Translate noscript content.

core: Format and lint.
core: Format interface templates.
2025-04-17 15:09:52 +02:00 · 2025-04-17 02:08:45 +02:00 · 2025-04-17 02:08:27 +02:00 · 2025-04-17 02:00:56 +02:00 · 2025-04-17 02:00:04 +02:00 · 2025-04-17 01:58:14 +02:00
397 changed files with 41184 additions and 5021 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.3
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -30,7 +30,6 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
-          cache: "poetry"
      - name: Generate API Client
        run: make gen-client-py
      - name: Publish package
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -0,0 +1,45 @@
+name: authentik-packages-npm-publish
+on:
+  push:
+    branches: [main]
+    paths:
+      - packages/docusaurus-config
+      - packages/eslint-config
+      - packages/prettier-config
+      - packages/tsconfig
+  workflow_dispatch:
+jobs:
+  publish:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - docusaurus-config
+          - eslint-config
+          - prettier-config
+          - tsconfig
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: packages/${{ matrix.package }}/package.json
+          registry-url: "https://registry.npmjs.org"
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            packages/${{ matrix.package }}/package.json
+      - name: Publish package
+        if: steps.changed-files.outputs.any_changed == 'true'
+        working-directory: packages/${{ matrix.package}}
+        run: |
+          npm ci
+          npm run build
+          npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -11,6 +11,10 @@ local_settings.py
 db.sqlite3
 media

+# Node
+
+node_modules
+
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@ -33,6 +37,7 @@ eggs/
 lib64/
 parts/
 dist/
+out/
 sdist/
 var/
 wheels/
--- a/.prettierignore
+++ b/.prettierignore
@ -0,0 +1,47 @@
+# Prettier Ignorefile
+
+## Static Files
+**/LICENSE
+
+authentik/stages/**/*
+
+## Build asset directories
+coverage
+dist
+out
+.docusaurus
+website/docs/developer-docs/api/**/*
+
+## Environment
+*.env
+
+## Secrets
+*.secrets
+
+## Yarn
+.yarn/**/*
+
+## Node
+node_modules
+coverage
+
+## Configs
+*.log
+*.yaml
+*.yml
+
+# Templates
+# TODO: Rename affected files to *.template.* or similar.
+*.html
+*.mdx
+*.md
+
+## Import order matters
+poly.ts
+src/locale-codes.ts
+src/locales/
+
+# Storybook
+storybook-static/
+.storybook/css-import-maps*
+
--- a/2
+++ b/2
@ -23,6 +23,8 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
+# Web packages
+packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
--- a/4
+++ b/4
@ -94,9 +94,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.11 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.9-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.3"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -3,15 +3,20 @@
 {% load authentik_core %}

 {% block title %}
-API Browser - {{ brand.branding_title }}
+  API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
-<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+  <script
+    data-test-id="entrypoint"
+    src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}"
+    type="module">
+  </script>
 {% endblock %}

 {% block body %}
-<ak-api-browser schemaPath="{{ path }}"></ak-api-browser>
+  <ak-api-browser schemaPath="{{ path }}"></ak-api-browser>
 {% endblock %}
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer
+from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.models import BlueprintInstance
@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.rbac.decorators import permission_required


--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -36,6 +36,7 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
+    Session,
    Source,
    User,
    UserSourceConnection,
@ -108,6 +109,7 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
+        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -5,6 +5,7 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
+from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

@ -54,6 +55,11 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""

+    expires = DateTimeField(source="session.expires", read_only=True)
+    last_ip = IPAddressField(source="session.last_ip", read_only=True)
+    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
+    last_used = DateTimeField(source="session.last_used", read_only=True)
+
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@ -62,19 +68,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session_key
+        return request._request.session.session_key == instance.session.session_key

    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.last_user_agent)
+        return user_agent_parser.Parse(instance.session.last_user_agent)

    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)

    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)

    class Meta:
        model = AuthenticatedSession
@ -90,6 +96,7 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
+        extra_args = {"uuid": {"read_only": True}}


 class AuthenticatedSessionViewSet(
@ -101,9 +108,10 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""

-    queryset = AuthenticatedSession.objects.all()
+    lookup_field = "uuid"
+    queryset = AuthenticatedSession.objects.select_related("session").all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "last_ip", "last_user_agent"]
-    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
+    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -179,10 +179,13 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "user",
            "source",
            "source_obj",
+            "identifier",
            "created",
+            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
+            "last_updated": {"read_only": True},
        }


@ -199,7 +202,7 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    filterset_fields = ["user", "source__slug"]
-    search_fields = ["source__slug"]
+    search_fields = ["user__username", "source__slug", "identifier"]
    ordering = ["source__slug", "pk"]
    owner_field = "user"

@ -218,9 +221,11 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "source_obj",
            "identifier",
            "created",
+            "last_updated",
        ]
        extra_kwargs = {
            "created": {"read_only": True},
+            "last_updated": {"read_only": True},
        }


@ -237,6 +242,5 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    filterset_fields = ["group", "source__slug"]
-    search_fields = ["source__slug"]
+    search_fields = ["group__name", "source__slug", "identifier"]
    ordering = ["source__slug", "pk"]
-    owner_field = "user"
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,14 +1,11 @@
 """User API Views"""

 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any

-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -72,8 +69,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
-    AuthenticatedSession,
    Group,
+    Session,
    Token,
    TokenIntents,
    User,
@ -92,7 +89,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@ -228,6 +224,7 @@ class UserSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
+            "date_joined",
            "is_superuser",
            "groups",
            "groups_obj",
@ -242,6 +239,7 @@ class UserSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
+            "date_joined": {"read_only": True},
            "password_change_date": {"read_only": True},
        }

@ -774,10 +772,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            sessions = AuthenticatedSession.objects.filter(user=instance)
-            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
-            sessions.delete()
+            Session.objects.filter(authenticatedsession__user=instance).delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -20,6 +20,8 @@ from rest_framework.serializers import (
    raise_errors_on_nested_writes,
 )

+from authentik.rbac.permissions import assign_initial_permissions
+

 def is_dict(value: Any):
    """Ensure a value is a dictionary, useful for JSONFields"""
@ -29,6 +31,14 @@ def is_dict(value: Any):


 class ModelSerializer(BaseModelSerializer):
+    def create(self, validated_data):
+        instance = super().create(validated_data)
+
+        request = self.context.get("request")
+        if request and hasattr(request, "user") and not request.user.is_anonymous:
+            assign_initial_permissions(request.user, instance)
+
+        return instance

    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -24,6 +24,15 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user

+    async def aauthenticate(
+        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+    ) -> User | None:
+        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
+        if not user:
+            return None
+        self.set_method("password", request)
+        return user
+
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@ -0,0 +1,15 @@
+"""Change user type"""
+
+from importlib import import_module
+
+from django.conf import settings
+
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Delete all sessions"""
+
+    def handle_per_tenant(self, **options):
+        engine = import_module(settings.SESSION_ENGINE)
+        engine.SessionStore.clear_expired()
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -2,9 +2,14 @@

 from collections.abc import Callable
 from contextvars import ContextVar
+from functools import partial
 from uuid import uuid4

+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
+from django.utils.deprecation import MiddlewareMixin
+from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -20,6 +25,40 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)


+def get_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+async def aget_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (
+            authenticated_session := await request.session.aget("authenticatedsession", None)
+        ) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+class AuthenticationMiddleware(MiddlewareMixin):
+    def process_request(self, request):
+        if not hasattr(request, "session"):
+            raise ImproperlyConfigured(
+                "The Django authentication middleware requires session "
+                "middleware to be installed. Edit your MIDDLEWARE setting to "
+                "insert "
+                "'authentik.root.middleware.SessionMiddleware' before "
+                "'authentik.core.middleware.AuthenticationMiddleware'."
+            )
+        request.user = SimpleLazyObject(lambda: get_user(request))
+        request.auser = partial(aget_user, request)
+
+
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""

--- a/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
+++ b/authentik/core/migrations/0044_usersourceconnection_new_identifier.py
@ -0,0 +1,19 @@
+# Generated by Django 5.0.13 on 2025-04-07 14:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0043_alter_group_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="usersourceconnection",
+            name="new_identifier",
+            field=models.TextField(default=""),
+            preserve_default=False,
+        ),
+    ]
--- a/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
+++ b/authentik/core/migrations/0045_rename_new_identifier_usersourceconnection_identifier_and_more.py
@ -0,0 +1,30 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+        ("authentik_sources_kerberos", "0003_migrate_userkerberossourceconnection_identifier"),
+        ("authentik_sources_oauth", "0009_migrate_useroauthsourceconnection_identifier"),
+        ("authentik_sources_plex", "0005_migrate_userplexsourceconnection_identifier"),
+        ("authentik_sources_saml", "0019_migrate_usersamlsourceconnection_identifier"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="usersourceconnection",
+            old_name="new_identifier",
+            new_name="identifier",
+        ),
+        migrations.AddIndex(
+            model_name="usersourceconnection",
+            index=models.Index(fields=["identifier"], name="authentik_c_identif_59226f_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="usersourceconnection",
+            index=models.Index(
+                fields=["source", "identifier"], name="authentik_c_source__649e04_idx"
+            ),
+        ),
+    ]
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -0,0 +1,238 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:58
+
+import uuid
+import pickle  # nosec
+from django.core import signing
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.db import migrations, models
+import django.db.models.deletion
+from django.conf import settings
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.utils.timezone import now, timedelta
+from authentik.lib.migrations import progress_bar
+from authentik.root.middleware import ClientIPMiddleware
+
+
+SESSION_CACHE_ALIAS = "default"
+
+
+class PickleSerializer:
+    """
+    Simple wrapper around pickle to be used in signing.dumps()/loads() and
+    cache backends.
+    """
+
+    def __init__(self, protocol=None):
+        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
+
+    def dumps(self, obj):
+        """Pickle data to be stored in redis"""
+        return pickle.dumps(obj, self.protocol)
+
+    def loads(self, data):
+        """Unpickle data to be loaded from redis"""
+        return pickle.loads(data)  # nosec
+
+
+def _migrate_session(
+    apps,
+    db_alias,
+    session_key,
+    session_data,
+    expires,
+):
+    Session = apps.get_model("authentik_core", "Session")
+    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+
+    old_auth_session = (
+        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
+    )
+
+    args = {
+        "session_key": session_key,
+        "expires": expires,
+        "last_ip": ClientIPMiddleware.default_ip,
+        "last_user_agent": "",
+        "session_data": {},
+    }
+    for k, v in session_data.items():
+        if k == "authentik/stages/user_login/last_ip":
+            args["last_ip"] = v
+        elif k in ["last_user_agent", "last_used"]:
+            args[k] = v
+        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
+            pass
+        else:
+            args["session_data"][k] = v
+    if old_auth_session:
+        args["last_user_agent"] = old_auth_session.last_user_agent
+        args["last_used"] = old_auth_session.last_used
+
+    args["session_data"] = pickle.dumps(args["session_data"])
+    session = Session.objects.using(db_alias).create(**args)
+
+    if old_auth_session:
+        AuthenticatedSession.objects.using(db_alias).create(
+            session=session,
+            user=old_auth_session.user,
+        )
+
+
+def migrate_redis_sessions(apps, schema_editor):
+    from django.core.cache import caches
+
+    db_alias = schema_editor.connection.alias
+    cache = caches[SESSION_CACHE_ALIAS]
+
+    # Not a redis cache, skipping
+    if not hasattr(cache, "keys"):
+        return
+
+    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
+    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=key.removeprefix(KEY_PREFIX),
+            session_data=session_data,
+            expires=now() + timedelta(seconds=cache.ttl(key)),
+        )
+
+
+def migrate_database_sessions(apps, schema_editor):
+    DjangoSession = apps.get_model("sessions", "Session")
+    db_alias = schema_editor.connection.alias
+
+    print("\nMigration database sessions, this might take a couple of minutes...")
+    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
+        session_data = signing.loads(
+            django_session.session_data,
+            salt="django.contrib.sessions.SessionStore",
+            serializer=PickleSerializer,
+        )
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=django_session.session_key,
+            session_data=session_data,
+            expires=django_session.expire_date,
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("sessions", "0001_initial"),
+        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+    ]
+
+    operations = [
+        # Rename AuthenticatedSession to OldAuthenticatedSession
+        migrations.RenameModel(
+            old_name="AuthenticatedSession",
+            new_name="OldAuthenticatedSession",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expires_cf4f72_idx",
+            old_name="authentik_c_expires_08251d_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_c1f17f_idx",
+            old_name="authentik_c_expirin_9cd839_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_e04f5d_idx",
+            old_name="authentik_c_expirin_195a84_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_session_a44819_idx",
+            old_name="authentik_c_session_d0f005_idx",
+        ),
+        migrations.RunSQL(
+            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
+            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
+        ),
+        # Create new Session and AuthenticatedSession models
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                (
+                    "session_key",
+                    models.CharField(
+                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
+                    ),
+                ),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                ("session_data", models.BinaryField(verbose_name="session data")),
+                ("last_ip", models.GenericIPAddressField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+            ],
+            options={
+                "default_permissions": [],
+                "verbose_name": "Session",
+                "verbose_name_plural": "Sessions",
+            },
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
+            ),
+        ),
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "session",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.session",
+                    ),
+                ),
+                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Authenticated Session",
+                "verbose_name_plural": "Authenticated Sessions",
+            },
+        ),
+        migrations.RunPython(
+            code=migrate_redis_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            code=migrate_database_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
--- a/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
+++ b/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
@ -0,0 +1,18 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0046_session_and_more"),
+        ("authentik_providers_rac", "0007_migrate_session"),
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="OldAuthenticatedSession",
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,6 +1,7 @@
 """authentik core models"""

 from datetime import datetime
+from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@ -9,6 +10,7 @@ from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
+from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@ -646,19 +648,30 @@ class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = "email_link", _(
-        "Link to a user with identical email address. Can have security implications "
-        "when a source doesn't validate email addresses."
+    EMAIL_LINK = (
+        "email_link",
+        _(
+            "Link to a user with identical email address. Can have security implications "
+            "when a source doesn't validate email addresses."
+        ),
    )
-    EMAIL_DENY = "email_deny", _(
-        "Use the user's email address, but deny enrollment when the email address already exists."
+    EMAIL_DENY = (
+        "email_deny",
+        _(
+            "Use the user's email address, but deny enrollment when the email address already "
+            "exists."
+        ),
    )
-    USERNAME_LINK = "username_link", _(
-        "Link to a user with identical username. Can have security implications "
-        "when a username is used with another source."
+    USERNAME_LINK = (
+        "username_link",
+        _(
+            "Link to a user with identical username. Can have security implications "
+            "when a username is used with another source."
+        ),
    )
-    USERNAME_DENY = "username_deny", _(
-        "Use the user's username, but deny enrollment when the username already exists."
+    USERNAME_DENY = (
+        "username_deny",
+        _("Use the user's username, but deny enrollment when the username already exists."),
    )


