wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
wip
2025-03-07 19:23:34 +01:00 · 2025-03-07 16:24:55 +01:00 · 2025-03-07 14:04:21 +01:00
405 changed files with 10868 additions and 17442 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.3
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,8 +17,6 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

-[bumpversion:file:uv.lock]
-
 [bumpversion:file:package.json]

 [bumpversion:file:docker-compose.yml]
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -44,6 +44,7 @@ if is_release:
        ]
        if not prerelease:
            image_tags += [
+                f"{name}:latest",
                f"{name}:{version_family}",
            ]
 else:
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -9,22 +9,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
      shell: bash
      run: |
+        pipx install poetry || true
        sudo apt-get update
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      uses: astral-sh/setup-uv@v5
-      with:
-        enable-cache: true
-    - name: Setup python
+    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
        python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
    - name: Setup node
      uses: actions/setup-node@v4
      with:
@ -44,9 +39,10 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry sync
        cd web && npm ci
    - name: Generate config
-      shell: uv run python {0}
+      shell: poetry run python {0}
      run: |
        from authentik.lib.generators import generate_id
        from yaml import safe_dump
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -98,7 +98,7 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -33,7 +33,7 @@ jobs:
          npm ci
      - name: Check changes have been applied
        run: |
-          uv run make aws-cfn
+          poetry run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
    if: always()
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -34,7 +34,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@ -42,7 +42,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
  test-make-seed:
    runs-on: ubuntu-latest
    steps:
@ -69,21 +69,19 @@ jobs:
          fetch-depth: 0
      - name: checkout stable
        run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
          # Copy current, latest config to local
-          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          # cp -R .github ..
+          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          # rm -rf .github/ scripts/
-          # mv ../.github ../scripts .
-          rm -rf scripts/
-          mv ../scripts .
+          rm -rf .github/ scripts/
+          mv ../.github ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
-        continue-on-error: true
      - name: run migrations to stable
        run: poetry run python -m lifecycle.migrate
      - name: checkout current code
@ -93,13 +91,15 @@ jobs:
          git reset --hard HEAD
          git clean -d -fx .
          git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
      - name: Setup authentik env (ensure latest deps are installed)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: migrate to latest
        run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
      - name: run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
@ -108,7 +108,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
  test-unittest:
    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
@ -133,7 +133,7 @@ jobs:
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          uv run make ci-test
+          poetry run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -156,8 +156,8 @@ jobs:
        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -214,8 +214,8 @@ jobs:
          npm run build
      - name: run e2e
        run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -2,7 +2,7 @@ name: authentik-gen-update-webauthn-mds
 on:
  workflow_dispatch:
  schedule:
-    - cron: "30 1 1,15 * *"
+    - cron: '30 1 1,15 * *'

 env:
  POSTGRES_DB: authentik
@ -24,7 +24,7 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
+      - run: poetry run ak update_webauthn_mds
      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -21,8 +21,8 @@ jobs:
        uses: ./.github/actions/setup
      - name: generate docs
        run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
      - name: Publish
        uses: netlify/actions/cli@master
        with:
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,27 +0,0 @@
-name: authentik-semgrep
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -36,10 +36,10 @@ jobs:
        run: make gen-client-ts
      - name: run extract
        run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
      - name: run compile
        run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -3,13 +3,8 @@
    "tasks": [
        {
            "label": "authentik/core: make",
-            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "lint-fix",
-                "lint"
-            ],
+            "command": "poetry",
+            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
            },
@ -17,12 +12,8 @@
        },
        {
            "label": "authentik/core: run",
-            "command": "uv",
-            "args": [
-                "run",
-                "ak",
-                "server"
-            ],
+            "command": "poetry",
+            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -32,17 +23,13 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": [
-                "web"
-            ],
+            "args": ["web"],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -52,26 +39,19 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
+            "args": ["install", "-j4"],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": [
-                "website"
-            ],
+            "args": ["website"],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -80,12 +60,8 @@
        },
        {
            "label": "authentik/api: generate",
-            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "command": "poetry",
+            "args": ["run", "make", "gen"],
            "group": "build"
        }
    ]
--- a/2
+++ b/2
@ -10,7 +10,7 @@ schemas/                        @goauthentik/backend
 scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
-uv.lock                         @goauthentik/backend
+poetry.lock                     @goauthentik/backend
 go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.

--- a/89
+++ b/89
@ -43,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build

 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@ -76,7 +76,7 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
+    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
@ -93,59 +93,53 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.11 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.9-slim-bookworm-fips AS python-base
-
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
-
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 7: Python dependencies
-FROM python-base AS python-deps
+# Stage 5: Python dependencies
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT

-RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+WORKDIR /ak-root/poetry

-ENV PATH="/root/.cargo/bin:$PATH"
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
+
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"

-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
-
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
-
-# Stage 8: Run
-FROM python-base AS final-image
+# Stage 6: Run
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -177,7 +171,7 @@ RUN apt-get update && \

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
@ -186,7 +180,7 @@ COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
+COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
@ -197,6 +191,9 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/55
+++ b/55
@ -4,7 +4,7 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"

@ -12,9 +12,9 @@ GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"

-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)

 all: lint-fix lint test gen web  ## Lint, build, and test everything

@ -32,37 +32,34 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	poetry run coverage run manage.py test --keepdb authentik
+	poetry run coverage html
+	poetry run coverage report

 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)

 lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+	poetry run codespell -w

 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v

 core-install:
-	uv sync --frozen
+	poetry install

 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	poetry run python -m lifecycle.migrate

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn

-run:  ## Run the main authentik server process
-	uv run ak server
-
 core-i18n-extract:
-	uv run ak makemessages \
+	poetry run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -93,11 +90,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		poetry run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		poetry run ak spectacular --file schema.yml

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -148,7 +145,7 @@ gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \
 		-i /local/schema.yml \
 		-g python \
 		-o /local/${GEN_API_PY} \
@ -176,7 +173,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	poetry run scripts/generate_config.py

 gen: gen-build gen-client-ts

@ -257,21 +254,21 @@ ci--meta-debug:
 	node --version

 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)

 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)

 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	poetry run codespell -s

 ci-bandit: ci--meta-debug
-	uv run bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)

 ci-pending-migrations: ci--meta-debug
-	uv run ak makemigrations --check
+	poetry run ak makemigrations --check

 ci-test: ci--meta-debug
-	uv run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	uv run coverage report
-	uv run coverage xml
+	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	poetry run coverage report
+	poetry run coverage xml
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.3"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -59,7 +59,7 @@ class SystemInfoSerializer(PassiveSerializer):
            if not isinstance(value, str):
                continue
            actual_value = value
-            if raw_session is not None and raw_session in actual_value:
+            if raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -49,8 +49,6 @@ class BrandSerializer(ModelSerializer):
            "branding_title",
            "branding_logo",
            "branding_favicon",
-            "branding_custom_css",
-            "branding_default_flow_background",
            "flow_authentication",
            "flow_invalidation",
            "flow_recovery",
@ -88,7 +86,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    branding_title = CharField()
    branding_logo = CharField(source="branding_logo_url")
    branding_favicon = CharField(source="branding_favicon_url")
-    branding_custom_css = CharField()
    ui_footer_links = ListField(
        child=FooterLinkSerializer(),
        read_only=True,
@ -128,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "branding_title",
        "branding_logo",
        "branding_favicon",
-        "branding_default_flow_background",
        "flow_authentication",
        "flow_invalidation",
        "flow_recovery",
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -1,35 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-22 01:51
-
-from pathlib import Path
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Brand = apps.get_model("authentik_brands", "brand")
-
-    db_alias = schema_editor.connection.alias
-
-    path = Path("/web/dist/custom.css")
-    if not path.exists():
-        return
-    css = path.read_text()
-    Brand.objects.using(db_alias).update(branding_custom_css=css)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0007_brand_default_application"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_custom_css",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.RunPython(migrate_custom_css),
-    ]
--- a/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
+++ b/authentik/brands/migrations/0009_brand_branding_default_flow_background.py
@ -1,18 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-19 22:54
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0008_brand_branding_custom_css"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_default_flow_background",
-            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
-        ),
-    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@ -33,10 +33,6 @@ class Brand(SerializerModel):

    branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
    branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
-    branding_custom_css = models.TextField(default="", blank=True)
-    branding_default_flow_background = models.TextField(
-        default="/static/dist/assets/images/flow_background.jpg"
-    )

    flow_authentication = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@ -88,12 +84,6 @@ class Brand(SerializerModel):
            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
        return self.branding_favicon

-    def branding_default_flow_background_url(self) -> str:
-        """Get branding_default_flow_background with the correct prefix"""
-        if self.branding_default_flow_background.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
-        return self.branding_default_flow_background
-
    @property
    def serializer(self) -> Serializer:
        from authentik.brands.api import BrandSerializer
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -24,7 +24,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": brand.domain,
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -44,7 +43,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "custom",
-                "branding_custom_css": "",
                "matched_domain": "bar.baz",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -61,7 +59,6 @@ class TestBrands(APITestCase):
                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                "branding_favicon": "/static/dist/assets/icons/icon.png",
                "branding_title": "authentik",
-                "branding_custom_css": "",
                "matched_domain": "fallback",
                "ui_footer_links": [],
                "ui_theme": Themes.AUTOMATIC,
@ -124,27 +121,3 @@ class TestBrands(APITestCase):
                "subject": None,
            },
        )
-
-    def test_branding_url(self):
-        """Test branding attributes return correct values"""
-        brand = create_test_brand()
-        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
-        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
-        brand.branding_logo = "https://goauthentik.io/img/icon.png"
-        brand.save()
-        self.assertEqual(
-            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
-        )
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
-            {
-                "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_title": "authentik",
-                "branding_custom_css": "",
-                "matched_domain": brand.domain,
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-            },
-        )
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -46,7 +46,7 @@ LOGGER = get_logger()

 def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
    """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
+    key = f"{CACHE_PREFIX}/app_access/{user_pk}"
    if page_number:
        key += f"/{page_number}"
    return key
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -5,7 +5,6 @@ from collections.abc import Iterable
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
@ -155,17 +154,6 @@ class SourceViewSet(
            matching_sources.append(source_settings.validated_data)
        return Response(matching_sources)

