac/tests/test_models.py
+++ b/authentik/enterprise/providers/rac/tests/test_models.py
@ -50,10 +50,9 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "resize-method": "display-update",
            },
        )
        # Set settings in provider
@ -64,11 +63,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "provider",
                "resize-method": "display-update",
            },
        )
        # Set settings in endpoint
@ -81,11 +79,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "endpoint",
                "resize-method": "display-update",
            },
        )
        # Set settings in token
@ -98,11 +95,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "token",
                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (provider)
@ -118,11 +114,10 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_provider",
                "resize-method": "display-update",
            },
        )
        # Set settings in property mapping (endpoint)
@ -140,12 +135,11 @@ class TestModels(TransactionTestCase):
            {
                "hostname": self.endpoint.host.split(":")[0],
                "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                "drive-path": path,
                "create-drive-path": "true",
                "level": "property_mapping_endpoint",
                "foo": "true",
                "bar": "6",
                "resize-method": "display-update",
            },
        )
--- a/authentik/enterprise/providers/rac/views.py
+++ b/authentik/enterprise/providers/rac/views.py
@ -18,7 +18,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.engine import PolicyEngine
@ -54,7 +56,12 @@ class RACStartView(EnterprisePolicyAccessView):
                provider=self.provider,
            )
        )
-        return plan.to_redirect(request, self.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            request.GET,
            flow_slug=self.provider.authorization_flow.slug,
        )
 class RACInterface(InterfaceView):
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -1,11 +1,14 @@
 """AuthenticatorEndpointGDTCStage API Views"""
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@ -64,7 +67,8 @@ class EndpointDeviceViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
-    owner_field = "user"
+    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 class EndpointAdminDeviceViewSet(ModelViewSet):
--- a/authentik/events/api/notifications.py
+++ b/authentik/events/api/notifications.py
@ -1,15 +1,17 @@
 """Notification API Views"""
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
@ -55,7 +57,8 @@ class NotificationViewSet(
        "seen",
        "user",
    ]
-    owner_field = "user"
+    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    @extend_schema(
        request=OpenApiTypes.NONE,
@ -63,7 +66,7 @@ class NotificationViewSet(
            204: OpenApiResponse(description="Marked tasks as read successfully."),
        },
    )
-    @action(detail=False, methods=["post"], permission_classes=[IsAuthenticated])
+    @action(detail=False, methods=["post"])
    def mark_all_seen(self, request: Request) -> Response:
        """Mark all the user's notifications as seen"""
        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
--- a/authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py
+++ b/authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py
@ -1,41 +0,0 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="event",
            index=models.Index(fields=["expires"], name="authentik_e_expires_8c73a8_idx"),
        ),
        migrations.AddIndex(
            model_name="event",
            index=models.Index(fields=["expiring"], name="authentik_e_expirin_b5cb5e_idx"),
        ),
        migrations.AddIndex(
            model_name="event",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_e_expirin_e37180_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="systemtask",
            index=models.Index(fields=["expires"], name="authentik_e_expires_4d3985_idx"),
        ),
        migrations.AddIndex(
            model_name="systemtask",
            index=models.Index(fields=["expiring"], name="authentik_e_expirin_81d649_idx"),
        ),
        migrations.AddIndex(
            model_name="systemtask",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_e_expirin_eb3598_idx"
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -60,7 +60,7 @@ def default_event_duration():
    """Default duration an Event is saved.