@ -666,12 +679,16 @@ class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = "name_link", _(
-        "Link to a group with identical name. Can have security implications "
-        "when a group name is used with another source."
+    NAME_LINK = (
+        "name_link",
+        _(
+            "Link to a group with identical name. Can have security implications "
+            "when a group name is used with another source."
+        ),
    )
-    NAME_DENY = "name_deny", _(
-        "Use the group name, but deny enrollment when the name already exists."
+    NAME_DENY = (
+        "name_deny",
+        _("Use the group name, but deny enrollment when the name already exists."),
    )


@ -730,8 +747,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
-            "How the source determines if an existing group should be used or "
-            "a new group created."
+            "How the source determines if an existing group should be used or a new group created."
        ),
    )

@ -824,6 +840,7 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):

    user = models.ForeignKey(User, on_delete=models.CASCADE)
    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()

    objects = InheritanceManager()

@ -837,6 +854,10 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):

    class Meta:
        unique_together = (("user", "source"),)
+        indexes = (
+            models.Index(fields=("identifier",)),
+            models.Index(fields=("source", "identifier")),
+        )


 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
@ -1007,45 +1028,75 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name_plural = _("Property Mappings")


-class AuthenticatedSession(ExpiringModel):
-    """Additional session class for authenticated users. Augments the standard django session
-    to achieve the following:
-        - Make it queryable by user
-        - Have a direct connection to user objects
-        - Allow users to view their own sessions and terminate them
-        - Save structured and well-defined information.
-    """
+class Session(ExpiringModel, AbstractBaseSession):
+    """User session with extra fields for fast access"""

-    uuid = models.UUIDField(default=uuid4, primary_key=True)
+    # Remove upstream field because we're using our own ExpiringModel
+    expire_date = None
+    session_data = models.BinaryField(_("session data"))

-    session_key = models.CharField(max_length=40)
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-
-    last_ip = models.TextField()
+    # Keep in sync with Session.Keys
+    last_ip = models.GenericIPAddressField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)

+    class Meta:
+        verbose_name = _("Session")
+        verbose_name_plural = _("Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["expires", "session_key"]),
+        ]
+        default_permissions = []
+
+    def __str__(self):
+        return self.session_key
+
+    class Keys(StrEnum):
+        """
+        Keys to be set with the session interface for the fields above to be updated.
+
+        If a field is added here that needs to be initialized when the session is initialized,
+        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
+        and in authentik.core.sessions.SessionStore.__init__
+        """
+
+        LAST_IP = "last_ip"
+        LAST_USER_AGENT = "last_user_agent"
+        LAST_USED = "last_used"
+
+    @classmethod
+    def get_session_store_class(cls):
+        from authentik.core.sessions import SessionStore
+
+        return SessionStore
+
+    def get_decoded(self):
+        raise NotImplementedError
+
+
+class AuthenticatedSession(SerializerModel):
+    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
+    # We use the session as primary key, but we need the API to be able to reference
+    # this object uniquely without exposing the session key
+    uuid = models.UUIDField(default=uuid4, unique=True)
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
-        indexes = ExpiringModel.Meta.indexes + [
-            models.Index(fields=["session_key"]),
-        ]

    def __str__(self) -> str:
-        return f"Authenticated Session {self.session_key[:10]}"
+        return f"Authenticated Session {str(self.pk)[:10]}"

    @staticmethod
    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request"""
-        from authentik.root.middleware import ClientIPMiddleware
-
-        if not hasattr(request, "session") or not request.session.session_key:
+        if not hasattr(request, "session") or not request.session.exists(
+            request.session.session_key
+        ):
            return None
        return AuthenticatedSession(
-            session_key=request.session.session_key,
+            session=Session.objects.filter(session_key=request.session.session_key).first(),
            user=user,
-            last_ip=ClientIPMiddleware.get_client_ip(request),
-            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
-            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@ -0,0 +1,168 @@
+"""authentik sessions engine"""
+
+import pickle  # nosec
+
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.contrib.sessions.backends.db import SessionStore as SessionBase
+from django.core.exceptions import SuspiciousOperation
+from django.utils import timezone
+from django.utils.functional import cached_property
+from structlog.stdlib import get_logger
+
+from authentik.root.middleware import ClientIPMiddleware
+
+LOGGER = get_logger()
+
+
+class SessionStore(SessionBase):
+    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
+        super().__init__(session_key)
+        self._create_kwargs = {
+            "last_ip": last_ip or ClientIPMiddleware.default_ip,
+            "last_user_agent": last_user_agent,
+        }
+
+    @classmethod
+    def get_model_class(cls):
+        from authentik.core.models import Session
+
+        return Session
+
+    @cached_property
+    def model_fields(self):
+        return [k.value for k in self.model.Keys]
+
+    def _get_session_from_db(self):
+        try:
+            return (
+                self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .get(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    async def _aget_session_from_db(self):
+        try:
+            return (
+                await self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .aget(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    def encode(self, session_dict):
+        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
+
+    def decode(self, session_data):
+        try:
+            return pickle.loads(session_data)  # nosec
+        except pickle.PickleError:
+            # ValueError, unpickling exceptions. If any of these happen, just return an empty
+            # dictionary (an empty session)
+            pass
+        return {}
+
+    def load(self):
+        s = self._get_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    async def aload(self):
+        s = await self._aget_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    def create_model_instance(self, data):
+        args = {
+            "session_key": self._get_or_create_session_key(),
+            "expires": self.get_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    async def acreate_model_instance(self, data):
+        args = {
+            "session_key": await self._aget_or_create_session_key(),
+            "expires": await self.aget_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    @classmethod
+    def clear_expired(cls):
+        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
+
+    @classmethod
+    async def aclear_expired(cls):
+        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
+
+    def cycle_key(self):
+        data = self._session
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        if key:
+            self.delete(key)
+        if (authenticated_session := data.get("authenticatedsession")) is not None:
+            authenticated_session.session_id = self.session_key
+            authenticated_session.save(force_insert=True)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,14 +1,10 @@
 """authentik core signals"""

-from importlib import import_module
-
-from django.conf import settings
-from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@ -18,6 +14,7 @@ from authentik.core.models import (
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
+    Session,
    User,
    default_token_duration,
 )
@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


@receiver(post_save, sender=Application)
@ -53,18 +49,10 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
        session.save()


-@receiver(user_logged_out)
-def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
-    """Delete AuthenticatedSession if it exists"""
-    if not request.session or not request.session.session_key:
-        return
-    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
+@receiver(post_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    Session.objects.filter(session_key=instance.pk).delete()


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -36,7 +36,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -210,8 +209,6 @@ class SourceFlowManager:
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        flow_context.update(
            {
                # Since we authenticate the user by their token, they have no backend set
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -2,22 +2,16 @@

 from datetime import datetime, timedelta

-from django.conf import ImproperlyConfigured
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
-from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger

 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
-    AuthenticatedSession,
    ExpiringModel,
    User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
@ -38,40 +32,6 @@ def clean_expired_models(self: SystemTask):
            obj.expire_action()
        LOGGER.debug("Expired models", model=cls, amount=amount)
        messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
-    # Special case
-    amount = 0
-
-    for session in AuthenticatedSession.objects.all():
-        match CONFIG.get("session_storage", "cache"):
-            case "cache":
-                cache_key = f"{KEY_PREFIX}{session.session_key}"
-                value = None
-                try:
-                    value = cache.get(cache_key)
-
-                except Exception as exc:
-                    LOGGER.debug("Failed to get session from cache", exc=exc)
-                if not value:
-                    session.delete()
-                    amount += 1
-            case "db":
-                if not (
-                    DBSessionStore.get_model_class()
-                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
-                    .exists()
-                ):
-                    session.delete()
-                    amount += 1
-            case _:
-                # Should never happen, as we check for other values in authentik/root/settings.py
-                raise ImproperlyConfigured(
-                    "Invalid session_storage setting, allowed values are db and cache"
-                )
-    if CONFIG.get("session_storage", "cache") == "db":
-        DBSessionStore.clear_expired()
-    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
-
-    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
    self.set_status(TaskStatus.SUCCESSFUL, *messages)


--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -2,30 +2,35 @@
 {% get_current_language as LANGUAGE_CODE %}

 <script>
-    window.authentik = {
-        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
-        versionFamily: "{{ version_family }}",
-        versionSubdomain: "{{ version_subdomain }}",
-        build: "{{ build }}",
-        api: {
-            base: "{{ base_url }}",
-            relBase: "{{ base_url_rel }}",
-        },
-    };
-    window.addEventListener("DOMContentLoaded", function () {
-        {% for message in messages %}
-        window.dispatchEvent(
-            new CustomEvent("ak-message", {
-                bubbles: true,
-                composed: true,
-                detail: {
-                    level: "{{ message.tags|escapejs }}",
-                    message: "{{ message.message|escapejs }}",
-                },
-            }),
-        );
-        {% endfor %}
-    });
+  window.authentik = {
+    locale: "{{ LANGUAGE_CODE }}",
+    config: JSON.parse('{{ config_json|escapejs }}' || '{}'),
+    brand: JSON.parse('{{ brand_json|escapejs }}' || '{}'),
+    versionFamily: '{{ version_family }}',
+    versionSubdomain: '{{ version_subdomain }}',
+    build: '{{ build }}',
+    api: {
+      base: '{{ base_url }}',
+      relBase: '{{ base_url_rel }}',
+    },
+  };
 </script>
+
+{% if messages %}
+  <script>
+    window.addEventListener("DOMContentLoaded", function () {
+      {% for message in messages %}
+        window.dispatchEvent(
+          new CustomEvent("ak-message", {
+              bubbles: true,
+              composed: true,
+              detail: {
+                  level: "{{ message.tags|escapejs }}",
+                  message: "{{ message.message|escapejs }}",
+              },
+          }),
+        );
+      {% endfor %}
+    });
+  </script>
+{% endif %}
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -2,31 +2,85 @@
 {% load i18n %}
 {% load authentik_core %}

-<!DOCTYPE html>
+<!doctype html>
+<html lang="{{ get_current_language }}">
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

-<html>
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
-        <meta name="darkreader-lock">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
-        {% block head %}
-        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-    </head>
-    <body>
-        {% block body %}
-        {% endblock %}
-        {% block scripts %}
-        {% endblock %}
-    </body>
+    {% comment %}
+      Darkreader breaks the site regardless of theme as its not compatible with webcomponents,
+      and we default to a dark theme based on preferred colour-scheme.
+    {% endcomment %}
+
+    <meta name="darkreader-lock">
+
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+
+    <link rel="icon" href="{{ brand.branding_favicon_url }}">
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+
+    {% block head_before %}
+    {% endblock %}
+
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+
+    <style data-test-id="color-scheme">
+      @media (prefers-color-scheme: dark) {
+        :root {
+          color-scheme: dark light;
+        }
+      }
+
+      @media (prefers-color-scheme: light) {
+        :root {
+          color-scheme: light dark;
+        }
+      }
+    </style>
+
+    <style data-test-id="custom-branding-css">
+      {{ brand.branding_custom_css }}
+    </style>
+
+    <script
+      data-test-id="entrypoint-polyfill"
+      src="{% versioned_script 'dist/poly-%v.js' %}"
+      type="module">
+    </script>
+
+    <script
+      data-test-id="entrypoint-loading"
+      src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}"
+      type="module">
+    </script>
+
+    {% block head %}
+    {% endblock %}
+
+    <meta name="sentry-trace" content="{{ sentry_trace }}">
+  </head>
+
+  <body>
+    {% block body %}{% endblock %}
+    {% block scripts %}{% endblock %}
+
+    <noscript>
+      <style>
+        body {
+          font-family: var(--ak-font-family-base), sans-serif;
+        }
+      </style>
+
+      <h1>
+        {% blocktrans with brand_title=title|default:brand.branding_title %}
+          JavaScript is required to use {{ brand_title }}
+        {% endblocktrans %}
+      </h1>
+
+      <p>
+        {% trans 'Please enable JavaScript in your browser settings and reload the page. If you are using a browser extension that blocks JavaScript, please disable it for this site.' %}
+      </p>
+    </noscript>
+  </body>
 </html>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,15 +3,22 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-{% include "base/header_js.html" %}
+  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+  {% include "base/header_js.html" %}
+
+  <script
+    data-test-id="entrypoint"
+    src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}"
+    type="module">
+  </script>
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-admin>
+  <ak-message-container></ak-message-container>
+
+  <ak-interface-admin>
    <ak-loading></ak-loading>
-</ak-interface-admin>
+  </ak-interface-admin>
 {% endblock %}
--- a/authentik/core/templates/if/error.html
+++ b/authentik/core/templates/if/error.html
@ -4,18 +4,22 @@
 {% load i18n %}

