Prep for monorepo use.

web: Update config. Flesh out build. Fix issue surrounding build. Fix paths. Update workspaces. Fix build steps. Apply linter. Temporarily remove problem rules. Add ignorefile. Prep for formatting. Lint website. Lint web, repo packages. Refine Prettier usage. Fix imports. Tidy build. Move node ignore files. Remove unused. Update job. Fix lint step. Build before compiling. Use root for paths. Fix issues surrounding import references, types, package names. Fix build paths. Tidy. Enforce prefix. Apply prefixes to imports. Enable linter, compiler, etc. Fix references. Update names. Mark optional. Revise mounts. Fix build order. Update package.json. Ignore all docusaurus. Fix paths, types. Clean up build steps, names. Fix paths. website: Fix nested paragraphs build warning. web: Enforce module resolution. Use consistent LTS version. Track Node version. Use default resolution. Test main entrypoint. Fix Node v20 compatibility. Add task names. WIP: Fix styles.
website: integrations: apache guacamole: Fix deprecated start-of-doc … (#14114 )
2025-04-17 02:46:10 +02:00 · 2025-04-16 15:45:44 -05:00 · 2025-04-16 15:45:20 -05:00 · 2025-04-16 15:16:01 -05:00 · 2025-04-16 15:50:26 +00:00 · 2025-04-16 15:50:10 +00:00
505 changed files with 69279 additions and 41490 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.3
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.editorconfig
+++ b/.editorconfig
@ -10,6 +10,9 @@ insert_final_newline = true
 [*.html]
 indent_size = 2

+[schemas/*.json]
+indent_size = 2
+
 [*.{yaml,yml}]
 indent_size = 2

--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -28,9 +28,9 @@ runs:
    - name: Setup node
      uses: actions/setup-node@v4
      with:
-        node-version-file: web/package.json
+        node-version-file: package.json
        cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: package-lock.json
    - name: Setup go
      uses: actions/setup-go@v5
      with:
@ -44,7 +44,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        npm ci
    - name: Generate config
      shell: uv run python {0}
      run: |
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -1,5 +1,5 @@
 # Re-usable workflow for a single-architecture build
-name: Single-arch Container build
+name: "Single-arch Container build"

 on:
  workflow_call:
@ -42,7 +42,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -64,12 +64,12 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
+      - name: Make empty clients
        if: ${{ inputs.release }}
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
-      - name: generate ts client
+      - name: Generate TypeScript API Client
        if: ${{ !inputs.release }}
        run: make gen-client-ts
      - name: Build Docker Image
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -1,5 +1,5 @@
 # Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
+name: "Multi-arch container build"

 on:
  workflow_call:
@ -49,7 +49,7 @@ jobs:
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
      - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -69,7 +69,7 @@ jobs:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
      - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/api-py-publish.yml
+++ b/.github/workflows/api-py-publish.yml
@ -1,4 +1,5 @@
-name: authentik-api-py-publish
+name: "Python API Publish"
+
 on:
  push:
    branches: [main]
@ -7,6 +8,7 @@ on:
  workflow_dispatch:
 jobs:
  build:
+    name: "Build and Publish"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
@ -30,8 +32,7 @@ jobs:
        uses: actions/setup-python@v5
        with:
          python-version-file: "pyproject.toml"
-          cache: "poetry"
-      - name: Generate API Client
+      - name: Generate Python API Client
        run: make gen-client-py
      - name: Publish package
        working-directory: gen-py-api/
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: "TypeScript API Publish"
 on:
  push:
    branches: [main]
@ -7,6 +7,7 @@ on:
  workflow_dispatch:
 jobs:
  build:
+    name: "Build and Publish"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
@ -20,9 +21,9 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          registry-url: "https://registry.npmjs.org"
-      - name: Generate API Client
+      - name: Generate TypeScript API Client
        run: make gen-client-ts
      - name: Publish package
        working-directory: gen-ts-api/
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -1,4 +1,4 @@
-name: authentik-ci-aws-cfn
+name: "authentik CI AWS CloudFormation"

 on:
  push:
@ -18,6 +18,7 @@ env:

 jobs:
  check-changes-applied:
+    name: "Check changes applied"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -36,6 +37,7 @@ jobs:
          uv run make aws-cfn
          git diff --exit-code
  ci-aws-cfn-mark:
+    name: "CI AWS CloudFormation Mark"
    if: always()
    needs:
      - check-changes-applied
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-ci-main-daily
+name: "authentik CI Main Daily"

 on:
  workflow_dispatch:
@ -9,6 +9,7 @@ on:

 jobs:
  test-container:
+    name: "Test Container ${{ matrix.version }}"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-ci-main
+name: "authentik CI Main"

 on:
  push:
@ -19,6 +19,7 @@ env:

 jobs:
  lint:
+    name: "Lint"
    strategy:
      fail-fast: false
      matrix:
@ -33,9 +34,10 @@ jobs:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: run job
+      - name: Run job ${{ matrix.job }}
        run: uv run make ci-${{ matrix.job }}
  test-migrations:
+    name: "Test Migrations"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -44,6 +46,7 @@ jobs:
      - name: run migrations
        run: uv run python -m lifecycle.migrate
  test-make-seed:
+    name: "Test Make Seed"
    runs-on: ubuntu-latest
    steps:
      - id: seed
@ -52,7 +55,7 @@ jobs:
    outputs:
      seed: ${{ steps.seed.outputs.seed }}
  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: "Test Migrations From Stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5"
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
@ -67,7 +70,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - name: checkout stable
+      - name: Checkout Stable
        run: |
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
@ -84,9 +87,9 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
-      - name: run migrations to stable
+      - name: Run migrations to stable
        run: poetry run python -m lifecycle.migrate
-      - name: checkout current code
+      - name: Checkout current code
        run: |
          set -x
          git fetch
@ -97,10 +100,10 @@ jobs:
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
-      - name: migrate to latest
+      - name: Migrate to latest
        run: |
          uv run python -m lifecycle.migrate
-      - name: run tests
+      - name: Run tests
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
@ -110,7 +113,7 @@ jobs:
        run: |
          uv run make ci-test
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: "Unit tests - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5"
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
@ -146,6 +149,7 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
+    name: "Integration tests"
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
@ -154,7 +158,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.12.0
-      - name: run integration
+      - name: Run integration
        run: |
          uv run coverage run manage.py test tests/integration
          uv run coverage xml
@ -170,49 +174,50 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
-    name: test-e2e (${{ matrix.job.name }})
+    name: "Test E2E (${{ matrix.job.name }})"
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        job:
-          - name: proxy
+          - name: Proxy Provider
            glob: tests/e2e/test_provider_proxy*
-          - name: oauth
+          - name: OAuth2 Provider
            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-          - name: oauth-oidc
+          - name: OIDC Provider
            glob: tests/e2e/test_provider_oidc*
-          - name: saml
+          - name: SAML Provider
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-          - name: ldap
+          - name: LDAP Provider
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: radius
+          - name: RADIUS Provider
            glob: tests/e2e/test_provider_radius*
-          - name: scim
+          - name: SCIM Source
            glob: tests/e2e/test_source_scim*
-          - name: flows
+          - name: Flows
            glob: tests/e2e/test_flows*
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup E2E env (chrome, etc)
        run: |
          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
      - id: cache-web
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
-      - name: prepare web ui
+          key: ${{ runner.os }}-web-${{ hashFiles('./package-lock.json', 'web/src/**') }}
+      - name: Prepare Web UI
        if: steps.cache-web.outputs.cache-hit != 'true'
-        working-directory: web
        run: |
          npm ci
-          make -C .. gen-client-ts
-          npm run build
-      - name: run e2e
+          make gen-client-ts
+          npm run build -w @goauthentik/web
+
+          npm run typecheck
+      - name: Run E2E tests
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
@ -228,6 +233,7 @@ jobs:
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
+    name: "CI Core Mark"
    if: always()
    needs:
      - lint
@ -242,6 +248,7 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
+    name: "Build"
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
@ -255,6 +262,7 @@ jobs:
      image_name: ghcr.io/goauthentik/dev-server
      release: false
  pr-comment:
+    name: "PR Comment"
    needs:
      - build
    runs-on: ubuntu-latest
@ -267,7 +275,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-ci-outpost
+name: "authentik CI Outpost"

 on:
  push:
@ -14,6 +14,7 @@ on:

 jobs:
  lint-golint:
+    name: "Lint Go"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -26,7 +27,7 @@ jobs:
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
-      - name: Generate API
+      - name: Generate Go API Client
        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v7
@ -35,6 +36,7 @@ jobs:
          args: --timeout 5000s --verbose
          skip-cache: true
  test-unittest:
+    name: "Unit Test Go"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -43,12 +45,13 @@ jobs:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate Go API Client
        run: make gen-client-go
      - name: Go unittests
        run: |
          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
  ci-outpost-mark:
+    name: "CI Outpost Mark"
    if: always()
    needs:
      - lint-golint
@ -59,6 +62,7 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
+    name: "Build Container"
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@ -85,7 +89,7 @@ jobs:
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
@ -99,7 +103,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
+      - name: Generate Go API Client
        run: make gen-client-go
      - name: Build Docker Image
        id: push
@ -122,6 +126,7 @@ jobs:
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-binary:
+    name: "Build Binary"
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@ -140,21 +145,22 @@ jobs:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: npm ci
      - uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Generate API
+      - name: Generate Go API Client
        run: make gen-client-go
      - name: Build web
-        working-directory: web/
        run: |
          npm ci
-          npm run build-proxy
+          npm run build-proxy -w @goauthentik/web
      - name: Build outpost
        run: |
          set -x
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -1,4 +1,4 @@
-name: authentik-ci-web
+name: CI Web UI

 on:
  push:
@ -13,54 +13,50 @@ on:

 jobs:
  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
-        project:
-          - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: Lint
-        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
-  build:
+    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
        run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Build
+        run: |
+          npm run build -w @goauthentik/web
+      - name: Type check
+        run: |
+          npm run typecheck
+      - name: Lint
+        run: |
+          npm run lint -w @goauthentik/web
+          npm run lint:lockfile -w @goauthentik/web
+          npm run lit-analyse -w @goauthentik/web
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: npm ci
+      - name: Generate TypeScript API
        run: make gen-client-ts
      - name: build
-        working-directory: web/
-        run: npm run build
+        run: |
+          npm run build -w @goauthentik/web
+          npm run typecheck
  ci-web-mark:
+    name: CI Web Mark
    if: always()
    needs:
      - build
@ -71,6 +67,7 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  test:
+    name: Test
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
@ -78,13 +75,12 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
        run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test || exit 0
+      - name: Test Web UI
+        run: npm run test -w @goauthentik/web || exit 0
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -1,4 +1,4 @@
-name: authentik-ci-website
+name: CI Docs Website

 on:
  push:
@ -13,55 +13,59 @@ on:

 jobs:
  lint:
+    name: "Lint"
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
    steps:
      - uses: actions/checkout@v4
-      - working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: |
+          npm ci
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Lint Docs
+        run: |
+          npm run lint:prettier:check
+          npm run lint:lockfile -w @goauthentik/docs
  test:
+    name: "Test Docs"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: npm ci
-      - name: test
-        working-directory: website/
-        run: npm test
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: |
+          npm ci
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Test Docs
+        run: |
+          npm run test -w @goauthentik/docs
  build:
+    name: "Build Docs"
    runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
        run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
+      - name: Build
+        run: |
+          npm run build -w @goauthentik/docs
  ci-website-mark:
+    name: "CI Website Mark"
    if: always()
    needs:
      - lint
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -10,7 +10,7 @@ on:

 jobs:
  analyze:
-    name: Analyze
+    name: "Analyze"
    runs-on: ubuntu-latest
    permissions:
      actions: read
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -1,4 +1,4 @@
-name: authentik-gen-update-webauthn-mds
+name: "authentik CI Update WebAuthn MDS"
 on:
  workflow_dispatch:
  schedule:
@ -11,6 +11,7 @@ env:

 jobs:
  build:
+    name: "Update WebAuthn MDS"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gha-cache-cleanup.yml
+++ b/.github/workflows/gha-cache-cleanup.yml
@ -1,6 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: Cleanup cache after PR is closed
+name: "Post-PR Closed Cache Cleanup"
 on:
  pull_request:
    types:
@ -12,6 +12,7 @@ permissions:

 jobs:
  cleanup:
+    name: "Cleanup Cache"
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -1,4 +1,4 @@
-name: ghcr-retention
+name: "authentik GHCR Retention Policy"

 on:
  # schedule:
@ -8,7 +8,7 @@ on:
 jobs:
  clean-ghcr:
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    name: Delete old unused container images
+    name: "Delete old unused container images"
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-compress-images
+name: "authentik CI Image Compression"

 on:
  push:
@ -20,7 +20,7 @@ on:

 jobs:
  compress:
-    name: compress
+    name: "Compress Docker images"
    runs-on: ubuntu-latest
    # Don't run on forks. Token will not be available. Will run on main and open a PR anyway
    if: |
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -0,0 +1,45 @@
+name: authentik-packages-npm-publish
+on:
+  push:
+    branches: [main]
+    paths:
+      - packages/docusaurus-config
+      - packages/eslint-config
+      - packages/prettier-config
+      - packages/tsconfig
+  workflow_dispatch:
+jobs:
+  publish:
+    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - docusaurus-config
+          - eslint-config
+          - prettier-config
+          - tsconfig
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: packages/${{ matrix.package }}/package.json
+          registry-url: "https://registry.npmjs.org"
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            packages/${{ matrix.package }}/package.json
+      - name: Publish package
+        if: steps.changed-files.outputs.any_changed == 'true'
+        working-directory: packages/${{ matrix.package}}
+        run: |
+          npm ci
+          npm run build
+          npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -1,4 +1,4 @@
-name: authentik-publish-source-docs
+name: "authentik Publish Source Docs"

 on:
  push:
@ -12,6 +12,7 @@ env:

 jobs:
  publish-source-docs:
+    name: "Publish"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
@ -19,11 +20,11 @@ jobs:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: generate docs
+      - name: Generate docs
        run: |
          uv run make migrate
          uv run ak build_source_docs
-      - name: Publish
+      - name: Deploy to Netlify
        uses: netlify/actions/cli@master
        with:
          args: deploy --dir=source_docs --prod
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -1,4 +1,4 @@
-name: authentik-on-release-next-branch
+name: "authentik on Release Next Branch"

 on:
  schedule:
@ -11,6 +11,7 @@ permissions:

 jobs:
  update-next:
+    name: "Update Next Branch"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-on-release
+name: "Release publish"

 on:
  release:
@ -7,6 +7,7 @@ on:

 jobs:
  build-server:
+    name: "Build server"
    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    permissions:
@ -21,6 +22,7 @@ jobs:
      registry_dockerhub: true
      registry_ghcr: true
  build-outpost:
+    name: "Build outpost"
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
@ -45,14 +47,14 @@ jobs:
        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
-      - name: make empty clients
+      - name: Make empty clients
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
@ -85,6 +87,7 @@ jobs:
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost-binary:
+    name: "Build outpost binary"
    timeout-minutes: 120
    runs-on: ubuntu-latest
    permissions:
@ -106,14 +109,13 @@ jobs:
          go-version-file: "go.mod"
      - uses: actions/setup-node@v4
        with:
-          node-version-file: web/package.json
+          node-version-file: package.json
          cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          cache-dependency-path: package-lock.json
      - name: Build web
-        working-directory: web/
        run: |
          npm ci
-          npm run build-proxy
+          npm run build-proxy -w @goauthentik/web
      - name: Build outpost
        run: |
          set -x
@ -129,6 +131,7 @@ jobs:
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
+    name: "Upload AWS CloudFormation template"
    permissions:
      # Needed for AWS login
      id-token: write
@ -150,6 +153,7 @@ jobs:
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
+    name: "Test release"
    needs:
      - build-server
      - build-outpost
@ -166,6 +170,7 @@ jobs:
          docker compose start postgresql redis
          docker compose run -u root server test-all
  sentry-release:
+    name: "Sentry release"
    needs:
      - build-server
      - build-outpost
@ -173,7 +178,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-on-tag
+name: "authentik on Tag Release"

 on:
  push:
@ -8,7 +8,7 @@ on:

 jobs:
  build:
-    name: Create Release from Tag
+    name: "Create Release from Tag"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -20,7 +20,7 @@ jobs:
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
+      - name: Prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@ -1,13 +1,15 @@
-name: "authentik-repo-mirror"
+name: "authentik Repository Mirror"

 on: [push, delete]

 jobs:
  to_internal:
+    name: "Mirror to internal repository"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
+        name: "Checkout repository"
        with:
          fetch-depth: 0
      - if: ${{ env.MIRROR_KEY != '' }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -1,4 +1,4 @@
-name: "authentik-repo-stale"
+name: "authentik Repository Stale Issues"

 on:
  schedule:
@ -11,6 +11,7 @@ permissions:

 jobs:
  stale:
+    name: "Stale Issues"
    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,4 +1,4 @@
-name: authentik-semgrep
+name: "authentik CI Semgrep"
 on:
  workflow_dispatch: {}
  pull_request: {}
@ -13,7 +13,7 @@ on:
    - cron: '12 15 * * *'
 jobs:
  semgrep:
-    name: semgrep/ci
+    name: "semgrep/ci"
    runs-on: ubuntu-latest
    permissions:
      contents: read
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -1,4 +1,4 @@
-name: authentik-translation-advice
+name: "authentik Translations Advice"

 on:
  pull_request:
@ -16,6 +16,7 @@ permissions:

 jobs:
  post-comment:
+    name: "Post Comment"
    runs-on: ubuntu-latest
    steps:
      - name: Find Comment
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,5 +1,5 @@
 ---
-name: authentik-translate-extract-compile
+name: "authentik Extract & Compile Translations"
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
@ -16,6 +16,7 @@ env:

 jobs:
  compile:
+    name: "Compile Translations"
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
@ -32,15 +33,20 @@ jobs:
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate TypeScript API
        run: make gen-client-ts
-      - name: run extract
+      - name: Extract Translations
        run: |
          uv run make i18n-extract
-      - name: run compile
+      - name: Build Docs Site
+        run: npm run build-bundled -w @goauthentik/docs
+      - name: Build Web UI
+        run: npm run build -w @goauthentik/web
+      - name: Type check
+        run: npm run typecheck
+      - name: Compile Messages
        run: |
          uv run ak compilemessages
-          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -1,6 +1,6 @@
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: authentik-translation-transifex-rename
+name: "authentik Translations Transifex PR Rename"

 on:
  pull_request:
@ -12,6 +12,7 @@ permissions:

 jobs:
  rename_pr:
+    name: "Rename PR"
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
    steps:
--- a/.gitignore
+++ b/.gitignore
@ -11,6 +11,10 @@ local_settings.py
 db.sqlite3
 media

+# Node
+
+node_modules
+
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@ -33,6 +37,7 @@ eggs/
 lib64/
 parts/
 dist/
+out/
 sdist/
 var/
 wheels/
@ -212,3 +217,26 @@ source_docs/

 ### Docker ###
 docker-compose.override.yml
+
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+node_modules/
+
+tsconfig.tsbuildinfo
+
+# Wireit's cache
+.wireit
+
+custom-elements.json
+
+
+### Development ###
+.drafts
--- a/.prettierignore
+++ b/.prettierignore
@ -0,0 +1,52 @@
+# Prettier Ignorefile
+
+## Static Files
+**/LICENSE
+
+authentik/stages/**/*
+authentik/sources/**/*
+schemas/**/*
+blueprints/**/*
+
+## Build asset directories
+coverage
+dist
+out
+.docusaurus
+.wireit
+website/docs/developer-docs/api/**/*
+
+## Environment
+*.env
+
+## Secrets
+*.secrets
+
+## Yarn
+.yarn/**/*
+
+## Node
+node_modules
+coverage
+
+## Configs
+*.log
+*.yaml
+*.yml
+
+# Templates
+# TODO: Rename affected files to *.template.* or similar.
+authentik/**/*.html
+*.html
+*.mdx
+*.md
+
+## Import order matters
+web/src/poly.ts
+web/src/locale-codes.ts
+web/src/locales/
+
+# Storybook
+storybook-static/
+.storybook/css-import-maps*
+
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -17,6 +17,6 @@
        "ms-python.vscode-pylance",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,7 @@
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./web/node_modules/typescript/lib",
+    "typescript.tsdk": "./node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@ -30,7 +30,71 @@
        }
    ],
    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [
-        ".github/workflows/ci-main.yml"
-    ]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
+
+    "eslint.useFlatConfig": true,
+
+    "explorer.fileNesting.enabled": true,
+    "explorer.fileNesting.patterns": {
+        "*.mjs": "*.d.mts",
+        "*.cjs": "*.d.cts",
+        "package.json": "package-lock.json, yarn.lock, .yarnrc, .yarnrc.yml, .yarn, .nvmrc, .node-version",
+        "tsconfig.json": "tsconfig.*.json, jsconfig.json",
+        "Dockerfile": "*.Dockerfile"
+    },
+
+    "search.exclude": {
+        "**/node_modules": true,
+        "**/*.code-search": true,
+        "**/dist": true,
+        "**/out": true,
+        "**/package-lock.json": true
+    },
+
+    "[css]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascriptreact]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[json]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[markdown]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[shellscript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescriptreact]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[django-html]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+
+    "editor.codeActionsOnSave": {
+        "source.removeUnusedImports": "explicit"
+    },
+    // We use Prettier for formatting, but specifying these settings
+    // will ensure that VS Code's IntelliSense doesn't autocomplete unformatted code.
+    "javascript.format.semicolons": "insert",
+    "typescript.format.semicolons": "insert",
+    "javascript.preferences.quoteStyle": "double",
+    "typescript.preferences.quoteStyle": "double",
+    "github.copilot.enable": {
+        "*": true,
+        "plaintext": true,
+        "markdown": true,
+        "scminput": false,
+        "csv": false,
+        "json": true,
+        "yaml": true
+    }
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -4,12 +4,7 @@
        {
            "label": "authentik/core: make",
            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "lint-fix",
-                "lint"
-            ],
+            "args": ["run", "make", "lint-fix", "lint"],
            "presentation": {
                "panel": "new"
            },
@ -18,11 +13,7 @@
        {
            "label": "authentik/core: run",
            "command": "uv",
-            "args": [
-                "run",
-                "ak",
-                "server"
-            ],
+            "args": ["run", "ak", "server"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -32,17 +23,13 @@
        {
            "label": "authentik/web: make",
            "command": "make",
-            "args": [
-                "web"
-            ],
+            "args": ["web"],
            "group": "build"
        },
        {
            "label": "authentik/web: watch",
            "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -52,26 +39,19 @@
        {
            "label": "authentik: install",
            "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
+            "args": ["install", "-j4"],
            "group": "build"
        },
        {
            "label": "authentik/website: make",
            "command": "make",
-            "args": [
-                "website"
-            ],
+            "args": ["website"],
            "group": "build"
        },
        {
            "label": "authentik/website: watch",
            "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
@ -81,11 +61,7 @@
        {
            "label": "authentik/api: generate",
            "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
            "group": "build"
        }
    ]
--- a/2
+++ b/2
@ -23,6 +23,8 @@ docker-compose.yml              @goauthentik/infrastructure
 Makefile                        @goauthentik/infrastructure
 .editorconfig                   @goauthentik/infrastructure
 CODEOWNERS                      @goauthentik/infrastructure
+# Web packages
+packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
--- a/69
+++ b/69
@ -1,48 +1,31 @@
 # syntax=docker/dockerfile:1

-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+# Stage 1 Web UI and Documentation build

-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder

-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production

-WORKDIR /work/web
+WORKDIR /work

-RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
-    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
+COPY ./package.json ./package.json
+COPY ./package-lock.json ./package-lock.json
+COPY ./packages ./packages
+COPY ./web ./web
+COPY ./website ./website

-COPY ./package.json /work
-COPY ./web /work/web/
-COPY ./website /work/website/
-COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
+COPY ./gen-ts-api ./gen-ts-api
+COPY ./blueprints ./blueprints
+COPY ./schema.yml ./schema.yml
+COPY ./SECURITY.md ./SECURITY.md

-RUN npm run build
+RUN --mount=type=cache,target=/root/.npm npm ci --include=dev
+
+RUN npm run build-bundled -w @goauthentik/docs
+RUN npm run build -w @goauthentik/web
+
+# Stage 2: Build go proxy

-# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder

 ARG TARGETOS
@ -79,7 +62,8 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
    go build -o /go/authentik ./cmd/server

-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
+
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@ -93,10 +77,11 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    mkdir -p /usr/share/GeoIP && \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.12 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.9-slim-bookworm-fips AS python-base
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
+
+# Stage 5: Base python image
+FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@ -109,7 +94,7 @@ WORKDIR /ak-root/

 COPY --from=uv /uv /uvx /bin/

-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps

 ARG TARGETARCH
@ -144,7 +129,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev

-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image

 ARG VERSION
@ -189,7 +174,7 @@ COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=web-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip

 USER 1000
--- a/107
+++ b/107
@ -36,6 +36,13 @@ test: ## Run the server tests and produce a coverage report (locally)
 	uv run coverage html
 	uv run coverage report

+node-check-compile: ## Check and compile the TypeScript source code
+	npm run typecheck
+
+node-lint-fix: ## Lint and automatically fix errors in the javascript source code
+	lint-codespell
+	npm run lint:fix
+
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	uv run black $(PY_SOURCES)
 	uv run ruff check --fix $(PY_SOURCES)
@ -47,9 +54,6 @@ lint: ## Lint the python and golang sources
 	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v