    This is used as a fallback when no brand is available"""
    try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
        return now() + timedelta_from_string(tenant.event_retention)
    except Tenant.DoesNotExist:
        return now() + timedelta(days=365)
@ -306,7 +306,7 @@ class Event(SerializerModel, ExpiringModel):
    class Meta:
        verbose_name = _("Event")
        verbose_name_plural = _("Events")
-        indexes = ExpiringModel.Meta.indexes + [
+        indexes = [
            models.Index(fields=["action"]),
            models.Index(fields=["user"]),
            models.Index(fields=["app"]),
@ -694,4 +694,3 @@ class SystemTask(SerializerModel, ExpiringModel):
        permissions = [("run_task", _("Run task"))]
        verbose_name = _("System Task")
        verbose_name_plural = _("System Tasks")
        indexes = ExpiringModel.Meta.indexes
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -106,9 +106,9 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_
@receiver(password_changed)
-def on_password_changed(sender, user: User, password: str, request: HttpRequest | None, **_):
+def on_password_changed(sender, user: User, password: str, **_):
    """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(request, user=user)
+    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
@receiver(post_save, sender=Event)
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -138,6 +138,7 @@ def notification_cleanup(self: SystemTask):
    """Cleanup seen notifications and notifications whose event expired."""
    notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
    amount = notifications.count()
-    notifications.delete()
+    for notification in notifications:
        notification.delete()
    LOGGER.debug("Expired notifications", amount=amount)
    self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -1,7 +1,5 @@
 """Flow Stage API Views"""
 from uuid import uuid4
 from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
@ -29,11 +27,6 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
    component = SerializerMethodField()
    flow_set = FlowSetSerializer(many=True, required=False)
    def to_representation(self, instance: Stage):
        if isinstance(instance, Stage) and instance.is_in_memory:
            instance.stage_uuid = uuid4()
        return super().to_representation(instance)
    def get_component(self, obj: Stage) -> str:
        """Get object type so that we know how to edit the object"""
        if obj.__class__ == Stage:
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -97,9 +97,12 @@ class FlowErrorChallenge(Challenge):
        if not request or not error:
            return
        self.initial_data["request_id"] = request.request_id
        from authentik.core.models import USER_ATTRIBUTE_DEBUG
        if request.user and request.user.is_authenticated:
-            if request.user.has_perm("authentik_core.user_view_debug"):
+            if request.user.is_superuser or request.user.group_attributes(request).get(
                USER_ATTRIBUTE_DEBUG, False
            ):
                self.initial_data["error"] = str(error)
                self.initial_data["traceback"] = exception_to_string(error)
--- a/authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py
+++ b/authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py
@ -88,8 +88,7 @@ class Migration(migrations.Migration):
            model_name="flowstagebinding",
            name="re_evaluate_policies",
            field=models.BooleanField(
-                default=False,
+                default=False, help_text="Evaluate policies when the Stage is present to the user."
                help_text="Evaluate policies when the Stage is presented to the user.",
            ),
        ),
        migrations.AddField(
--- a/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
+++ b/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
@ -20,7 +20,7 @@ class Migration(migrations.Migration):
            model_name="flowstagebinding",
            name="re_evaluate_policies",
            field=models.BooleanField(
-                default=True, help_text="Evaluate policies when the Stage is presented to the user."
+                default=True, help_text="Evaluate policies when the Stage is present to the user."
            ),
        ),
    ]
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -40,7 +40,6 @@ class Migration(migrations.Migration):
                    ("require_authenticated", "Require Authenticated"),
                    ("require_unauthenticated", "Require Unauthenticated"),
                    ("require_superuser", "Require Superuser"),
                    ("require_redirect", "Require Redirect"),
                    ("require_outpost", "Require Outpost"),
                ],
                default="none",
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -14,7 +14,6 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
 from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
@ -33,7 +32,6 @@ class FlowAuthenticationRequirement(models.TextChoices):
    REQUIRE_AUTHENTICATED = "require_authenticated"
    REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
    REQUIRE_SUPERUSER = "require_superuser"
    REQUIRE_REDIRECT = "require_redirect"
    REQUIRE_OUTPOST = "require_outpost"
@ -102,12 +100,8 @@ class Stage(SerializerModel):
        user settings are available, or a challenge."""
