release: 2023.3.0

2023-03-13 18:30:48 +01:00
586 changed files with 33186 additions and 49858 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.4.1
+current_version = 2023.3.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.dockerignore
+++ b/.dockerignore
@ -6,4 +6,3 @@ dist/**
 build/**
 build_docs/**
 Dockerfile
-authentik/enterprise
--- a/.editorconfig
+++ b/.editorconfig
@ -7,14 +7,8 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true

-[*.html]
+[html]
 indent_size = 2

-[*.{yaml,yml}]
+[yaml]
 indent_size = 2
-
-[*.go]
-indent_style = tab
-
-[Makefile]
-indent_style = tab
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,9 +1,10 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-title: ""
+title: ''
 labels: bug
-assignees: ""
+assignees: ''
+
 ---

 **Describe the bug**
@ -11,7 +12,6 @@ A clear and concise description of what the bug is.

 **To Reproduce**
 Steps to reproduce the behavior:
-
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
@ -27,9 +27,8 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**
-
-   authentik version: [e.g. 2021.8.5]
-   Deployment: [e.g. docker-compose, helm]
+ - authentik version: [e.g. 2021.8.5]
+ - Deployment: [e.g. docker-compose, helm]

 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -1,9 +1,10 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-title: ""
+title: ''
 labels: enhancement
-assignees: ""
+assignees: ''
+
 ---

 **Is your feature request related to a problem? Please describe.**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -1,9 +1,10 @@
 ---
 name: Question
 about: Ask a question about a feature or specific configuration
-title: ""
+title: ''
 labels: question
-assignees: ""
+assignees: ''
+
 ---

 **Describe your question/**
@ -19,9 +20,8 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**
-
-   authentik version: [e.g. 2021.8.5]
-   Deployment: [e.g. docker-compose, helm]
+ - authentik version: [e.g. 2021.8.5]
+ - Deployment: [e.g. docker-compose, helm]

 **Additional context**
 Add any other context about the problem here.
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -1,5 +1,5 @@
-name: "Comment usage instructions on PRs"
-description: "Comment usage instructions on PRs"
+name: 'Comment usage instructions on PRs'
+description: 'Comment usage instructions on PRs'

 inputs:
  tag:
@ -17,7 +17,7 @@ runs:
      id: fc
      with:
        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: "github-actions[bot]"
+        comment-author: 'github-actions[bot]'
        body-includes: authentik PR Installation instructions
    - name: Create or update comment
      uses: peter-evans/create-or-update-comment@v2
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -1,5 +1,5 @@
-name: "Prepare docker environment variables"
-description: "Prepare docker environment variables"
+name: 'Prepare docker environment variables'
+description: 'Prepare docker environment variables'

 outputs:
  shouldBuild:
@ -51,14 +51,12 @@ runs:
        version_family = ".".join(version.split(".")[:-1])
        safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")

-        sha = os.environ["GITHUB_SHA"] if not "${{ github.event.pull_request.head.sha }}" else "${{ github.event.pull_request.head.sha }}"
-
        with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
            print("branchName=%s" % branch_name, file=_output)
            print("branchNameContainer=%s" % safe_branch_name, file=_output)
            print("timestamp=%s" % int(time()), file=_output)
-            print("sha=%s" % sha, file=_output)
-            print("shortHash=%s" % sha[:7], file=_output)
+            print("sha=%s" % os.environ["GITHUB_SHA"], file=_output)
+            print("shortHash=%s" % os.environ["GITHUB_SHA"][:7], file=_output)
            print("shouldBuild=%s" % should_build, file=_output)
            print("version=%s" % version, file=_output)
            print("versionFamily=%s" % version_family, file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -1,10 +1,5 @@
-name: "Setup authentik testing environment"
-description: "Setup authentik testing environment"
-
-inputs:
-  postgresql_tag:
-    description: "Optional postgresql image tag"
-    default: "12"
+name: 'Setup authentik testing environment'
+description: 'Setup authentik testing environment'

 runs:
  using: "composite"
@ -18,18 +13,17 @@ runs:
    - name: Setup python and restore poetry
      uses: actions/setup-python@v3
      with:
-        python-version: "3.11"
-        cache: "poetry"
+        python-version: '3.11'
+        cache: 'poetry'
    - name: Setup node
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v3.1.0
      with:
-        node-version: "20"
-        cache: "npm"
+        node-version: '18'
+        cache: 'npm'
        cache-dependency-path: web/package-lock.json
    - name: Setup dependencies
      shell: bash
      run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
        docker-compose -f .github/actions/setup/docker-compose.yml up -d
        poetry env use python3.11
        poetry install
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -1,21 +1,23 @@
-version: "3.7"
+version: '3.7'