-core-install:
-	uv sync --frozen
-
 migrate: ## Run the Authentik Django server's migrations
 	uv run python -m lifecycle.migrate

@ -72,7 +76,9 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
+install:  ## Install all requires dependencies for `web`, `website` and `core`
+	npm ci
+	uv sync --frozen

 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
@ -94,6 +100,7 @@ gen-build:  ## Extract the schema from the database
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
 		uv run ak make_blueprint_schema > blueprints/schema.json
+
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
@ -101,19 +108,24 @@ gen-build:  ## Extract the schema from the database

 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
+
 	npx prettier --write changelog.md

 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
 	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
+
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
+
 	rm old_schema.yml
+
 	sed -i 's/{/&#123;/g' diff.md
 	sed -i 's/}/&#125;/g' diff.md
+
 	npx prettier --write diff.md

 gen-clean-ts:  ## Remove generated API client for Typescript
@ -133,46 +145,57 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
-		-i /local/schema.yml \
-		-g typescript-fetch \
-		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api-ts-config.yaml \
+		--input-spec /local/schema.yml \
+		--generator-name typescript-fetch \
+		--output /local/${GEN_API_TS} \
+		--config /local/scripts/api-ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	mkdir -p web/node_modules/@goauthentik/api
-	cd ./${GEN_API_TS} && npm i
-	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
+
+	npm install

 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
+
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
+		--input-spec /local/schema.yml \
+		--generator-name python \
+		--output /local/${GEN_API_PY} \
+		--config /local/scripts/api-py-config.yaml \
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
+
 	pip install ./${GEN_API_PY}

 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml \
+		-O ./${GEN_API_GO}/config.yaml
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache \
+		-O ./${GEN_API_GO}/templates/README.mustache
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache \
+		-O ./${GEN_API_GO}/templates/go.mod.mustache
+
 	cp schema.yml ./${GEN_API_GO}/
+
 	docker run \
 		--rm -v ${PWD}/${GEN_API_GO}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
-		-i /local/schema.yml \
-		-g go \
-		-o /local/ \
-		-c /local/config.yaml
+		--input-spec /local/schema.yml \
+		--generator-name go \
+		--output /local/ \
+		--config /local/config.yaml
+
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/

 gen-dev-config:  ## Generate a local development config file
@ -184,56 +207,38 @@ gen: gen-build gen-client-ts
 ## Web
 #########################

-web-build: web-install  ## Build the Authentik UI
-	cd web && npm run build
-
-web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
-
-web-install:  ## Install the necessary libraries to build the Authentik UI
-	cd web && npm ci
+web: web-lint-fix web-lint node-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it

 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run test -w @goauthentik/web

 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
+	npm run watch -w @goauthentik/web

 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run storybook -w @goauthentik/web

 web-lint-fix:
-	cd web && npm run prettier
+	npm run prettier -w @goauthentik/web

 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
-
-web-check-compile:
-	cd web && npm run tsc
+	npm run lint -w @goauthentik/web
+	npm run lit-analyse -w @goauthentik/web

 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run extract-locales -w @goauthentik/web

 #########################
 ## Website
 #########################

-website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
-
-website-install:
-	cd website && npm ci
-
-website-lint-fix: lint-codespell
-	cd website && npm run prettier
+website: node-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it

 website-build:
-	cd website && npm run build
+	npm run build -w @goauthentik/docs

 website-watch:  ## Build and watch the documentation website, updating automatically
-	cd website && npm run watch
+	npm run watch -w @goauthentik/docs

 #########################
 ## Docker
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.3"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ModelSerializer
+from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.blueprints.models import BlueprintInstance
@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.rbac.decorators import permission_required


--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -36,6 +36,7 @@ from authentik.core.models import (
    GroupSourceConnection,
    PropertyMapping,
    Provider,
+    Session,
    Source,
    User,
    UserSourceConnection,
@ -108,6 +109,7 @@ def excluded_models() -> list[type[Model]]:
        Policy,
        PolicyBindingModel,
        # Classes that have other dependencies
+        Session,
        AuthenticatedSession,
        # Classes which are only internally managed
        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -5,6 +5,7 @@ from typing import TypedDict
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
+from rest_framework.serializers import CharField, DateTimeField, IPAddressField
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

@ -54,6 +55,11 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""

+    expires = DateTimeField(source="session.expires", read_only=True)
+    last_ip = IPAddressField(source="session.last_ip", read_only=True)
+    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
+    last_used = DateTimeField(source="session.last_used", read_only=True)
+
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
@ -62,19 +68,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session_key
+        return request._request.session.session_key == instance.session.session_key

    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.last_user_agent)
+        return user_agent_parser.Parse(instance.session.last_user_agent)

    def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
        """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)

    def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
        """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)

    class Meta:
        model = AuthenticatedSession
@ -90,6 +96,7 @@ class AuthenticatedSessionSerializer(ModelSerializer):
            "last_used",
            "expires",
        ]
+        extra_args = {"uuid": {"read_only": True}}


 class AuthenticatedSessionViewSet(
@ -101,9 +108,10 @@ class AuthenticatedSessionViewSet(
 ):
    """AuthenticatedSession Viewset"""

-    queryset = AuthenticatedSession.objects.all()
+    lookup_field = "uuid"
+    queryset = AuthenticatedSession.objects.select_related("session").all()
    serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "last_ip", "last_user_agent"]
-    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
+    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
    ordering = ["user__username"]
    owner_field = "user"
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,14 +1,11 @@
 """User API Views"""

 from datetime import timedelta
-from importlib import import_module
 from json import loads
 from typing import Any

-from django.conf import settings
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.contrib.sessions.backends.base import SessionBase
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -72,8 +69,8 @@ from authentik.core.middleware import (
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
-    AuthenticatedSession,
    Group,
+    Session,
    Token,
    TokenIntents,
    User,
@ -92,7 +89,6 @@ from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


 class UserGroupSerializer(ModelSerializer):
@ -228,6 +224,7 @@ class UserSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
+            "date_joined",
            "is_superuser",
            "groups",
            "groups_obj",
@ -242,6 +239,7 @@ class UserSerializer(ModelSerializer):
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
+            "date_joined": {"read_only": True},
            "password_change_date": {"read_only": True},
        }

@ -774,10 +772,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        response = super().partial_update(request, *args, **kwargs)
        instance: User = self.get_object()
        if not instance.is_active:
-            sessions = AuthenticatedSession.objects.filter(user=instance)
-            session_ids = sessions.values_list("session_key", flat=True)
-            for session in session_ids:
-                SessionStore(session).delete()
-            sessions.delete()
+            Session.objects.filter(authenticatedsession__user=instance).delete()
            LOGGER.debug("Deleted user's sessions", user=instance.username)
        return response
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -20,6 +20,8 @@ from rest_framework.serializers import (
    raise_errors_on_nested_writes,
 )

+from authentik.rbac.permissions import assign_initial_permissions
+

 def is_dict(value: Any):
    """Ensure a value is a dictionary, useful for JSONFields"""
@ -29,6 +31,14 @@ def is_dict(value: Any):


 class ModelSerializer(BaseModelSerializer):
+    def create(self, validated_data):
+        instance = super().create(validated_data)
+
+        request = self.context.get("request")
+        if request and hasattr(request, "user") and not request.user.is_anonymous:
+            assign_initial_permissions(request.user, instance)
+
+        return instance

    def update(self, instance: Model, validated_data):
        raise_errors_on_nested_writes("update", self, validated_data)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -24,6 +24,15 @@ class InbuiltBackend(ModelBackend):
        self.set_method("password", request)
        return user

+    async def aauthenticate(
+        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
+    ) -> User | None:
+        user = await super().aauthenticate(request, username=username, password=password, **kwargs)
+        if not user:
+            return None
+        self.set_method("password", request)
+        return user
+
    def set_method(self, method: str, request: HttpRequest | None, **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
--- a/authentik/core/management/commands/clearsessions.py
+++ b/authentik/core/management/commands/clearsessions.py
@ -0,0 +1,15 @@
+"""Change user type"""
+
+from importlib import import_module
+
+from django.conf import settings
+
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Delete all sessions"""
+
+    def handle_per_tenant(self, **options):
+        engine = import_module(settings.SESSION_ENGINE)
+        engine.SessionStore.clear_expired()
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -2,9 +2,14 @@

 from collections.abc import Callable
 from contextvars import ContextVar
+from functools import partial
 from uuid import uuid4

+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
+from django.utils.deprecation import MiddlewareMixin
+from django.utils.functional import SimpleLazyObject
 from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -20,6 +25,40 @@ CTX_HOST = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + "host", default=None)
 CTX_AUTH_VIA = ContextVar[str | None](STRUCTLOG_KEY_PREFIX + KEY_AUTH_VIA, default=None)


+def get_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (authenticated_session := request.session.get("authenticatedsession", None)) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+async def aget_user(request):
+    if not hasattr(request, "_cached_user"):
+        user = None
+        if (
+            authenticated_session := await request.session.aget("authenticatedsession", None)
+        ) is not None:
+            user = authenticated_session.user
+        request._cached_user = user or AnonymousUser()
+    return request._cached_user
+
+
+class AuthenticationMiddleware(MiddlewareMixin):
+    def process_request(self, request):
+        if not hasattr(request, "session"):
+            raise ImproperlyConfigured(
+                "The Django authentication middleware requires session "
+                "middleware to be installed. Edit your MIDDLEWARE setting to "
+                "insert "
+                "'authentik.root.middleware.SessionMiddleware' before "
+                "'authentik.core.middleware.AuthenticationMiddleware'."
+            )
+        request.user = SimpleLazyObject(lambda: get_user(request))
+        request.auser = partial(aget_user, request)
+
+
 class ImpersonateMiddleware:
    """Middleware to impersonate users"""

--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -0,0 +1,238 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:58
+
+import uuid
+import pickle  # nosec
+from django.core import signing
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.db import migrations, models
+import django.db.models.deletion
+from django.conf import settings
+from django.contrib.sessions.backends.cache import KEY_PREFIX
+from django.utils.timezone import now, timedelta
+from authentik.lib.migrations import progress_bar
+from authentik.root.middleware import ClientIPMiddleware
+
+
+SESSION_CACHE_ALIAS = "default"
+
+
+class PickleSerializer:
+    """
+    Simple wrapper around pickle to be used in signing.dumps()/loads() and
+    cache backends.
+    """
+
+    def __init__(self, protocol=None):
+        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
+
+    def dumps(self, obj):
+        """Pickle data to be stored in redis"""
+        return pickle.dumps(obj, self.protocol)
+
+    def loads(self, data):
+        """Unpickle data to be loaded from redis"""
+        return pickle.loads(data)  # nosec
+
+
+def _migrate_session(
+    apps,
+    db_alias,
+    session_key,
+    session_data,
+    expires,
+):
+    Session = apps.get_model("authentik_core", "Session")
+    OldAuthenticatedSession = apps.get_model("authentik_core", "OldAuthenticatedSession")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+
+    old_auth_session = (
+        OldAuthenticatedSession.objects.using(db_alias).filter(session_key=session_key).first()
+    )
+
+    args = {
+        "session_key": session_key,
+        "expires": expires,
+        "last_ip": ClientIPMiddleware.default_ip,
+        "last_user_agent": "",
+        "session_data": {},
+    }
+    for k, v in session_data.items():
+        if k == "authentik/stages/user_login/last_ip":
+            args["last_ip"] = v
+        elif k in ["last_user_agent", "last_used"]:
+            args[k] = v
+        elif args in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY]:
+            pass
+        else:
+            args["session_data"][k] = v
+    if old_auth_session:
+        args["last_user_agent"] = old_auth_session.last_user_agent
+        args["last_used"] = old_auth_session.last_used
+
+    args["session_data"] = pickle.dumps(args["session_data"])
+    session = Session.objects.using(db_alias).create(**args)
+
+    if old_auth_session:
+        AuthenticatedSession.objects.using(db_alias).create(
+            session=session,
+            user=old_auth_session.user,
+        )
+
+
+def migrate_redis_sessions(apps, schema_editor):
+    from django.core.cache import caches
+
+    db_alias = schema_editor.connection.alias
+    cache = caches[SESSION_CACHE_ALIAS]
+
+    # Not a redis cache, skipping
+    if not hasattr(cache, "keys"):
+        return
+
+    print("\nMigrating Redis sessions to database, this might take a couple of minutes...")
+    for key, session_data in progress_bar(cache.get_many(cache.keys(f"{KEY_PREFIX}*")).items()):
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=key.removeprefix(KEY_PREFIX),
+            session_data=session_data,
+            expires=now() + timedelta(seconds=cache.ttl(key)),
+        )
+
+
+def migrate_database_sessions(apps, schema_editor):
+    DjangoSession = apps.get_model("sessions", "Session")
+    db_alias = schema_editor.connection.alias
+
+    print("\nMigration database sessions, this might take a couple of minutes...")
+    for django_session in progress_bar(DjangoSession.objects.using(db_alias).all()):
+        session_data = signing.loads(
+            django_session.session_data,
+            salt="django.contrib.sessions.SessionStore",
+            serializer=PickleSerializer,
+        )
+        _migrate_session(
+            apps=apps,
+            db_alias=db_alias,
+            session_key=django_session.session_key,
+            session_data=session_data,
+            expires=django_session.expire_date,
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("sessions", "0001_initial"),
+        ("authentik_core", "0045_rename_new_identifier_usersourceconnection_identifier_and_more"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+    ]
+
+    operations = [
+        # Rename AuthenticatedSession to OldAuthenticatedSession
+        migrations.RenameModel(
+            old_name="AuthenticatedSession",
+            new_name="OldAuthenticatedSession",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expires_cf4f72_idx",
+            old_name="authentik_c_expires_08251d_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_c1f17f_idx",
+            old_name="authentik_c_expirin_9cd839_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_expirin_e04f5d_idx",
+            old_name="authentik_c_expirin_195a84_idx",
+        ),
+        migrations.RenameIndex(
+            model_name="oldauthenticatedsession",
+            new_name="authentik_c_session_a44819_idx",
+            old_name="authentik_c_session_d0f005_idx",
+        ),
+        migrations.RunSQL(
+            sql="ALTER INDEX authentik_core_authenticatedsession_user_id_5055b6cf RENAME TO authentik_core_oldauthenticatedsession_user_id_5055b6cf",
+            reverse_sql="ALTER INDEX authentik_core_oldauthenticatedsession_user_id_5055b6cf RENAME TO authentik_core_authenticatedsession_user_id_5055b6cf",
+        ),
+        # Create new Session and AuthenticatedSession models
+        migrations.CreateModel(
+            name="Session",
+            fields=[
+                (
+                    "session_key",
+                    models.CharField(
+                        max_length=40, primary_key=True, serialize=False, verbose_name="session key"
+                    ),
+                ),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                ("session_data", models.BinaryField(verbose_name="session data")),
+                ("last_ip", models.GenericIPAddressField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+            ],
+            options={
+                "default_permissions": [],
+                "verbose_name": "Session",
+                "verbose_name_plural": "Sessions",
+            },
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_d2f607_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_7c2cfb_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_1ab2e4_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="session",
+            index=models.Index(
+                fields=["expires", "session_key"], name="authentik_c_expires_c49143_idx"
+            ),
+        ),
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "session",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.session",
+                    ),
+                ),
+                ("uuid", models.UUIDField(default=uuid.uuid4, unique=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Authenticated Session",
+                "verbose_name_plural": "Authenticated Sessions",
+            },
+        ),
+        migrations.RunPython(
+            code=migrate_redis_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+        migrations.RunPython(
+            code=migrate_database_sessions,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
--- a/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
+++ b/authentik/core/migrations/0047_delete_oldauthenticatedsession.py
@ -0,0 +1,18 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0046_session_and_more"),
+        ("authentik_providers_rac", "0007_migrate_session"),
+        ("authentik_providers_oauth2", "0028_migrate_session"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name="OldAuthenticatedSession",
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -1,6 +1,7 @@
 """authentik core models"""