        return None
    @property
    def is_in_memory(self):
        return hasattr(self, "__in_memory_type")
    def __str__(self):
-        if self.is_in_memory:
+        if hasattr(self, "__in_memory_type"):
            return f"In-memory Stage {getattr(self, '__in_memory_type')}"
        return f"Stage {self.name}"
@ -183,13 +177,9 @@ class Flow(SerializerModel, PolicyBindingModel):
        """Get the URL to the background image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.background:
-            return (
+            return "/static/dist/assets/images/flow_background.jpg"
-                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith("/static"):
            )
        if self.background.name.startswith("http"):
            return self.background.name
        if self.background.name.startswith("/static"):
            return CONFIG.get("web.path", "/")[:-1] + self.background.name
        return self.background.url
    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
@ -231,7 +221,7 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
    )
    re_evaluate_policies = models.BooleanField(
        default=True,
-        help_text=_("Evaluate policies when the Stage is presented to the user."),
+        help_text=_("Evaluate policies when the Stage is present to the user."),
    )
    invalid_response_action = models.TextField(
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -1,10 +1,10 @@
 """Flows Planner"""
 from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any
+from typing import Any
 from django.core.cache import cache
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -23,15 +23,10 @@ from authentik.flows.models import (
    in_memory_stage,
 )
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 if TYPE_CHECKING:
    from authentik.flows.stage import StageView
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
 PLAN_CONTEXT_SSO = "is_sso"
@ -42,8 +37,6 @@ PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
 PLAN_CONTEXT_IS_REDIRECTED = "is_redirected"
 PLAN_CONTEXT_REDIRECT_STAGE_TARGET = "redirect_stage_target"
 CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
@ -117,62 +110,6 @@ class FlowPlan:
        """Check if there are any stages left in this plan"""
        return len(self.markers) + len(self.bindings) > 0
    def requires_flow_executor(
        self,
        allowed_silent_types: list["StageView"] | None = None,
    ):
        # Check if we actually need to show the Flow executor, or if we can jump straight to the end
        found_unskippable = True
        if allowed_silent_types:
            LOGGER.debug("Checking if we can skip the flow executor...")
            # Policies applied to the flow have already been evaluated, so we're checking for stages
            # allow-listed or bindings that require a policy re-eval
            found_unskippable = False
            for binding, marker in zip(self.bindings, self.markers, strict=True):
                if binding.stage.view not in allowed_silent_types:
                    found_unskippable = True
                if marker and isinstance(marker, ReevaluateMarker):
                    found_unskippable = True
        LOGGER.debug("Required flow executor status", status=found_unskippable)
        return found_unskippable
    def to_redirect(
        self,
        request: HttpRequest,
        flow: Flow,
        allowed_silent_types: list["StageView"] | None = None,
    ) -> HttpResponse:
        """Redirect to the flow executor for this flow plan"""
        from authentik.flows.views.executor import (
            SESSION_KEY_PLAN,
            FlowExecutorView,
        )
        request.session[SESSION_KEY_PLAN] = self
        requires_flow_executor = self.requires_flow_executor(allowed_silent_types)
        if not requires_flow_executor:
            # No unskippable stages found, so we can directly return the response of the last stage
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
            temp_exec.current_stage = self.bindings[-1].stage
            stage = final_stage(request=request, executor=temp_exec)
            return stage.dispatch(request)
        get_qs = request.GET.copy()
        if request.user.is_authenticated and (
            # Object-scoped permission or global permission
            request.user.has_perm("authentik_flows.inspect_flow", flow)
            or request.user.has_perm("authentik_flows.inspect_flow")
        ):
            get_qs["inspector"] = "available"
        return redirect_with_qs(
            "authentik_core:if-flow",
            get_qs,
            flow_slug=flow.slug,
        )
 class FlowPlanner:
    """Execute all policies to plan out a flat list of all Stages
@ -191,7 +128,7 @@ class FlowPlanner:
        self.flow = flow
        self._logger = get_logger().bind(flow_slug=flow.slug)
-    def _check_authentication(self, request: HttpRequest, context: dict[str, Any]):
+    def _check_authentication(self, request: HttpRequest):
        """Check the flow's authentication level is matched by `request`"""
        if (