-    def destroy(self, request: Request, *args, **kwargs):
-        """Prevent deletion of built-in sources"""
-        instance: Source = self.get_object()
-
-        if instance.managed == Source.MANAGED_INBUILT:
-            raise ValidationError(
-                {"detail": "Built-in sources cannot be deleted"}, code="protected"
-            )
-
-        return super().destroy(request, *args, **kwargs)
-

 class UserSourceConnectionSerializer(SourceSerializer):
    """User source connection"""
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,14 +1,13 @@
 """User API Views"""

 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any

-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.core.cache import cache
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -92,7 +91,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@ -375,7 +373,7 @@ class UsersFilter(FilterSet):
        method="filter_attributes",
    )

-    is_superuser = BooleanFilter(field_name="ak_groups", method="filter_is_superuser")
+    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    uuid = UUIDFilter(field_name="uuid")

    path = CharFilter(field_name="path")
@ -393,11 +391,6 @@ class UsersFilter(FilterSet):
        queryset=Group.objects.all().order_by("name"),
    )

-    def filter_is_superuser(self, queryset, name, value):
-        if value:
-            return queryset.filter(ak_groups__is_superuser=True).distinct()
-        return queryset.exclude(ak_groups__is_superuser=True).distinct()
-
    def filter_attributes(self, queryset, name, value):
        """Filter attributes by query args"""
        try:
@ -776,8 +769,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if not instance.is_active:
            sessions = AuthenticatedSession.objects.filter(user=instance)
            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
+            cache.delete_many(f"{KEY_PREFIX}{session}" for session in session_ids)
            sessions.delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -32,5 +32,5 @@ class AuthentikCoreConfig(ManagedAppConfig):
                "name": "authentik Built-in",
                "slug": "authentik-built-in",
            },
-            managed=Source.MANAGED_INBUILT,
+            managed="goauthentik.io/sources/inbuilt",
        )
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -678,8 +678,6 @@ class SourceGroupMatchingModes(models.TextChoices):
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""

-    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"
-
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)

@ -761,17 +759,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
-        if self.managed == self.MANAGED_INBUILT:
-            return ""
        raise NotImplementedError

    @property
    def property_mapping_type(self) -> "type[PropertyMapping]":
        """Return property mapping type used by this object"""
-        if self.managed == self.MANAGED_INBUILT:
-            from authentik.core.models import PropertyMapping
-
-            return PropertyMapping
        raise NotImplementedError

    def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
@ -786,14 +778,10 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a user to build final properties upon."""
-        if self.managed == self.MANAGED_INBUILT:
-            return {}
        raise NotImplementedError

    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
        """Get base properties for a group to build final properties upon."""
-        if self.managed == self.MANAGED_INBUILT:
-            return {}
        raise NotImplementedError

    def __str__(self):
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,10 +1,7 @@
 """authentik core signals"""

-from importlib import import_module
-
-from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


@receiver(post_save, sender=Application)
@ -64,7 +60,8 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
+    cache.delete(cache_key)


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -36,7 +36,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -49,7 +48,6 @@ LOGGER = get_logger()

 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
-SESSION_KEY_SOURCE_FLOW_CONTEXT = "authentik/flows/source_flow_context"
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec


@ -210,8 +208,6 @@ class SourceFlowManager:
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        flow_context.update(
            {
                # Since we authenticate the user by their token, they have no backend set
@ -265,7 +261,6 @@ class SourceFlowManager:
                plan.append_stage(stage)
        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
            plan.append_stage(stage)
-        plan.context.update(self.request.session.get(SESSION_KEY_SOURCE_FLOW_CONTEXT, {}))
        return plan.to_redirect(self.request, flow)

    def handle_auth(
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}

 {% block head_before %}
-<link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
+<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
+    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
--- a/authentik/core/tests/test_source_api.py
+++ b/authentik/core/tests/test_source_api.py
@ -1,19 +0,0 @@
-from django.apps import apps
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-from authentik.core.tests.utils import create_test_admin_user
-
-
-class TestSourceAPI(APITestCase):
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.client.force_login(self.user)
-
-    def test_builtin_source_used_by(self):
-        """Test Providers's types endpoint"""
-        apps.get_app_config("authentik_core").source_inbuilt()
-        response = self.client.get(
-            reverse("authentik_api:source-used-by", kwargs={"slug": "authentik-built-in"}),
-        )
-        self.assertEqual(response.status_code, 200)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -1,7 +1,6 @@
 """Test Users API"""

 from datetime import datetime
-from json import loads

 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
@ -16,12 +15,7 @@ from authentik.core.models import (
    User,
    UserTypes,
 )
-from authentik.core.tests.utils import (
-    create_test_admin_user,
-    create_test_brand,
-    create_test_flow,
-    create_test_user,
-)
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
@ -32,7 +26,7 @@ class TestUsersAPI(APITestCase):

    def setUp(self) -> None:
        self.admin = create_test_admin_user()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="test-user")

    def test_filter_type(self):
        """Test API filtering by type"""
@ -47,35 +41,6 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

-    def test_filter_is_superuser(self):
-        """Test API filtering by superuser status"""
-        User.objects.all().delete()
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        # Test superuser
-        response = self.client.get(
-            reverse("authentik_api:user-list"),
-            data={
-                "is_superuser": True,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content)
-        self.assertEqual(len(body["results"]), 1)
-        self.assertEqual(body["results"][0]["username"], admin.username)
-        # Test non-superuser
-        user = create_test_user()
-        response = self.client.get(
-            reverse("authentik_api:user-list"),
-            data={
-                "is_superuser": False,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content)
-        self.assertEqual(len(body["results"]), 1, body)
-        self.assertEqual(body["results"][0]["username"], user.username)
-
    def test_list_with_groups(self):
        """Test listing with groups"""
        self.client.force_login(self.admin)
@ -134,8 +99,6 @@ class TestUsersAPI(APITestCase):
    def test_recovery_email_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
-        self.user.email = ""
-        self.user.save()
        response = self.client.post(
            reverse("authentik_api:user-recovery-email", kwargs={"pk": self.user.pk})
        )
--- a/authentik/enterprise/audit/apps.py
+++ b/authentik/enterprise/audit/apps.py
@ -9,7 +9,7 @@ class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
    """Enterprise app config"""

    name = "authentik.enterprise.audit"
-    label = "authentik_enterprise_audit"
+    label = "authentik_audit"
    verbose_name = "authentik Enterprise.Audit"
    default = True

--- a/authentik/enterprise/audit/models.py
+++ b/authentik/enterprise/audit/models.py
@ -0,0 +1,107 @@
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.contenttypes.fields import GenericForeignKey
+from authentik.lib.models import SerializerModel
+from django.db import models
+from uuid import uuid4
+from authentik.core.models import Group, User
+
+
+# # Names
+# Lifecycle
+# Access reviews
+# Access lifecycle
+# Governance
+# Audit
+# Compliance
+
+# Lifecycle
+# Lifecycle review
+# Review
+# Access review
+# Compliance review
+# X Scheduled review
+
+
+# Only some objects supported?
+#
+# For disabling support:
+# Application
+# Provider
+# Outpost (simply setting the list of providers to empty in the outpost itself)
+# Flow
+# Users
+# Groups <- will get tricky
+# Roles
+# Sources
+# Tokens (api, app_pass)
+# Brands
+# Outpost integrations
+#
+# w/o disabling support
+# System Settings
+# everything else
+#   would need to show in an audit dashboard cause not all have pages to get details
+
+# "default" policy for objects, by default, everlasting
+
+
+class AuditPolicyFailAction(models.TextChoices):
+    # For preview
+    NOTHING = "nothing"
+    # Disable the thing failing, HOW
+    DISABLE = "disable"
+    # Emit events
+    WARN = "warn"
+
+
+class LifecycleRule(SerializerModel):
+    pass
+
+
+class ReviewRule(SerializerModel):
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
+    # Check every 6 months, allow for daily/weekly/first of month, etc.
+    interval = models.TextField()  # timedelta
+    # Preventive notification
+    reminder_interval = models.TextField()  # timedelta
+
+    # Must be checked by these
+    groups = models.ManyToManyField(Group)
+    users = models.ManyToManyField(User)
+
+    # How many of the above must approve
+    required_approvals = models.IntegerField(default=1)
+
+    # How long to wait before executing fail action
+    grace_period = models.TextField()  # timedelta
+
+    # What to do if not reviewed in time
+    fail_action = models.CharField(choices=AuditPolicyFailAction)
+
+
+class AuditPolicyBinding(SerializerModel):
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+
+    # Many to many ? Bind users/groups here instead of on the policy ?
+    policy = models.ForeignKey(AuditPolicy, on_delete=models.PROTECT)
+
+    content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
+    object_id = models.TextField(blank=True)  # optional to apply on all objects of specific type
+    content_object = GenericForeignKey("content_type", "object_id")
+
+    # valid -> waiting review -> valid
+    # valid -> waiting review -> review overdue -> valid
+    # valid -> waiting review -> review overdue -> failed -> valid
+    # look at django-fsm or django-viewflow
+    status = models.TextField()
+
+    class Meta:
+        indexes = (
+            models.Index(fields=["content_type"]),
+            models.Index(fields=["content_type", "object_id"]),
+        )
+
+
+class AuditHistory:
+    pass
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@ -11,14 +11,13 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.core.models import Source, User
 from authentik.core.sources.flow_manager import (
    SESSION_KEY_OVERRIDE_FLOW_TOKEN,
-    SESSION_KEY_SOURCE_FLOW_CONTEXT,
    SESSION_KEY_SOURCE_FLOW_STAGES,
 )
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.models import FlowToken, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_IS_REDIRECTED, PLAN_CONTEXT_IS_RESTORED
+from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
 from authentik.flows.stage import ChallengeStageView, StageView
 from authentik.lib.utils.time import timedelta_from_string