 from datetime import datetime
+from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@ -9,6 +10,7 @@ from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
+from django.contrib.sessions.base_session import AbstractBaseSession
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
@ -646,19 +648,30 @@ class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    EMAIL_LINK = "email_link", _(
-        "Link to a user with identical email address. Can have security implications "
-        "when a source doesn't validate email addresses."
+    EMAIL_LINK = (
+        "email_link",
+        _(
+            "Link to a user with identical email address. Can have security implications "
+            "when a source doesn't validate email addresses."
+        ),
    )
-    EMAIL_DENY = "email_deny", _(
-        "Use the user's email address, but deny enrollment when the email address already exists."
+    EMAIL_DENY = (
+        "email_deny",
+        _(
+            "Use the user's email address, but deny enrollment when the email address already "
+            "exists."
+        ),
    )
-    USERNAME_LINK = "username_link", _(
-        "Link to a user with identical username. Can have security implications "
-        "when a username is used with another source."
+    USERNAME_LINK = (
+        "username_link",
+        _(
+            "Link to a user with identical username. Can have security implications "
+            "when a username is used with another source."
+        ),
    )
-    USERNAME_DENY = "username_deny", _(
-        "Use the user's username, but deny enrollment when the username already exists."
+    USERNAME_DENY = (
+        "username_deny",
+        _("Use the user's username, but deny enrollment when the username already exists."),
    )


@ -666,12 +679,16 @@ class SourceGroupMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning groups"""

    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = "name_link", _(
-        "Link to a group with identical name. Can have security implications "
-        "when a group name is used with another source."
+    NAME_LINK = (
+        "name_link",
+        _(
+            "Link to a group with identical name. Can have security implications "
+            "when a group name is used with another source."
+        ),
    )
-    NAME_DENY = "name_deny", _(
-        "Use the group name, but deny enrollment when the name already exists."
+    NAME_DENY = (
+        "name_deny",
+        _("Use the group name, but deny enrollment when the name already exists."),
    )


@ -730,8 +747,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        choices=SourceGroupMatchingModes.choices,
        default=SourceGroupMatchingModes.IDENTIFIER,
        help_text=_(
-            "How the source determines if an existing group should be used or "
-            "a new group created."
+            "How the source determines if an existing group should be used or a new group created."
        ),
    )

@ -1012,45 +1028,75 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name_plural = _("Property Mappings")


-class AuthenticatedSession(ExpiringModel):
-    """Additional session class for authenticated users. Augments the standard django session
-    to achieve the following:
-        - Make it queryable by user
-        - Have a direct connection to user objects
-        - Allow users to view their own sessions and terminate them
-        - Save structured and well-defined information.
-    """
+class Session(ExpiringModel, AbstractBaseSession):
+    """User session with extra fields for fast access"""

-    uuid = models.UUIDField(default=uuid4, primary_key=True)
+    # Remove upstream field because we're using our own ExpiringModel
+    expire_date = None
+    session_data = models.BinaryField(_("session data"))

-    session_key = models.CharField(max_length=40)
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-
-    last_ip = models.TextField()
+    # Keep in sync with Session.Keys
+    last_ip = models.GenericIPAddressField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)

+    class Meta:
+        verbose_name = _("Session")
+        verbose_name_plural = _("Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["expires", "session_key"]),
+        ]
+        default_permissions = []
+
+    def __str__(self):
+        return self.session_key
+
+    class Keys(StrEnum):
+        """
+        Keys to be set with the session interface for the fields above to be updated.
+
+        If a field is added here that needs to be initialized when the session is initialized,
+        it must also be reflected in authentik.root.middleware.SessionMiddleware.process_request
+        and in authentik.core.sessions.SessionStore.__init__
+        """
+
+        LAST_IP = "last_ip"
+        LAST_USER_AGENT = "last_user_agent"
+        LAST_USED = "last_used"
+
+    @classmethod
+    def get_session_store_class(cls):
+        from authentik.core.sessions import SessionStore
+
+        return SessionStore
+
+    def get_decoded(self):
+        raise NotImplementedError
+
+
+class AuthenticatedSession(SerializerModel):
+    session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
+    # We use the session as primary key, but we need the API to be able to reference
+    # this object uniquely without exposing the session key
+    uuid = models.UUIDField(default=uuid4, unique=True)
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
-        indexes = ExpiringModel.Meta.indexes + [
-            models.Index(fields=["session_key"]),
-        ]

    def __str__(self) -> str:
-        return f"Authenticated Session {self.session_key[:10]}"
+        return f"Authenticated Session {str(self.pk)[:10]}"

    @staticmethod
    def from_request(request: HttpRequest, user: User) -> Optional["AuthenticatedSession"]:
        """Create a new session from a http request"""
-        from authentik.root.middleware import ClientIPMiddleware
-
-        if not hasattr(request, "session") or not request.session.session_key:
+        if not hasattr(request, "session") or not request.session.exists(
+            request.session.session_key
+        ):
            return None
        return AuthenticatedSession(
-            session_key=request.session.session_key,
+            session=Session.objects.filter(session_key=request.session.session_key).first(),
            user=user,
-            last_ip=ClientIPMiddleware.get_client_ip(request),
-            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
-            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@ -0,0 +1,168 @@
+"""authentik sessions engine"""
+
+import pickle  # nosec
+
+from django.contrib.auth import BACKEND_SESSION_KEY, HASH_SESSION_KEY, SESSION_KEY
+from django.contrib.sessions.backends.db import SessionStore as SessionBase
+from django.core.exceptions import SuspiciousOperation
+from django.utils import timezone
+from django.utils.functional import cached_property
+from structlog.stdlib import get_logger
+
+from authentik.root.middleware import ClientIPMiddleware
+
+LOGGER = get_logger()
+
+
+class SessionStore(SessionBase):
+    def __init__(self, session_key=None, last_ip=None, last_user_agent=""):
+        super().__init__(session_key)
+        self._create_kwargs = {
+            "last_ip": last_ip or ClientIPMiddleware.default_ip,
+            "last_user_agent": last_user_agent,
+        }
+
+    @classmethod
+    def get_model_class(cls):
+        from authentik.core.models import Session
+
+        return Session
+
+    @cached_property
+    def model_fields(self):
+        return [k.value for k in self.model.Keys]
+
+    def _get_session_from_db(self):
+        try:
+            return (
+                self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .get(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    async def _aget_session_from_db(self):
+        try:
+            return (
+                await self.model.objects.select_related(
+                    "authenticatedsession",
+                    "authenticatedsession__user",
+                )
+                .prefetch_related(
+                    "authenticatedsession__user__groups",
+                    "authenticatedsession__user__user_permissions",
+                )
+                .aget(
+                    session_key=self.session_key,
+                    expires__gt=timezone.now(),
+                )
+            )
+        except (self.model.DoesNotExist, SuspiciousOperation) as exc:
+            if isinstance(exc, SuspiciousOperation):
+                LOGGER.warning(str(exc))
+            self._session_key = None
+
+    def encode(self, session_dict):
+        return pickle.dumps(session_dict, protocol=pickle.HIGHEST_PROTOCOL)
+
+    def decode(self, session_data):
+        try:
+            return pickle.loads(session_data)  # nosec
+        except pickle.PickleError:
+            # ValueError, unpickling exceptions. If any of these happen, just return an empty
+            # dictionary (an empty session)
+            pass
+        return {}
+
+    def load(self):
+        s = self._get_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    async def aload(self):
+        s = await self._aget_session_from_db()
+        if s:
+            return {
+                "authenticatedsession": getattr(s, "authenticatedsession", None),
+                **{k: getattr(s, k) for k in self.model_fields},
+                **self.decode(s.session_data),
+            }
+        else:
+            return {}
+
+    def create_model_instance(self, data):
+        args = {
+            "session_key": self._get_or_create_session_key(),
+            "expires": self.get_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    async def acreate_model_instance(self, data):
+        args = {
+            "session_key": await self._aget_or_create_session_key(),
+            "expires": await self.aget_expiry_date(),
+            "session_data": {},
+            **self._create_kwargs,
+        }
+        for k, v in data.items():
+            # Don't save:
+            # - unused auth data
+            # - related models
+            if k in [SESSION_KEY, BACKEND_SESSION_KEY, HASH_SESSION_KEY, "authenticatedsession"]:
+                pass
+            elif k in self.model_fields:
+                args[k] = v
+            else:
+                args["session_data"][k] = v
+        args["session_data"] = self.encode(args["session_data"])
+        return self.model(**args)
+
+    @classmethod
+    def clear_expired(cls):
+        cls.get_model_class().objects.filter(expires__lt=timezone.now()).delete()
+
+    @classmethod
+    async def aclear_expired(cls):
+        await cls.get_model_class().objects.filter(expires__lt=timezone.now()).adelete()
+
+    def cycle_key(self):
+        data = self._session
+        key = self.session_key
+        self.create()
+        self._session_cache = data
+        if key:
+            self.delete(key)
+        if (authenticated_session := data.get("authenticatedsession")) is not None:
+            authenticated_session.session_id = self.session_key
+            authenticated_session.save(force_insert=True)
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,14 +1,10 @@
 """authentik core signals"""

-from importlib import import_module
-
-from django.conf import settings
-from django.contrib.auth.signals import user_logged_in, user_logged_out
-from django.contrib.sessions.backends.base import SessionBase
+from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
@ -18,6 +14,7 @@ from authentik.core.models import (
    AuthenticatedSession,
    BackchannelProvider,
    ExpiringModel,
+    Session,
    User,
    default_token_duration,
 )
@ -28,7 +25,6 @@ password_changed = Signal()
 login_failed = Signal()

 LOGGER = get_logger()
-SessionStore: SessionBase = import_module(settings.SESSION_ENGINE).SessionStore


@receiver(post_save, sender=Application)
@ -53,18 +49,10 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
        session.save()