 services:
  postgresql:
-    image: docker.io/library/postgres:${PSQL_TAG:-12}
+    container_name: postgres
+    image: library/postgres:12
    volumes:
-      - db-data:/var/lib/postgresql/data
+    - db-data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
      POSTGRES_DB: authentik
    ports:
-      - 5432:5432
+    - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis
+    container_name: redis
+    image: library/redis
    ports:
-      - 6379:6379
+    - 6379:6379
    restart: always

 volumes:
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@ -1,10 +1,3 @@
 coverage:
-  status:
-    project:
-      default:
-        target: auto
-        # adjust accordingly based on how flaky your tests are
-        # this allows a 1% drop from the previous base commit coverage
-        threshold: 1%
-  notify:
-    after_n_builds: 3
+  precision: 2
+  round: up
--- a/.github/codespell-dictionary.txt
+++ b/.github/codespell-dictionary.txt
@ -1 +0,0 @@
-authentic->authentik
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,62 +1,62 @@
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "ci:"
-  - package-ecosystem: gomod
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
-  - package-ecosystem: npm
-    directory: "/web"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "web:"
-  - package-ecosystem: npm
-    directory: "/website"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "website:"
-  - package-ecosystem: pip
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
-  - package-ecosystem: docker
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "@goauthentik/core"
-    commit-message:
-      prefix: "core:"
+    - package-ecosystem: "github-actions"
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "ci:"
+    - package-ecosystem: gomod
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: npm
+      directory: "/web"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "web:"
+    - package-ecosystem: npm
+      directory: "/website"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "website:"
+    - package-ecosystem: pip
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
+    - package-ecosystem: docker
+      directory: "/"
+      schedule:
+          interval: daily
+          time: "04:00"
+      open-pull-requests-limit: 10
+      reviewers:
+          - "@goauthentik/core"
+      commit-message:
+          prefix: "core:"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -5,35 +5,15 @@ Please check the [Contributing guidelines](https://github.com/goauthentik/authen
 -->