            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
@ -208,11 +145,6 @@ class FlowPlanner:
            and not request.user.is_superuser
        ):
            raise FlowNonApplicableException()
        if (
            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_REDIRECT
            and context.get(PLAN_CONTEXT_IS_REDIRECTED) is None
        ):
            raise FlowNonApplicableException()
        outpost_user = ClientIPMiddleware.get_outpost_user(request)
        if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
            if not outpost_user:
@ -244,13 +176,18 @@ class FlowPlanner:
            )
            context = default_context or {}
            # Bit of a workaround here, if there is a pending user set in the default context
-            # we use that user for our cache key to make sure they don't get the generic response
+            # we use that user for our cache key
            # to make sure they don't get the generic response
            if context and PLAN_CONTEXT_PENDING_USER in context:
                user = context[PLAN_CONTEXT_PENDING_USER]
            else:
                user = request.user
-
+                # We only need to check the flow authentication if it's planned without a user
-            context.update(self._check_authentication(request, context))
+                # in the context, as a user in the context can only be set via the explicit code API
                # or if a flow is restarted due to `invalid_response_action` being set to
                # `restart_with_context`, which can only happen if the user was already authorized
                # to use the flow
                context.update(self._check_authentication(request))
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -93,11 +93,7 @@ class ChallengeStageView(StageView):
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Return a challenge for the frontend to solve"""
-        try:
+        challenge = self._get_challenge(*args, **kwargs)
            challenge = self._get_challenge(*args, **kwargs)
        except StageInvalidException as exc:
            self.logger.debug("Got StageInvalidException", exc=exc)
            return self.executor.stage_invalid()
        if not challenge.is_valid():
            self.logger.warning(
                "f(ch): Invalid challenge",
@ -173,7 +169,11 @@ class ChallengeStageView(StageView):
                stage_type=self.__class__.__name__, method="get_challenge"
            ).time(),
        ):
-            challenge = self.get_challenge(*args, **kwargs)
+            try:
                challenge = self.get_challenge(*args, **kwargs)
            except StageInvalidException as exc:
                self.logger.debug("Got StageInvalidException", exc=exc)
                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
            name=self.__class__.__name__,
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -9,8 +9,8 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -7,8 +7,8 @@ from django.http import HttpRequest, HttpResponse
 from django.test.client import RequestFactory
 from django.urls import reverse
-from authentik.core.models import Group, User
+from authentik.core.models import User
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.tests.utils import create_test_flow
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import (
    FlowDeniedAction,
@ -255,11 +255,7 @@ class TestFlowExecutor(FlowTestCase):
        )
        binding = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -282,8 +278,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding)
            self.assertEqual(plan.bindings[1], binding2)
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -305,11 +301,7 @@ class TestFlowExecutor(FlowTestCase):
        )
        binding = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -318,11 +310,7 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
            stage=DummyStage.objects.create(name=generate_id()),
            order=2,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -340,9 +328,9 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[1], binding2)
            self.assertEqual(plan.bindings[2], binding3)
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[2], StageMarker)
            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -353,8 +341,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding2)
            self.assertEqual(plan.bindings[1], binding3)
-            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[1], StageMarker)
        # third request, this should trigger the re-evaluate
        # We do this request without the patch, so the policy results in false
@ -372,11 +360,7 @@ class TestFlowExecutor(FlowTestCase):
        )
        binding = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -385,11 +369,7 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
            stage=DummyStage.objects.create(name=generate_id()),
            order=2,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        PolicyBinding.objects.create(policy=true_policy, target=binding2, order=0)