-@receiver(user_logged_out)
-def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
-    """Delete AuthenticatedSession if it exists"""
-    if not request.session or not request.session.session_key:
-        return
-    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
+@receiver(post_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
-    SessionStore(instance.session_key).delete()
+    Session.objects.filter(session_key=instance.pk).delete()


@receiver(pre_save)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -36,7 +36,6 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
-from authentik.lib.utils.urls import is_url_absolute
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -210,8 +209,6 @@ class SourceFlowManager:
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
-        if not is_url_absolute(final_redirect):
-            final_redirect = "authentik_core:if-user"
        flow_context.update(
            {
                # Since we authenticate the user by their token, they have no backend set
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -2,22 +2,16 @@

 from datetime import datetime, timedelta

-from django.conf import ImproperlyConfigured
-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.contrib.sessions.backends.db import SessionStore as DBSessionStore
-from django.core.cache import cache
 from django.utils.timezone import now
 from structlog.stdlib import get_logger

 from authentik.core.models import (
    USER_ATTRIBUTE_EXPIRES,
    USER_ATTRIBUTE_GENERATED,
-    AuthenticatedSession,
    ExpiringModel,
    User,
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
@ -38,40 +32,6 @@ def clean_expired_models(self: SystemTask):
            obj.expire_action()
        LOGGER.debug("Expired models", model=cls, amount=amount)
        messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
-    # Special case
-    amount = 0
-
-    for session in AuthenticatedSession.objects.all():
-        match CONFIG.get("session_storage", "cache"):
-            case "cache":
-                cache_key = f"{KEY_PREFIX}{session.session_key}"
-                value = None
-                try:
-                    value = cache.get(cache_key)
-
-                except Exception as exc:
-                    LOGGER.debug("Failed to get session from cache", exc=exc)
-                if not value:
-                    session.delete()
-                    amount += 1
-            case "db":
-                if not (
-                    DBSessionStore.get_model_class()
-                    .objects.filter(session_key=session.session_key, expire_date__gt=now())
-                    .exists()
-                ):
-                    session.delete()
-                    amount += 1
-            case _:
-                # Should never happen, as we check for other values in authentik/root/settings.py
-                raise ImproperlyConfigured(
-                    "Invalid session_storage setting, allowed values are db and cache"
-                )
-    if CONFIG.get("session_storage", "cache") == "db":
-        DBSessionStore.clear_expired()
-    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
-
-    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
    self.set_status(TaskStatus.SUCCESSFUL, *messages)


--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -2,20 +2,22 @@
 {% get_current_language as LANGUAGE_CODE %}

 <script>
-    window.authentik = {
-        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
-        versionFamily: "{{ version_family }}",
-        versionSubdomain: "{{ version_subdomain }}",
-        build: "{{ build }}",
-        api: {
-            base: "{{ base_url }}",
-            relBase: "{{ base_url_rel }}",
-        },
-    };
+  window.authentik = {
+    locale: "{{ LANGUAGE_CODE }}",
+    config: JSON.parse("{{ config_json|escapejs }}" || "{}"),
+    brand: JSON.parse("{{ brand_json|escapejs }}" || "{}"),
+    versionFamily: "{{ version_family }}",
+    versionSubdomain: "{{ version_subdomain }}",
+    build: "{{ build }}",
+    api: {
+      base: "{{ base_url }}",
+      relBase: "{{ base_url_rel }}",
+    },
+  };
+
+  {% if messages %}
    window.addEventListener("DOMContentLoaded", function () {
-        {% for message in messages %}
+      {% for message in messages %}
        window.dispatchEvent(
            new CustomEvent("ak-message", {
                bubbles: true,
@ -26,6 +28,7 @@
                },
            }),
        );
-        {% endfor %}
+      {% endfor %}
    });
+  {% endif %}
 </script>
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -2,31 +2,79 @@
 {% load i18n %}
 {% load authentik_core %}

-<!DOCTYPE html>
+<!doctype html>

 <html>
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
-        <meta name="darkreader-lock">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
-        {% block head %}
-        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-    </head>
-    <body>
-        {% block body %}
-        {% endblock %}
-        {% block scripts %}
-        {% endblock %}
-    </body>
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
+
+    {% comment %}
+    Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we
+    default to a dark theme based on preferred colour-scheme
+    {% endcomment %}
+
+    <meta name="darkreader-lock" />
+
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+
+    <link rel="icon" href="{{ brand.branding_favicon_url }}" />
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}" />
+
+    {% block head_before %}
+    {% endblock %}
+
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}" />
+
+    <style data-test-id="color-scheme">
+      @media (prefers-color-scheme: dark) {
+        :root {
+          color-scheme: dark light;
+        }
+      }
+
+      @media (prefers-color-scheme: light) {
+        :root {
+          color-scheme: light dark;
+        }
+      }
+    </style>
+
+    <style data-test-id="custom-branding-css">
+      {{ brand.branding_custom_css }}
+    </style>
+
+    <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+    <script
+      src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}"
+      type="module"
+    ></script>
+
+    {% block head %}
+    {% endblock %}
+
+    <meta name="sentry-trace" content="{{ sentry_trace }}" />
+  </head>
+
+  <body>
+    {% block body %}{% endblock %}
+    {% block scripts %}{% endblock %}
+
+    <noscript>
+      <style>
+        body {
+          font-family: var(--ak-font-family-base), sans-serif;
+        }
+      </style>
+
+      <h1>
+        JavaScript is required to use
+        {% trans title|default:brand.branding_title %}
+      </h1>
+      <p>
+        Please enable JavaScript in your browser settings and reload the page. If you are using a
+        browser extension that blocks JavaScript, please disable it for this site.
+      </p>
+    </noscript>
+  </body>
 </html>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -4,14 +4,16 @@

 {% block head %}
 <script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)" />
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)" />
 {% include "base/header_js.html" %}
 {% endblock %}

 {% block body %}
 <ak-message-container></ak-message-container>
+
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-interface-admin>
 {% endblock %}
--- a/authentik/core/templates/if/error.html
+++ b/authentik/core/templates/if/error.html
@ -13,9 +13,14 @@

 {% block card %}
 <form method="POST" class="pf-c-form">
-    <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
-    </a>
+  <p>{% trans message %}</p>
+
+  <a
+    id="ak-back-home"
+    href="{% url 'authentik_core:root-redirect' %}"
+    class="pf-c-button pf-m-primary"
+  >
+    {% trans 'Go home' %}
+  </a>
 </form>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -4,14 +4,17 @@

 {% block head %}
 <script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
+
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)" />
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)" />
+
 {% include "base/header_js.html" %}
 {% endblock %}

 {% block body %}
 <ak-message-container></ak-message-container>
+
 <ak-interface-user>
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -5,78 +5,82 @@

 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}" />
+<link
+  rel="stylesheet"
+  type="text/css"
+  href="{% static 'dist/theme-dark.css' %}"
+  media="(prefers-color-scheme: dark)"
+/>
 {% include "base/header_js.html" %}
 {% endblock %}

 {% block head %}
-<style>
-:root {
+<style data-test-id="base-full-root-styles">
+  :root {
    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
+  }
+  /* Form with user */
+  .form-control-static {
    margin-top: var(--pf-global--spacer--sm);
    display: flex;
    align-items: center;
    justify-content: space-between;
-}
-.form-control-static .avatar {
+  }
+  .form-control-static .avatar {
    display: flex;
    align-items: center;
-}
-.form-control-static img {
+  }
+  .form-control-static img {
    margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
+  }
+  .form-control-static a {
    padding-top: var(--pf-global--spacer--xs);
    padding-bottom: var(--pf-global--spacer--xs);
    line-height: var(--pf-global--spacer--xl);
-}
+  }
 </style>
 {% endblock %}

 {% block body %}
-<div class="pf-c-background-image">
-</div>
+<div class="pf-c-background-image"></div>
 <ak-message-container></ak-message-container>
 <div class="pf-c-login stacked">
-    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
-            </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
-    </div>
+  <div class="ak-login-container">
+    <main class="pf-c-login__main">
+      <div class="pf-c-login__main-header pf-c-brand ak-brand">
+        <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+      </div>
+      <header class="pf-c-login__main-header">
+        <h1 class="pf-c-title pf-m-3xl">
+          {% block card_title %}
+          {% endblock %}
+        </h1>
+      </header>
+      <div class="pf-c-login__main-body">
+        {% block card %}
+        {% endblock %}
+      </div>
+    </main>
+    <footer class="pf-c-login__footer">
+      <ul class="pf-c-list pf-m-inline">
+        {% for link in footer_links %}
+        <li>
+          <a href="{{ link.href }}">{{ link.name }}</a>
+        </li>
+        {% endfor %}
+        <li>
+          <span>
+            {% trans 'Powered by authentik' %}
+          </span>
+        </li>
+      </ul>
+    </footer>
+  </div>
 </div>
 {% endblock %}
--- a/authentik/core/tests/test_api_utils.py
+++ b/authentik/core/tests/test_api_utils.py
@ -1,9 +1,17 @@
 """Test API Utils"""

 from rest_framework.exceptions import ValidationError
+from rest_framework.serializers import (
+    HyperlinkedModelSerializer,
+)
+from rest_framework.serializers import (
+    ModelSerializer as BaseModelSerializer,
+)
 from rest_framework.test import APITestCase

+from authentik.core.api.utils import ModelSerializer as CustomModelSerializer
 from authentik.core.api.utils import is_dict
+from authentik.lib.utils.reflection import all_subclasses


 class TestAPIUtils(APITestCase):
@ -14,3 +22,14 @@ class TestAPIUtils(APITestCase):
        self.assertIsNone(is_dict({}))
        with self.assertRaises(ValidationError):
            is_dict("foo")
+
+    def test_all_serializers_descend_from_custom(self):
+        """Test that every serializer we define descends from our own ModelSerializer"""
+        # Weirdly, there's only one serializer in `rest_framework` which descends from
+        # ModelSerializer: HyperlinkedModelSerializer
+        expected = {CustomModelSerializer, HyperlinkedModelSerializer}
+        actual = set(all_subclasses(BaseModelSerializer)) - set(
+            all_subclasses(CustomModelSerializer)
+        )
+
+        self.assertEqual(expected, actual)
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -5,7 +5,7 @@ from json import loads
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, Session, User
 from authentik.core.tests.utils import create_test_admin_user


@ -30,3 +30,18 @@ class TestAuthenticatedSessionsAPI(APITestCase):
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["pagination"]["count"], 1)
+
+    def test_delete(self):
+        """Test deletion"""
+        self.client.force_login(self.user)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 1)
+        self.assertEqual(Session.objects.all().count(), 1)
+        response = self.client.delete(
+            reverse(
+                "authentik_api:authenticatedsession-detail",
+                kwargs={"uuid": AuthenticatedSession.objects.first().uuid},
+            )
+        )
+        self.assertEqual(response.status_code, 204)
+        self.assertEqual(AuthenticatedSession.objects.all().count(), 0)
+        self.assertEqual(Session.objects.all().count(), 0)
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -3,8 +3,6 @@
 from datetime import datetime
 from json import loads

-from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

@ -12,6 +10,7 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
+    Session,
    Token,
    User,
    UserTypes,
@ -381,12 +380,15 @@ class TestUsersAPI(APITestCase):
        """Ensure sessions are deleted when a user is deactivated"""
        user = create_test_admin_user()
        session_id = generate_id()
-        AuthenticatedSession.objects.create(
-            user=user,
+        session = Session.objects.create(
            session_key=session_id,
-            last_ip="",
+            last_ip="255.255.255.255",
+            last_user_agent="",
+        )
+        AuthenticatedSession.objects.create(
+            session=session,
+            user=user,
        )
-        cache.set(KEY_PREFIX + session_id, "foo")

        self.client.force_login(self.admin)
        response = self.client.patch(
@ -397,5 +399,7 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 200)

-        self.assertIsNone(cache.get(KEY_PREFIX + session_id))
-        self.assertFalse(AuthenticatedSession.objects.filter(session_key=session_id).exists())
+        self.assertFalse(Session.objects.filter(session_key=session_id).exists())
+        self.assertFalse(
+            AuthenticatedSession.objects.filter(session__session_key=session_id).exists()
+        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -1,7 +1,5 @@
 """authentik URL Configuration"""

-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@ -29,7 +27,7 @@ from authentik.core.views.interface import (
    RootRedirectView,
 )
 from authentik.flows.views.interface import FlowInterfaceView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware

@ -99,9 +97,7 @@ api_urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/client/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(MessageConsumer.as_asgi())),
    ),
 ]

--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -102,7 +102,7 @@ def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSessi
            "format": "complex",
            "session": {
                "format": "opaque",
-                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
+                "id": sha256(instance.session.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@ -4,10 +4,9 @@ from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer
 from structlog.stdlib import get_logger