 # Details
-
-   **Does this resolve an issue?**
-    Resolves #
+* **Does this resolve an issue?**
+Resolves #

 ## Changes
-
 ### New Features
-
-   Adds feature which does x, y, and z.
+* Adds feature which does x, y, and z.

 ### Breaking Changes
+* Adds breaking change which causes \<issue\>.

-   Adds breaking change which causes \<issue\>.
-
-## Checklist
-
-   [ ] Local tests pass (`ak test authentik/`)
-   [ ] The code has been formatted (`make lint-fix`)
-
-If an API change has been made
-
-   [ ] The API schema has been updated (`make gen-build`)
-
-If changes to the frontend have been made
-
-   [ ] The code has been formatted (`make web`)
-   [ ] The translation files have been updated (`make i18n-extract`)
-
-If applicable
-
-   [ ] The documentation has been updated
-   [ ] The documentation has been formatted (`make website`)
+## Additional
+Any further notes or comments you want to make.
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -16,4 +16,3 @@ markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
-only: issues
--- a/.github/transifex.yml
+++ b/.github/transifex.yml
@ -6,11 +6,11 @@ git:
      source_language: en
      source_file: web/src/locales/en.po
      # path expression to translation files, must contain <lang> placeholder
-      translation_files_expression: "web/src/locales/<lang>.po"
+      translation_files_expression: 'web/src/locales/<lang>.po'
    - filter_type: file
      # all supported i18n types: https://docs.transifex.com/formats
      file_format: PO
      source_language: en
      source_file: locale/en/LC_MESSAGES/django.po
      # path expression to translation files, must contain <lang> placeholder
-      translation_files_expression: "locale/<lang>/LC_MESSAGES/django.po"
+      translation_files_expression: 'locale/<lang>/LC_MESSAGES/django.po'
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -23,14 +23,12 @@ jobs:
      fail-fast: false
      matrix:
        job:
-          - bandit
-          - black
-          - codespell
-          - isort
-          - pending-migrations
          - pylint
+          - black
+          - isort
+          - bandit
          - pyright
-          - ruff
+          - pending-migrations
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
@ -61,7 +59,7 @@ jobs:
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout $(git describe --abbrev=0 --match 'version/*')
          rm -rf .github/ scripts/
          mv ../.github ../scripts .
      - name: Setup authentik env (ensure stable deps are installed)
@ -81,21 +79,12 @@ jobs:
      - name: migrate to latest
        run: poetry run python -m lifecycle.migrate
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        psql:
-          - 11-alpine
-          - 12-alpine
    steps:
      - uses: actions/checkout@v3
      - name: Setup authentik env
        uses: ./.github/actions/setup
-        with:
-          postgresql_tag: ${{ matrix.psql }}
      - name: run unittest
        run: |
          poetry run make test
@ -139,8 +128,6 @@ jobs:
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: radius
-            glob: tests/e2e/test_provider_radius*
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
@ -187,8 +174,6 @@ jobs:
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
@ -214,7 +199,6 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
@ -231,8 +215,6 @@ jobs:
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
@ -258,7 +240,6 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-arm64
-            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.sha }}-arm64
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.shortHash }}-arm64
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -15,9 +15,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v3
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Prepare and generate API
        run: |
          # Create folder structure for go embeds
@ -30,14 +30,13 @@ jobs:
        uses: golangci/golangci-lint-action@v3
        with:
          args: --timeout 5000s
-          skip-pkg-cache: true
  test-unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v3
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Generate API
        run: make gen-client-go
      - name: Go unittests
@ -60,12 +59,11 @@ jobs:
        type:
          - proxy
          - ldap
-          - radius
+        arch:
+          - 'linux/amd64'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
@ -95,7 +93,7 @@ jobs:
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.arch }}
          context: .
  build-binary:
    timeout-minutes: 120
@ -108,20 +106,17 @@ jobs:
        type:
          - proxy
          - ldap
-          - radius
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - name: Generate API
        run: make gen-client-go
@ -136,3 +131,7 @@ jobs:
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          path: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -17,8 +17,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -33,8 +33,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -49,8 +49,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
@ -65,8 +65,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: |
@ -97,8 +97,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -17,8 +17,8 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
@ -31,40 +31,18 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
      - name: test
        working-directory: website/
        run: npm test
-  build:
-    runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
-          - build-docs-only
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.6.0
-        with:
-          node-version: "20"
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
  ci-website-mark:
    needs:
      - lint-prettier
      - test
-      - build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,11 +2,12 @@ name: "CodeQL"

 on:
  push:
-    branches: [main, "*", next, version*]
+    branches: [ main, '*', next, version* ]
  pull_request:
-    branches: [main]
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
  schedule:
-    - cron: "30 6 * * 5"
+    - cron: '30 6 * * 5'

 jobs:
  analyze:
@ -20,17 +21,40 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: ["go", "javascript", "python"]
+        language: [ 'go', 'javascript', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: ${{ matrix.language }}
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -2,7 +2,7 @@ name: ghcr-retention

 on:
  schedule:
-    - cron: "0 0 * * *" # every day at midnight
+    - cron: '0 0 * * *'  # every day at midnight
  workflow_dispatch:

 jobs:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -52,12 +52,11 @@ jobs:
        type:
          - proxy
          - ldap
-          - radius
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v3
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.1.0
      - name: Set up Docker Buildx
@ -100,18 +99,17 @@ jobs:
        type:
          - proxy
          - ldap
-          - radius
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v3
        with:
-          go-version-file: "go.mod"
+          go-version: "^1.17"
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          cache: "npm"
+          node-version: '18'
+          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - name: Build web
        working-directory: web/
@ -173,5 +171,5 @@ jobs:
          SENTRY_PROJECT: authentik
        with:
          version: authentik@${{ steps.ev.outputs.version }}
-          sourcemaps: "./web/dist"
-          url_prefix: "~/static/dist"
+          sourcemaps: './web/dist'
+          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -3,7 +3,7 @@ name: authentik-on-tag
 on:
  push:
    tags:
-      - "version/*"
+    - 'version/*'

 jobs:
  build:
--- a/.github/workflows/translation-advice.yml
+++ b/.github/workflows/translation-advice.yml
@ -1,34 +0,0 @@
-name: authentik-translation-advice
-
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "!**"
-      - "locale/**"
-      - "web/src/locales/**"
-
-jobs:
-  post-comment:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Find Comment
-        uses: peter-evans/find-comment@v2
-        id: fc
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: "github-actions[bot]"
-          body-includes: authentik translations instructions
-      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v2
-        with:
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ github.event.pull_request.number }}
-          edit-mode: replace
-          body: |
-            ### authentik translations instructions
-
-            Thanks for your pull request!
-
-            authentik translations are handled using [Transifex](https://explore.transifex.com/authentik/authentik/). Please edit translations over there and they'll be included automatically.
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -1,9 +1,12 @@
 name: authentik-backend-translate-compile
 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "locale/**"
+      - '/locale/'
+  pull_request:
+    paths:
+      - '/locale/'
  workflow_dispatch:

 env:
@ -21,9 +24,9 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run compile
-        run: poetry run ak compilemessages
+        run: poetry run ./manage.py compilemessages
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v4
        id: cpr
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -1,9 +1,9 @@
 name: authentik-web-api-publish
 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "schema.yml"
+      - 'schema.yml'
  workflow_dispatch:
 jobs:
  build:
@ -14,8 +14,8 @@ jobs:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
      - uses: actions/setup-node@v3.6.0
        with:
-          node-version: "20"
-          registry-url: "https://registry.npmjs.org"
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
      - name: Generate API Client
        run: make gen-client-ts
      - name: Publish package
@ -30,7 +30,7 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v5
+      - uses: peter-evans/create-pull-request@v4
        id: cpr
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
@ -42,7 +42,7 @@ jobs:
          signoff: true
          team-reviewers: "@goauthentik/core"
          author: authentik bot <github-bot@goauthentik.io>
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@v2
        with:
          token: ${{ secrets.BOT_GITHUB_TOKEN }}
          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -20,7 +20,6 @@ The following is a set of guidelines for contributing to authentik and its compo
 -   [Reporting Bugs](#reporting-bugs)
 -   [Suggesting Enhancements](#suggesting-enhancements)
 -   [Your First Code Contribution](#your-first-code-contribution)
-   [Help with the Docs](#help-with-the-docs)
 -   [Pull Requests](#pull-requests)

 [Styleguides](#styleguides)
@ -136,9 +135,6 @@ authentik can be run locally, all though depending on which part you want to wor

 This is documented in the [developer docs](https://goauthentik.io/developer-docs/?utm_source=github)

-### Help with the Docs
-Contributions to the technical documentation are greatly appreciated. Open a PR if you have improvements to make or new content to add. If you have questions or suggestions about the documentation, open an Issue. No contribution is too small.
-
 ### Pull Requests

 The process described here has several goals:
--- a/16
+++ b/16
@ -1,5 +1,5 @@
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder

 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
@ -10,7 +10,7 @@ WORKDIR /work/website
 RUN npm ci && npm run build-docs-only

 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:18 as web-builder

 COPY ./web /work/web/
 COPY ./website /work/website/
@ -20,7 +20,7 @@ WORKDIR /work/web
 RUN npm ci && npm run build

 # Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.11.3-slim-bullseye AS poetry-locker
+FROM docker.io/python:3.11.2-slim-bullseye AS poetry-locker

 WORKDIR /work
 COPY ./pyproject.toml /work
@ -31,7 +31,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt

 # Stage 4: Build go proxy
-FROM docker.io/golang:1.20.4-bullseye AS go-builder
+FROM docker.io/golang:1.20.2-bullseye AS go-builder

 WORKDIR /work

@ -47,7 +47,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/

 # Stage 5: MaxMind GeoIP
-FROM docker.io/maxmindinc/geoipupdate:v5.0 as geoip
+FROM docker.io/maxmindinc/geoipupdate:v4.10 as geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City"
 ENV GEOIPUPDATE_VERBOSE="true"
@ -62,7 +62,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    "

 # Stage 6: Run
-FROM docker.io/python:3.11.3-slim-bullseye AS final-image
+FROM docker.io/python:3.11.2-slim-bullseye AS final-image

 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
@ -83,7 +83,7 @@ RUN apt-get update && \
    # Required for runtime
    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
-    apt-get install -y --no-install-recommends runit && \
+    apt-get install -y --no-install-recommends curl runit && \
    pip install --no-cache-dir -r /requirements.txt && \
    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \
    apt-get autoremove --purge -y && \
@ -102,7 +102,7 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY --from=go-builder /work/authentik /bin/authentik
+COPY --from=go-builder /work/authentik /authentik-proxy
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/help/ /website/help/
--- a/9
+++ b/9
@ -1,11 +1,6 @@
-Copyright (c) 2023 Jens Langhammer
+MIT License

-Portions of this software are licensed as follows:
-* All content residing under the "website/" directory of this repository is licensed under "Creative Commons: CC BY-SA 4.0 license".
-* All content that resides under the "authentik/enterprise/" directory of this repository, if that directory exists, is licensed under the license defined in "authentik/enterprise/LICENSE".
-* All client-side JavaScript (when served directly or after being compiled, arranged, augmented, or combined), is licensed under the "MIT Expat" license.
-* All third party components incorporated into the authentik are licensed under the original license provided by the owner of the applicable component.
-* Content outside of the above mentioned directories or restrictions above is available under the "MIT" license as defined below.
+Copyright (c) 2022 Jens Langhammer