@ -54,9 +53,6 @@ class SourceStageView(ChallengeStageView):
        resume_token = self.create_flow_token()
        self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
        self.request.session[SESSION_KEY_SOURCE_FLOW_STAGES] = [in_memory_stage(SourceStageFinal)]
-        self.request.session[SESSION_KEY_SOURCE_FLOW_CONTEXT] = {
-            PLAN_CONTEXT_IS_REDIRECTED: self.executor.flow,
-        }
        return self.login_button.challenge

    def create_flow_token(self) -> FlowToken:
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -50,8 +50,7 @@ class NotificationTransportSerializer(ModelSerializer):
            "mode",
            "mode_verbose",
            "webhook_url",
-            "webhook_mapping_body",
-            "webhook_mapping_headers",
+            "webhook_mapping",
            "send_once",
        ]

--- a/authentik/events/migrations/0009_remove_notificationtransport_webhook_mapping_and_more.py
+++ b/authentik/events/migrations/0009_remove_notificationtransport_webhook_mapping_and_more.py
@ -1,43 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-20 19:54
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_events", "0008_event_authentik_e_expires_8c73a8_idx_and_more"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="notificationtransport",
-            old_name="webhook_mapping",
-            new_name="webhook_mapping_body",
-        ),
-        migrations.AlterField(
-            model_name="notificationtransport",
-            name="webhook_mapping_body",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Customize the body of the request. Mapping should return data that is JSON-serializable.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_events.notificationwebhookmapping",
-            ),
-        ),
-        migrations.AddField(
-            model_name="notificationtransport",
-            name="webhook_mapping_headers",
-            field=models.ForeignKey(
-                default=None,
-                help_text="Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_events.notificationwebhookmapping",
-            ),
-        ),
-    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -336,27 +336,8 @@ class NotificationTransport(SerializerModel):
    mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)

    webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
-    webhook_mapping_body = models.ForeignKey(
-        "NotificationWebhookMapping",
-        on_delete=models.SET_DEFAULT,
-        null=True,
-        default=None,
-        related_name="+",
-        help_text=_(
-            "Customize the body of the request. "
-            "Mapping should return data that is JSON-serializable."
-        ),
-    )
-    webhook_mapping_headers = models.ForeignKey(
-        "NotificationWebhookMapping",
-        on_delete=models.SET_DEFAULT,
-        null=True,
-        default=None,
-        related_name="+",
-        help_text=_(
-            "Configure additional headers to be sent. "
-            "Mapping should return a dictionary of key-value pairs"
-        ),
+    webhook_mapping = models.ForeignKey(
+        "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
    )
    send_once = models.BooleanField(
        default=False,
@ -379,8 +360,8 @@ class NotificationTransport(SerializerModel):

    def send_local(self, notification: "Notification") -> list[str]:
        """Local notification delivery"""
-        if self.webhook_mapping_body:
-            self.webhook_mapping_body.evaluate(
+        if self.webhook_mapping:
+            self.webhook_mapping.evaluate(
                user=notification.user,
                request=None,
                notification=notification,
@ -399,18 +380,9 @@ class NotificationTransport(SerializerModel):
        if notification.event and notification.event.user:
            default_body["event_user_email"] = notification.event.user.get("email", None)
            default_body["event_user_username"] = notification.event.user.get("username", None)
-        headers = {}
-        if self.webhook_mapping_body:
+        if self.webhook_mapping:
            default_body = sanitize_item(
-                self.webhook_mapping_body.evaluate(
-                    user=notification.user,
-                    request=None,
-                    notification=notification,
-                )
-            )
-        if self.webhook_mapping_headers:
-            headers = sanitize_item(
-                self.webhook_mapping_headers.evaluate(
+                self.webhook_mapping.evaluate(
                    user=notification.user,
                    request=None,
                    notification=notification,
@ -420,7 +392,6 @@ class NotificationTransport(SerializerModel):
            response = get_http_session().post(
                self.webhook_url,
                json=default_body,
-                headers=headers,
            )
            response.raise_for_status()
        except RequestException as exc:
--- a/authentik/events/tests/test_notifications.py
+++ b/authentik/events/tests/test_notifications.py
@ -120,7 +120,7 @@ class TestEventsNotifications(APITestCase):
        )

        transport = NotificationTransport.objects.create(
-            name=generate_id(), webhook_mapping_body=mapping, mode=TransportMode.LOCAL
+            name=generate_id(), webhook_mapping=mapping, mode=TransportMode.LOCAL
        )
        NotificationRule.objects.filter(name__startswith="default").delete()
        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
--- a/authentik/events/tests/test_transports.py
+++ b/authentik/events/tests/test_transports.py
@ -60,25 +60,20 @@ class TestEventTransports(TestCase):

    def test_transport_webhook_mapping(self):
        """Test webhook transport with custom mapping"""
-        mapping_body = NotificationWebhookMapping.objects.create(
+        mapping = NotificationWebhookMapping.objects.create(
            name=generate_id(), expression="return request.user"
        )
-        mapping_headers = NotificationWebhookMapping.objects.create(
-            name=generate_id(), expression="""return {"foo": "bar"}"""
-        )
        transport: NotificationTransport = NotificationTransport.objects.create(
            name=generate_id(),
            mode=TransportMode.WEBHOOK,
            webhook_url="http://localhost:1234/test",
-            webhook_mapping_body=mapping_body,
-            webhook_mapping_headers=mapping_headers,
+            webhook_mapping=mapping,
        )
        with Mocker() as mocker:
            mocker.post("http://localhost:1234/test")
            transport.send(self.notification)
            self.assertEqual(mocker.call_count, 1)
            self.assertEqual(mocker.request_history[0].method, "POST")
-            self.assertEqual(mocker.request_history[0].headers["foo"], "bar")
            self.assertJSONEqual(
                mocker.request_history[0].body.decode(),
                {"email": self.user.email, "pk": self.user.pk, "username": self.user.username},
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -6,7 +6,6 @@ from typing import TYPE_CHECKING
 from uuid import uuid4

 from django.db import models
-from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from model_utils.managers import InheritanceManager
 from rest_framework.serializers import BaseSerializer
@ -179,12 +178,11 @@ class Flow(SerializerModel, PolicyBindingModel):
        help_text=_("Required level of authentication and authorization to access a flow."),
    )

-    def background_url(self, request: HttpRequest | None = None) -> str:
+    @property
+    def background_url(self) -> str:
        """Get the URL to the background image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.background:
-            if request:
-                return request.brand.branding_default_flow_background_url()
            return (
                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
            )
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -184,7 +184,7 @@ class ChallengeStageView(StageView):
                flow_info = ContextualFlowInfo(
                    data={
                        "title": self.format_title(),
-                        "background": self.executor.flow.background_url(self.request),
+                        "background": self.executor.flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                        "layout": self.executor.flow.layout,
                    }
--- a/authentik/flows/tests/init.py
+++ b/authentik/flows/tests/init.py
@ -27,6 +27,7 @@ class FlowTestCase(APITestCase):
        self.assertIsNotNone(raw_response["component"])
        if flow:
            self.assertIn("flow_info", raw_response)
+            self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
            self.assertEqual(
                raw_response["flow_info"]["cancel_url"], reverse("authentik_flows:cancel")
            )
--- a/authentik/flows/tests/test_api.py
+++ b/authentik/flows/tests/test_api.py
@ -1,11 +1,9 @@
 """API flow tests"""

-from json import loads
-
 from django.urls import reverse
 from rest_framework.test import APITestCase

-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.api.stages import StageSerializer, StageViewSet
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage
 from authentik.lib.generators import generate_id
@ -79,22 +77,6 @@ class TestFlowsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(response.content, {"diagram": DIAGRAM_EXPECTED})

-    def test_api_background(self):
-        """Test custom background"""
-        user = create_test_admin_user()
-        self.client.force_login(user)
-
-        flow = create_test_flow()
-        response = self.client.get(reverse("authentik_api:flow-detail", kwargs={"slug": flow.slug}))
-        body = loads(response.content.decode())
-        self.assertEqual(body["background"], "/static/dist/assets/images/flow_background.jpg")
-
-        flow.background = "https://goauthentik.io/img/icon.png"
-        flow.save()
-        response = self.client.get(reverse("authentik_api:flow-detail", kwargs={"slug": flow.slug}))
-        body = loads(response.content.decode())
-        self.assertEqual(body["background"], "https://goauthentik.io/img/icon.png")
-
    def test_api_diagram_no_stages(self):
        """Test flow diagram with no stages."""
        user = create_test_admin_user()
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -49,7 +49,7 @@ class TestFlowInspector(APITestCase):
                "captcha_stage": None,
                "component": "ak-stage-identification",
                "flow_info": {
-                    "background": "/static/dist/assets/images/flow_background.jpg",
+                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": flow.title,
                    "layout": "stacked",
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -69,7 +69,6 @@ SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
-SESSION_KEY_AUTH_STARTED = "authentik/flows/auth_started"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"

@ -454,7 +453,6 @@ class FlowExecutorView(APIView):
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
            SESSION_KEY_GET,
-            SESSION_KEY_AUTH_STARTED,
            # We might need the initial POST payloads for later requests
            # SESSION_KEY_POST,
            # We don't delete the history on purpose, as a user might
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -6,22 +6,14 @@ from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse

 from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow, FlowDesignation
-from authentik.flows.views.executor import SESSION_KEY_AUTH_STARTED
+from authentik.flows.models import Flow


 class FlowInterfaceView(InterfaceView):
    """Flow interface"""

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["flow"] = flow
-        if (
-            not self.request.user.is_authenticated
-            and flow.designation == FlowDesignation.AUTHENTICATION
-        ):
-            self.request.session[SESSION_KEY_AUTH_STARTED] = True
-            self.request.session.save()
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)

--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,20 +1,5 @@
-# authentik configuration
-#
-# https://docs.goauthentik.io/docs/install-config/configuration/
-#
-# To override the settings in this file, run the following command from the repository root:
-#
-# ```shell
-# make gen-dev-config
-# ```
-#
-# You may edit the generated file to override the configuration below.  
-#
-# When making modifying the default configuration file, 
-# ensure that the corresponding documentation is updated to match.
-#
-# @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
-
+# update website/docs/install-config/configuration/configuration.mdx
+# This is the default configuration file
 postgresql:
  host: localhost
  name: authentik
@ -60,8 +45,6 @@ redis:
 #   url: ""
 #   transport_options: ""