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.enterprise.providers.ssf.models import (
    DeliveryMethods,
    EventTypes,
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -2,11 +2,11 @@

 from rest_framework import mixins
 from rest_framework.permissions import IsAdminUser
-from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -59,7 +59,7 @@ def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | Non
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
-        session = SessionStore(request_or_session.session_key)
+        session = SessionStore(request_or_session.session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)


--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -2,53 +2,52 @@
 {% load i18n %}
 {% load authentik_core %}

-<!DOCTYPE html>
+<!doctype html>

 <html lang="en">
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-        {% include "base/header_js.html" %}
-        <style>
-          html,
-          body {
-            height: 100%;
-          }
-          body {
-            background-image: url("{{ flow.background_url }}");
-            background-repeat: no-repeat;
-            background-size: cover;
-          }
-          .card {
-            padding: 3rem;
-          }
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+    <link rel="icon" href="{{ brand.branding_favicon_url }}" />
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}" />
+    {% block head_before %}
+    {% endblock %}
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}" />
+    <meta name="sentry-trace" content="{{ sentry_trace }}" />
+    {% include "base/header_js.html" %}
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+      body {
+        background-image: url("{{ flow.background_url }}");
+        background-repeat: no-repeat;
+        background-size: cover;
+      }
+      .card {
+        padding: 3rem;
+      }

-          .form-signin {
-            max-width: 330px;
-            padding: 1rem;
-          }
+      .form-signin {
+        max-width: 330px;
+        padding: 1rem;
+      }

-          .form-signin .form-floating:focus-within {
-            z-index: 2;
-          }
-          .brand-icon {
-            max-width: 100%;
-          }
-        </style>
-    </head>
-    <body class="d-flex align-items-center py-4 bg-body-tertiary">
-      <div class="card m-auto">
-        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
-        </main>
-        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
-      </div>
-      <script src="{% static 'dist/sfe/index.js' %}"></script>
-    </body>
+      .form-signin .form-floating:focus-within {
+        z-index: 2;
+      }
+      .brand-icon {
+        max-width: 100%;
+      }
+    </style>
+  </head>
+  <body class="d-flex align-items-center py-4 bg-body-tertiary">
+    <div class="card m-auto">
+      <main class="form-signin w-100 m-auto" id="flow-sfe-container"></main>
+      <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
+    </div>
+    <script src="{% static 'dist/sfe/index.js' %}"></script>
+  </body>
 </html>
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -1,34 +1,40 @@
 {% extends "base/skeleton.html" %}
-
 {% load static %}
 {% load authentik_core %}

 {% block head_before %}
 {{ block.super }}
+
 <link rel="prefetch" href="{{ flow.background_url }}" />
+
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: !navigator.webdriver };</script>
-{% endif %}
-{% include "base/header_js.html" %}
 <script>
-window.authentik.flow = {
-    "layout": "{{ flow.layout }}",
-};
+  ShadyDOM = { force: !navigator.webdriver };
+</script>
+{% endif %}
+
+{% include "base/header_js.html" %}
+
+<script>
+  window.authentik.flow = {
+    layout: "{{ flow.layout }}",
+  };
 </script>
 {% endblock %}

 {% block head %}
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
-<style>
-:root {
+
+<style data-test-id="flow-root-styles">
+  :root {
    --ak-flow-background: url("{{ flow.background_url }}");
-}
+  }
 </style>
 {% endblock %}

 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor flowSlug="{{ flow.slug }}">
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -356,6 +356,14 @@ def redis_url(db: int) -> str:
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
+
+    pool_options = False
+    use_pool = config.get_bool("postgresql.use_pool", False)
+    if use_pool:
+        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
+        if not pool_options:
+            pool_options = True
+
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
@ -369,6 +377,7 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
+                "pool": pool_options,
            },
            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -21,6 +21,7 @@ postgresql:
  user: authentik
  port: 5432
  password: "env://POSTGRES_PASSWORD"
+  use_pool: False
  test:
    name: test_authentik
  default_schema: public
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -18,7 +18,7 @@ from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger

-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.events.models import Event
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.utils.http import get_http_session
@ -203,9 +203,7 @@ class BaseEvaluator:
            provider = OAuth2Provider.objects.get(name=provider)
        session = None
        if hasattr(request, "session") and request.session.session_key:
-            session = AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first()
+            session = request.session["authenticatedsession"]
        access_token = AccessToken(
            provider=provider,
            user=user,
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -217,6 +217,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -267,6 +268,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -285,6 +287,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -333,6 +336,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -351,6 +355,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -394,6 +399,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -412,6 +418,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -451,6 +458,7 @@ class TestConfig(TestCase):
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -469,6 +477,7 @@ class TestConfig(TestCase):
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
+                        "pool": False,
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
@ -484,3 +493,87 @@ class TestConfig(TestCase):
                },
            },
        )
+
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
+
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
--- a/authentik/policies/geoip/models.py
+++ b/authentik/policies/geoip/models.py
@ -66,7 +66,9 @@ class GeoIPPolicy(Policy):
        if not static_results and not dynamic_results:
            return PolicyResult(True)

-        passing = any(r.passing for r in static_results) and all(r.passing for r in dynamic_results)
+        static_passing = any(r.passing for r in static_results) if static_results else True
+        dynamic_passing = all(r.passing for r in dynamic_results)
+        passing = static_passing and dynamic_passing
        messages = chain(
            *[r.messages for r in static_results], *[r.messages for r in dynamic_results]
        )
@ -113,13 +115,19 @@ class GeoIPPolicy(Policy):
        to previous authentication requests"""
        # Get previous login event and GeoIP data
        previous_logins = Event.objects.filter(
-            action=EventAction.LOGIN, user__pk=request.user.pk, context__geo__isnull=False
+            action=EventAction.LOGIN,
+            user__pk=request.user.pk,  # context__geo__isnull=False
        ).order_by("-created")[: self.history_login_count]
        _now = now()
        geoip_data: GeoIPDict | None = request.context.get("geoip")
        if not geoip_data:
            return PolicyResult(False)
+        if not previous_logins.exists():
+            return PolicyResult(True)
+        result = False
        for previous_login in previous_logins:
+            if "geo" not in previous_login.context:
+                continue
            previous_login_geoip: GeoIPDict = previous_login.context["geo"]

            # Figure out distance
@ -142,7 +150,8 @@ class GeoIPPolicy(Policy):
                (MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
            ):
                return PolicyResult(False, _("Distance is further than possible."))
-        return PolicyResult(True)
+            result = True
+        return PolicyResult(result)

    class Meta(Policy.PolicyMeta):
        verbose_name = _("GeoIP Policy")
--- a/authentik/policies/geoip/tests.py
+++ b/authentik/policies/geoip/tests.py
@ -163,7 +163,7 @@ class TestGeoIPPolicy(TestCase):
        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)

-    def test_history_impossible_travel(self):
+    def test_history_impossible_travel_failing(self):
        """Test history checks"""
        Event.objects.create(
            action=EventAction.LOGIN,
@ -181,6 +181,24 @@ class TestGeoIPPolicy(TestCase):
        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)

+    def test_history_impossible_travel_passing(self):
+        """Test history checks"""
+        Event.objects.create(
+            action=EventAction.LOGIN,
+            user=get_user(self.user),
+            context={
+                # Random location in Canada
+                "geo": {"lat": 55.868351, "long": -104.441011},
+            },
+        )
+        # Same location
+        self.request.context["geoip"] = {"lat": 55.868351, "long": -104.441011}
+
+        policy = GeoIPPolicy.objects.create(check_impossible_travel=True)
+
+        result: PolicyResult = policy.passes(self.request)
+        self.assertTrue(result.passing)
+
    def test_history_no_geoip(self):
        """Test history checks (previous login with no geoip data)"""
        Event.objects.create(
@ -195,3 +213,18 @@ class TestGeoIPPolicy(TestCase):

        result: PolicyResult = policy.passes(self.request)
        self.assertFalse(result.passing)
+
+    def test_impossible_travel_no_geoip(self):
+        """Test impossible travel checks (previous login with no geoip data)"""
+        Event.objects.create(
+            action=EventAction.LOGIN,
+            user=get_user(self.user),
+            context={},
+        )
+        # Random location in Poland
+        self.request.context["geoip"] = {"lat": 50.950613, "long": 20.363679}
+
+        policy = GeoIPPolicy.objects.create(check_impossible_travel=True)
+
+        result: PolicyResult = policy.passes(self.request)
+        self.assertFalse(result.passing)
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -2,7 +2,6 @@

 from django.contrib.auth.signals import user_logged_in
 from django.db import transaction
-from django.db.models import F
 from django.dispatch import receiver
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
@ -13,20 +12,29 @@ from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.policies.reputation.models import Reputation, reputation_expiry
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.identification.signals import identification_failed
+from authentik.tenants.utils import get_current_tenant

 LOGGER = get_logger()


+def clamp(value, min, max):
+    return sorted([min, value, max])[1]
+
+
 def update_score(request: HttpRequest, identifier: str, amount: int):
    """Update score for IP and User"""
    remote_ip = ClientIPMiddleware.get_client_ip(request)
+    tenant = get_current_tenant()
+    new_score = clamp(amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit)

    with transaction.atomic():
        reputation, created = Reputation.objects.select_for_update().get_or_create(
            ip=remote_ip,
            identifier=identifier,
            defaults={
-                "score": amount,
+                "score": clamp(
+                    amount, tenant.reputation_lower_limit, tenant.reputation_upper_limit
+                ),
                "ip_geo_data": GEOIP_CONTEXT_PROCESSOR.city_dict(remote_ip) or {},
                "ip_asn_data": ASN_CONTEXT_PROCESSOR.asn_dict(remote_ip) or {},
                "expires": reputation_expiry(),
@ -34,9 +42,15 @@ def update_score(request: HttpRequest, identifier: str, amount: int):
        )

        if not created:
-            reputation.score = F("score") + amount
+            new_score = clamp(
+                reputation.score + amount,
+                tenant.reputation_lower_limit,
+                tenant.reputation_upper_limit,
+            )
+            reputation.score = new_score
            reputation.save()
-    LOGGER.info("Updated score", amount=amount, for_user=identifier, for_ip=remote_ip)
+
+    LOGGER.info("Updated score", amount=new_score, for_user=identifier, for_ip=remote_ip)


@receiver(login_failed)
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -6,9 +6,11 @@ from authentik.core.models import User
 from authentik.lib.generators import generate_id
 from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
+from authentik.policies.reputation.signals import update_score
 from authentik.policies.types import PolicyRequest
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import authenticate
+from authentik.tenants.models import DEFAULT_REPUTATION_LOWER_LIMIT, DEFAULT_REPUTATION_UPPER_LIMIT


 class TestReputationPolicy(TestCase):
@ -17,36 +19,48 @@ class TestReputationPolicy(TestCase):
    def setUp(self):
        self.request_factory = RequestFactory()
        self.request = self.request_factory.get("/")
-        self.test_ip = "127.0.0.1"
-        self.test_username = "test"
+        self.ip = "127.0.0.1"
+        self.username = "username"
+        self.password = generate_id()
        # We need a user for the one-to-one in userreputation
-        self.user = User.objects.create(username=self.test_username)
+        self.user = User.objects.create(username=self.username)
+        self.user.set_password(self.password)
        self.backends = [BACKEND_INBUILT]

    def test_ip_reputation(self):
        """test IP reputation"""
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(ip=self.test_ip).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(ip=self.ip).score, -1)

    def test_user_reputation(self):
        """test User reputation"""
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
-        )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, -1)
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, -1)

    def test_update_reputation(self):
        """test reputation update"""
-        Reputation.objects.create(identifier=self.test_username, ip=self.test_ip, score=43)
+        Reputation.objects.create(identifier=self.username, ip=self.ip, score=4)
        # Trigger negative reputation
-        authenticate(
-            self.request, self.backends, username=self.test_username, password=self.test_username
+        authenticate(self.request, self.backends, username=self.username, password=self.username)
+        self.assertEqual(Reputation.objects.get(identifier=self.username).score, 3)
+
+    def test_reputation_lower_limit(self):
+        """test reputation lower limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=-1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_LOWER_LIMIT
+        )
+
+    def test_reputation_upper_limit(self):
+        """test reputation upper limit"""
+        Reputation.objects.create(identifier=self.username, ip=self.ip)
+        update_score(self.request, identifier=self.username, amount=1000)
+        self.assertEqual(
+            Reputation.objects.get(identifier=self.username).score, DEFAULT_REPUTATION_UPPER_LIMIT
        )
-        self.assertEqual(Reputation.objects.get(identifier=self.test_username).score, 42)

    def test_policy(self):
        """Test Policy"""
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -126,7 +126,7 @@ class IDToken:
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        if token.session:
-            id_token.sid = hash_session_key(token.session.session_key)
+            id_token.sid = hash_session_key(token.session.session.session_key)