 {% block title %}
-{{ brand.branding_title }}
+  {{ brand.branding_title }}
 {% endblock %}

 {% block card_title %}
-{% trans title %}
+  {% trans title %}
 {% endblock %}

 {% block card %}
-<form method="POST" class="pf-c-form">
+  <form method="POST" class="pf-c-form">
    <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
+
+    <a
+      id="ak-back-home"
+      href="{% url 'authentik_core:root-redirect' %}"
+      class="pf-c-button pf-m-primary">
+      {% trans 'Go home' %}
    </a>
-</form>
+  </form>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,15 +3,22 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
-{% include "base/header_js.html" %}
+  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+  {% include "base/header_js.html" %}
+
+  <script
+    data-test-id="entrypoint"
+    src="{% versioned_script 'dist/user/UserInterface-%v.js' %}"
+    type="module">
+  </script>
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-user>
+  <ak-message-container></ak-message-container>
+
+  <ak-interface-user>
    <ak-loading></ak-loading>
-</ak-interface-user>
+  </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,79 +4,93 @@
 {% load i18n %}

 {% block head_before %}
-<link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
-{% include "base/header_js.html" %}
+  <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}">
+
+  <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+  <link
+    rel="stylesheet"
+    type="text/css"
+    href="{% static 'dist/theme-dark.css' %}"
+    media="(prefers-color-scheme: dark)"
+ >
+
+  {% include "base/header_js.html" %}
 {% endblock %}

 {% block head %}
-<style>
-:root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
-    margin-top: var(--pf-global--spacer--sm);
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-}
-.form-control-static .avatar {
-    display: flex;
-    align-items: center;
-}
-.form-control-static img {
-    margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
-    padding-top: var(--pf-global--spacer--xs);
-    padding-bottom: var(--pf-global--spacer--xs);
-    line-height: var(--pf-global--spacer--xl);
-}
-</style>
+  <style data-test-id="base-full-root-styles">
+    :root {
+      --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
+      --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
+      --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
+      --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
+      --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
+      --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
+    }
+
+    /* Form with user */
+    .form-control-static {
+      margin-top: var(--pf-global--spacer--sm);
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+    }
+
+    .form-control-static .avatar {
+      display: flex;
+      align-items: center;
+    }
+
+    .form-control-static img {
+      margin-right: var(--pf-global--spacer--xs);
+    }
+
+    .form-control-static a {
+      padding-top: var(--pf-global--spacer--xs);
+      padding-bottom: var(--pf-global--spacer--xs);
+      line-height: var(--pf-global--spacer--xl);
+    }
+  </style>
 {% endblock %}

 {% block body %}
-<div class="pf-c-background-image">
-</div>
-<ak-message-container></ak-message-container>
-<div class="pf-c-login stacked">
+  <div class="pf-c-background-image"></div>
+
+  <ak-message-container></ak-message-container>
+
+  <div class="pf-c-login stacked">
    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
-            </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
+      <main class="pf-c-login__main">
+        <div class="pf-c-login__main-header pf-c-brand ak-brand">
+          <img src="{{ brand.branding_logo_url }}" alt="authentik Logo">
+        </div>
+
+        <header class="pf-c-login__main-header">
+          <h1 class="pf-c-title pf-m-3xl">
+            {% block card_title %}
+            {% endblock %}
+          </h1>
+        </header>
+
+        <div class="pf-c-login__main-body">
+          {% block card %}
+          {% endblock %}
+        </div>
+      </main>
+
+      <footer class="pf-c-login__footer">
+        <ul class="pf-c-list pf-m-inline">
+          {% for link in footer_links %}
+            <li>
+              <a href="{{ link.href }}">{{ link.name }}</a>
+            </li>
+          {% endfor %}
+
+          <li>
+            <span>{% trans 'Powered by authentik' %}</span>
+          </li>
+        </ul>
+      </footer>
    </div>
-</div>
+  </div>
 {% endblock %}
--- a/authentik/core/tests/test_api_utils.py
+++ b/authentik/core/tests/test_api_utils.py
@ -1,9 +1,17 @@
 """Test API Utils"""

 from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import (
+    HyperlinkedModelSerializer,
+)
+from rest_framework.serializers import (
+    ModelSerializer as BaseModelSerializer,
+)
 from rest_framework.test import APITestCase

+from authentik.core.api.utils import ModelSerializer as CustomModelSerializer
 from authentik.core.api.utils import is_dict
+from authentik.lib.utils.reflection import all_subclasses


 class TestAPIUtils(APITestCase):
@ -14,3 +22,14 @@ class TestAPIUtils(APITestCase):
        self.assertIsNone(is_dict({}))
        with self.assertRaises(ValidationError):
            is_dict("foo")
+
+    def test_all_serializers_descend_from_custom(self):
+        """Test that every serializer we define descends from our own ModelSerializer"""
+        # Weirdly, there's only one serializer in `rest_framework` which descends from
+        # ModelSerializer: HyperlinkedModelSerializer
+        expected = {CustomModelSerializer, HyperlinkedModelSerializer}
+        actual = set(all_subclasses(BaseModelSerializer)) - set(
+            all_subclasses(CustomModelSerializer)
+        )
+
+        self.assertEqual(expected, actual)
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -5,7 +5,7 @@ from json import loads
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, Session, User
 from authentik.core.tests.utils import create_test_admin_user


@ -30,3 +30,18 @@ class TestAuthenticatedSessionsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["pagination"]["count"], 1)
+
+    def test_delete(self):
+        """Test deletion"""
+        self.client.force_login(self.user)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 1)
+        self.assertEqual(Session.objects.all().count(), 1)
+        response = self.client.delete(
+            reverse(
+                "authentik_api:authenticatedsession-detail",
+                kwargs={"uuid": AuthenticatedSession.objects.first().uuid},
+            )
+        )
+        self.assertEqual(response.status_code, 204)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 0)
+        self.assertEqual(Session.objects.all().count(), 0)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -3,8 +3,6 @@
 from datetime import datetime
 from json import loads

-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

@ -12,6 +10,7 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
+    Session,
    Token,
    User,
    UserTypes,
@ -381,12 +380,15 @@ class TestUsersAPI(APITestCase):
        """Ensure sessions are deleted when a user is deactivated"""
        user = create_test_admin_user()
        session_id = generate_id()
-        AuthenticatedSession.objects.create(
-            user=user,
+        session = Session.objects.create(
            session_key=session_id,
-            last_ip="",
+            last_ip="255.255.255.255",
+            last_user_agent="",
+        )
+        AuthenticatedSession.objects.create(
+            session=session,
+            user=user,
        )
-        cache.set(KEY_PREFIX + session_id, "foo")

        self.client.force_login(self.admin)
        response = self.client.patch(
@ -397,5 +399,7 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

-        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
+        self.assertFalse(Session.objects.filter(session_key=session_id).exists())
+        self.assertFalse(
+            AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
+        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -1,7 +1,5 @@
 """authentik URL Configuration"""

-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@ -13,7 +11,11 @@ from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.property_mappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
-from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
+from authentik.core.api.sources import (
+    GroupSourceConnectionViewSet,
+    SourceViewSet,
+    UserSourceConnectionViewSet,
+)
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
@ -25,7 +27,7 @@ from authentik.core.views.interface import (
    RootRedirectView,
 )
 from authentik.flows.views.interface import FlowInterfaceView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware

@ -81,6 +83,7 @@ api_urlpatterns = [
    ("core/tokens", TokenViewSet),
    ("sources/all", SourceViewSet),
    ("sources/user_connections/all", UserSourceConnectionViewSet),
+    ("sources/group_connections/all", GroupSourceConnectionViewSet),
    ("providers/all", ProviderViewSet),
    ("propertymappings/all", PropertyMappingViewSet),
    ("authenticators/all", DeviceViewSet, "device"),
@ -94,9 +97,7 @@ api_urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/client/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
    ),
 ]

--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -102,7 +102,7 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
            "format": "complex",
            "session": {
                "format": "opaque",
-                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
+                "id": sha256(instance.session.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@ -4,10 +4,9 @@ from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from structlog.stdlib import get_logger

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.enterprise.providers.ssf.models import (
    DeliveryMethods,
    EventTypes,
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -2,11 +2,11 @@

 from rest_framework import mixins
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -59,7 +59,7 @@ def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | Non
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session_key)
+        session = SessionStore(request_or_session.session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)


--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -2,53 +2,63 @@
 {% load i18n %}
 {% load authentik_core %}

-<!DOCTYPE html>
+<!doctype html>

 <html lang="en">
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-        {% include "base/header_js.html" %}
-        <style>
-          html,
-          body {
-            height: 100%;
-          }
-          body {
-            background-image: url("{{ flow.background_url }}");
-            background-repeat: no-repeat;
-            background-size: cover;
-          }
-          .card {
-            padding: 3rem;
-          }
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

-          .form-signin {
-            max-width: 330px;
-            padding: 1rem;
-          }
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>

-          .form-signin .form-floating:focus-within {
-            z-index: 2;
-          }
-          .brand-icon {
-            max-width: 100%;
-          }
-        </style>
-    </head>
-    <body class="d-flex align-items-center py-4 bg-body-tertiary">
-      <div class="card m-auto">
-        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
-        </main>
-        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
-      </div>
-      <script src="{% static 'dist/sfe/index.js' %}"></script>
-    </body>
+    <link rel="icon" href="{{ brand.branding_favicon_url }}">
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+
+    {% block head_before %}
+    {% endblock %}
+
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
+    <meta name="sentry-trace" content="{{ sentry_trace }}">
+
+    {% include "base/header_js.html" %}
+
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+
+      body {
+        background-image: url("{{ flow.background_url }}");
+        background-repeat: no-repeat;
+        background-size: cover;
+      }
+
+      .card {
+        padding: 3rem;
+      }
+
+      .form-signin {
+        max-width: 330px;
+        padding: 1rem;
+      }
+
+      .form-signin .form-floating:focus-within {
+        z-index: 2;
+      }
+
+      .brand-icon {
+        max-width: 100%;
+      }
+    </style>
+  </head>
+
+  <body class="d-flex align-items-center py-4 bg-body-tertiary">
+    <div class="card m-auto">
+      <main class="form-signin w-100 m-auto" id="flow-sfe-container"></main>
+      <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
+    </div>
+
+    <script src="{% static 'dist/sfe/index.js' %}"></script>
+  </body>
 </html>
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -4,31 +4,45 @@
 {% load authentik_core %}

 {% block head_before %}
-{{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
-{% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: !navigator.webdriver };</script>
-{% endif %}
-{% include "base/header_js.html" %}
-<script>
-window.authentik.flow = {
-    "layout": "{{ flow.layout }}",
-};
-</script>
+  {{ block.super }}
+
+  <link rel="prefetch" href="{{ flow.background_url }}">
+
+  {% if flow.compatibility_mode and not inspector %}
+    <script>
+      window.ShadyDOM = { force: !navigator.webdriver };
+    </script>
+  {% endif %}
+
+  {% include "base/header_js.html" %}
+
+  <script>
+    window.authentik.flow = {
+      layout: "{{ flow.layout }}",
+    };
+  </script>
+
+  <meta name="ak-flow-layout" content="{{ flow.layout }}">
+
 {% endblock %}

 {% block head %}
-<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
-<style>
-:root {
-    --ak-flow-background: url("{{ flow.background_url }}");
-}
-</style>
+  <script
+    data-test-id="entrypoint"
+    src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}"
+    type="module">
+  </script>
+
+  <style data-test-id="flow-root-styles">
+    :root {
+      --ak-flow-background: url("{{ flow.background_url }}");
+    }
+  </style>
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-flow-executor flowSlug="{{ flow.slug }}">
+  <ak-message-container></ak-message-container>
+  <ak-flow-executor flowSlug="{{ flow.slug }}">
    <ak-loading></ak-loading>
-</ak-flow-executor>
+  </ak-flow-executor>
 {% endblock %}
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -356,6 +356,14 @@ def redis_url(db: int) -> str:
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
+
+    pool_options = False
+    use_pool = config.get_bool("postgresql.use_pool", False)
+    if use_pool:
+        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
+        if not pool_options:
+            pool_options = True
+
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
@ -369,6 +377,7 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
+                "pool": pool_options,
            },
            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -21,6 +21,7 @@ postgresql:
  user: authentik
  port: 5432
  password: "env://POSTGRES_PASSWORD"
+  use_pool: False
  test:
    name: test_authentik
  default_schema: public
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -18,7 +18,7 @@ from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger

-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
@ -203,9 +203,7 @@ class BaseEvaluator:
            provider = OAuth2Provider.objects.get(name=provider)
        session = None
        if hasattr(request, "session") and request.session.session_key:
-            session = AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first()
+            session = request.session["authenticatedsession"]
        access_token = AccessToken(
            provider=provider,
            user=user,
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -217,6 +217,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -267,6 +268,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -285,6 +287,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -333,6 +336,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -351,6 +355,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -394,6 +399,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -412,6 +418,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -451,6 +458,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -469,6 +477,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -484,3 +493,87 @@ class TestConfig(TestCase):
                },
            },
        )
+
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
+
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
--- a/authentik/policies/geoip/models.py
+++ b/authentik/policies/geoip/models.py
@ -66,7 +66,9 @@ class GeoIPPolicy(Policy):
        if not static_results and not dynamic_results:
            return PolicyResult(True)

-        passing = any(r.passing for r in static_results) and all(r.passing for r in dynamic_results)
+        static_passing = any(r.passing for r in static_results) if static_results else True
+        dynamic_passing = all(r.passing for r in dynamic_results)
+        passing = static_passing and dynamic_passing
        messages = chain(
            *[r.messages for r in static_results], *[r.messages for r in dynamic_results]
        )
@ -113,13 +115,19 @@ class GeoIPPolicy(Policy):
        to previous authentication requests"""
        # Get previous login event and GeoIP data
        previous_logins = Event.objects.filter(
-            action=EventAction.LOGIN, user__pk=request.user.pk, context__geo__isnull=False
+            action=EventAction.LOGIN,
+            user__pk=request.user.pk,  # context__geo__isnull=False
        ).order_by("-created")[: self.history_login_count]
        _now = now()
        geoip_data: GeoIPDict | None = request.context.get("geoip")
        if not geoip_data:
            return PolicyResult(False)
+        if not previous_logins.exists():
+            return PolicyResult(True)
+        result = False
        for previous_login in previous_logins:
+            if "geo" not in previous_login.context:
+                continue
            previous_login_geoip: GeoIPDict = previous_login.context["geo"]

            # Figure out distance
@ -142,7 +150,8 @@ class GeoIPPolicy(Policy):
                (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
            ):
                return PolicyResult(False, _("Distance is further than possible."))
-        return PolicyResult(True)
+            result = True
+        return PolicyResult(result)

    class Meta(Policy.PolicyMeta):
        verbose_name = _("GeoIP Policy")
--- a/authentik/policies/geoip/tests.py
+++ b/authentik/policies/geoip/tests.py
@ -163,7 +163,7 @@ class TestGeoIPPolicy(TestCase):
        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)

-    def test_history_impossible_travel(self):
+    def test_history_impossible_travel_failing(self):
        """Test history checks"""
        Event.objects.create(
            action=EventAction.LOGIN,
@ -181,6 +181,24 @@ class TestGeoIPPolicy(TestCase):
        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)

+    def test_history_impossible_travel_passing(self):
+        """Test history checks"""
+        Event.objects.create(
+            action=EventAction.LOGIN,
+            user=get_user(self.user),
+            context={
+                # Random location in Canada
+                "geo": {"lat": 55.868351, "long": -104.441011},
+            },
+        )
+        # Same location
+        self.request.context["geoip"] = {"lat": 55.868351, "long": -104.441011}
+
+        policy = GeoIPPolicy.objects.create(check_impossible_travel=True)
+
+        result: PolicyResult = policy.passes(self.request)
+        self.assertTrue(result.passing)
+
    def test_history_no_geoip(self):
        """Test history checks (previous login with no geoip data)"""
        Event.objects.create(
@ -195,3 +213,18 @@ class TestGeoIPPolicy(TestCase):

        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)
+
+    def test_impossible_travel_no_geoip(self):
+        """Test impossible travel checks (previous login with no geoip data)"""
+        Event.objects.create(
+            action=EventAction.LOGIN,
+            user=get_user(self.user),
+            context={},
+        )
+        # Random location in Poland
+        self.request.context["geoip"] = {"lat": 50.950613, "long": 20.363679}
+
+        policy = GeoIPPolicy.objects.create(check_impossible_travel=True)
+
+        result: PolicyResult = policy.passes(self.request)
+        self.assertFalse(result.passing)
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -2,7 +2,6 @@

 from django.contrib.auth.signals import user_logged_in
 from django.db import transaction
-from django.db.models import F
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
@ -13,20 +12,29 @@ from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.policies.reputation.models import Reputation, reputation_expiry
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.identification.signals import identification_failed
+from authentik.tenants.utils import get_current_tenant

 LOGGER = get_logger()


+def clamp(value, min, max):
+    return sorted([min, value, max])[1]
+
+
 def update_score(request: HttpRequest, identifier: str, amount: int):
    """Update score for IP and User"""
    remote_ip = ClientIPMiddleware.get_client_ip(request)
+    tenant = get_current_tenant()
+    new_score = clamp(amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit)

    with transaction.atomic():
        reputation, created = Reputation.objects.select_for_update().get_or_create(
            ip=remote_ip,
            identifier=identifier,
            defaults={
-                "score": amount,
+                "score": clamp(
+                    amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit
+                ),
                "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
                "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
                "expires": reputation_expiry(),
@ -34,9 +42,15 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
        )

        if not created:
-            reputation.score = F("score") + amount
+            new_score = clamp(
+                reputation.score + amount,
+                tenant.reputation_lower_limit,
+                tenant.reputation_upper_limit,
+            )
+            reputation.score = new_score
            reputation.save()
-    LOGGER.info("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
+
+    LOGGER.info("Updated score", amount=new_score, for_user=identifier, for_ip=remote_ip)


@receiver(login_failed)
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -6,9 +6,11 @@ from authentik.core.models import User
 from authentik.lib.generators import generate_id
 from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
+from authentik.policies.reputation.signals import update_score
 from authentik.policies.types import PolicyRequest
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import authenticate
+from authentik.tenants.models import DEFAULT_REPUTATION_LOWER_LIMIT, DEFAULT_REPUTATION_UPPER_LIMIT


 class TestReputationPolicy(TestCase):
@ -17,36 +19,48 @@ class TestReputationPolicy(TestCase):
    def setUp(self):
        self.request_factory = RequestFactory()
        self.request = self.request_factory.get("/")
-        self.test_ip = "127.0.0.1"
-        self.test_username = "test"
+        self.ip = "127.0.0.1"
+        self.username = "username"
+        self.password = generate_id()
        # We need a user for the one-to-one in userreputation
-        self.user = User.objects.create(username=self.test_username)
+        self.user = User.objects.create(username=self.username)
+        self.user.set_password(self.password)
        self.backends = [BACKEND_INBUILT]

    def test_ip_reputation(self):
        """test IP reputation"""
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(ip=self.ip).score, -1)

    def test_user_reputation(self):
        """test User reputation"""
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, -1)

    def test_update_reputation(self):
        """test reputation update"""
-        Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
+        Reputation.objects.create(identifier=self.username, ip=self.ip, score=4)
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, 3)
+
+    def test_reputation_lower_limit(self):
+        """test reputation lower limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=-1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_LOWER_LIMIT
+        )
+
+    def test_reputation_upper_limit(self):
+        """test reputation upper limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_UPPER_LIMIT
        )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)

    def test_policy(self):
        """Test Policy"""
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@ -5,21 +5,28 @@

 {% block head %}
 {{ block.super }}
+
 <script>
  let redirecting = false;
+
  const checkAuth = async () => {
    if (redirecting) return true;
+
    const url = "{{ check_auth_url }}";
    console.debug("authentik/policies/buffer: Checking authentication...");
+
    try {
      const result = await fetch(url, {
        method: "HEAD",
      });
+
      if (result.status >= 400) {
        return false
      }
+
      console.debug("authentik/policies/buffer: Continuing");
      redirecting = true;
+
      if ("{{ auth_req_method }}" === "post") {
        document.querySelector("form").submit();
      } else {
@ -29,61 +36,75 @@
      return false;
    }
  };
+
  let timeout = 100;
  let offset = 20;
  let attempt = 0;
+
  const main = async () => {
    attempt += 1;
+
    await checkAuth();
+
    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
+
    setTimeout(main, timeout);
+
    timeout += (offset * attempt);
+
    if (timeout >= 2000) {
      timeout = 2000;
    }
  }
+
  document.addEventListener("visibilitychange", async () => {
    if (document.hidden) return;
+
    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
+
    await checkAuth();
  });
+
  main();
 </script>
 {% endblock %}

 {% block title %}
-{% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
+  {% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
 {% endblock %}

 {% block card_title %}
-{% trans 'Waiting for authentication...' %}
+  {% trans 'Waiting for authentication...' %}
 {% endblock %}

 {% block card %}
-<form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
-  {% if auth_req_method == "post" %}
-    {% for key, value in auth_req_body.items %}
-      <input type="hidden" name="{{ key }}" value="{{ value }}" />
-    {% endfor %}
-  {% endif %}
-  <div class="pf-c-empty-state">
-    <div class="pf-c-empty-state__content">
-      <div class="pf-c-empty-state__icon">
-        <span class="pf-c-spinner pf-m-xl" role="progressbar">
-          <span class="pf-c-spinner__clipper"></span>
-          <span class="pf-c-spinner__lead-ball"></span>
-          <span class="pf-c-spinner__tail-ball"></span>
-        </span>
+  <form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
+    {% if auth_req_method == "post" %}
+      {% for key, value in auth_req_body.items %}
+        <input type="hidden" name="{{ key }}" value="{{ value }}">
+      {% endfor %}
+    {% endif %}
+
+    <div class="pf-c-empty-state">
+      <div class="pf-c-empty-state__content">
+        <div class="pf-c-empty-state__icon">
+          <span class="pf-c-spinner pf-m-xl" role="progressbar">
+            <span class="pf-c-spinner__clipper"></span>
+            <span class="pf-c-spinner__lead-ball"></span>
+            <span class="pf-c-spinner__tail-ball"></span>
+          </span>
+        </div>
+
+        <h1 class="pf-c-title pf-m-lg">
+          {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
+        </h1>
      </div>
-      <h1 class="pf-c-title pf-m-lg">
-        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
-      </h1>
    </div>
-  </div>
-  <div class="pf-c-form__group pf-m-action">
-    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
-      {% trans "Authenticate in this tab" %}
-    </a>
-  </div>
-</form>
+
+    <div class="pf-c-form__group pf-m-action">
+      <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
+        {% trans "Authenticate in this tab" %}
+      </a>
+    </div>
+  </form>
 {% endblock %}
--- a/authentik/policies/templates/policies/denied.html
+++ b/authentik/policies/templates/policies/denied.html
@ -13,63 +13,69 @@

 {% block card %}
 <form class="pf-c-form">
-    {% csrf_token %}
-    {% if user.is_authenticated %}
-        <div class="pf-c-form__group">
-            <div class="form-control-static">
-                <div class="avatar">
-                    <img class="pf-c-avatar" src="{{ user.avatar }}" alt="{% trans "User's avatar" %}" />
-                    {{ user.username }}
-                </div>
-                <div slot="link">
-                    <a href="{{ cancel }}">{% trans "Not you?" %}</a>
-                </div>
-            </div>
-        </div>
-    {% endif %}
+  {% csrf_token %}
+
+  {% if user.is_authenticated %}
    <div class="pf-c-form__group">
-        <p>
-            <i class="pf-icon pf-icon-error-circle-o"></i>
-            {% trans 'Request has been denied.' %}
-        </p>
-        {% if error %}
-        <hr>
-        <p>
-            {{ error }}
-        </p>
-        {% endif %}
-        {% if policy_result %}
-            <hr>
-            {% if policy_result.messages %}
-            <em>{% trans 'Messages:' %}</em>
-            <ul class="pf-c-list">
-                {% for message in policy_result.messages %}
-                <li>
-                    {{ message }}
-                </li>
-                {% endfor %}
-            </ul>
-            {% endif %}
-            {% if policy_result.source_results %}
-            <em>{% trans 'Explanation:' %}</em>
-            <ul class="pf-c-list">
-                {% for source_result in policy_result.source_results %}
-                <li>
-                    {% blocktrans with name=source_result.source_binding result=source_result.passing %}
-                    Policy binding '{{ name }}' returned result '{{ result }}'
-                    {% endblocktrans %}
-                    {% if source_result.messages %}
-                    <ul class="pf-c-list">
-                        {% for message in source_result.messages %}
-                            <li>{{ message }}</li>
-                        {% endfor %}
-                    </ul>
-                    {% endif %}
-                </li>
-                {% endfor %}
-            </ul>
-            {% endif %}
-        {% endif %}
+      <div class="form-control-static">
+        <div class="avatar">
+          <img class="pf-c-avatar" src="{{ user.avatar }}" alt="{% trans "User's avatar" %}">
+          {{ user.username }}
+        </div>
+        <div slot="link">
+          <a href="{{ cancel }}">{% trans "Not you?" %}</a>
+        </div>
+      </div>
    </div>
+  {% endif %}
+
+  <div class="pf-c-form__group">
+    <p>
+      <i class="pf-icon pf-icon-error-circle-o"></i>
+      {% trans 'Request has been denied.' %}
+    </p>
+
+    {% if error %}
+      <hr>
+
+      <p>{{ error }}</p>
+    {% endif %}
+
+    {% if policy_result %}
+      <hr>
+
+      {% if policy_result.messages %}
+        <em>{% trans 'Messages:' %}</em>
+
+        <ul class="pf-c-list">
+          {% for message in policy_result.messages %}
+            <li>{{ message }}</li>
+          {% endfor %}
+        </ul>
+      {% endif %}
+
+      {% if policy_result.source_results %}
+        <em>{% trans 'Explanation:' %}</em>
+
+        <ul class="pf-c-list">
+          {% for source_result in policy_result.source_results %}
+            <li>
+              {% blocktrans with name=source_result.source_binding result=source_result.passing %}
+              Policy binding '{{ name }}' returned result '{{ result }}'
+              {% endblocktrans %}
+
+              {% if source_result.messages %}
+                <ul class="pf-c-list">
+                  {% for message in source_result.messages %}
+                    <li>{{ message }}</li>
+                  {% endfor %}
+                </ul>
+              {% endif %}
+            </li>
+          {% endfor %}
+        </ul>
+      {% endif %}
+    {% endif %}
+  </div>
 </form>
 {% endblock %}
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -126,7 +126,7 @@ class IDToken:
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        if token.session:
-            id_token.sid = hash_session_key(token.session.session_key)
+            id_token.sid = hash_session_key(token.session.session.session_key)