-http_timeout: 30
-
 cache:
  # url: ""
  timeout: 300
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@ -18,15 +18,6 @@ class SerializerModel(models.Model):
    @property
    def serializer(self) -> type[BaseSerializer]:
        """Get serializer for this model"""
-        # Special handling for built-in source
-        if (
-            hasattr(self, "managed")
-            and hasattr(self, "MANAGED_INBUILT")
-            and self.managed == self.MANAGED_INBUILT
-        ):
-            from authentik.core.api.sources import SourceSerializer
-
-            return SourceSerializer
        raise NotImplementedError


--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -16,40 +16,7 @@ def authentik_user_agent() -> str:
    return f"authentik@{get_full_version()}"


-class TimeoutSession(Session):
-    """Always set a default HTTP request timeout"""
-
-    def __init__(self, default_timeout=None):
-        super().__init__()
-        self.timeout = default_timeout
-
-    def send(
-        self,
-        request,
-        *,
-        stream=...,
-        verify=...,
-        proxies=...,
-        cert=...,
-        timeout=...,
-        allow_redirects=...,
-        **kwargs,
-    ):
-        if not timeout and self.timeout:
-            timeout = self.timeout
-        return super().send(
-            request,
-            stream=stream,
-            verify=verify,
-            proxies=proxies,
-            cert=cert,
-            timeout=timeout,
-            allow_redirects=allow_redirects,
-            **kwargs,
-        )
-
-
-class DebugSession(TimeoutSession):
+class DebugSession(Session):
    """requests session which logs http requests and responses"""

    def send(self, req: PreparedRequest, *args, **kwargs):
@ -75,9 +42,8 @@ class DebugSession(TimeoutSession):

 def get_http_session() -> Session:
    """Get a requests session with common headers"""
-    session = TimeoutSession()
+    session = Session()
    if CONFIG.get_bool("debug") or CONFIG.get("log_level") == "trace":
        session = DebugSession()
    session.headers["User-Agent"] = authentik_user_agent()
-    session.timeout = CONFIG.get_optional_int("http_timeout")
    return session
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -13,7 +13,6 @@ from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump

-from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH, SSHManagedExternallyException
@ -185,7 +184,7 @@ class DockerController(BaseController):
        try:
            self.client.images.pull(image)
        except DockerException:  # pragma: no cover
-            image = f"ghcr.io/goauthentik/{self.outpost.type}:{__version__}"
+            image = f"ghcr.io/goauthentik/{self.outpost.type}:latest"
            self.client.images.pull(image)
        return image

--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -1,6 +1,5 @@
 """Base Kubernetes Reconciler"""

-import re
 from dataclasses import asdict
 from json import dumps
 from typing import TYPE_CHECKING, Generic, TypeVar
@ -68,8 +67,7 @@ class KubernetesObjectReconciler(Generic[T]):
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
-
-        base_name = (
+        return (
            self.controller.outpost.config.object_naming_template
            % {
                "name": slugify(self.controller.outpost.name),
@ -77,16 +75,6 @@ class KubernetesObjectReconciler(Generic[T]):
            }
        ).lower()

-        formatted = slugify(base_name)
-        formatted = re.sub(r"[^a-z0-9-]", "-", formatted)
-        formatted = re.sub(r"-+", "-", formatted)
-        formatted = formatted[:63]
-
-        if not formatted:
-            formatted = f"outpost-{self.controller.outpost.uuid.hex}"[:63]
-
-        return formatted
-
    def get_patched_reference_object(self) -> T:
        """Get patched reference object"""
        reference = self.get_reference_object()
@ -124,6 +112,7 @@ class KubernetesObjectReconciler(Generic[T]):
            try:
                current = self.retrieve()
            except (OpenApiException, HTTPError) as exc:
+
                if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
@ -167,6 +156,7 @@ class KubernetesObjectReconciler(Generic[T]):
            self.delete(current)
            self.logger.debug("Removing")
        except (OpenApiException, HTTPError) as exc:
+
            if isinstance(exc, ApiException) and exc.status == HttpResponseNotFound.status_code:
                self.logger.debug("Failed to get current, assuming non-existent")
                return
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -61,14 +61,9 @@ class KubernetesController(BaseController):
    client: KubernetesClient
    connection: KubernetesServiceConnection

-    def __init__(
-        self,
-        outpost: Outpost,
-        connection: KubernetesServiceConnection,
-        client: KubernetesClient | None = None,
-    ) -> None:
+    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection) -> None:
        super().__init__(outpost, connection)
-        self.client = client if client else KubernetesClient(connection)
+        self.client = KubernetesClient(connection)
        self.reconcilers = {
            SecretReconciler.reconciler_name(): SecretReconciler,
            DeploymentReconciler.reconciler_name(): DeploymentReconciler,
--- a/authentik/outposts/tests/test_controller_k8s.py
+++ b/authentik/outposts/tests/test_controller_k8s.py
@ -1,44 +0,0 @@
-"""Kubernetes controller tests"""
-
-from django.test import TestCase
-
-from authentik.blueprints.tests import reconcile_app
-from authentik.lib.generators import generate_id
-from authentik.outposts.apps import MANAGED_OUTPOST
-from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
-from authentik.outposts.controllers.kubernetes import KubernetesController
-from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
-
-
-class KubernetesControllerTests(TestCase):
-    """Kubernetes controller tests"""
-
-    @reconcile_app("authentik_outposts")
-    def setUp(self) -> None:
-        self.outpost = Outpost.objects.create(
-            name="test",
-            type=OutpostType.PROXY,
-        )
-        self.integration = KubernetesServiceConnection(name="test")
-
-    def test_gen_name(self):
-        """Ensure the generated name is valid"""
-        controller = KubernetesController(
-            Outpost.objects.filter(managed=MANAGED_OUTPOST).first(),
-            self.integration,
-            # Pass something not-none as client so we don't
-            # attempt to connect to K8s as that's not needed
-            client=self,
-        )
-        rec = DeploymentReconciler(controller)
-        self.assertEqual(rec.name, "ak-outpost-authentik-embedded-outpost")
-
-        controller.outpost.name = generate_id()
-        self.assertLess(len(rec.name), 64)
-
-        # Test custom naming template
-        _cfg = controller.outpost.config
-        _cfg.object_naming_template = ""
-        controller.outpost.config = _cfg
-        self.assertEqual(rec.name, f"outpost-{controller.outpost.uuid.hex}")
-        self.assertLess(len(rec.name), 64)
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@ -35,4 +35,3 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
    label = "authentik_policies"
    verbose_name = "authentik Policies"
    default = True
-    mountpoint = "policy/"
--- a/authentik/policies/templates/policies/buffer.html
+++ b/authentik/policies/templates/policies/buffer.html
@ -1,89 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block head %}
-{{ block.super }}
-<script>
-  let redirecting = false;
-  const checkAuth = async () => {
-    if (redirecting) return true;
-    const url = "{{ check_auth_url }}";
-    console.debug("authentik/policies/buffer: Checking authentication...");
-    try {
-      const result = await fetch(url, {
-        method: "HEAD",
-      });
-      if (result.status >= 400) {
-        return false
-      }
-      console.debug("authentik/policies/buffer: Continuing");
-      redirecting = true;
-      if ("{{ auth_req_method }}" === "post") {
-        document.querySelector("form").submit();
-      } else {
-        window.location.assign("{{ continue_url|escapejs }}");
-      }
-    } catch {
-      return false;
-    }
-  };
-  let timeout = 100;
-  let offset = 20;
-  let attempt = 0;
-  const main = async () => {
-    attempt += 1;
-    await checkAuth();
-    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
-    setTimeout(main, timeout);
-    timeout += (offset * attempt);
-    if (timeout >= 2000) {
-      timeout = 2000;
-    }
-  }
-  document.addEventListener("visibilitychange", async () => {
-    if (document.hidden) return;
-    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
-    await checkAuth();
-  });
-  main();
-</script>
-{% endblock %}
-
-{% block title %}
-{% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% trans 'Waiting for authentication...' %}
-{% endblock %}
-
-{% block card %}
-<form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
-  {% if auth_req_method == "post" %}
-    {% for key, value in auth_req_body.items %}
-      <input type="hidden" name="{{ key }}" value="{{ value }}" />
-    {% endfor %}
-  {% endif %}
-  <div class="pf-c-empty-state">
-    <div class="pf-c-empty-state__content">
-      <div class="pf-c-empty-state__icon">
-        <span class="pf-c-spinner pf-m-xl" role="progressbar">
-          <span class="pf-c-spinner__clipper"></span>
-          <span class="pf-c-spinner__lead-ball"></span>
-          <span class="pf-c-spinner__tail-ball"></span>
-        </span>
-      </div>
-      <h1 class="pf-c-title pf-m-lg">
-        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
-      </h1>
-    </div>
-  </div>
-  <div class="pf-c-form__group pf-m-action">
-    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
-      {% trans "Authenticate in this tab" %}
-    </a>
-  </div>
-</form>
-{% endblock %}
--- a/authentik/policies/tests/test_views.py
+++ b/authentik/policies/tests/test_views.py
@ -1,121 +0,0 @@
-from django.contrib.auth.models import AnonymousUser
-from django.contrib.sessions.middleware import SessionMiddleware
-from django.http import HttpResponse
-from django.test import RequestFactory, TestCase
-from django.urls import reverse
-
-from authentik.core.models import Application, Provider
-from authentik.core.tests.utils import create_test_flow, create_test_user
-from authentik.flows.models import FlowDesignation
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import dummy_get_response
-from authentik.policies.views import (
-    QS_BUFFER_ID,
-    SESSION_KEY_BUFFER,
-    BufferedPolicyAccessView,
-    BufferView,
-    PolicyAccessView,
-)
-
-
-class TestPolicyViews(TestCase):
-    """Test PolicyAccessView"""
-
-    def setUp(self):
-        super().setUp()
-        self.factory = RequestFactory()
-        self.user = create_test_user()
-
-    def test_pav(self):
-        """Test simple policy access view"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-
-        class TestView(PolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/")
-        req.user = self.user
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 200)
-        self.assertEqual(res.content, b"foo")
-
-    def test_pav_buffer(self):
-        """Test simple policy access view"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-
-        class TestView(BufferedPolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
-        req.session.save()
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 302)
-        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
-
-    def test_pav_buffer_skip(self):
-        """Test simple policy access view (skip buffer)"""
-        provider = Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-
-        class TestView(BufferedPolicyAccessView):
-            def resolve_provider_application(self):
-                self.provider = provider
-                self.application = app
-
-            def get(self, *args, **kwargs):
-                return HttpResponse("foo")
-
-        req = self.factory.get("/?skip_buffer=true")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
-        req.session.save()
-        res = TestView.as_view()(req)
-        self.assertEqual(res.status_code, 302)
-        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
-
-    def test_buffer(self):
-        """Test buffer view"""
-        uid = generate_id()
-        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
-        req.user = AnonymousUser()
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(req)
-        ts = generate_id()
-        req.session[SESSION_KEY_BUFFER % uid] = {
-            "method": "get",
-            "body": {},
-            "url": f"/{ts}",
-        }
-        req.session.save()
-
-        res = BufferView.as_view()(req)
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(ts, res.render().content.decode())
--- a/authentik/policies/urls.py
+++ b/authentik/policies/urls.py
@ -1,14 +1,7 @@
 """API URLs"""