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/71
+++ b/71
@ -3,21 +3,6 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle
-
-CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
-		-I .github/codespell-words.txt \
-		-S 'web/src/locales/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
-		website/src \
-		website/blog \
-		website/developer-docs \
-		website/docs \
-		website/integrations \
-		website/src

 all: lint-fix lint test gen web

@ -39,19 +24,28 @@ test:
 	coverage report

 lint-fix:
-	isort authentik $(PY_SOURCES)
-	black authentik $(PY_SOURCES)
-	ruff authentik $(PY_SOURCES)
-	codespell -w $(CODESPELL_ARGS)
+	isort authentik tests scripts lifecycle
+	black authentik tests scripts lifecycle
+	codespell -I .github/codespell-words.txt -S 'web/src/locales/**' -w \
+		authentik \
+		internal \
+		cmd \
+		web/src \
+		website/src \
+		website/docs \
+		website/developer-docs

 lint:
-	pylint $(PY_SOURCES)
-	bandit -r $(PY_SOURCES) -x node_modules
+	pylint authentik tests lifecycle
+	bandit -r authentik tests lifecycle -x node_modules
 	golangci-lint run -v

 migrate:
 	python -m lifecycle.migrate

+run:
+	go run -v ./cmd/server/
+
 i18n-extract: i18n-extract-core web-extract

 i18n-extract-core:
@ -65,20 +59,15 @@ gen-build:
 	AUTHENTIK_DEBUG=true ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true ak spectacular --file schema.yml

-gen-changelog:
-	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
-	npx prettier --write changelog.md
-
 gen-diff:
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
+	git show $(shell git describe --abbrev=0):schema.yml > old_schema.yml
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-diff:2.1.0-beta.6 \
+		docker.io/openapitools/openapi-diff:2.1.0-beta.3 \
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
-	npx prettier --write diff.md

 gen-clean:
 	rm -rf web/api/src/
@ -88,7 +77,7 @@ gen-client-ts:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/gen-ts-api \
@ -101,21 +90,20 @@ gen-client-ts:
 	\cp -rfv gen-ts-api/* web/node_modules/@goauthentik/api

 gen-client-go:
-	mkdir -p ./gen-go-api ./gen-go-api/templates
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./gen-go-api/config.yaml
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./gen-go-api/templates/README.mustache
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./gen-go-api/templates/go.mod.mustache
-	cp schema.yml ./gen-go-api/
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O config.yaml
+	mkdir -p templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O templates/go.mod.mustache
 	docker run \
-		--rm -v ${PWD}/gen-go-api:/local \
+		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g go \
-		-o /local/ \
+		-o /local/gen-go-api \
 		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./gen-go-api
-	rm -rf ./gen-go-api/config.yaml ./gen-go-api/templates/
+	rm -rf config.yaml ./templates/

 gen-dev-config:
 	python -m scripts.generate_config
@ -173,6 +161,7 @@ website-watch:

 # These targets are use by GitHub actions to allow usage of matrix
 # which makes the YAML File a lot smaller
+PY_SOURCES=authentik tests lifecycle
 ci--meta-debug:
 	python -V
 	node --version
@ -183,12 +172,6 @@ ci-pylint: ci--meta-debug
 ci-black: ci--meta-debug
 	black --check $(PY_SOURCES)

-ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
-
-ci-codespell: ci--meta-debug
-	codespell $(CODESPELL_ARGS) -s
-
 ci-isort: ci--meta-debug
 	isort --check $(PY_SOURCES)

--- a/README.md
+++ b/README.md
@ -15,13 +15,13 @@

 ## What is authentik?

-Authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. Authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.
+authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.

 ## Installation

-For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
+For small/test setups it is recommended to use docker-compose, see the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github)

-For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).
+For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github)

 ## Screenshots

@ -32,15 +32,15 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h

 ## Development

-See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
+See [Development Documentation](https://goauthentik.io/developer-docs/?utm_source=github)

 ## Security

 See [SECURITY.md](SECURITY.md)

-## Adoption and Contributions
+## Support

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR!