        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
        auth_event = get_login_event(token.session)
--- a/authentik/providers/oauth2/migrations/0028_migrate_session.py
+++ b/authentik/providers/oauth2/migrations/0028_migrate_session.py
@ -0,0 +1,116 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:00
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+from functools import partial
+
+
+def migrate_sessions(apps, schema_editor, model):
+    Model = apps.get_model("authentik_providers_oauth2", model)
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for obj in Model.objects.using(db_alias).all():
+        if not obj.old_session:
+            continue
+        obj.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session__session_key=obj.old_session.session_key)
+            .first()
+        )
+        if obj.session:
+            obj.save()
+        else:
+            obj.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="accesstoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="authorizationcode",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="devicetoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="refreshtoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="devicetoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=partial(migrate_sessions, model="AccessToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="AuthorizationCode")),
+        migrations.RunPython(code=partial(migrate_sessions, model="DeviceToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="RefreshToken")),
+        migrations.RemoveField(
+            model_name="accesstoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="authorizationcode",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="devicetoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="refreshtoken",
+            name="old_session",
+        ),
+    ]
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,18 +1,30 @@
 from django.contrib.auth.signals import user_logged_out
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken


@receiver(user_logged_out)
-def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
-    """Revoke access tokens upon user logout"""
+def user_logged_out_oauth_tokens_removal(sender, request: HttpRequest, user: User, **_):
+    """Revoke tokens upon user logout"""
    if not request.session or not request.session.session_key:
        return
-    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
+    AccessToken.objects.filter(
+        user=user,
+        session__session__session_key=request.session.session_key,
+    ).delete()
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted_oauth_tokens_removal(sender, instance: AuthenticatedSession, **_):
+    """Revoke tokens upon user logout"""
+    AccessToken.objects.filter(
+        user=instance.user,
+        session__session__session_key=instance.session.session_key,
+    ).delete()


@receiver(post_save, sender=User)
@ -20,6 +32,6 @@ def user_deactivated(sender, instance: User, **_):
    """Remove user tokens when deactivated"""
    if instance.is_active:
        return
-    AccessToken.objects.filter(session__user=instance).delete()
-    RefreshToken.objects.filter(session__user=instance).delete()
-    DeviceToken.objects.filter(session__user=instance).delete()
+    AccessToken.objects.filter(user=instance).delete()
+    RefreshToken.objects.filter(user=instance).delete()
+    DeviceToken.objects.filter(user=instance).delete()
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -7,12 +7,13 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone

-from authentik.core.models import Application
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
    AccessToken,
    ClientTypes,
+    DeviceToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
@ -20,6 +21,7 @@ from authentik.providers.oauth2.models import (
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.root.middleware import ClientIPMiddleware


 class TesOAuth2Revoke(OAuthTestCase):
@ -135,3 +137,86 @@ class TesOAuth2Revoke(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
+
+    def test_revoke_logout(self):
+        """Test revoke on logout"""
+        self.client.force_login(self.user)
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=self.client.session["authenticatedsession"],
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        self.client.logout()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_session_delete(self):
+        """Test revoke on logout"""
+        session = AuthenticatedSession.objects.create(
+            session=Session.objects.create(
+                session_key=generate_id(),
+                last_ip=ClientIPMiddleware.default_ip,
+            ),
+            user=self.user,
+        )
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=session,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        session.delete()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_user_deactivated(self):
+        """Test revoke on logout"""
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        RefreshToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        DeviceToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            _scope="openid user profile",
+        )
+
+        self.user.is_active = False
+        self.user.save()
+
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+        self.assertEqual(RefreshToken.objects.all().count(), 0)
+        self.assertEqual(DeviceToken.objects.all().count(), 0)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -15,7 +15,7 @@ from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
 from authentik.flows.challenge import (
@ -316,9 +316,7 @@ class OAuthAuthorizationParams:
            expires=now + timedelta_from_string(self.provider.access_code_validity),
            scope=self.scope,
            nonce=self.nonce,
-            session=AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first(),
+            session=request.session["authenticatedsession"],
        )

        if self.code_challenge and self.code_challenge_method:
@ -615,9 +613,7 @@ class OAuthFulfillmentStage(StageView):
            expires=access_token_expiry,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
        )

        id_token = IDToken.new(self.provider, token, self.request)
--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -20,4 +20,4 @@ def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.delay(instance.session_key)
+    proxy_on_logout.delay(instance.session.session_key)
--- a/authentik/providers/rac/migrations/0007_migrate_session.py
+++ b/authentik/providers/rac/migrations/0007_migrate_session.py
@ -0,0 +1,60 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:59
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+def migrate_sessions(apps, schema_editor):
+    ConnectionToken = apps.get_model("authentik_providers_rac", "ConnectionToken")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for token in ConnectionToken.objects.using(db_alias).all():
+        token.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session_key=token.old_session.session_key)
+            .first()
+        )
+        if token.session:
+            token.save()
+        else:
+            token.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="connectiontoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=migrate_sessions),
+        migrations.AlterField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RemoveField(
+            model_name="connectiontoken",
+            name="old_session",
+        ),
+    ]
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -8,7 +8,7 @@ from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
 from authentik.providers.rac.consumer_client import (
    RAC_CLIENT_GROUP_SESSION,
@ -32,6 +32,18 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    )


+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted(sender, instance: AuthenticatedSession, **_):
+    layer = get_channel_layer()
+    async_to_sync(layer.group_send)(
+        RAC_CLIENT_GROUP_SESSION
+        % {
+            "session": instance.session.session_key,
+        },
+        {"type": "event.disconnect", "reason": "session_logout"},
+    )
+
+
@receiver(pre_delete, sender=ConnectionToken)
 def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **_):
    """Disconnect session when connection token is deleted"""
--- a/authentik/providers/rac/templates/if/rac.html
+++ b/authentik/providers/rac/templates/if/rac.html
@ -3,16 +3,22 @@
 {% load authentik_core %}

 {% block head %}
-<script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
-{% include "base/header_js.html" %}
+  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
+  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+  <link rel="icon" href="{{ tenant.branding_favicon_url }}">
+  <link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+
+  {% include "base/header_js.html" %}
+
+  <script
+    src="{% versioned_script 'dist/rac/index-%v.js' %}"
+    type="module">
+  </script>
 {% endblock %}

 {% block body %}
-<ak-rac token="{{ url_kwargs.token }}" endpointName="{{ token.endpoint.name }}">
-  <ak-loading></ak-loading>
-</ak-rac>
+  <ak-rac token="{{ url_kwargs.token }}" endpointName="{{ token.endpoint.name }}">
+    <ak-loading></ak-loading>
+  </ak-rac>
 {% endblock %}
--- a/authentik/providers/rac/tests/test_models.py
+++ b/authentik/providers/rac/tests/test_models.py
@ -2,7 +2,7 @@

 from django.test import TransactionTestCase

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.providers.rac.models import (
@ -36,13 +36,15 @@ class TestModels(TransactionTestCase):

    def test_settings_merge(self):
        """Test settings merge"""
+        session = Session.objects.create(
+            session_key=generate_id(),
+            last_ip="255.255.255.255",
+        )
+        auth_session = AuthenticatedSession.objects.create(session=session, user=self.user)
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            session=AuthenticatedSession.objects.create(
-                user=self.user,
-                session_key=generate_id(),
-            ),
+            session=auth_session,
        )
        path = f"/tmp/connection/{token.token}"  # nosec
        self.assertEqual(
--- a/authentik/providers/rac/urls.py
+++ b/authentik/providers/rac/urls.py
@ -1,7 +1,5 @@
 """rac urls"""

-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.urls import path

 from authentik.outposts.channels import TokenOutpostMiddleware
@ -12,7 +10,7 @@ from authentik.providers.rac.api.providers import RACProviderViewSet
 from authentik.providers.rac.consumer_client import RACClientConsumer
 from authentik.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.providers.rac.views import RACInterface, RACStartView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.middleware import ChannelsLoggingMiddleware

 urlpatterns = [
@ -31,9 +29,7 @@ urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/rac/<str:token>/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(RACClientConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(RACClientConsumer.as_asgi())),
    ),
    path(
        "ws/outpost_rac/<str:channel>/",
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -8,7 +8,7 @@ from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import gettext as _

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.core.views.interface import InterfaceView
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import RedirectChallenge
@ -113,9 +113,7 @@ class RACFinalStage(RedirectStage):
            provider=self.provider,
            endpoint=self.endpoint,
            settings=self.executor.plan.context.get("connection_settings", {}),
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
        )
--- a/authentik/rbac/api/initial_permissions.py
+++ b/authentik/rbac/api/initial_permissions.py
@ -0,0 +1,41 @@
+"""RBAC Initial Permissions"""
+
+from rest_framework.serializers import ListSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.rbac.api.rbac import PermissionSerializer
+from authentik.rbac.models import InitialPermissions
+
+
+class InitialPermissionsSerializer(ModelSerializer):
+    """InitialPermissions serializer"""
+
+    permissions_obj = ListSerializer(
+        child=PermissionSerializer(),
+        read_only=True,
+        source="permissions",
+        required=False,
+    )
+
+    class Meta:
+        model = InitialPermissions
+        fields = [
+            "pk",
+            "name",
+            "mode",
+            "role",
+            "permissions",
+            "permissions_obj",
+        ]
+
+
+class InitialPermissionsViewSet(UsedByMixin, ModelViewSet):
+    """InitialPermissions viewset"""
+
+    queryset = InitialPermissions.objects.all()
+    serializer_class = InitialPermissionsSerializer
+    search_fields = ["name"]
+    ordering = ["name"]
+    filterset_fields = ["name"]
--- a/authentik/rbac/migrations/0005_initialpermissions.py
+++ b/authentik/rbac/migrations/0005_initialpermissions.py
@ -0,0 +1,39 @@
+# Generated by Django 5.0.13 on 2025-04-07 13:05
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+        ("authentik_rbac", "0004_alter_systempermission_options"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="InitialPermissions",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("name", models.TextField(max_length=150, unique=True)),
+                ("mode", models.CharField(choices=[("user", "User"), ("role", "Role")])),
+                ("permissions", models.ManyToManyField(blank=True, to="auth.permission")),
+                (
+                    "role",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_rbac.role"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Initial Permissions",
+                "verbose_name_plural": "Initial Permissions",
+            },
+        ),
+    ]
--- a/authentik/rbac/models.py
+++ b/authentik/rbac/models.py
@ -3,6 +3,7 @@
 from uuid import uuid4

 from django.contrib.auth.management import _get_all_permissions
+from django.contrib.auth.models import Permission
 from django.db import models
 from django.db.transaction import atomic
 from django.utils.translation import gettext_lazy as _
@ -75,6 +76,35 @@ class Role(SerializerModel):
        ]


+class InitialPermissionsMode(models.TextChoices):
+    """Determines which entity the initial permissions are assigned to."""
+
+    USER = "user", _("User")
+    ROLE = "role", _("Role")
+
+
+class InitialPermissions(SerializerModel):
+    """Assigns permissions for newly created objects."""
+
+    name = models.TextField(max_length=150, unique=True)
+    mode = models.CharField(choices=InitialPermissionsMode.choices)
+    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    permissions = models.ManyToManyField(Permission, blank=True)
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.rbac.api.initial_permissions import InitialPermissionsSerializer
+
+        return InitialPermissionsSerializer
+
+    def __str__(self) -> str:
+        return f"Initial Permissions for Role #{self.role_id}, applying to #{self.mode}"
+
+    class Meta:
+        verbose_name = _("Initial Permissions")
+        verbose_name_plural = _("Initial Permissions")
+
+
 class SystemPermission(models.Model):
    """System-wide permissions that are not related to any direct
    database model"""
--- a/authentik/rbac/permissions.py
+++ b/authentik/rbac/permissions.py
@ -1,9 +1,13 @@
 """RBAC Permissions"""