        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
        auth_event = get_login_event(token.session)
--- a/authentik/providers/oauth2/migrations/0028_migrate_session.py
+++ b/authentik/providers/oauth2/migrations/0028_migrate_session.py
@ -0,0 +1,116 @@
+# Generated by Django 5.0.11 on 2025-01-27 13:00
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+from functools import partial
+
+
+def migrate_sessions(apps, schema_editor, model):
+    Model = apps.get_model("authentik_providers_oauth2", model)
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for obj in Model.objects.using(db_alias).all():
+        if not obj.old_session:
+            continue
+        obj.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session__session_key=obj.old_session.session_key)
+            .first()
+        )
+        if obj.session:
+            obj.save()
+        else:
+            obj.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="accesstoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="authorizationcode",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="devicetoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.RenameField(
+            model_name="refreshtoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="accesstoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="authorizationcode",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="devicetoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.AddField(
+            model_name="refreshtoken",
+            name="session",
+            field=models.ForeignKey(
+                default=None,
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=partial(migrate_sessions, model="AccessToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="AuthorizationCode")),
+        migrations.RunPython(code=partial(migrate_sessions, model="DeviceToken")),
+        migrations.RunPython(code=partial(migrate_sessions, model="RefreshToken")),
+        migrations.RemoveField(
+            model_name="accesstoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="authorizationcode",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="devicetoken",
+            name="old_session",
+        ),
+        migrations.RemoveField(
+            model_name="refreshtoken",
+            name="old_session",
+        ),
+    ]
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,18 +1,30 @@
 from django.contrib.auth.signals import user_logged_out
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken


@receiver(user_logged_out)
-def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
-    """Revoke access tokens upon user logout"""
+def user_logged_out_oauth_tokens_removal(sender, request: HttpRequest, user: User, **_):
+    """Revoke tokens upon user logout"""
    if not request.session or not request.session.session_key:
        return
-    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
+    AccessToken.objects.filter(
+        user=user,
+        session__session__session_key=request.session.session_key,
+    ).delete()
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted_oauth_tokens_removal(sender, instance: AuthenticatedSession, **_):
+    """Revoke tokens upon user logout"""
+    AccessToken.objects.filter(
+        user=instance.user,
+        session__session__session_key=instance.session.session_key,
+    ).delete()


@receiver(post_save, sender=User)
@ -20,6 +32,6 @@ def user_deactivated(sender, instance: User, **_):
    """Remove user tokens when deactivated"""
    if instance.is_active:
        return
-    AccessToken.objects.filter(session__user=instance).delete()
-    RefreshToken.objects.filter(session__user=instance).delete()
-    DeviceToken.objects.filter(session__user=instance).delete()
+    AccessToken.objects.filter(user=instance).delete()
+    RefreshToken.objects.filter(user=instance).delete()
+    DeviceToken.objects.filter(user=instance).delete()
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -7,12 +7,13 @@ from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone

-from authentik.core.models import Application
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import (
    AccessToken,
    ClientTypes,
+    DeviceToken,
    IDToken,
    OAuth2Provider,
    RedirectURI,
@ -20,6 +21,7 @@ from authentik.providers.oauth2.models import (
    RefreshToken,
 )
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
+from authentik.root.middleware import ClientIPMiddleware


 class TesOAuth2Revoke(OAuthTestCase):
@ -135,3 +137,86 @@ class TesOAuth2Revoke(OAuthTestCase):
            },
        )
        self.assertEqual(res.status_code, 200)
+
+    def test_revoke_logout(self):
+        """Test revoke on logout"""
+        self.client.force_login(self.user)
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=self.client.session["authenticatedsession"],
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        self.client.logout()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_session_delete(self):
+        """Test revoke on logout"""
+        session = AuthenticatedSession.objects.create(
+            session=Session.objects.create(
+                session_key=generate_id(),
+                last_ip=ClientIPMiddleware.default_ip,
+            ),
+            user=self.user,
+        )
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            session=session,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        session.delete()
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+
+    def test_revoke_user_deactivated(self):
+        """Test revoke on logout"""
+        AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        RefreshToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        DeviceToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            _scope="openid user profile",
+        )
+
+        self.user.is_active = False
+        self.user.save()
+
+        self.assertEqual(AccessToken.objects.all().count(), 0)
+        self.assertEqual(RefreshToken.objects.all().count(), 0)
+        self.assertEqual(DeviceToken.objects.all().count(), 0)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -15,7 +15,7 @@ from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
 from authentik.flows.challenge import (
@ -316,9 +316,7 @@ class OAuthAuthorizationParams:
            expires=now + timedelta_from_string(self.provider.access_code_validity),
            scope=self.scope,
            nonce=self.nonce,
-            session=AuthenticatedSession.objects.filter(
-                session_key=request.session.session_key
-            ).first(),
+            session=request.session["authenticatedsession"],
        )

        if self.code_challenge and self.code_challenge_method:
@ -615,9 +613,7 @@ class OAuthFulfillmentStage(StageView):
            expires=access_token_expiry,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
        )

        id_token = IDToken.new(self.provider, token, self.request)
--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -20,4 +20,4 @@ def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.delay(instance.session_key)
+    proxy_on_logout.delay(instance.session.session_key)
--- a/authentik/providers/rac/migrations/0007_migrate_session.py
+++ b/authentik/providers/rac/migrations/0007_migrate_session.py
@ -0,0 +1,60 @@
+# Generated by Django 5.0.11 on 2025-01-27 12:59
+
+from django.db import migrations
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+def migrate_sessions(apps, schema_editor):
+    ConnectionToken = apps.get_model("authentik_providers_rac", "ConnectionToken")
+    AuthenticatedSession = apps.get_model("authentik_core", "AuthenticatedSession")
+    db_alias = schema_editor.connection.alias
+
+    for token in ConnectionToken.objects.using(db_alias).all():
+        token.session = (
+            AuthenticatedSession.objects.using(db_alias)
+            .filter(session_key=token.old_session.session_key)
+            .first()
+        )
+        if token.session:
+            token.save()
+        else:
+            token.delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_rac", "0006_connectiontoken_authentik_p_expires_91f148_idx_and_more"),
+        ("authentik_core", "0046_session_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="connectiontoken",
+            old_name="session",
+            new_name="old_session",
+        ),
+        migrations.AddField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RunPython(code=migrate_sessions),
+        migrations.AlterField(
+            model_name="connectiontoken",
+            name="session",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                to="authentik_core.authenticatedsession",
+            ),
+        ),
+        migrations.RemoveField(
+            model_name="connectiontoken",
+            name="old_session",
+        ),
+    ]
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -8,7 +8,7 @@ from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest

-from authentik.core.models import User
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
 from authentik.providers.rac.consumer_client import (
    RAC_CLIENT_GROUP_SESSION,
@ -32,6 +32,18 @@ def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    )


+@receiver(pre_delete, sender=AuthenticatedSession)
+def user_session_deleted(sender, instance: AuthenticatedSession, **_):
+    layer = get_channel_layer()
+    async_to_sync(layer.group_send)(
+        RAC_CLIENT_GROUP_SESSION
+        % {
+            "session": instance.session.session_key,
+        },
+        {"type": "event.disconnect", "reason": "session_logout"},
+    )
+
+
@receiver(pre_delete, sender=ConnectionToken)
 def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **_):
    """Disconnect session when connection token is deleted"""
--- a/authentik/providers/rac/templates/if/rac.html
+++ b/authentik/providers/rac/templates/if/rac.html
@ -4,10 +4,13 @@

 {% block head %}
 <script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)" />
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)" />
+
+<link rel="icon" href="{{ tenant.branding_favicon_url }}" />
+<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}" />
+
 {% include "base/header_js.html" %}
 {% endblock %}

--- a/authentik/providers/rac/tests/test_models.py
+++ b/authentik/providers/rac/tests/test_models.py
@ -2,7 +2,7 @@

 from django.test import TransactionTestCase

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application, AuthenticatedSession, Session
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.providers.rac.models import (
@ -36,13 +36,15 @@ class TestModels(TransactionTestCase):

    def test_settings_merge(self):
        """Test settings merge"""
+        session = Session.objects.create(
+            session_key=generate_id(),
+            last_ip="255.255.255.255",
+        )
+        auth_session = AuthenticatedSession.objects.create(session=session, user=self.user)
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            session=AuthenticatedSession.objects.create(
-                user=self.user,
-                session_key=generate_id(),
-            ),
+            session=auth_session,
        )
        path = f"/tmp/connection/{token.token}"  # nosec
        self.assertEqual(
--- a/authentik/providers/rac/urls.py
+++ b/authentik/providers/rac/urls.py
@ -1,7 +1,5 @@
 """rac urls"""

-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.urls import path

 from authentik.outposts.channels import TokenOutpostMiddleware
@ -12,7 +10,7 @@ from authentik.providers.rac.api.providers import RACProviderViewSet
 from authentik.providers.rac.consumer_client import RACClientConsumer
 from authentik.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.providers.rac.views import RACInterface, RACStartView
-from authentik.root.asgi_middleware import SessionMiddleware
+from authentik.root.asgi_middleware import AuthMiddlewareStack
 from authentik.root.middleware import ChannelsLoggingMiddleware

 urlpatterns = [
@ -31,9 +29,7 @@ urlpatterns = [
 websocket_urlpatterns = [
    path(
        "ws/rac/<str:token>/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(RACClientConsumer.as_asgi())))
-        ),
+        ChannelsLoggingMiddleware(AuthMiddlewareStack(RACClientConsumer.as_asgi())),
    ),
    path(
        "ws/outpost_rac/<str:channel>/",
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -8,7 +8,7 @@ from django.urls import reverse
 from django.utils.timezone import now
 from django.utils.translation import gettext as _

-from authentik.core.models import Application, AuthenticatedSession
+from authentik.core.models import Application
 from authentik.core.views.interface import InterfaceView
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import RedirectChallenge
@ -113,9 +113,7 @@ class RACFinalStage(RedirectStage):
            provider=self.provider,
            endpoint=self.endpoint,
            settings=self.executor.plan.context.get("connection_settings", {}),
-            session=AuthenticatedSession.objects.filter(
-                session_key=self.request.session.session_key
-            ).first(),
+            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
        )
--- a/authentik/rbac/api/initial_permissions.py
+++ b/authentik/rbac/api/initial_permissions.py
@ -0,0 +1,41 @@
+"""RBAC Initial Permissions"""
+
+from rest_framework.serializers import ListSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.rbac.api.rbac import PermissionSerializer
+from authentik.rbac.models import InitialPermissions
+
+
+class InitialPermissionsSerializer(ModelSerializer):
+    """InitialPermissions serializer"""
+
+    permissions_obj = ListSerializer(
+        child=PermissionSerializer(),
+        read_only=True,
+        source="permissions",
+        required=False,
+    )
+
+    class Meta:
+        model = InitialPermissions
+        fields = [
+            "pk",
+            "name",
+            "mode",
+            "role",
+            "permissions",
+            "permissions_obj",
+        ]
+
+
+class InitialPermissionsViewSet(UsedByMixin, ModelViewSet):
+    """InitialPermissions viewset"""
+
+    queryset = InitialPermissions.objects.all()
+    serializer_class = InitialPermissionsSerializer
+    search_fields = ["name"]
+    ordering = ["name"]
+    filterset_fields = ["name"]
--- a/authentik/rbac/migrations/0005_initialpermissions.py
+++ b/authentik/rbac/migrations/0005_initialpermissions.py
@ -0,0 +1,39 @@
+# Generated by Django 5.0.13 on 2025-04-07 13:05
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("auth", "0012_alter_user_first_name_max_length"),
+        ("authentik_rbac", "0004_alter_systempermission_options"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="InitialPermissions",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("name", models.TextField(max_length=150, unique=True)),
+                ("mode", models.CharField(choices=[("user", "User"), ("role", "Role")])),
+                ("permissions", models.ManyToManyField(blank=True, to="auth.permission")),
+                (
+                    "role",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_rbac.role"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Initial Permissions",
+                "verbose_name_plural": "Initial Permissions",
+            },
+        ),
+    ]
--- a/authentik/rbac/models.py
+++ b/authentik/rbac/models.py
@ -3,6 +3,7 @@
 from uuid import uuid4

 from django.contrib.auth.management import _get_all_permissions
+from django.contrib.auth.models import Permission
 from django.db import models
 from django.db.transaction import atomic
 from django.utils.translation import gettext_lazy as _
@ -75,6 +76,35 @@ class Role(SerializerModel):
        ]