 ## Sponsors

--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,9 @@ Authentik takes security very seriously. We follow the rules of [responsible dis

 | Version   | Supported          |
 | --------- | ------------------ |
+| 2022.12.x | :white_check_mark: |
+| 2023.1.x  | :white_check_mark: |
 | 2023.2.x  | :white_check_mark: |
-| 2023.3.x  | :white_check_mark: |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional

-__version__ = "2023.4.1"
+__version__ = "2023.3.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,13 +7,82 @@ API Browser - {{ tenant.branding_title }}
 {% endblock %}

 {% block head %}
-<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
-<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
-<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
-<link rel="icon" href="{{ tenant.branding_favicon }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
+<script type="module" src="{% static 'dist/rapidoc-min.js' %}"></script>
+<script>
+function getCookie(name) {
+    let cookieValue = "";
+    if (document.cookie && document.cookie !== "") {
+        const cookies = document.cookie.split(";");
+        for (let i = 0; i < cookies.length; i++) {
+            const cookie = cookies[i].trim();
+            // Does this cookie string begin with the name we want?
+            if (cookie.substring(0, name.length + 1) === name + "=") {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
+            }
+        }
+    }
+    return cookieValue;
+}
+window.addEventListener('DOMContentLoaded', (event) => {
+    const rapidocEl = document.querySelector('rapi-doc');
+    rapidocEl.addEventListener('before-try', (e) => {
+        e.detail.request.headers.append('X-authentik-CSRF', getCookie("authentik_csrf"));
+    });
+});
+</script>
+<style>
+    img.logo {
+        width: 100%;
+        padding: 1rem 0.5rem 1.5rem 0.5rem;
+        min-height: 48px;
+    }
+</style>
 {% endblock %}

 {% block body %}
-<ak-api-browser schemaPath="{{ path }}"></ak-api-browser>
+<rapi-doc
+    spec-url="{{ path }}"
+    heading-text=""
+    theme="light"
+    render-style="read"
+    default-schema-tab="schema"
+    primary-color="#fd4b2d"
+    nav-bg-color="#212427"
+    bg-color="#000000"
+    text-color="#000000"
+    nav-text-color="#ffffff"
+    nav-hover-bg-color="#3c3f42"
+    nav-accent-color="#4f5255"
+    nav-hover-text-color="#ffffff"
+    use-path-in-nav-bar="true"
+    nav-item-spacing="relaxed"
+    allow-server-selection="false"
+    show-header="false"
+    allow-spec-url-load="false"
+    allow-spec-file-load="false">
+    <div slot="nav-logo">
+        <img  alt="authentik Logo" class="logo" src="{% static 'dist/assets/icons/icon_left_brand.png' %}" />
+    </div>
+</rapi-doc>
+<script>
+const rapidoc = document.querySelector("rapi-doc");
+const matcher = window.matchMedia("(prefers-color-scheme: light)");
+const changer = (ev) => {
+    const style = getComputedStyle(document.documentElement);
+    let bg, text = "";
+    if (matcher.matches) {
+        bg = style.getPropertyValue('--pf-global--BackgroundColor--light-300');
+        text = style.getPropertyValue('--pf-global--Color--300');
+    } else {
+        bg = style.getPropertyValue('--ak-dark-background');
+        text = style.getPropertyValue('--ak-dark-foreground');
+    }
+    rapidoc.attributes.getNamedItem("bg-color").value = bg.trim();
+    rapidoc.attributes.getNamedItem("text-color").value = text.trim();
+    rapidoc.requestUpdate();
+};
+matcher.addEventListener("change", changer);
+window.addEventListener("load", changer);
+</script>
 {% endblock %}
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -29,7 +29,6 @@ class Capabilities(models.TextChoices):
    CAN_GEO_IP = "can_geo_ip"
    CAN_IMPERSONATE = "can_impersonate"
    CAN_DEBUG = "can_debug"
-    IS_ENTERPRISE = "is_enterprise"


 class ErrorReportingConfigSerializer(PassiveSerializer):
@ -71,8 +70,6 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_IMPERSONATE)
        if settings.DEBUG:  # pragma: no cover
            caps.append(Capabilities.CAN_DEBUG)
-        if "authentik.enterprise" in settings.INSTALLED_APPS:
-            caps.append(Capabilities.IS_ENTERPRISE)
        return caps