+from django.contrib.contenttypes.models import ContentType
 from django.db.models import Model
+from guardian.shortcuts import assign_perm
 from rest_framework.permissions import BasePermission, DjangoObjectPermissions
 from rest_framework.request import Request

+from authentik.rbac.models import InitialPermissions, InitialPermissionsMode
+

 class ObjectPermissions(DjangoObjectPermissions):
    """RBAC Permissions"""
@ -51,3 +55,20 @@ def HasPermission(*perm: str) -> type[BasePermission]:
            return bool(request.user and request.user.has_perms(perm))

    return checker
+
+
+# TODO: add `user: User` type annotation without circular dependencies.
+# The author of this function isn't proficient/patient enough to do it.
+def assign_initial_permissions(user, instance: Model):
+    # Performance here should not be an issue, but if needed, there are many optimization routes
+    initial_permissions_list = InitialPermissions.objects.filter(role__group__in=user.groups.all())
+    for initial_permissions in initial_permissions_list:
+        for permission in initial_permissions.permissions.all():
+            if permission.content_type != ContentType.objects.get_for_model(instance):
+                continue
+            assign_to = (
+                user
+                if initial_permissions.mode == InitialPermissionsMode.USER
+                else initial_permissions.role.group
+            )
+            assign_perm(permission, assign_to, instance)
--- a/authentik/rbac/tests/test_initial_permissions.py
+++ b/authentik/rbac/tests/test_initial_permissions.py
@ -0,0 +1,116 @@
+"""Test InitialPermissions"""
+
+from django.contrib.auth.models import Permission
+from guardian.shortcuts import assign_perm
+from rest_framework.reverse import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group
+from authentik.core.tests.utils import create_test_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.models import InitialPermissions, InitialPermissionsMode, Role
+from authentik.stages.dummy.models import DummyStage
+
+
+class TestInitialPermissions(APITestCase):
+    """Test InitialPermissions"""
+
+    def setUp(self) -> None:
+        self.user = create_test_user()
+        self.same_role_user = create_test_user()
+        self.different_role_user = create_test_user()
+
+        self.role = Role.objects.create(name=generate_id())
+        self.different_role = Role.objects.create(name=generate_id())
+
+        self.group = Group.objects.create(name=generate_id())
+        self.different_group = Group.objects.create(name=generate_id())
+
+        self.group.roles.add(self.role)
+        self.group.users.add(self.user, self.same_role_user)
+        self.different_group.roles.add(self.different_role)
+        self.different_group.users.add(self.different_role_user)
+
+        self.ip = InitialPermissions.objects.create(
+            name=generate_id(), mode=InitialPermissionsMode.USER, role=self.role
+        )
+        self.view_role = Permission.objects.filter(codename="view_role").first()
+        self.ip.permissions.add(self.view_role)
+
+        assign_perm("authentik_rbac.add_role", self.user)
+        self.client.force_login(self.user)
+
+    def test_different_role(self):
+        """InitialPermissions for different role does nothing"""
+        self.ip.role = self.different_role
+        self.ip.save()
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
+
+    def test_different_model(self):
+        """InitialPermissions for different model does nothing"""
+        assign_perm("authentik_stages_dummy.add_dummystage", self.user)
+
+        self.client.post(
+            reverse("authentik_api:stages-dummy-list"), {"name": "test-stage", "throw-error": False}
+        )
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
+        stage = DummyStage.objects.filter(name="test-stage").first()
+        self.assertFalse(self.user.has_perm("authentik_stages_dummy.view_dummystage", stage))
+
+    def test_mode_user(self):
+        """InitialPermissions adds user permission in user mode"""
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+
+    def test_mode_role(self):
+        """InitialPermissions adds role permission in role mode"""
+        self.ip.mode = InitialPermissionsMode.ROLE
+        self.ip.save()
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+
+    def test_many_permissions(self):
+        """InitialPermissions can add multiple permissions"""
+        change_role = Permission.objects.filter(codename="change_role").first()
+        self.ip.permissions.add(change_role)
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
+
+    def test_permissions_separated_by_role(self):
+        """When the triggering user is part of two different roles with InitialPermissions in role
+        mode, it only adds permissions to the relevant role."""
+        self.ip.mode = InitialPermissionsMode.ROLE
+        self.ip.save()
+        different_ip = InitialPermissions.objects.create(
+            name=generate_id(), mode=InitialPermissionsMode.ROLE, role=self.different_role
+        )
+        change_role = Permission.objects.filter(codename="change_role").first()
+        different_ip.permissions.add(change_role)
+        self.different_group.users.add(self.user)
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+        self.assertFalse(self.different_role_user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
+        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.change_role", role))
+        self.assertTrue(self.different_role_user.has_perm("authentik_rbac.change_role", role))
--- a/authentik/rbac/urls.py
+++ b/authentik/rbac/urls.py
@ -1,5 +1,6 @@
 """RBAC API urls"""

+from authentik.rbac.api.initial_permissions import InitialPermissionsViewSet
 from authentik.rbac.api.rbac import RBACPermissionViewSet
 from authentik.rbac.api.rbac_assigned_by_roles import RoleAssignedPermissionViewSet
 from authentik.rbac.api.rbac_assigned_by_users import UserAssignedPermissionViewSet
@ -21,5 +22,6 @@ api_urlpatterns = [
    ("rbac/permissions/users", UserPermissionViewSet, "permissions-users"),
    ("rbac/permissions/roles", RolePermissionViewSet, "permissions-roles"),
    ("rbac/permissions", RBACPermissionViewSet),
-    ("rbac/roles", RoleViewSet),
+    ("rbac/roles", RoleViewSet, "roles"),
+    ("rbac/initial_permissions", InitialPermissionsViewSet, "initial-permissions"),
 ]
--- a/authentik/recovery/tests.py
+++ b/authentik/recovery/tests.py
@ -50,7 +50,7 @@ class TestRecovery(TestCase):
        )
        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
        self.client.get(reverse("authentik_recovery:use-token", kwargs={"key": token.key}))
-        self.assertEqual(int(self.client.session["_auth_user_id"]), token.user.pk)
+        self.assertEqual(self.client.session["authenticatedsession"].user.pk, token.user.pk)

    def test_recovery_view_invalid(self):
        """Test recovery view with invalid token"""
--- a/authentik/root/asgi_middleware.py
+++ b/authentik/root/asgi_middleware.py
@ -1,8 +1,12 @@
 """ASGI middleware"""

+from channels.auth import UserLazyObject
 from channels.db import database_sync_to_async
+from channels.middleware import BaseMiddleware
+from channels.sessions import CookieMiddleware
 from channels.sessions import InstanceSessionWrapper as UpstreamInstanceSessionWrapper
 from channels.sessions import SessionMiddleware as UpstreamSessionMiddleware
+from django.contrib.auth.models import AnonymousUser

 from authentik.root.middleware import SessionMiddleware as HTTPSessionMiddleware

@ -33,3 +37,48 @@ class SessionMiddleware(UpstreamSessionMiddleware):
        await wrapper.resolve_session()

        return await self.inner(wrapper.scope, receive, wrapper.send)
+
+
+@database_sync_to_async
+def get_user(scope):
+    """
+    Return the user model instance associated with the given scope.
+    If no user is retrieved, return an instance of `AnonymousUser`.
+    """
+    if "session" not in scope:
+        raise ValueError(
+            "Cannot find session in scope. You should wrap your consumer in SessionMiddleware."
+        )
+    user = None
+    if (authenticated_session := scope["session"].get("authenticated_session", None)) is not None:
+        user = authenticated_session.user
+    return user or AnonymousUser()
+
+
+class AuthMiddleware(BaseMiddleware):
+    def populate_scope(self, scope):
+        # Make sure we have a session
+        if "session" not in scope:
+            raise ValueError(
+                "AuthMiddleware cannot find session in scope. SessionMiddleware must be above it."
+            )
+        # Add it to the scope if it's not there already
+        if "user" not in scope:
+            scope["user"] = UserLazyObject()
+
+    async def resolve_scope(self, scope):
+        scope["user"]._wrapped = await get_user(scope)
+
+    async def __call__(self, scope, receive, send):
+        scope = dict(scope)
+        # Scope injection/mutation per this middleware's needs.
+        self.populate_scope(scope)
+        # Grab the finalized/resolved scope
+        await self.resolve_scope(scope)
+
+        return await super().__call__(scope, receive, send)
+
+
+# Handy shortcut for applying all three layers at once
+def AuthMiddlewareStack(inner):
+    return CookieMiddleware(SessionMiddleware(AuthMiddleware(inner)))
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@ -49,7 +49,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
        return False

    @staticmethod
-    def decode_session_key(key: str) -> str:
+    def decode_session_key(key: str | None) -> str | None:
        """Decode raw session cookie, and parse JWT"""
        # We need to support the standard django format of just a session key
        # for testing setups, where the session is directly set
@ -64,7 +64,11 @@ class SessionMiddleware(UpstreamSessionMiddleware):
    def process_request(self, request: HttpRequest):
        raw_session = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        session_key = SessionMiddleware.decode_session_key(raw_session)
-        request.session = self.SessionStore(session_key)
+        request.session = self.SessionStore(
+            session_key,
+            last_ip=ClientIPMiddleware.get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+        )

    def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse:
        """
--- a/authentik/root/sessions/pickle.py
+++ b/authentik/root/sessions/pickle.py
@ -1,23 +0,0 @@
-"""
-Module for abstract serializer/unserializer base classes.
-"""
-
-import pickle  # nosec
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -7,7 +7,6 @@ from pathlib import Path

 import orjson
 from celery.schedules import crontab
-from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace

@ -43,7 +42,6 @@ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False

 AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
    BACKEND_INBUILT,
    BACKEND_APP_PASSWORD,
    BACKEND_LDAP,
@ -229,17 +227,7 @@ CACHES = {
 DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
-match CONFIG.get("session_storage", "cache"):
-    case "cache":
-        SESSION_ENGINE = "django.contrib.sessions.backends.cache"
-    case "db":
-        SESSION_ENGINE = "django.contrib.sessions.backends.db"
-    case _:
-        raise ImproperlyConfigured(
-            "Invalid session_storage setting, allowed values are db and cache"
-        )
-SESSION_SERIALIZER = "authentik.root.sessions.pickle.PickleSerializer"
-SESSION_CACHE_ALIAS = "default"
+SESSION_ENGINE = "authentik.core.sessions"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
@ -256,7 +244,7 @@ MIDDLEWARE = [
    "django_prometheus.middleware.PrometheusBeforeMiddleware",
    "authentik.root.middleware.ClientIPMiddleware",
    "authentik.stages.user_login.middleware.BoundSessionMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "authentik.core.middleware.AuthenticationMiddleware",
    "authentik.core.middleware.RequestIDMiddleware",
    "authentik.brands.middleware.BrandMiddleware",
    "authentik.events.middleware.AuditMiddleware",
--- a/authentik/root/test_plugin.py
+++ b/authentik/root/test_plugin.py
@ -28,8 +28,8 @@ def pytest_report_header(*_, **__):


 def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item]) -> None:
-    current_id = int(environ.get("CI_RUN_ID", 0)) - 1
-    total_ids = int(environ.get("CI_TOTAL_RUNS", 0))
+    current_id = int(environ.get("CI_RUN_ID", "0")) - 1
+    total_ids = int(environ.get("CI_TOTAL_RUNS", "0"))

    if total_ids:
        num_tests = len(items)
--- a/authentik/sources/kerberos/api/source_connection.py
+++ b/authentik/sources/kerberos/api/source_connection.py
@ -1,13 +1,11 @@
-"""Kerberos Source Serializer"""
-
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.sources import (
    GroupSourceConnectionSerializer,
    GroupSourceConnectionViewSet,
    UserSourceConnectionSerializer,
+    UserSourceConnectionViewSet,
 )
-from authentik.core.api.used_by import UsedByMixin
 from authentik.sources.kerberos.models import (
    GroupKerberosSourceConnection,
    UserKerberosSourceConnection,
@ -15,33 +13,20 @@ from authentik.sources.kerberos.models import (


 class UserKerberosSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """Kerberos Source Serializer"""
-
-    class Meta:
+    class Meta(UserSourceConnectionSerializer.Meta):
        model = UserKerberosSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["identifier"]


-class UserKerberosSourceConnectionViewSet(UsedByMixin, ModelViewSet):
-    """Source Viewset"""
-
+class UserKerberosSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
    queryset = UserKerberosSourceConnection.objects.all()
    serializer_class = UserKerberosSourceConnectionSerializer
-    filterset_fields = ["source__slug"]
-    search_fields = ["source__slug"]
-    ordering = ["source__slug"]
-    owner_field = "user"


 class GroupKerberosSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """OAuth Group-Source connection Serializer"""
-
    class Meta(GroupSourceConnectionSerializer.Meta):
        model = GroupKerberosSourceConnection


-class GroupKerberosSourceConnectionViewSet(GroupSourceConnectionViewSet):
-    """Group-source connection Viewset"""
-
+class GroupKerberosSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
    queryset = GroupKerberosSourceConnection.objects.all()
    serializer_class = GroupKerberosSourceConnectionSerializer
--- a/authentik/sources/kerberos/migrations/0003_migrate_userkerberossourceconnection_identifier.py
+++ b/authentik/sources/kerberos/migrations/0003_migrate_userkerberossourceconnection_identifier.py
@ -0,0 +1,28 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserKerberosSourceConnection = apps.get_model(
+        "authentik_sources_kerberos", "UserKerberosSourceConnection"
+    )
+
+    for connection in UserKerberosSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_kerberos", "0002_kerberossource_kadmin_type"),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="userkerberossourceconnection",
+            name="identifier",
+        ),
+    ]
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -372,8 +372,6 @@ class KerberosSourcePropertyMapping(PropertyMapping):
 class UserKerberosSourceConnection(UserSourceConnection):
    """Connection to configured Kerberos Sources."""