+class InitialPermissionsMode(models.TextChoices):
+    """Determines which entity the initial permissions are assigned to."""
+
+    USER = "user", _("User")
+    ROLE = "role", _("Role")
+
+
+class InitialPermissions(SerializerModel):
+    """Assigns permissions for newly created objects."""
+
+    name = models.TextField(max_length=150, unique=True)
+    mode = models.CharField(choices=InitialPermissionsMode.choices)
+    role = models.ForeignKey(Role, on_delete=models.CASCADE)
+    permissions = models.ManyToManyField(Permission, blank=True)
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.rbac.api.initial_permissions import InitialPermissionsSerializer
+
+        return InitialPermissionsSerializer
+
+    def __str__(self) -> str:
+        return f"Initial Permissions for Role #{self.role_id}, applying to #{self.mode}"
+
+    class Meta:
+        verbose_name = _("Initial Permissions")
+        verbose_name_plural = _("Initial Permissions")
+
+
 class SystemPermission(models.Model):
    """System-wide permissions that are not related to any direct
    database model"""
--- a/authentik/rbac/permissions.py
+++ b/authentik/rbac/permissions.py
@ -1,9 +1,13 @@
 """RBAC Permissions"""

+from django.contrib.contenttypes.models import ContentType
 from django.db.models import Model
+from guardian.shortcuts import assign_perm
 from rest_framework.permissions import BasePermission, DjangoObjectPermissions
 from rest_framework.request import Request

+from authentik.rbac.models import InitialPermissions, InitialPermissionsMode
+

 class ObjectPermissions(DjangoObjectPermissions):
    """RBAC Permissions"""
@ -51,3 +55,20 @@ def HasPermission(*perm: str) -> type[BasePermission]:
            return bool(request.user and request.user.has_perms(perm))

    return checker
+
+
+# TODO: add `user: User` type annotation without circular dependencies.
+# The author of this function isn't proficient/patient enough to do it.
+def assign_initial_permissions(user, instance: Model):
+    # Performance here should not be an issue, but if needed, there are many optimization routes
+    initial_permissions_list = InitialPermissions.objects.filter(role__group__in=user.groups.all())
+    for initial_permissions in initial_permissions_list:
+        for permission in initial_permissions.permissions.all():
+            if permission.content_type != ContentType.objects.get_for_model(instance):
+                continue
+            assign_to = (
+                user
+                if initial_permissions.mode == InitialPermissionsMode.USER
+                else initial_permissions.role.group
+            )
+            assign_perm(permission, assign_to, instance)
--- a/authentik/rbac/tests/test_initial_permissions.py
+++ b/authentik/rbac/tests/test_initial_permissions.py
@ -0,0 +1,116 @@
+"""Test InitialPermissions"""
+
+from django.contrib.auth.models import Permission
+from guardian.shortcuts import assign_perm
+from rest_framework.reverse import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Group
+from authentik.core.tests.utils import create_test_user
+from authentik.lib.generators import generate_id
+from authentik.rbac.models import InitialPermissions, InitialPermissionsMode, Role
+from authentik.stages.dummy.models import DummyStage
+
+
+class TestInitialPermissions(APITestCase):
+    """Test InitialPermissions"""
+
+    def setUp(self) -> None:
+        self.user = create_test_user()
+        self.same_role_user = create_test_user()
+        self.different_role_user = create_test_user()
+
+        self.role = Role.objects.create(name=generate_id())
+        self.different_role = Role.objects.create(name=generate_id())
+
+        self.group = Group.objects.create(name=generate_id())
+        self.different_group = Group.objects.create(name=generate_id())
+
+        self.group.roles.add(self.role)
+        self.group.users.add(self.user, self.same_role_user)
+        self.different_group.roles.add(self.different_role)
+        self.different_group.users.add(self.different_role_user)
+
+        self.ip = InitialPermissions.objects.create(
+            name=generate_id(), mode=InitialPermissionsMode.USER, role=self.role
+        )
+        self.view_role = Permission.objects.filter(codename="view_role").first()
+        self.ip.permissions.add(self.view_role)
+
+        assign_perm("authentik_rbac.add_role", self.user)
+        self.client.force_login(self.user)
+
+    def test_different_role(self):
+        """InitialPermissions for different role does nothing"""
+        self.ip.role = self.different_role
+        self.ip.save()
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
+
+    def test_different_model(self):
+        """InitialPermissions for different model does nothing"""
+        assign_perm("authentik_stages_dummy.add_dummystage", self.user)
+
+        self.client.post(
+            reverse("authentik_api:stages-dummy-list"), {"name": "test-stage", "throw-error": False}
+        )
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertFalse(self.user.has_perm("authentik_rbac.view_role", role))
+        stage = DummyStage.objects.filter(name="test-stage").first()
+        self.assertFalse(self.user.has_perm("authentik_stages_dummy.view_dummystage", stage))
+
+    def test_mode_user(self):
+        """InitialPermissions adds user permission in user mode"""
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+
+    def test_mode_role(self):
+        """InitialPermissions adds role permission in role mode"""
+        self.ip.mode = InitialPermissionsMode.ROLE
+        self.ip.save()
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+
+    def test_many_permissions(self):
+        """InitialPermissions can add multiple permissions"""
+        change_role = Permission.objects.filter(codename="change_role").first()
+        self.ip.permissions.add(change_role)
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
+
+    def test_permissions_separated_by_role(self):
+        """When the triggering user is part of two different roles with InitialPermissions in role
+        mode, it only adds permissions to the relevant role."""
+        self.ip.mode = InitialPermissionsMode.ROLE
+        self.ip.save()
+        different_ip = InitialPermissions.objects.create(
+            name=generate_id(), mode=InitialPermissionsMode.ROLE, role=self.different_role
+        )
+        change_role = Permission.objects.filter(codename="change_role").first()
+        different_ip.permissions.add(change_role)
+        self.different_group.users.add(self.user)
+
+        self.client.post(reverse("authentik_api:roles-list"), {"name": "test-role"})
+
+        role = Role.objects.filter(name="test-role").first()
+        self.assertTrue(self.user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.same_role_user.has_perm("authentik_rbac.view_role", role))
+        self.assertFalse(self.different_role_user.has_perm("authentik_rbac.view_role", role))
+        self.assertTrue(self.user.has_perm("authentik_rbac.change_role", role))
+        self.assertFalse(self.same_role_user.has_perm("authentik_rbac.change_role", role))
+        self.assertTrue(self.different_role_user.has_perm("authentik_rbac.change_role", role))
--- a/authentik/rbac/urls.py
+++ b/authentik/rbac/urls.py
@ -1,5 +1,6 @@
 """RBAC API urls"""

+from authentik.rbac.api.initial_permissions import InitialPermissionsViewSet
 from authentik.rbac.api.rbac import RBACPermissionViewSet
 from authentik.rbac.api.rbac_assigned_by_roles import RoleAssignedPermissionViewSet
 from authentik.rbac.api.rbac_assigned_by_users import UserAssignedPermissionViewSet
@ -21,5 +22,6 @@ api_urlpatterns = [
    ("rbac/permissions/users", UserPermissionViewSet, "permissions-users"),
    ("rbac/permissions/roles", RolePermissionViewSet, "permissions-roles"),
    ("rbac/permissions", RBACPermissionViewSet),
-    ("rbac/roles", RoleViewSet),
+    ("rbac/roles", RoleViewSet, "roles"),
+    ("rbac/initial_permissions", InitialPermissionsViewSet, "initial-permissions"),
 ]
--- a/authentik/recovery/tests.py
+++ b/authentik/recovery/tests.py
@ -50,7 +50,7 @@ class TestRecovery(TestCase):
        )
        token = Token.objects.get(intent=TokenIntents.INTENT_RECOVERY, user=self.user)
        self.client.get(reverse("authentik_recovery:use-token", kwargs={"key": token.key}))
-        self.assertEqual(int(self.client.session["_auth_user_id"]), token.user.pk)
+        self.assertEqual(self.client.session["authenticatedsession"].user.pk, token.user.pk)

    def test_recovery_view_invalid(self):
        """Test recovery view with invalid token"""
--- a/authentik/root/asgi_middleware.py
+++ b/authentik/root/asgi_middleware.py
@ -1,8 +1,12 @@
 """ASGI middleware"""

+from channels.auth import UserLazyObject
 from channels.db import database_sync_to_async
+from channels.middleware import BaseMiddleware
+from channels.sessions import CookieMiddleware
 from channels.sessions import InstanceSessionWrapper as UpstreamInstanceSessionWrapper
 from channels.sessions import SessionMiddleware as UpstreamSessionMiddleware
+from django.contrib.auth.models import AnonymousUser

 from authentik.root.middleware import SessionMiddleware as HTTPSessionMiddleware

@ -33,3 +37,48 @@ class SessionMiddleware(UpstreamSessionMiddleware):
        await wrapper.resolve_session()

        return await self.inner(wrapper.scope, receive, wrapper.send)
+
+
+@database_sync_to_async
+def get_user(scope):
+    """
+    Return the user model instance associated with the given scope.
+    If no user is retrieved, return an instance of `AnonymousUser`.
+    """
+    if "session" not in scope:
+        raise ValueError(
+            "Cannot find session in scope. You should wrap your consumer in SessionMiddleware."
+        )
+    user = None
+    if (authenticated_session := scope["session"].get("authenticated_session", None)) is not None:
+        user = authenticated_session.user
+    return user or AnonymousUser()
+
+
+class AuthMiddleware(BaseMiddleware):
+    def populate_scope(self, scope):
+        # Make sure we have a session
+        if "session" not in scope:
+            raise ValueError(
+                "AuthMiddleware cannot find session in scope. SessionMiddleware must be above it."
+            )
+        # Add it to the scope if it's not there already
+        if "user" not in scope:
+            scope["user"] = UserLazyObject()
+
+    async def resolve_scope(self, scope):
+        scope["user"]._wrapped = await get_user(scope)
+
+    async def __call__(self, scope, receive, send):
+        scope = dict(scope)
+        # Scope injection/mutation per this middleware's needs.
+        self.populate_scope(scope)
+        # Grab the finalized/resolved scope
+        await self.resolve_scope(scope)
+
+        return await super().__call__(scope, receive, send)
+
+
+# Handy shortcut for applying all three layers at once
+def AuthMiddlewareStack(inner):
+    return CookieMiddleware(SessionMiddleware(AuthMiddleware(inner)))
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@ -49,7 +49,7 @@ class SessionMiddleware(UpstreamSessionMiddleware):
        return False

    @staticmethod
-    def decode_session_key(key: str) -> str:
+    def decode_session_key(key: str | None) -> str | None:
        """Decode raw session cookie, and parse JWT"""
        # We need to support the standard django format of just a session key
        # for testing setups, where the session is directly set
@ -64,7 +64,11 @@ class SessionMiddleware(UpstreamSessionMiddleware):
    def process_request(self, request: HttpRequest):
        raw_session = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        session_key = SessionMiddleware.decode_session_key(raw_session)
-        request.session = self.SessionStore(session_key)
+        request.session = self.SessionStore(
+            session_key,
+            last_ip=ClientIPMiddleware.get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+        )

    def process_response(self, request: HttpRequest, response: HttpResponse) -> HttpResponse:
        """
--- a/authentik/root/sessions/pickle.py
+++ b/authentik/root/sessions/pickle.py
@ -1,23 +0,0 @@
-"""
-Module for abstract serializer/unserializer base classes.
-"""
-
-import pickle  # nosec
-
-
-class PickleSerializer:
-    """
-    Simple wrapper around pickle to be used in signing.dumps()/loads() and
-    cache backends.
-    """
-
-    def __init__(self, protocol=None):
-        self.protocol = pickle.HIGHEST_PROTOCOL if protocol is None else protocol
-
-    def dumps(self, obj):
-        """Pickle data to be stored in redis"""
-        return pickle.dumps(obj, self.protocol)
-
-    def loads(self, data):
-        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -7,7 +7,6 @@ from pathlib import Path

 import orjson
 from celery.schedules import crontab
-from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag
 from xmlsec import enable_debug_trace

@ -43,7 +42,6 @@ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False

 AUTHENTICATION_BACKENDS = [
-    "django.contrib.auth.backends.ModelBackend",
    BACKEND_INBUILT,
    BACKEND_APP_PASSWORD,
    BACKEND_LDAP,
@ -229,17 +227,7 @@ CACHES = {
 DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
-match CONFIG.get("session_storage", "cache"):
-    case "cache":
-        SESSION_ENGINE = "django.contrib.sessions.backends.cache"
-    case "db":
-        SESSION_ENGINE = "django.contrib.sessions.backends.db"
-    case _:
-        raise ImproperlyConfigured(
-            "Invalid session_storage setting, allowed values are db and cache"
-        )
-SESSION_SERIALIZER = "authentik.root.sessions.pickle.PickleSerializer"
-SESSION_CACHE_ALIAS = "default"
+SESSION_ENGINE = "authentik.core.sessions"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
@ -256,7 +244,7 @@ MIDDLEWARE = [
    "django_prometheus.middleware.PrometheusBeforeMiddleware",
    "authentik.root.middleware.ClientIPMiddleware",
    "authentik.stages.user_login.middleware.BoundSessionMiddleware",
-    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "authentik.core.middleware.AuthenticationMiddleware",
    "authentik.core.middleware.RequestIDMiddleware",
    "authentik.brands.middleware.BrandMiddleware",
    "authentik.events.middleware.AuditMiddleware",
--- a/Show More
+++ b/Show More