    def get_config(self) -> ConfigSerializer:
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -56,7 +56,6 @@ from authentik.providers.oauth2.api.tokens import (
    RefreshTokenViewSet,
 )
 from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
-from authentik.providers.radius.api import RadiusOutpostConfigViewSet, RadiusProviderViewSet
 from authentik.providers.saml.api.property_mapping import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
 from authentik.providers.scim.api.property_mapping import SCIMMappingViewSet
@ -129,7 +128,6 @@ router.register("outposts/service_connections/docker", DockerServiceConnectionVi
 router.register("outposts/service_connections/kubernetes", KubernetesServiceConnectionViewSet)
 router.register("outposts/proxy", ProxyOutpostConfigViewSet)
 router.register("outposts/ldap", LDAPOutpostConfigViewSet)
-router.register("outposts/radius", RadiusOutpostConfigViewSet)

 router.register("flows/instances", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
@ -168,7 +166,6 @@ router.register("providers/proxy", ProxyProviderViewSet)
 router.register("providers/oauth2", OAuth2ProviderViewSet)
 router.register("providers/saml", SAMLProviderViewSet)
 router.register("providers/scim", SCIMProviderViewSet)
-router.register("providers/radius", RadiusProviderViewSet)

 router.register("oauth2/authorization_codes", AuthorizationCodeViewSet)
 router.register("oauth2/refresh_tokens", RefreshTokenViewSet)
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -49,8 +49,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        context = self.instance.context if self.instance else {}
        valid, logs = Importer(content, context).validate()
        if not valid:
-            text_logs = "\n".join([x["event"] for x in logs])
-            raise ValidationError(_("Failed to validate blueprint: %(logs)s" % {"logs": text_logs}))
+            raise ValidationError(_("Failed to validate blueprint"), *[x["msg"] for x in logs])
        return content

    def validate(self, attrs: dict) -> dict:
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@ -55,11 +55,11 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
        """Load v1 tasks"""
        self.import_module("authentik.blueprints.v1.tasks")

-    def reconcile_blueprints_discovery(self):
+    def reconcile_blueprints_discover(self):
        """Run blueprint discovery"""
-        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
+        from authentik.blueprints.v1.tasks import blueprints_discover, clear_failed_blueprints

-        blueprints_discovery.delay()
+        blueprints_discover.delay()
        clear_failed_blueprints.delay()

    def import_models(self):
--- a/authentik/blueprints/management/commands/apply_blueprint.py
+++ b/authentik/blueprints/management/commands/apply_blueprint.py
@ -19,8 +19,10 @@ class Command(BaseCommand):
        for blueprint_path in options.get("blueprints", []):
            content = BlueprintInstance(path=blueprint_path).retrieve()
            importer = Importer(content)
-            valid, _ = importer.validate()
+            valid, logs = importer.validate()
            if not valid:
+                for log in logs:
+                    getattr(LOGGER, log.pop("log_level"))(**log)
                self.stderr.write("blueprint invalid")
                sys_exit(1)
            importer.apply()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -1,17 +1,12 @@
 """Generate JSON Schema for blueprints"""
-from json import dumps
-from typing import Any
+from json import dumps, loads
+from pathlib import Path

 from django.core.management.base import BaseCommand, no_translations
-from django.db.models import Model
-from drf_jsonschema_serializer.convert import field_to_converter
-from rest_framework.fields import Field, JSONField, UUIDField
-from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger

 from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.blueprints.v1.meta.registry import registry
-from authentik.lib.models import SerializerModel

 LOGGER = get_logger()

@ -21,138 +16,21 @@ class Command(BaseCommand):

    schema: dict

-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.schema = {
-            "$schema": "http://json-schema.org/draft-07/schema",
-            "$id": "https://goauthentik.io/blueprints/schema.json",
-            "type": "object",
-            "title": "authentik Blueprint schema",
-            "required": ["version", "entries"],
-            "properties": {
-                "version": {
-                    "$id": "#/properties/version",
-                    "type": "integer",
-                    "title": "Blueprint version",
-                    "default": 1,
-                },
-                "metadata": {
-                    "$id": "#/properties/metadata",
-                    "type": "object",
-                    "required": ["name"],
-                    "properties": {
-                        "name": {"type": "string"},
-                        "labels": {"type": "object", "additionalProperties": {"type": "string"}},
-                    },
-                },
-                "context": {
-                    "$id": "#/properties/context",
-                    "type": "object",
-                    "additionalProperties": True,
-                },
-                "entries": {
-                    "type": "array",
-                    "items": {
-                        "oneOf": [],
-                    },
-                },
-            },
-            "$defs": {},
-        }
-
    @no_translations
    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
-        self.build()
-        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
+        path = Path(__file__).parent.joinpath("./schema_template.json")
+        with open(path, "r", encoding="utf-8") as _template_file:
+            self.schema = loads(_template_file.read())
+        self.set_model_allowed()
+        self.stdout.write(dumps(self.schema, indent=4))