-    identifier = models.TextField()
-
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.sources.kerberos.api.source_connection import (
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -15,11 +15,22 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
-from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.sources import (
+    GroupSourceConnectionSerializer,
+    GroupSourceConnectionViewSet,
+    SourceSerializer,
+    UserSourceConnectionSerializer,
+    UserSourceConnectionViewSet,
+)
 from authentik.core.api.used_by import UsedByMixin
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.sync.outgoing.api import SyncStatusSerializer
-from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
+from authentik.sources.ldap.models import (
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    LDAPSourcePropertyMapping,
+    UserLDAPSourceConnection,
+)
 from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES


@ -99,6 +110,7 @@ class LDAPSourceSerializer(SourceSerializer):
            "sync_groups",
            "sync_parent_group",
            "connectivity",
+            "lookup_groups_from_user",
        ]
        extra_kwargs = {"bind_password": {"write_only": True}}

@ -134,6 +146,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
        "sync_parent_group",
        "user_property_mappings",
        "group_property_mappings",
+        "lookup_groups_from_user",
    ]
    search_fields = ["name", "slug"]
    ordering = ["name"]
@ -219,3 +232,23 @@ class LDAPSourcePropertyMappingViewSet(UsedByMixin, ModelViewSet):
    filterset_class = LDAPSourcePropertyMappingFilter
    search_fields = ["name"]
    ordering = ["name"]
+
+
+class UserLDAPSourceConnectionSerializer(UserSourceConnectionSerializer):
+    class Meta(UserSourceConnectionSerializer.Meta):
+        model = UserLDAPSourceConnection
+
+
+class UserLDAPSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
+    queryset = UserLDAPSourceConnection.objects.all()
+    serializer_class = UserLDAPSourceConnectionSerializer
+
+
+class GroupLDAPSourceConnectionSerializer(GroupSourceConnectionSerializer):
+    class Meta(GroupSourceConnectionSerializer.Meta):
+        model = GroupLDAPSourceConnection
+
+
+class GroupLDAPSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
+    queryset = GroupLDAPSourceConnection.objects.all()
+    serializer_class = GroupLDAPSourceConnectionSerializer
--- a/authentik/sources/ldap/migrations/0007_ldapsource_lookup_groups_from_user.py
+++ b/authentik/sources/ldap/migrations/0007_ldapsource_lookup_groups_from_user.py
@ -0,0 +1,24 @@
+# Generated by Django 5.0.13 on 2025-03-26 17:06
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_sources_ldap",
+            "0006_rename_ldappropertymapping_ldapsourcepropertymapping_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="lookup_groups_from_user",
+            field=models.BooleanField(
+                default=False,
+                help_text="Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory",
+            ),
+        ),
+    ]
--- a/authentik/sources/ldap/migrations/0008_groupldapsourceconnection_userldapsourceconnection.py
+++ b/authentik/sources/ldap/migrations/0008_groupldapsourceconnection_userldapsourceconnection.py
@ -0,0 +1,57 @@
+# Generated by Django 5.0.14 on 2025-04-11 11:46
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+        ("authentik_sources_ldap", "0007_ldapsource_lookup_groups_from_user"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GroupLDAPSourceConnection",
+            fields=[
+                (
+                    "groupsourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.groupsourceconnection",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Group LDAP Source Connection",
+                "verbose_name_plural": "Group LDAP Source Connections",
+            },
+            bases=("authentik_core.groupsourceconnection",),
+        ),
+        migrations.CreateModel(
+            name="UserLDAPSourceConnection",
+            fields=[
+                (
+                    "usersourceconnection_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.usersourceconnection",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "User LDAP Source Connection",
+                "verbose_name_plural": "User LDAP Source Connections",
+            },
+            bases=("authentik_core.usersourceconnection",),
+        ),
+    ]
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -15,7 +15,13 @@ from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
 from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer

-from authentik.core.models import Group, PropertyMapping, Source
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    PropertyMapping,
+    Source,
+    UserSourceConnection,
+)
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator
@ -123,6 +129,14 @@ class LDAPSource(Source):
        Group, blank=True, null=True, default=None, on_delete=models.SET_DEFAULT
    )

+    lookup_groups_from_user = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Lookup group membership based on a user attribute instead of a group attribute. "
+            "This allows nested group resolution on systems like FreeIPA and Active Directory"
+        ),
+    )
+
    @property
    def component(self) -> str:
        return "ak-source-ldap-form"
@ -304,3 +318,31 @@ class LDAPSourcePropertyMapping(PropertyMapping):
    class Meta:
        verbose_name = _("LDAP Source Property Mapping")
        verbose_name_plural = _("LDAP Source Property Mappings")
+
+
+class UserLDAPSourceConnection(UserSourceConnection):
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.sources.ldap.api import (
+            UserLDAPSourceConnectionSerializer,
+        )
+
+        return UserLDAPSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("User LDAP Source Connection")
+        verbose_name_plural = _("User LDAP Source Connections")
+
+
+class GroupLDAPSourceConnection(GroupSourceConnection):
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.sources.ldap.api import (
+            GroupLDAPSourceConnectionSerializer,
+        )
+
+        return GroupLDAPSourceConnectionSerializer
+
+    class Meta:
+        verbose_name = _("Group LDAP Source Connection")
+        verbose_name_plural = _("Group LDAP Source Connections")
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -14,7 +14,12 @@ from authentik.core.models import Group
 from authentik.core.sources.mapper import SourceMapper
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
-from authentik.sources.ldap.models import LDAP_UNIQUENESS, LDAPSource, flatten
+from authentik.sources.ldap.models import (
+    LDAP_UNIQUENESS,
+    GroupLDAPSourceConnection,
+    LDAPSource,
+    flatten,
+)
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer


@ -89,6 +94,12 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                    defaults,
                )
                self._logger.debug("Created group with attributes", **defaults)
+                if not GroupLDAPSourceConnection.objects.filter(
+                    source=self._source, identifier=uniq
+                ):
+                    GroupLDAPSourceConnection.objects.create(
+                        source=self._source, group=ak_group, identifier=uniq
+                    )
            except SkipObjectException:
                continue
            except PropertyMappingExpressionException as exc:
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@ -28,15 +28,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
        if not self._source.sync_groups:
            self.message("Group syncing is disabled for this Source")
            return iter(())
+
+        # If we are looking up groups from users, we don't need to fetch the group membership field
+        attributes = [self._source.object_uniqueness_field, LDAP_DISTINGUISHED_NAME]
+        if not self._source.lookup_groups_from_user:
+            attributes.append(self._source.group_membership_field)
+
        return self.search_paginator(
            search_base=self.base_dn_groups,
            search_filter=self._source.group_object_filter,
            search_scope=SUBTREE,
-            attributes=[
-                self._source.group_membership_field,
-                self._source.object_uniqueness_field,
-                LDAP_DISTINGUISHED_NAME,
-            ],
+            attributes=attributes,
            **kwargs,
        )

@ -47,9 +49,24 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
            return -1
        membership_count = 0
        for group in page_data:
-            if "attributes" not in group:
-                continue
-            members = group.get("attributes", {}).get(self._source.group_membership_field, [])
+            if self._source.lookup_groups_from_user:
+                group_dn = group.get("dn", {})
+                group_filter = f"({self._source.group_membership_field}={group_dn})"
+                group_members = self._source.connection().extend.standard.paged_search(
+                    search_base=self.base_dn_users,
+                    search_filter=group_filter,
+                    search_scope=SUBTREE,
+                    attributes=[self._source.object_uniqueness_field],
+                )
+                members = []
+                for group_member in group_members:
+                    group_member_dn = group_member.get("dn", {})
+                    members.append(group_member_dn)
+            else:
+                if "attributes" not in group:
+                    continue
+                members = group.get("attributes", {}).get(self._source.group_membership_field, [])
+
            ak_group = self.get_group(group)
            if not ak_group:
                continue
@ -68,7 +85,7 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
                        "ak_groups__in": [ak_group],
                    }
                )
-            )
+            ).distinct()
            membership_count += 1
            membership_count += users.count()
            ak_group.users.set(users)
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -14,7 +14,12 @@ from authentik.core.models import User
 from authentik.core.sources.mapper import SourceMapper
 from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import StopSync
-from authentik.sources.ldap.models import LDAP_UNIQUENESS, LDAPSource, flatten
+from authentik.sources.ldap.models import (
+    LDAP_UNIQUENESS,
+    LDAPSource,
+    UserLDAPSourceConnection,
+    flatten,
+)
 from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
@ -85,6 +90,12 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                ak_user, created = User.update_or_create_attributes(
                    {f"attributes__{LDAP_UNIQUENESS}": uniq}, defaults
                )
+                if not UserLDAPSourceConnection.objects.filter(
+                    source=self._source, identifier=uniq
+                ):
+                    UserLDAPSourceConnection.objects.create(
+                        source=self._source, user=ak_user, identifier=uniq
+                    )
            except PropertyMappingExpressionException as exc:
                raise StopSync(exc, None, exc.mapping) from exc
            except SkipObjectException:
--- a/authentik/sources/ldap/tests/mock_freeipa.py
+++ b/authentik/sources/ldap/tests/mock_freeipa.py
@ -96,6 +96,26 @@ def mock_freeipa_connection(password: str) -> Connection:
            "objectClass": "posixAccount",
        },
    )
+    # User with groups in memberOf attribute
+    connection.strategy.add_entry(
+        "cn=user4,ou=users,dc=goauthentik,dc=io",
+        {
+            "name": "user4_sn",
+            "uid": "user4_sn",
+            "objectClass": "person",
+            "memberOf": [
+                "cn=reverse-lookup-group,ou=groups,dc=goauthentik,dc=io",
+            ],
+        },
+    )
+    connection.strategy.add_entry(
+        "cn=reverse-lookup-group,ou=groups,dc=goauthentik,dc=io",
+        {
+            "cn": "reverse-lookup-group",
+            "uid": "reverse-lookup-group",
+            "objectClass": "groupOfNames",
+        },
+    )
    # Locked out user
    connection.strategy.add_entry(
        "cn=user-nsaccountlock,ou=users,dc=goauthentik,dc=io",
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -162,6 +162,43 @@ class LDAPSyncTests(TestCase):
            self.assertFalse(User.objects.filter(username="user1_sn").exists())
            self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active)

+    def test_sync_groups_freeipa_memberOf(self):
+        """Test group sync when membership is derived from memberOf user attribute"""
+        self.source.object_uniqueness_field = "uid"
+        self.source.group_object_filter = "(objectClass=groupOfNames)"
+        self.source.lookup_groups_from_user = True
+        self.source.group_membership_field = "memberOf"
+        self.source.user_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
+            )
+        )
+        self.source.group_property_mappings.set(
+            LDAPSourcePropertyMapping.objects.filter(
+                managed="goauthentik.io/sources/ldap/openldap-cn"
+            )
+        )
+        connection = MagicMock(return_value=mock_freeipa_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync_full()
+            group_sync = GroupLDAPSynchronizer(self.source)
+            group_sync.sync_full()
+            membership_sync = MembershipLDAPSynchronizer(self.source)
+            membership_sync.sync_full()
+
+            self.assertTrue(
+                User.objects.filter(username="user4_sn").exists(), "User does not exist"
+            )
+            # Test if membership mapping based on memberOf works.
+            memberof_group = Group.objects.filter(name="reverse-lookup-group")
+            self.assertTrue(memberof_group.exists(), "Group does not exist")
+            self.assertTrue(
+                memberof_group.first().users.filter(username="user4_sn").exists(),
+                "User not a member of the group",
+            )
+
    def test_sync_groups_ad(self):
        """Test group sync"""
        self.source.user_property_mappings.set(
--- a/authentik/sources/ldap/urls.py
+++ b/authentik/sources/ldap/urls.py
@ -1,8 +1,15 @@
 """API URLs"""