-from django.urls import path
-
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
-from authentik.policies.views import BufferView
-
-urlpatterns = [
-    path("buffer", BufferView.as_view(), name="buffer"),
-]

 api_urlpatterns = [
    ("policies/all", PolicyViewSet),
--- a/authentik/policies/views.py
+++ b/authentik/policies/views.py
@ -1,37 +1,23 @@
 """authentik access helper classes"""

 from typing import Any
-from uuid import uuid4

 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpRequest, HttpResponse, QueryDict
-from django.shortcuts import redirect
-from django.urls import reverse
-from django.utils.http import urlencode
+from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
-from django.views.generic.base import TemplateView, View
+from django.views.generic.base import View
 from structlog.stdlib import get_logger

 from authentik.core.models import Application, Provider, User
-from authentik.flows.models import Flow, FlowDesignation
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import (
-    SESSION_KEY_APPLICATION_PRE,
-    SESSION_KEY_AUTH_STARTED,
-    SESSION_KEY_PLAN,
-    SESSION_KEY_POST,
-)
+from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_POST
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyRequest, PolicyResult

 LOGGER = get_logger()
-QS_BUFFER_ID = "af_bf_id"
-QS_SKIP_BUFFER = "skip_buffer"
-SESSION_KEY_BUFFER = "authentik/policies/pav_buffer/%s"


 class RequestValidationError(SentryIgnoredException):
@ -139,65 +125,3 @@ class PolicyAccessView(AccessMixin, View):
            for message in result.messages:
                messages.error(self.request, _(message))
        return result
-
-
-def url_with_qs(url: str, **kwargs):
-    """Update/set querystring of `url` with the parameters in `kwargs`. Original query string
-    parameters are retained"""
-    if "?" not in url:
-        return url + f"?{urlencode(kwargs)}"
-    url, _, qs = url.partition("?")
-    qs = QueryDict(qs, mutable=True)
-    qs.update(kwargs)
-    return url + f"?{urlencode(qs.items())}"
-
-
-class BufferView(TemplateView):
-    """Buffer view"""
-
-    template_name = "policies/buffer.html"
-
-    def get_context_data(self, **kwargs):
-        buf_id = self.request.GET.get(QS_BUFFER_ID)
-        buffer: dict = self.request.session.get(SESSION_KEY_BUFFER % buf_id)
-        kwargs["auth_req_method"] = buffer["method"]
-        kwargs["auth_req_body"] = buffer["body"]
-        kwargs["auth_req_url"] = url_with_qs(buffer["url"], **{QS_SKIP_BUFFER: True})
-        kwargs["check_auth_url"] = reverse("authentik_api:user-me")
-        kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
-        return super().get_context_data(**kwargs)
-
-
-class BufferedPolicyAccessView(PolicyAccessView):
-    """PolicyAccessView which buffers access requests in case the user is not logged in"""
-
-    def handle_no_permission(self):
-        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
-        authenticating = self.request.session.get(SESSION_KEY_AUTH_STARTED)
-        if plan:
-            flow = Flow.objects.filter(pk=plan.flow_pk).first()
-            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
-                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
-                return super().handle_no_permission()
-        if not plan and authenticating is None:
-            LOGGER.debug("Not buffering request, no flow plan active")
-            return super().handle_no_permission()
-        if self.request.GET.get(QS_SKIP_BUFFER):
-            LOGGER.debug("Not buffering request, explicit skip")
-            return super().handle_no_permission()
-        buffer_id = str(uuid4())
-        LOGGER.debug("Buffering access request", bf_id=buffer_id)
-        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
-            "body": self.request.POST,
-            "url": self.request.build_absolute_uri(self.request.get_full_path()),
-            "method": self.request.method.lower(),
-        }
-        return redirect(
-            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
-        )
-
-    def dispatch(self, request, *args, **kwargs):
-        response = super().dispatch(request, *args, **kwargs)
-        if QS_BUFFER_ID in self.request.GET:
-            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
-        return response
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -30,7 +30,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
+from authentik.policies.views import PolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.constants import (
    PKCE_METHOD_PLAIN,
    PKCE_METHOD_S256,
@ -254,10 +254,10 @@ class OAuthAuthorizationParams:
            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
        if SCOPE_OFFLINE_ACCESS in self.scope:
            # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
-            # Don't explicitly request consent with offline_access, as the spec allows for
-            # "other conditions for processing the request permitting offline access to the
-            # requested resources are in place"
-            # which we interpret as "the admin picks an authorization flow with or without consent"
+            if PROMPT_CONSENT not in self.prompt:
+                # Instead of ignoring the `offline_access` scope when `prompt`
+                # isn't set to `consent`, we set override it ourselves
+                self.prompt.add(PROMPT_CONSENT)
            if self.response_type not in [
                ResponseTypes.CODE,
                ResponseTypes.CODE_TOKEN,
@ -328,7 +328,7 @@ class OAuthAuthorizationParams:
        return code


-class AuthorizationFlowInitView(BufferedPolicyAccessView):
+class AuthorizationFlowInitView(PolicyAccessView):
    """OAuth2 Flow initializer, checks access to application and starts flow"""

    params: OAuthAuthorizationParams
--- a/authentik/providers/rac/apps.py
+++ b/authentik/providers/rac/apps.py
@ -1,9 +1,9 @@
 """RAC app config"""

-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig


-class AuthentikProviderRAC(ManagedAppConfig):
+class AuthentikProviderRAC(AppConfig):
    """authentik rac app config"""

    name = "authentik.providers.rac"
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -4,7 +4,8 @@ from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
-from django.db.models.signals import post_delete, post_save, pre_delete
+from django.db.models import Model
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

@ -45,8 +46,12 @@ def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **
    )


-@receiver([post_save, post_delete], sender=Endpoint)
-def post_save_post_delete_endpoint(**_):
-    """Clear user's endpoint cache upon endpoint creation or deletion"""
+@receiver(post_save, sender=Endpoint)
+def post_save_endpoint(sender: type[Model], instance, created: bool, **_):
+    """Clear user's endpoint cache upon endpoint creation"""
+    if not created:  # pragma: no cover
+        return
+
+    # Delete user endpoint cache
    keys = cache.keys(user_endpoint_cache_key("*"))
    cache.delete_many(keys)
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -18,11 +18,11 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider


-class RACStartView(BufferedPolicyAccessView):
+class RACStartView(PolicyAccessView):
    """Start a RAC connection by checking access and creating a connection token"""

    endpoint: Endpoint
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -180,7 +180,6 @@ class SAMLProviderSerializer(ProviderSerializer):
            "session_valid_not_on_or_after",
            "property_mappings",
            "name_id_mapping",
-            "authn_context_class_ref_mapping",
            "digest_algorithm",
            "signature_algorithm",
            "signing_kp",
--- a/authentik/providers/saml/migrations/0017_samlprovider_authn_context_class_ref_mapping.py
+++ b/authentik/providers/saml/migrations/0017_samlprovider_authn_context_class_ref_mapping.py
@ -1,28 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-18 17:41
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_saml", "0016_samlprovider_encryption_kp_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="samlprovider",
-            name="authn_context_class_ref_mapping",
-            field=models.ForeignKey(
-                blank=True,
-                default=None,
-                help_text="Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                related_name="+",
-                to="authentik_providers_saml.samlpropertymapping",
-                verbose_name="AuthnContextClassRef Property Mapping",
-            ),
-        ),
-    ]
--- a/authentik/providers/saml/migrations/0018_alter_samlprovider_acs_url.py
+++ b/authentik/providers/saml/migrations/0018_alter_samlprovider_acs_url.py
@ -1,22 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-31 13:50
-
-import authentik.lib.models
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_saml", "0017_samlprovider_authn_context_class_ref_mapping"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="samlprovider",
-            name="acs_url",
-            field=models.TextField(
-                validators=[authentik.lib.models.DomainlessURLValidator(schemes=("http", "https"))],
-                verbose_name="ACS URL",
-            ),
-        ),
-    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 from authentik.core.api.object_types import CreatableType
 from authentik.core.models import PropertyMapping, Provider
 from authentik.crypto.models import CertificateKeyPair
-from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
@ -41,9 +40,7 @@ class SAMLBindings(models.TextChoices):
 class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML."""