@ -407,9 +387,9 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[1], binding2)
            self.assertEqual(plan.bindings[2], binding3)
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[2], StageMarker)
            # Second request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -420,8 +400,8 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding2)
            self.assertEqual(plan.bindings[1], binding3)
-            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[1], StageMarker)
            # Third request, this passes the first dummy stage
            response = self.client.post(exec_url)
@ -431,7 +411,7 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[0], binding3)
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
        # third request, this should trigger the re-evaluate
        # We do this request without the patch, so the policy results in false
@ -449,11 +429,7 @@ class TestFlowExecutor(FlowTestCase):
        )
        binding = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
@ -468,11 +444,7 @@ class TestFlowExecutor(FlowTestCase):
            re_evaluate_policies=True,
        )
        binding4 = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
            stage=DummyStage.objects.create(name=generate_id()),
            order=2,
            evaluate_on_plan=True,
            re_evaluate_policies=False,
        )
        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -493,10 +465,10 @@ class TestFlowExecutor(FlowTestCase):
            self.assertEqual(plan.bindings[2], binding3)
            self.assertEqual(plan.bindings[3], binding4)
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[2], ReevaluateMarker)
-            self.assertEqual(plan.markers[3].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[3], StageMarker)
        # Second request, this passes the first dummy stage
        response = self.client.post(exec_url)
@ -547,9 +519,9 @@ class TestFlowExecutor(FlowTestCase):
        )
        # Stage 0 is a deny stage that is added dynamically
        # when the reputation policy says so
-        deny_stage = DenyStage.objects.create(name=generate_id())
+        deny_stage = DenyStage.objects.create(name="deny")
        reputation_policy = ReputationPolicy.objects.create(
-            name=generate_id(), threshold=-1, check_ip=False
+            name="reputation", threshold=-1, check_ip=False
        )
        deny_binding = FlowStageBinding.objects.create(
            target=flow,
@ -562,7 +534,7 @@ class TestFlowExecutor(FlowTestCase):
        # Stage 1 is an identification stage
        ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
+            name="ident",
            user_fields=[UserFields.E_MAIL],
            pretend_user_exists=False,
        )
@ -587,64 +559,3 @@ class TestFlowExecutor(FlowTestCase):
        )
        response = self.client.post(exec_url, {"uid_field": "invalid-string"}, follow=True)
        self.assertStageResponse(response, flow, component="ak-stage-access-denied")
    def test_re_evaluate_group_binding(self):
        """Test re-evaluate stage binding that has a policy binding to a group"""
        flow = create_test_flow()
        user_group_membership = create_test_user()
        user_direct_binding = create_test_user()
        user_other = create_test_user()
        group_a = Group.objects.create(name=generate_id())
        user_group_membership.ak_groups.add(group_a)
        # Stage 0 is an identification stage
        ident_stage = IdentificationStage.objects.create(
            name=generate_id(),
            user_fields=[UserFields.USERNAME],
            pretend_user_exists=False,
        )
        FlowStageBinding.objects.create(
            target=flow,
            stage=ident_stage,
            order=0,
        )
        # Stage 1 is a dummy stage that is only shown for users in group_a
        dummy_stage = DummyStage.objects.create(name=generate_id())
        dummy_binding = FlowStageBinding.objects.create(target=flow, stage=dummy_stage, order=1)
        PolicyBinding.objects.create(group=group_a, target=dummy_binding, order=0)
        PolicyBinding.objects.create(user=user_direct_binding, target=dummy_binding, order=0)
        # Stage 2 is a deny stage that (in this case) only user_b will see
        deny_stage = DenyStage.objects.create(name=generate_id())
        FlowStageBinding.objects.create(target=flow, stage=deny_stage, order=2)
        exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
        with self.subTest(f"Test user access through group: {user_group_membership}"):
            self.client.logout()
            # First request, run the planner
            response = self.client.get(exec_url)
            self.assertStageResponse(response, flow, component="ak-stage-identification")
            response = self.client.post(
                exec_url, {"uid_field": user_group_membership.username}, follow=True
            )
            self.assertStageResponse(response, flow, component="ak-stage-dummy")
        with self.subTest(f"Test user access through user: {user_direct_binding}"):