-from authentik.sources.ldap.api import LDAPSourcePropertyMappingViewSet, LDAPSourceViewSet
+from authentik.sources.ldap.api import (
+    GroupLDAPSourceConnectionViewSet,
+    LDAPSourcePropertyMappingViewSet,
+    LDAPSourceViewSet,
+    UserLDAPSourceConnectionViewSet,
+)

 api_urlpatterns = [
    ("propertymappings/source/ldap", LDAPSourcePropertyMappingViewSet),
    ("sources/ldap", LDAPSourceViewSet),
+    ("sources/user_connections/ldap", UserLDAPSourceConnectionViewSet),
+    ("sources/group_connections/ldap", GroupLDAPSourceConnectionViewSet),
 ]
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -130,6 +130,7 @@ class OAuthSourceSerializer(SourceSerializer):
            "oidc_well_known_url",
            "oidc_jwks_url",
            "oidc_jwks",
+            "authorization_code_auth_method",
        ]
        extra_kwargs = {
            "consumer_secret": {"write_only": True},
--- a/authentik/sources/oauth/api/source_connection.py
+++ b/authentik/sources/oauth/api/source_connection.py
@ -1,5 +1,3 @@
-"""OAuth Source Serializer"""
-
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.sources import (
@ -12,11 +10,9 @@ from authentik.sources.oauth.models import GroupOAuthSourceConnection, UserOAuth


 class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):
-    """OAuth Source Serializer"""
-
    class Meta(UserSourceConnectionSerializer.Meta):
        model = UserOAuthSourceConnection
-        fields = UserSourceConnectionSerializer.Meta.fields + ["identifier", "access_token"]
+        fields = UserSourceConnectionSerializer.Meta.fields + ["access_token"]
        extra_kwargs = {
            **UserSourceConnectionSerializer.Meta.extra_kwargs,
            "access_token": {"write_only": True},
@ -24,21 +20,15 @@ class UserOAuthSourceConnectionSerializer(UserSourceConnectionSerializer):


 class UserOAuthSourceConnectionViewSet(UserSourceConnectionViewSet, ModelViewSet):
-    """Source Viewset"""
-
    queryset = UserOAuthSourceConnection.objects.all()
    serializer_class = UserOAuthSourceConnectionSerializer


 class GroupOAuthSourceConnectionSerializer(GroupSourceConnectionSerializer):
-    """OAuth Group-Source connection Serializer"""
-
    class Meta(GroupSourceConnectionSerializer.Meta):
        model = GroupOAuthSourceConnection


 class GroupOAuthSourceConnectionViewSet(GroupSourceConnectionViewSet, ModelViewSet):
-    """Group-source connection Viewset"""
-
    queryset = GroupOAuthSourceConnection.objects.all()
    serializer_class = GroupOAuthSourceConnectionSerializer
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -6,11 +6,15 @@ from urllib.parse import parse_qsl

 from django.utils.crypto import constant_time_compare, get_random_string
 from django.utils.translation import gettext as _
+from requests.auth import AuthBase, HTTPBasicAuth
 from requests.exceptions import RequestException
 from requests.models import Response
 from structlog.stdlib import get_logger

 from authentik.sources.oauth.clients.base import BaseOAuthClient
+from authentik.sources.oauth.models import (
+    AuthorizationCodeAuthMethod,
+)

 LOGGER = get_logger()
 SESSION_KEY_OAUTH_PKCE = "authentik/sources/oauth/pkce"
@ -55,6 +59,30 @@ class OAuth2Client(BaseOAuthClient):
        """Get client secret"""
        return self.source.consumer_secret

+    def get_access_token_args(self, callback: str, code: str) -> dict[str, Any]:
+        args = {
+            "redirect_uri": callback,
+            "code": code,
+            "grant_type": "authorization_code",
+        }
+        if SESSION_KEY_OAUTH_PKCE in self.request.session:
+            args["code_verifier"] = self.request.session[SESSION_KEY_OAUTH_PKCE]
+        if (
+            self.source.source_type.authorization_code_auth_method
+            == AuthorizationCodeAuthMethod.POST_BODY
+        ):
+            args["client_id"] = self.get_client_id()
+            args["client_secret"] = self.get_client_secret()
+        return args
+
+    def get_access_token_auth(self) -> AuthBase | None:
+        if (
+            self.source.source_type.authorization_code_auth_method
+            == AuthorizationCodeAuthMethod.BASIC_AUTH
+        ):
+            return HTTPBasicAuth(self.get_client_id(), self.get_client_secret())
+        return None
+
    def get_access_token(self, **request_kwargs) -> dict[str, Any] | None:
        """Fetch access token from callback request."""
        callback = self.request.build_absolute_uri(self.callback or self.request.path)
@ -67,13 +95,6 @@ class OAuth2Client(BaseOAuthClient):
            error = self.get_request_arg("error", None)
            error_desc = self.get_request_arg("error_description", None)
            return {"error": error_desc or error or _("No token received.")}
-        args = {
-            "redirect_uri": callback,
-            "code": code,
-            "grant_type": "authorization_code",
-        }
-        if SESSION_KEY_OAUTH_PKCE in self.request.session:
-            args["code_verifier"] = self.request.session[SESSION_KEY_OAUTH_PKCE]
        try:
            access_token_url = self.source.source_type.access_token_url or ""
            if self.source.source_type.urls_customizable and self.source.access_token_url:
@ -81,8 +102,8 @@ class OAuth2Client(BaseOAuthClient):
            response = self.do_request(
                "post",
                access_token_url,
-                auth=(self.get_client_id(), self.get_client_secret()),
-                data=args,
+                auth=self.get_access_token_auth(),
+                data=self.get_access_token_args(callback, code),
                headers=self._default_headers,
                **request_kwargs,
            )
--- a/authentik/sources/oauth/migrations/0009_migrate_useroauthsourceconnection_identifier.py
+++ b/authentik/sources/oauth/migrations/0009_migrate_useroauthsourceconnection_identifier.py
@ -0,0 +1,28 @@
+from django.db import migrations
+
+
+def migrate_identifier(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    UserOAuthSourceConnection = apps.get_model(
+        "authentik_sources_oauth", "UserOAuthSourceConnection"
+    )
+
+    for connection in UserOAuthSourceConnection.objects.using(db_alias).all():
+        connection.new_identifier = connection.identifier
+        connection.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0008_groupoauthsourceconnection_and_more"),
+        ("authentik_core", "0044_usersourceconnection_new_identifier"),
+    ]
+
+    operations = [
+        migrations.RunPython(code=migrate_identifier, reverse_code=migrations.RunPython.noop),
+        migrations.RemoveField(
+            model_name="useroauthsourceconnection",
+            name="identifier",
+        ),
+    ]
--- a/authentik/sources/oauth/migrations/0010_oauthsource_authorization_code_auth_method.py
+++ b/authentik/sources/oauth/migrations/0010_oauthsource_authorization_code_auth_method.py
@ -0,0 +1,25 @@
+# Generated by Django 5.0.14 on 2025-04-11 18:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0009_migrate_useroauthsourceconnection_identifier"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="oauthsource",
+            name="authorization_code_auth_method",
+            field=models.TextField(
+                choices=[
+                    ("basic_auth", "HTTP Basic Authentication"),
+                    ("post_body", "Include the client ID and secret as request parameters"),
+                ],
+                default="basic_auth",
+                help_text="How to perform authentication during an authorization_code token request flow",
+            ),
+        ),
+    ]
--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@ -21,6 +21,11 @@ if TYPE_CHECKING:
    from authentik.sources.oauth.types.registry import SourceType


+class AuthorizationCodeAuthMethod(models.TextChoices):
+    BASIC_AUTH = "basic_auth", _("HTTP Basic Authentication")
+    POST_BODY = "post_body", _("Include the client ID and secret as request parameters")
+
+
 class OAuthSource(NonCreatableType, Source):
    """Login using a Generic OAuth provider."""

@ -61,6 +66,14 @@ class OAuthSource(NonCreatableType, Source):
    oidc_jwks_url = models.TextField(default="", blank=True)
    oidc_jwks = models.JSONField(default=dict, blank=True)

+    authorization_code_auth_method = models.TextField(
+        choices=AuthorizationCodeAuthMethod.choices,
+        default=AuthorizationCodeAuthMethod.BASIC_AUTH,
+        help_text=_(
+            "How to perform authentication during an authorization_code token request flow"
+        ),
+    )
+
    @property
    def source_type(self) -> type["SourceType"]:
        """Return the provider instance for this source"""
@ -286,7 +299,6 @@ class OAuthSourcePropertyMapping(PropertyMapping):
 class UserOAuthSourceConnection(UserSourceConnection):
    """Authorized remote OAuth provider."""

-    identifier = models.CharField(max_length=255)
    access_token = models.TextField(blank=True, null=True, default=None)

    @property
--- a/authentik/sources/oauth/tests/test_client.py
+++ b/authentik/sources/oauth/tests/test_client.py
@ -0,0 +1,69 @@
+from django.test import RequestFactory, TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.lib.generators import generate_id
+from authentik.sources.oauth.clients.oauth2 import OAuth2Client
+from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource
+from authentik.sources.oauth.types.oidc import OpenIDConnectClient
+
+
+class TestOAuthClient(TestCase):
+    """OAuth Source tests"""
+
+    def setUp(self):
+        self.source = OAuthSource.objects.create(
+            name="test",
+            slug="test",
+            provider_type="openidconnect",
+            authorization_url="",
+            profile_url="",
+            consumer_key=generate_id(),
+        )
+        self.factory = RequestFactory()
+
+    def test_client_post_body_auth(self):
+        """Test login_challenge"""
+        self.source.provider_type = "apple"
+        self.source.save()
+        request = self.factory.get("/")
+        request.session = {}
+        request.user = get_anonymous_user()
+        client = OAuth2Client(self.source, request)
+        self.assertIsNone(client.get_access_token_auth())
+        args = client.get_access_token_args("", "")
+        self.assertIn("client_id", args)
+        self.assertIn("client_secret", args)
+
+    def test_client_basic_auth(self):
+        """Test login_challenge"""
+        self.source.provider_type = "reddit"
+        self.source.save()
+        request = self.factory.get("/")
+        request.session = {}
+        request.user = get_anonymous_user()
+        client = OAuth2Client(self.source, request)
+        self.assertIsNotNone(client.get_access_token_auth())
+        args = client.get_access_token_args("", "")
+        self.assertNotIn("client_id", args)
+        self.assertNotIn("client_secret", args)
+
+    def test_client_openid_auth(self):
+        """Test login_challenge"""
+        request = self.factory.get("/")
+        request.session = {}
+        request.user = get_anonymous_user()
+        client = OpenIDConnectClient(self.source, request)
+
+        self.assertIsNotNone(client.get_access_token_auth())
+        args = client.get_access_token_args("", "")
+        self.assertNotIn("client_id", args)
+        self.assertNotIn("client_secret", args)
+
+        self.source.authorization_code_auth_method = AuthorizationCodeAuthMethod.POST_BODY
+        self.source.save()
+        client = OpenIDConnectClient(self.source, request)
+
+        self.assertIsNone(client.get_access_token_auth())
+        args = client.get_access_token_args("", "")
+        self.assertIn("client_id", args)
+        self.assertIn("client_secret", args)
--- a/authentik/sources/oauth/types/apple.py
+++ b/authentik/sources/oauth/types/apple.py
@ -11,7 +11,7 @@ from structlog.stdlib import get_logger

 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
-from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@ -105,6 +105,8 @@ class AppleType(SourceType):
    access_token_url = "https://appleid.apple.com/auth/token"  # nosec
    profile_url = ""

+    authorization_code_auth_method = AuthorizationCodeAuthMethod.POST_BODY
+
    def login_challenge(self, source: OAuthSource, request: HttpRequest) -> Challenge:
        """Pre-general all the things required for the JS SDK"""
        apple_client = AppleOAuthClient(
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@ -6,6 +6,7 @@ from requests import RequestException
 from structlog.stdlib import get_logger

 from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient
+from authentik.sources.oauth.models import AuthorizationCodeAuthMethod
 from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@ -77,6 +78,8 @@ class AzureADType(SourceType):
    )
    oidc_jwks_url = "https://login.microsoftonline.com/common/discovery/keys"

+    authorization_code_auth_method = AuthorizationCodeAuthMethod.POST_BODY
+
    def get_base_user_properties(self, info: dict[str, Any], **kwargs) -> dict[str, Any]:
        mail = info.get("mail", None) or info.get("otherMails", [None])[0]
        # Format group info
--- a/authentik/sources/oauth/types/facebook.py
+++ b/authentik/sources/oauth/types/facebook.py
@ -2,8 +2,8 @@

 from typing import Any

+from authentik.sources.oauth.models import AuthorizationCodeAuthMethod
 from authentik.sources.oauth.types.registry import SourceType, registry
-from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect


@ -16,15 +16,10 @@ class FacebookOAuthRedirect(OAuthRedirect):
        }


-class FacebookOAuth2Callback(OAuthCallback):
-    """Facebook OAuth2 Callback"""
-
-
@registry.register()
 class FacebookType(SourceType):
    """Facebook Type definition"""

-    callback_view = FacebookOAuth2Callback
    redirect_view = FacebookOAuthRedirect
    verbose_name = "Facebook"
    name = "facebook"
@ -33,6 +28,8 @@ class FacebookType(SourceType):
    access_token_url = "https://graph.facebook.com/v7.0/oauth/access_token"  # nosec
    profile_url = "https://graph.facebook.com/v7.0/me?fields=id,name,email"

+    authorization_code_auth_method = AuthorizationCodeAuthMethod.POST_BODY
+
    def get_base_user_properties(self, info: dict[str, Any], **kwargs) -> dict[str, Any]:
        return {
            "username": info.get("name"),
--- a/Show More
+++ b/Show More