-    acs_url = models.TextField(
-        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
-    )
+    acs_url = models.URLField(verbose_name=_("ACS URL"))
    audience = models.TextField(
        default="",
        blank=True,
@ -74,20 +71,6 @@ class SAMLProvider(Provider):
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
-    authn_context_class_ref_mapping = models.ForeignKey(
-        "SAMLPropertyMapping",
-        default=None,
-        blank=True,
-        null=True,
-        on_delete=models.SET_DEFAULT,
-        verbose_name=_("AuthnContextClassRef Property Mapping"),
-        related_name="+",
-        help_text=_(
-            "Configure how the AuthnContextClassRef value will be created. When left empty, "
-            "the AuthnContextClassRef will be set based on which authentication methods the user "
-            "used to authenticate."
-        ),
-    )

    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
@ -187,6 +170,7 @@ class SAMLProvider(Provider):
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL"""
        try:
+
            return reverse(
                "authentik_providers_saml:sso-init",
                kwargs={"application_slug": self.application.slug},
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -1,6 +1,5 @@
 """SAML Assertion generator"""

-from datetime import datetime
 from hashlib import sha256
 from types import GeneratorType

@ -53,7 +52,6 @@ class AssertionProcessor:
    _assertion_id: str
    _response_id: str

-    _auth_instant: str
    _valid_not_before: str
    _session_not_on_or_after: str
    _valid_not_on_or_after: str
@ -67,11 +65,6 @@ class AssertionProcessor:
        self._assertion_id = get_random_id()
        self._response_id = get_random_id()

-        _login_event = get_login_event(self.http_request)
-        _login_time = datetime.now()
-        if _login_event:
-            _login_time = _login_event.created
-        self._auth_instant = get_time_string(_login_time)
        self._valid_not_before = get_time_string(
            timedelta_from_string(self.provider.assertion_valid_not_before)
        )
@ -138,7 +131,7 @@ class AssertionProcessor:
    def get_assertion_auth_n_statement(self) -> Element:
        """Generate AuthnStatement with AuthnContext and ContextClassRef Elements."""
        auth_n_statement = Element(f"{{{NS_SAML_ASSERTION}}}AuthnStatement")
-        auth_n_statement.attrib["AuthnInstant"] = self._auth_instant
+        auth_n_statement.attrib["AuthnInstant"] = self._valid_not_before
        auth_n_statement.attrib["SessionIndex"] = sha256(
            self.http_request.session.session_key.encode("ascii")
        ).hexdigest()
@ -165,28 +158,6 @@ class AssertionProcessor:
                auth_n_context_class_ref.text = (
                    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
                )
-        if self.provider.authn_context_class_ref_mapping:
-            try:
-                value = self.provider.authn_context_class_ref_mapping.evaluate(
-                    user=self.http_request.user,
-                    request=self.http_request,
-                    provider=self.provider,
-                )
-                if value is not None:
-                    auth_n_context_class_ref.text = str(value)
-                return auth_n_statement
-            except PropertyMappingExpressionException as exc:
-                Event.new(
-                    EventAction.CONFIGURATION_ERROR,
-                    message=(
-                        "Failed to evaluate property-mapping: "
-                        f"'{self.provider.authn_context_class_ref_mapping.name}'"
-                    ),
-                    provider=self.provider,
-                    mapping=self.provider.authn_context_class_ref_mapping,
-                ).from_http(self.http_request)
-                LOGGER.warning("Failed to evaluate property mapping", exc=exc)
-                return auth_n_statement
        return auth_n_statement

    def get_assertion_conditions(self) -> Element:
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -294,61 +294,6 @@ class TestAuthNRequest(TestCase):
        self.assertEqual(parsed_request.id, "aws_LDxLGeubpc5lx12gxCgS6uPbix1yd5re")
        self.assertEqual(parsed_request.name_id_policy, SAML_NAME_ID_FORMAT_EMAIL)

-    def test_authn_context_class_ref_mapping(self):
-        """Test custom authn_context_class_ref"""
-        authn_context_class_ref = generate_id()
-        mapping = SAMLPropertyMapping.objects.create(
-            name=generate_id(), expression=f"""return '{authn_context_class_ref}'"""
-        )
-        self.provider.authn_context_class_ref_mapping = mapping
-        self.provider.save()
-        user = create_test_admin_user()
-        http_request = get_request("/", user=user)
-
-        # First create an AuthNRequest
-        request_proc = RequestProcessor(self.source, http_request, "test_state")
-        request = request_proc.build_auth_n()
-
-        # To get an assertion we need a parsed request (parsed by provider)
-        parsed_request = AuthNRequestParser(self.provider).parse(
-            b64encode(request.encode()).decode(), "test_state"
-        )
-        # Now create a response and convert it to string (provider)
-        response_proc = AssertionProcessor(self.provider, http_request, parsed_request)
-        response = response_proc.build_response()
-        self.assertIn(user.username, response)
-        self.assertIn(authn_context_class_ref, response)
-
-    def test_authn_context_class_ref_mapping_invalid(self):
-        """Test custom authn_context_class_ref (invalid)"""
-        mapping = SAMLPropertyMapping.objects.create(name=generate_id(), expression="q")
-        self.provider.authn_context_class_ref_mapping = mapping
-        self.provider.save()
-        user = create_test_admin_user()
-        http_request = get_request("/", user=user)
-
-        # First create an AuthNRequest
-        request_proc = RequestProcessor(self.source, http_request, "test_state")
-        request = request_proc.build_auth_n()
-
-        # To get an assertion we need a parsed request (parsed by provider)
-        parsed_request = AuthNRequestParser(self.provider).parse(
-            b64encode(request.encode()).decode(), "test_state"
-        )
-        # Now create a response and convert it to string (provider)
-        response_proc = AssertionProcessor(self.provider, http_request, parsed_request)
-        response = response_proc.build_response()
-        self.assertIn(user.username, response)
-
-        events = Event.objects.filter(
-            action=EventAction.CONFIGURATION_ERROR,
-        )
-        self.assertTrue(events.exists())
-        self.assertEqual(
-            events.first().context["message"],
-            f"Failed to evaluate property-mapping: '{mapping.name}'",
-        )
-
    def test_request_attributes(self):
        """Test full SAML Request/Response flow, fully signed"""
        user = create_test_admin_user()
@ -376,10 +321,8 @@ class TestAuthNRequest(TestCase):
        request = request_proc.build_auth_n()

        # Create invalid PropertyMapping
-        mapping = SAMLPropertyMapping.objects.create(
-            name=generate_id(), saml_name="test", expression="q"
-        )
-        self.provider.property_mappings.add(mapping)
+        scope = SAMLPropertyMapping.objects.create(name="test", saml_name="test", expression="q")
+        self.provider.property_mappings.add(scope)

        # To get an assertion we need a parsed request (parsed by provider)
        parsed_request = AuthNRequestParser(self.provider).parse(
@ -395,7 +338,7 @@ class TestAuthNRequest(TestCase):
        self.assertTrue(events.exists())
        self.assertEqual(
            events.first().context["message"],
-            f"Failed to evaluate property-mapping: '{mapping.name}'",
+            "Failed to evaluate property-mapping: 'test'",
        )

    def test_idp_initiated(self):
--- a/authentik/providers/saml/utils/time.py
+++ b/authentik/providers/saml/utils/time.py
@ -1,16 +1,12 @@
 """Time utilities"""

-from datetime import datetime, timedelta
-
-from django.utils.timezone import now
+import datetime


-def get_time_string(delta: timedelta | datetime | None = None) -> str:
+def get_time_string(delta: datetime.timedelta | None = None) -> str:
    """Get Data formatted in SAML format"""
    if delta is None:
-        delta = timedelta()
-    if isinstance(delta, timedelta):
-        final = now() + delta
-    else:
-        final = delta
+        delta = datetime.timedelta()
+    now = datetime.datetime.now()
+    final = now + delta
    return final.strftime("%Y-%m-%dT%H:%M:%SZ")
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -15,7 +15,7 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import BufferedPolicyAccessView
+from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
@ -35,7 +35,7 @@ from authentik.stages.consent.stage import (
 LOGGER = get_logger()


-class SAMLSSOView(BufferedPolicyAccessView):
+class SAMLSSOView(PolicyAccessView):
    """SAML SSO Base View, which plans a flow and injects our final stage.
    Calls get/post handler."""

@ -83,7 +83,7 @@ class SAMLSSOView(BufferedPolicyAccessView):

    def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
        """GET and POST use the same handler, but we can't
-        override .dispatch easily because BufferedPolicyAccessView's dispatch"""
+        override .dispatch easily because PolicyAccessView's dispatch"""
        return self.get(request, application_slug)


--- a/authentik/providers/scim/api/groups.py
+++ b/authentik/providers/scim/api/groups.py
@ -24,9 +24,7 @@ class SCIMProviderGroupSerializer(ModelSerializer):
            "group",
            "group_obj",
            "provider",
-            "attributes",
        ]
-        extra_kwargs = {"attributes": {"read_only": True}}


 class SCIMProviderGroupViewSet(
--- a/authentik/providers/scim/api/providers.py
+++ b/authentik/providers/scim/api/providers.py
@ -28,7 +28,6 @@ class SCIMProviderSerializer(ProviderSerializer):
            "url",
            "verify_certificates",
            "token",
-            "compatibility_mode",
            "exclude_users_service_account",
            "filter_group",
            "dry_run",
--- a/authentik/providers/scim/api/users.py
+++ b/authentik/providers/scim/api/users.py
@ -24,9 +24,7 @@ class SCIMProviderUserSerializer(ModelSerializer):
            "user",
            "user_obj",
            "provider",
-            "attributes",
        ]
-        extra_kwargs = {"attributes": {"read_only": True}}


 class SCIMProviderUserViewSet(
--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@ -22,7 +22,7 @@ from authentik.lib.sync.outgoing.exceptions import (
 from authentik.lib.utils.http import get_http_session
 from authentik.providers.scim.clients.exceptions import SCIMRequestException
 from authentik.providers.scim.clients.schema import ServiceProviderConfiguration
-from authentik.providers.scim.models import SCIMCompatibilityMode, SCIMProvider
+from authentik.providers.scim.models import SCIMProvider

 if TYPE_CHECKING:
    from django.db.models import Model
@ -90,14 +90,9 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
        """Get Service provider config"""
        default_config = ServiceProviderConfiguration.default()
        try:
-            config = ServiceProviderConfiguration.model_validate(
+            return ServiceProviderConfiguration.model_validate(
                self._request("GET", "/ServiceProviderConfig")
            )
-            if self.provider.compatibility_mode == SCIMCompatibilityMode.AWS:
-                config.patch.supported = False
-            if self.provider.compatibility_mode == SCIMCompatibilityMode.SLACK:
-                config.filter.supported = True
-            return config
        except (ValidationError, SCIMRequestException, NotFoundSyncException) as exc:
            self.logger.warning("failed to get ServiceProviderConfig", exc=exc)
            return default_config
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -102,7 +102,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
        if not scim_id or scim_id == "":
            raise StopSync("SCIM Response with missing or invalid `id`")
        connection = SCIMProviderGroup.objects.create(
-            provider=self.provider, group=group, scim_id=scim_id, attributes=response
+            provider=self.provider, group=group, scim_id=scim_id
        )
        users = list(group.users.order_by("id").values_list("id", flat=True))
        self._patch_add_users(connection, users)
@ -243,10 +243,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
            if user.value not in users_should:
                users_to_remove.append(user.value)
        # Check users that should be in the group and add them
-        if current_group.members is not None:
-            for user in users_should:
-                if len([x for x in current_group.members if x.value == user]) < 1:
-                    users_to_add.append(user)
+        for user in users_should:
+            if len([x for x in current_group.members if x.value == user]) < 1:
+                users_to_add.append(user)
        # Only send request if we need to make changes
        if len(users_to_add) < 1 and len(users_to_remove) < 1:
            return
--- a/authentik/providers/scim/clients/users.py
+++ b/authentik/providers/scim/clients/users.py
@ -1,12 +1,10 @@
 """User client"""