            self.client.logout()
            # First request, run the planner
            response = self.client.get(exec_url)
            self.assertStageResponse(response, flow, component="ak-stage-identification")
            response = self.client.post(
                exec_url, {"uid_field": user_direct_binding.username}, follow=True
            )
            self.assertStageResponse(response, flow, component="ak-stage-dummy")
        with self.subTest(f"Test user has no access: {user_other}"):
            self.client.logout()
            # First request, run the planner
            response = self.client.get(exec_url)
            self.assertStageResponse(response, flow, component="ak-stage-identification")
            response = self.client.post(exec_url, {"uid_field": user_other.username}, follow=True)
            self.assertStageResponse(response, flow, component="ak-stage-access-denied")
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -8,7 +8,6 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.lib.generators import generate_id
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
@ -27,7 +26,7 @@ class TestFlowInspector(APITestCase):
        # Stage 1 is an identification stage
        ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
+            name="ident",
            user_fields=[UserFields.USERNAME],
        )
        FlowStageBinding.objects.create(
@ -36,8 +35,9 @@ class TestFlowInspector(APITestCase):
            order=1,
            invalid_response_action=InvalidResponseAction.RESTART_WITH_CONTEXT,
        )
-        dummy_stage = DummyStage.objects.create(name=generate_id())
+        FlowStageBinding.objects.create(
-        FlowStageBinding.objects.create(target=flow, stage=dummy_stage, order=1)
+            target=flow, stage=DummyStage.objects.create(name="dummy2"), order=1
        )
        res = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
@ -68,11 +68,9 @@ class TestFlowInspector(APITestCase):
        )
        content = loads(ins.content)
        self.assertEqual(content["is_completed"], False)
        self.assertEqual(content["current_plan"]["current_stage"]["stage_obj"]["name"], "ident")
        self.assertEqual(
-            content["current_plan"]["current_stage"]["stage_obj"]["name"], ident_stage.name
+            content["current_plan"]["next_planned_stage"]["stage_obj"]["name"], "dummy2"
        )
        self.assertEqual(
            content["current_plan"]["next_planned_stage"]["stage_obj"]["name"], dummy_stage.name
        )
        self.client.post(
@ -86,12 +84,8 @@ class TestFlowInspector(APITestCase):
        )
        content = loads(ins.content)
        self.assertEqual(content["is_completed"], False)
-        self.assertEqual(
+        self.assertEqual(content["plans"][0]["current_stage"]["stage_obj"]["name"], "ident")
-            content["plans"][0]["current_stage"]["stage_obj"]["name"], ident_stage.name
+        self.assertEqual(content["current_plan"]["current_stage"]["stage_obj"]["name"], "dummy2")
        )
        self.assertEqual(
            content["current_plan"]["current_stage"]["stage_obj"]["name"], dummy_stage.name
        )
        self.assertEqual(
            content["current_plan"]["plan_context"]["pending_user"]["username"], self.admin.username
        )
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -5,8 +5,6 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.http import HttpRequest
 from django.shortcuts import redirect
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
@ -16,20 +14,8 @@ from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import (
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
-    FlowAuthenticationRequirement,
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
    FlowDesignation,
    FlowStageBinding,
    in_memory_stage,
 )
 from authentik.flows.planner import (
    PLAN_CONTEXT_IS_REDIRECTED,
    PLAN_CONTEXT_PENDING_USER,
    FlowPlanner,
    cache_key,
 )
 from authentik.flows.stage import StageView
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@ -87,24 +73,6 @@ class TestFlowPlanner(TestCase):
        planner.allow_empty_flows = True
        planner.plan(request)
    def test_authentication_redirect_required(self):
        """Test flow authentication (redirect required)"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.REQUIRE_REDIRECT
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        with self.assertRaises(FlowNonApplicableException):
            planner.plan(request)
        context = {}
        context[PLAN_CONTEXT_IS_REDIRECTED] = create_test_flow()
        planner.plan(request, context)
    @reconcile_app("authentik_outposts")
    def test_authentication_outpost(self):
        """Test flow authentication (outpost)"""
@ -154,7 +122,7 @@ class TestFlowPlanner(TestCase):
        """Test planner cache"""
        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
        )
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
@ -173,7 +141,7 @@ class TestFlowPlanner(TestCase):
        """Test planner with default_context"""
        flow = create_test_flow()
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
+            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
        )
        user = User.objects.create(username="test-user")
@ -192,7 +160,7 @@ class TestFlowPlanner(TestCase):
        FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
+            stage=DummyStage.objects.create(name="dummy1"),
            order=0,
            re_evaluate_policies=True,
        )
@ -205,7 +173,7 @@ class TestFlowPlanner(TestCase):
        planner = FlowPlanner(flow)
        plan = planner.plan(request)
-        self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
+        self.assertIsInstance(plan.markers[0], ReevaluateMarker)
    def test_planner_reevaluate_actual(self):
        """Test planner with re-evaluate"""
@ -213,14 +181,11 @@ class TestFlowPlanner(TestCase):
        false_policy = DummyPolicy.objects.create(result=False, wait_min=1, wait_max=2)
        binding = FlowStageBinding.objects.create(
-            target=flow,
+            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
            stage=DummyStage.objects.create(name=generate_id()),
            order=0,
            re_evaluate_policies=False,
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
+            stage=DummyStage.objects.create(name="dummy2"),
            order=1,
            re_evaluate_policies=True,
        )
@ -244,103 +209,5 @@ class TestFlowPlanner(TestCase):
            self.assertEqual(plan.bindings[0], binding)
            self.assertEqual(plan.bindings[1], binding2)
            self.assertEqual(plan.markers[0].__class__, StageMarker)
            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
            self.assertIsInstance(plan.markers[0], StageMarker)
            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
    def test_to_redirect(self):
        """Test to_redirect and skipping the flow executor"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        self.assertTrue(plan.requires_flow_executor())
        self.assertEqual(
            plan.to_redirect(request, flow).url,
            reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}),
        )
    def test_to_redirect_skip_simple(self):
        """Test to_redirect and skipping the flow executor"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView))
        self.assertFalse(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
        self.assertEqual(
            plan.to_redirect(request, flow, allowed_silent_types=[TStageView]).url,
            "https://authentik.company",
        )
    def test_to_redirect_skip_stage(self):
        """Test to_redirect and skipping the flow executor
        (with a stage bound that cannot be skipped)"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        FlowStageBinding.objects.create(
            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
        )
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView))
        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
    def test_to_redirect_skip_policies(self):
        """Test to_redirect and skipping the flow executor
        (with a marker on the stage view type that can be skipped)
        Note that this is not actually used anywhere in the code, all stages that are dynamically
        added are statically added"""
        flow = create_test_flow()
        flow.authentication = FlowAuthenticationRequirement.NONE
        request = self.request_factory.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        request.user = AnonymousUser()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        plan = planner.plan(request)
        class TStageView(StageView):
            def dispatch(self, request: HttpRequest, *args, **kwargs):
                return redirect("https://authentik.company")
        plan.append_stage(in_memory_stage(TStageView), ReevaluateMarker(None))
        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -171,8 +171,7 @@ class FlowExecutorView(APIView):
                    # Existing plan is deleted from session and instance
                    self.plan = None
                    self.cancel()
-                else:
+                self._logger.debug("f(exec): Continuing existing plan")
                    self._logger.debug("f(exec): Continuing existing plan")
            # Initial flow request, check if we have an upstream query string passed in
            request.session[SESSION_KEY_GET] = get_params
@ -598,4 +597,9 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            raise Http404 from None
-        return plan.to_redirect(request, stage.configure_flow)
+        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
            self.request.GET,
            flow_slug=stage.configure_flow.slug,
        )
--- a/authentik/flows/views/inspector.py
+++ b/authentik/flows/views/inspector.py
@ -78,9 +78,7 @@ class FlowInspectorView(APIView):
        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        if settings.DEBUG:
            return
-        if request.user.has_perm(