-from django.db import transaction
-from django.utils.http import urlencode
 from pydantic import ValidationError

 from authentik.core.models import User
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.lib.sync.outgoing.exceptions import ObjectExistsSyncException, StopSync
+from authentik.lib.sync.outgoing.exceptions import StopSync
 from authentik.policies.utils import delete_none_values
 from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
@ -57,44 +55,24 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
    def create(self, user: User):
        """Create user from scratch and create a connection object"""
        scim_user = self.to_schema(user, None)
-        with transaction.atomic():
-            try:
-                response = self._request(
-                    "POST",
-                    "/Users",
-                    json=scim_user.model_dump(
-                        mode="json",
-                        exclude_unset=True,
-                    ),
-                )
-            except ObjectExistsSyncException as exc:
-                if not self._config.filter.supported:
-                    raise exc
-                users = self._request(
-                    "GET", f"/Users?{urlencode({'filter': f'userName eq {scim_user.userName}'})}"
-                )
-                users_res = users.get("Resources", [])
-                if len(users_res) < 1:
-                    raise exc
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider,
-                    user=user,
-                    scim_id=users_res[0]["id"],
-                    attributes=users_res[0],
-                )
-            else:
-                scim_id = response.get("id")
-                if not scim_id or scim_id == "":
-                    raise StopSync("SCIM Response with missing or invalid `id`")
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=scim_id, attributes=response
-                )
+        response = self._request(
+            "POST",
+            "/Users",
+            json=scim_user.model_dump(
+                mode="json",
+                exclude_unset=True,
+            ),
+        )
+        scim_id = response.get("id")
+        if not scim_id or scim_id == "":
+            raise StopSync("SCIM Response with missing or invalid `id`")
+        return SCIMProviderUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)

    def update(self, user: User, connection: SCIMProviderUser):
        """Update existing user"""
        scim_user = self.to_schema(user, connection)
        scim_user.id = connection.scim_id
-        response = self._request(
+        self._request(
            "PUT",
            f"/Users/{connection.scim_id}",
            json=scim_user.model_dump(
@ -102,5 +80,3 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
                exclude_unset=True,
            ),
        )
-        connection.attributes = response
-        connection.save()
--- a/authentik/providers/scim/migrations/0012_scimprovider_compatibility_mode.py
+++ b/authentik/providers/scim/migrations/0012_scimprovider_compatibility_mode.py
@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-03-07 23:35
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0011_scimprovider_dry_run"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovider",
-            name="compatibility_mode",
-            field=models.CharField(
-                choices=[("default", "Default"), ("aws", "AWS"), ("slack", "Slack")],
-                default="default",
-                help_text="Alter authentik behavior for vendor-specific SCIM implementations.",
-                max_length=30,
-                verbose_name="SCIM Compatibility Mode",
-            ),
-        ),
-    ]
--- a/authentik/providers/scim/migrations/0013_scimprovidergroup_attributes_and_more.py
+++ b/authentik/providers/scim/migrations/0013_scimprovidergroup_attributes_and_more.py
@ -1,23 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-18 13:47
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0012_scimprovider_compatibility_mode"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovidergroup",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-        migrations.AddField(
-            model_name="scimprovideruser",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-    ]
--- a/authentik/providers/scim/models.py
+++ b/authentik/providers/scim/models.py
@ -22,7 +22,6 @@ class SCIMProviderUser(SerializerModel):
    scim_id = models.TextField()
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    provider = models.ForeignKey("SCIMProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)

    @property
    def serializer(self) -> type[Serializer]:
@ -44,7 +43,6 @@ class SCIMProviderGroup(SerializerModel):
    scim_id = models.TextField()
    group = models.ForeignKey(Group, on_delete=models.CASCADE)
    provider = models.ForeignKey("SCIMProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)

    @property
    def serializer(self) -> type[Serializer]:
@ -59,14 +57,6 @@ class SCIMProviderGroup(SerializerModel):
        return f"SCIM Provider Group {self.group_id} to {self.provider_id}"


-class SCIMCompatibilityMode(models.TextChoices):
-    """SCIM compatibility mode"""
-
-    DEFAULT = "default", _("Default")
-    AWS = "aws", _("AWS")
-    SLACK = "slack", _("Slack")
-
-
 class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
    """SCIM 2.0 provider to create users and groups in external applications"""

@ -87,14 +77,6 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
        help_text=_("Property mappings used for group creation/updating."),
    )

-    compatibility_mode = models.CharField(
-        max_length=30,
-        choices=SCIMCompatibilityMode.choices,
-        default=SCIMCompatibilityMode.DEFAULT,
-        verbose_name=_("SCIM Compatibility Mode"),
-        help_text=_("Alter authentik behavior for vendor-specific SCIM implementations."),
-    )
-
    @property
    def icon_url(self) -> str | None:
        return static("authentik/sources/scim.png")
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -68,6 +68,8 @@ class OAuth2Client(BaseOAuthClient):
            error_desc = self.get_request_arg("error_description", None)
            return {"error": error_desc or error or _("No token received.")}
        args = {
+            "client_id": self.get_client_id(),
+            "client_secret": self.get_client_secret(),
            "redirect_uri": callback,
            "code": code,
            "grant_type": "authorization_code",
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
@ -28,7 +28,7 @@ def update_well_known_jwks(self: SystemTask):
            LOGGER.warning("Failed to update well_known", source=source, exc=exc, text=text)
            messages.append(f"Failed to update OIDC configuration for {source.slug}")
            continue
-        config: dict = well_known_config.json()
+        config = well_known_config.json()
        try:
            dirty = False
            source_attr_key = (
@ -40,9 +40,7 @@ def update_well_known_jwks(self: SystemTask):
            for source_attr, config_key in source_attr_key:
                # Check if we're actually changing anything to only
                # save when something has changed
-                if config_key not in config:
-                    continue
-                if getattr(source, source_attr, "") != config.get(config_key, ""):
+                if getattr(source, source_attr, "") != config[config_key]:
                    dirty = True
                setattr(source, source_attr, config[config_key])
        except (IndexError, KeyError) as exc:
--- a/authentik/sources/oauth/types/reddit.py
+++ b/authentik/sources/oauth/types/reddit.py
@ -25,10 +25,8 @@ class RedditOAuth2Client(UserprofileHeaderAuthClient):

    def get_access_token(self, **request_kwargs):
        "Fetch access token from callback request."
-        request_kwargs["auth"] = HTTPBasicAuth(
-            self.source.consumer_key, self.source.consumer_secret
-        )
-        return super().get_access_token(**request_kwargs)
+        auth = HTTPBasicAuth(self.source.consumer_key, self.source.consumer_secret)
+        return super().get_access_token(auth=auth)


 class RedditOAuth2Callback(OAuthCallback):
--- a/authentik/sources/saml/migrations/0018_alter_samlsource_slo_url_alter_samlsource_sso_url.py
+++ b/authentik/sources/saml/migrations/0018_alter_samlsource_slo_url_alter_samlsource_sso_url.py
@ -1,35 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-31 13:53
-
-import authentik.lib.models
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_sources_saml", "0017_fix_x509subjectname"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="samlsource",
-            name="slo_url",
-            field=models.TextField(
-                blank=True,
-                default=None,
-                help_text="Optional URL if your IDP supports Single-Logout.",
-                null=True,
-                validators=[authentik.lib.models.DomainlessURLValidator(schemes=("http", "https"))],
-                verbose_name="SLO URL",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="samlsource",
-            name="sso_url",
-            field=models.TextField(
-                help_text="URL that the initial Login request is sent to.",
-                validators=[authentik.lib.models.DomainlessURLValidator(schemes=("http", "https"))],
-                verbose_name="SSO URL",
-            ),
-        ),
-    ]
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@ -20,7 +20,6 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.challenge import RedirectChallenge
 from authentik.flows.models import Flow
 from authentik.lib.expression.evaluator import BaseEvaluator
-from authentik.lib.models import DomainlessURLValidator
 from authentik.lib.utils.time import timedelta_string_validator
 from authentik.sources.saml.processors.constants import (
    DSA_SHA1,
@ -92,13 +91,11 @@ class SAMLSource(Source):
        help_text=_("Also known as Entity ID. Defaults the Metadata URL."),
    )

-    sso_url = models.TextField(
-        validators=[DomainlessURLValidator(schemes=("http", "https"))],
+    sso_url = models.URLField(
        verbose_name=_("SSO URL"),
        help_text=_("URL that the initial Login request is sent to."),
    )
-    slo_url = models.TextField(
-        validators=[DomainlessURLValidator(schemes=("http", "https"))],
+    slo_url = models.URLField(
        default=None,
        blank=True,
        null=True,
--- a/authentik/sources/saml/views.py
+++ b/authentik/sources/saml/views.py
@ -33,7 +33,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@ -74,8 +73,6 @@ class InitiateView(View):
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        kwargs.update(
            {
                PLAN_CONTEXT_SSO: True,
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/email/migrations/0005_alter_emailstage_token_expiry.py
+++ b/authentik/stages/email/migrations/0005_alter_emailstage_token_expiry.py
@ -1,54 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-27 04:32
-
-import authentik.lib.utils.time
-from authentik.lib.utils.time import timedelta_from_string
-from django.db import migrations, models
-
-
-def convert_integer_to_string_format(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    EmailStage = apps.get_model("authentik_stages_email", "EmailStage")
-    for stage in EmailStage.objects.using(db_alias).all():
-        stage.token_expiry = f"minutes={stage.token_expiry}"
-        stage.save(using=db_alias)
-
-
-def convert_string_to_integer_format(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    EmailStage = apps.get_model("authentik_stages_email", "EmailStage")
-    for stage in EmailStage.objects.using(db_alias).all():
-        # Check if token_expiry is a string
-        if isinstance(stage.token_expiry, str):
-            try:
-                # Use the timedelta_from_string utility to convert to timedelta
-                # then convert to minutes by dividing seconds by 60
-                td = timedelta_from_string(stage.token_expiry)
-                minutes_value = int(td.total_seconds() / 60)
-                stage.token_expiry = minutes_value
-                stage.save(using=db_alias)
-            except (ValueError, TypeError):
-                # If the string can't be parsed or converted properly, skip
-                pass
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_stages_email", "0004_emailstage_activate_user_on_success"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="emailstage",
-            name="token_expiry",
-            field=models.TextField(
-                default="minutes=30",
-                help_text="Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).",
-                validators=[authentik.lib.utils.time.timedelta_string_validator],
-            ),
-        ),
-        migrations.RunPython(
-            convert_integer_to_string_format,
-            convert_string_to_integer_format,
-        ),
-    ]
--- a/authentik/stages/email/models.py
+++ b/authentik/stages/email/models.py
@ -14,7 +14,6 @@ from structlog.stdlib import get_logger

 from authentik.flows.models import Stage
 from authentik.lib.config import CONFIG
-from authentik.lib.utils.time import timedelta_string_validator

 LOGGER = get_logger()

@ -75,10 +74,8 @@ class EmailStage(Stage):
        default=False, help_text=_("Activate users upon completion of stage.")
    )

-    token_expiry = models.TextField(
-        default="minutes=30",
-        validators=[timedelta_string_validator],
-        help_text=_("Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."),
+    token_expiry = models.IntegerField(
+        default=30, help_text=_("Time in minutes the token sent is valid.")
    )
    subject = models.TextField(default="authentik")
    template = models.TextField(default=EmailTemplates.PASSWORD_RESET)
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -22,7 +22,6 @@ from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDI
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
 from authentik.lib.utils.errors import exception_to_string
-from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -74,8 +73,8 @@ class EmailStageView(ChallengeStageView):
        """Get token"""
        pending_user = self.get_pending_user()
        current_stage: EmailStage = self.executor.current_stage
-        valid_delta = timedelta_from_string(current_stage.token_expiry) + timedelta(
-            minutes=1
+        valid_delta = timedelta(
+            minutes=current_stage.token_expiry + 1
        )  # + 1 because django timesince always rounds down
        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
        # Don't check for validity here, we only care if the token exists
--- a/authentik/stages/email/tests/test_sending.py
+++ b/authentik/stages/email/tests/test_sending.py
@ -8,7 +8,7 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.urls import reverse

 from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@ -67,36 +67,6 @@ class TestEmailStageSending(FlowTestCase):
            self.assertEqual(event.context["to_email"], [f"{self.user.name} <{self.user.email}>"])
            self.assertEqual(event.context["from_email"], "system@authentik.local")

-    def test_newlines_long_name(self):
-        """Test with pending user"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
-        long_user = create_test_user()
-        long_user.name = "Test User\r\n Many Words\r\n"
-        long_user.save()
-        plan.context[PLAN_CONTEXT_PENDING_USER] = long_user
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-        Event.objects.filter(action=EventAction.EMAIL_SENT).delete()
-
-        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=EmailBackend),
-        ):
-            response = self.client.post(url)
-            self.assertEqual(response.status_code, 200)
-            self.assertStageResponse(
-                response,
-                self.flow,
-                response_errors={
-                    "non_field_errors": [{"string": "email-sent", "code": "email-sent"}]
-                },
-            )
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(mail.outbox[0].subject, "authentik")
-            self.assertEqual(mail.outbox[0].to, [f"Test User   Many Words   <{long_user.email}>"])
-
    def test_pending_fake_user(self):
        """Test with pending (fake) user"""
        self.flow.designation = FlowDesignation.RECOVERY
--- a/authentik/stages/email/utils.py
+++ b/authentik/stages/email/utils.py
@ -32,14 +32,7 @@ class TemplateEmailMessage(EmailMultiAlternatives):
        sanitized_to = []
        # Ensure that all recipients are valid
        for recipient_name, recipient_email in to:
-            # Remove any newline characters from name and email before sanitizing
-            clean_name = (
-                recipient_name.replace("\n", " ").replace("\r", " ") if recipient_name else ""
-            )
-            clean_email = (
-                recipient_email.replace("\n", "").replace("\r", "") if recipient_email else ""
-            )
-            sanitized_to.append(sanitize_address((clean_name, clean_email), "utf-8"))
+            sanitized_to.append(sanitize_address((recipient_name, recipient_email), "utf-8"))
        super().__init__(to=sanitized_to, **kwargs)
        if not template_name:
            return
--- a/blueprints/example/flows-recovery-email-verification.yaml
+++ b/blueprints/example/flows-recovery-email-verification.yaml
@ -57,7 +57,7 @@ entries:
      use_ssl: false
      timeout: 10
      from_address: system@authentik.local
-      token_expiry: minutes=30
+      token_expiry: 30
      subject: authentik
      template: email/password_reset.html
      activate_user_on_success: true
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.3 Blueprint schema",
+    "title": "authentik 2025.2.1 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -6423,6 +6423,8 @@
                },
                "acs_url": {
                    "type": "string",
+                    "format": "uri",
+                    "maxLength": 200,
                    "minLength": 1,
                    "title": "ACS URL"
                },
@ -6460,11 +6462,6 @@
                    "title": "NameID Property Mapping",
                    "description": "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be considered"
                },
-                "authn_context_class_ref_mapping": {
-                    "type": "integer",
-                    "title": "AuthnContextClassRef Property Mapping",
-                    "description": "Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate."
-                },
                "digest_algorithm": {
                    "type": "string",
                    "enum": [
@ -6664,16 +6661,6 @@
                    "title": "Token",
                    "description": "Authentication token"
                },
-                "compatibility_mode": {
-                    "type": "string",
-                    "enum": [
-                        "default",
-                        "aws",
-                        "slack"
-                    ],
-                    "title": "SCIM Compatibility Mode",
-                    "description": "Alter authentik behavior for vendor-specific SCIM implementations."
-                },
                "exclude_users_service_account": {
                    "type": "boolean",
                    "title": "Exclude users service account"
@ -8731,6 +8718,8 @@
                },
                "sso_url": {
                    "type": "string",
+                    "format": "uri",
+                    "maxLength": 200,
                    "minLength": 1,
                    "title": "SSO URL",
                    "description": "URL that the initial Login request is sent to."
@ -8740,6 +8729,8 @@
                        "string",
                        "null"
                    ],
+                    "format": "uri",
+                    "maxLength": 200,
                    "title": "SLO URL",
                    "description": "Optional URL if your IDP supports Single-Logout."
                },
@ -11378,10 +11369,11 @@
                    "title": "From address"
                },
                "token_expiry": {
-                    "type": "string",
-                    "minLength": 1,
+                    "type": "integer",
+                    "minimum": -2147483648,
+                    "maximum": 2147483647,
                    "title": "Token expiry",
-                    "description": "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+                    "description": "Time in minutes the token sent is valid."
                },
                "subject": {
                    "type": "string",
@ -13010,15 +13002,6 @@
                    "minLength": 1,
                    "title": "Branding favicon"
                },
-                "branding_custom_css": {
-                    "type": "string",
-                    "title": "Branding custom css"
-                },
-                "branding_default_flow_background": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Branding default flow background"
-                },
                "flow_authentication": {
                    "type": "string",
                    "format": "uuid",
@ -14900,15 +14883,9 @@
                    "type": "string",
                    "title": "Webhook url"
                },
-                "webhook_mapping_body": {
+                "webhook_mapping": {
                    "type": "integer",
-                    "title": "Webhook mapping body",
-                    "description": "Customize the body of the request. Mapping should return data that is JSON-serializable."
-                },
-                "webhook_mapping_headers": {
-                    "type": "integer",
-                    "title": "Webhook mapping headers",
-                    "description": "Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs"
+                    "title": "Webhook mapping"
                },
                "send_once": {
                    "type": "boolean",
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -1,14 +1,17 @@
 module goauthentik.io

-go 1.24.0
+go 1.23.0
+
+toolchain go1.24.0
+
 require (
 	beryju.io/ldap v0.1.0
-	github.com/coreos/go-oidc/v3 v3.13.0
+	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/getsentry/sentry-go v0.31.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/go-openapi/runtime v0.28.0
-	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
@ -20,13 +23,13 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/prometheus/client_golang v1.21.1
-	github.com/redis/go-redis/v9 v9.7.3
+	github.com/redis/go-redis/v9 v9.7.1
 	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025023.2
+	goauthentik.io/api/v3 v3.2025021.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.28.0
 	golang.org/x/sync v0.12.0
@ -73,9 +76,9 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -55,8 +55,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
+github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -113,8 +113,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@ -248,8 +248,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
-github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
+github.com/redis/go-redis/v9 v9.7.1 h1:4LhKRCIduqXqtvCUlaq9c8bdHOkICjDMrr1+Zb3osAc=
+github.com/redis/go-redis/v9 v9.7.1/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025023.2 h1:4XHlnykN5jQH78liQ4cp2Jf8eigvQImIJp+A+bsq1nA=
-goauthentik.io/api/v3 v3.2025023.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025021.2 h1:9y87piH47omtkWxQpKZaKai/+jh+cJdLxj5MC2Y/ZLI=
+goauthentik.io/api/v3 v3.2025021.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -313,8 +313,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -386,9 +386,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -450,8 +449,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@ -472,9 +471,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	ab42a62916	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 19:23:34 +01:00
Marc 'risson' Schmitt	ef8d2bdd40	wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 16:24:55 +01:00
Marc 'risson' Schmitt	32f4e08eac	writting down thoughts Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2025-03-07 14:04:21 +01:00