+        if request.user.has_perm("authentik_flow.inspect_flow", self.flow):
            "authentik_flows.inspect_flow", self.flow
        ) or request.user.has_perm("authentik_flows.inspect_flow"):
            return
        raise Http404
@ -96,9 +94,6 @@ class FlowInspectorView(APIView):
        """Get current flow state and record it"""
        plans = []
        for plan in request.session.get(SESSION_KEY_HISTORY, []):
            plan: FlowPlan
            if plan.flow_pk != self.flow.pk.hex:
                continue
            plan_serializer = FlowInspectorPlanSerializer(
                instance=plan, context={"request": request}
            )
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -280,24 +280,9 @@ class ConfigLoader:
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default
    def get_optional_int(self, path: str, default=None) -> int | None:
        """Wrapper for get that converts value into int or None if set"""
        value = self.get(path, default)
        try:
            return int(value)
        except (ValueError, TypeError) as exc:
            if value is None or (isinstance(value, str) and value.lower() == "null"):
                return None
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default
    def get_bool(self, path: str, default=False) -> bool:
        """Wrapper for get that converts value into boolean"""
-        value = self.get(path, UNSET)
+        return str(self.get(path, default)).lower() == "true"
        if value is UNSET:
            return default
        return str(self.get(path)).lower() == "true"
    def get_keys(self, path: str, sep=".") -> list[str]:
        """List attribute keys by using yaml path"""
@ -369,33 +354,20 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
                "postgresql.disable_server_side_cursors", False
            ),
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }
    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        if disable_server_side_cursors is not UNSET:
            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
        if disable_server_side_cursors is not UNSET:
            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
        if conn_max_age is not UNSET:
            db["default"]["CONN_MAX_AGE"] = conn_max_age
    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -6,6 +6,8 @@ postgresql:
  user: authentik
  port: 5432
  password: "env://POSTGRES_PASSWORD"
  use_pgbouncer: false
  use_pgpool: false
  test:
    name: test_authentik
  read_replicas: {}
@ -133,7 +135,6 @@ web:
  # No default here as it's set dynamically
  # workers: 2
  threads: 4
  path: /
 worker:
  concurrency: 2
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -9,25 +9,20 @@ from typing import Any
 from cachetools import TLRUCache, cached
 from django.core.exceptions import FieldError
 from django.http import HttpRequest
 from django.utils.text import slugify
 from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import Policy, PolicyBinding
 from authentik.policies.process import PolicyProcess
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 from authentik.stages.authenticator import devices_for_user
 LOGGER = get_logger()
@ -61,7 +56,6 @@ class BaseEvaluator:
            "ak_logger": get_logger(self._filename).bind(),
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
            "ak_create_jwt": self.expr_create_jwt,
            "ip_address": ip_address,
            "ip_network": ip_network,
            "list_flatten": BaseEvaluator.expr_flatten,
@ -188,36 +182,6 @@ class BaseEvaluator:
        proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
        return proc.profiling_wrapper()
    def expr_create_jwt(
        self,
        user: User,
        provider: OAuth2Provider | str,
        scopes: list[str],
        validity: str = "seconds=60",
    ) -> str | None:
        """Issue a JWT for a given provider"""
        request: HttpRequest = self._context.get("http_request")
        if not request:
            return None
        if not isinstance(provider, OAuth2Provider):
            provider = OAuth2Provider.objects.get(name=provider)
        session = None
        if hasattr(request, "session") and request.session.session_key:
            session = AuthenticatedSession.objects.filter(
                session_key=request.session.session_key
            ).first()
        access_token = AccessToken(
            provider=provider,
            user=user,
            expires=now() + timedelta_from_string(validity),
            scope=scopes,
            auth_time=now(),
            session=session,
        )
        access_token.id_token = IDToken.new(provider, access_token, request)
        access_token.save()
        return access_token.token
    def wrap_expression(self, expression: str) -> str:
        """Wrap expression in a function, call it, and save the result as `result`"""
        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
--- a/Show More
+++ b/Show More
		`@ -1 +1 @@`
			`website/docs/developer-docs/index.md`				`website/developer-docs/index.md`