-    @staticmethod
-    def json_default(value: Any) -> Any:
-        """Helper that handles gettext_lazy strings that JSON doesn't handle"""
-        return str(value)
-
-    def build(self):
-        """Build all models into the schema"""
+    def set_model_allowed(self):
+        """Set model enum"""
+        model_names = []
        for model in registry.get_models():
-            if model._meta.abstract:
-                continue
            if not is_model_allowed(model):
                continue
-            model_instance: Model = model()
-            if not isinstance(model_instance, SerializerModel):
-                continue
-            serializer = model_instance.serializer()
-            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, serializer)
-            )
-
-    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
-        """Template entry for a single model"""
-        model_schema = self.to_jsonschema(serializer)
-        model_schema["required"] = []
-        def_name = f"model_{model_path}"
-        def_path = f"#/$defs/{def_name}"
-        self.schema["$defs"][def_name] = model_schema
-        return {
-            "type": "object",
-            "required": ["model", "attrs"],
-            "properties": {
-                "model": {"const": model_path},
-                "id": {"type": "string"},
-                "state": {
-                    "type": "string",
-                    "enum": ["absent", "present", "created"],
-                    "default": "present",
-                },
-                "conditions": {"type": "array", "items": {"type": "boolean"}},
-                "attrs": {"$ref": def_path},
-                "identifiers": {"$ref": def_path},
-            },
-        }
-
-    def field_to_jsonschema(self, field: Field) -> dict:
-        """Convert a single field to json schema"""
-        if isinstance(field, Serializer):
-            result = self.to_jsonschema(field)
-        else:
-            try:
-                converter = field_to_converter[field]
-                result = converter.convert(field)
-            except KeyError:
-                if isinstance(field, JSONField):
-                    result = {"type": "object", "additionalProperties": True}
-                elif isinstance(field, UUIDField):
-                    result = {"type": "string", "format": "uuid"}
-                else:
-                    raise
-        if field.label:
-            result["title"] = field.label
-        if field.help_text:
-            result["description"] = field.help_text
-        return self.clean_result(result)
-
-    def clean_result(self, result: dict) -> dict:
-        """Remove enumNames from result, recursively"""
-        result.pop("enumNames", None)
-        for key, value in result.items():
-            if isinstance(value, dict):
-                result[key] = self.clean_result(value)
-        return result
-
-    def to_jsonschema(self, serializer: Serializer) -> dict:
-        """Convert serializer to json schema"""
-        properties = {}
-        required = []
-        for name, field in serializer.fields.items():
-            if field.read_only:
-                continue
-            sub_schema = self.field_to_jsonschema(field)
-            if field.required:
-                required.append(name)
-            properties[name] = sub_schema
-
-        result = {"type": "object", "properties": properties}
-        if required:
-            result["required"] = required
-        return result
+            model_names.append(f"{model._meta.app_label}.{model._meta.model_name}")
+        model_names.sort()
+        self.schema["properties"]["entries"]["items"]["properties"]["model"]["enum"] = model_names
--- a/authentik/blueprints/management/commands/schema_template.json
+++ b/authentik/blueprints/management/commands/schema_template.json
@ -0,0 +1,105 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema",
+    "$id": "http://example.com/example.json",
+    "type": "object",
+    "title": "authentik Blueprint schema",
+    "default": {},
+    "required": [
+        "version",
+        "entries"
+    ],
+    "properties": {
+        "version": {
+            "$id": "#/properties/version",
+            "type": "integer",
+            "title": "Blueprint version",
+            "default": 1
+        },
+        "metadata": {
+            "$id": "#/properties/metadata",
+            "type": "object",
+            "required": [
+                "name"
+            ],
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "labels": {
+                    "type": "object"
+                }
+            }
+        },
+        "context": {
+            "$id": "#/properties/context",
+            "type": "object",
+            "additionalProperties": true
+        },
+        "entries": {
+            "type": "array",
+            "items": {
+                "$id": "#entry",
+                "type": "object",
+                "required": [
+                    "model"
+                ],
+                "properties": {
+                    "model": {
+                        "type": "string",
+                        "enum": [
+                            "placeholder"
+                        ]
+                    },
+                    "id": {
+                        "type": "string"
+                    },
+                    "state": {
+                        "type": "string",
+                        "enum": [
+                            "absent",
+                            "present",
+                            "created"
+                        ],
+                        "default": "present"
+                    },
+                    "conditions": {
+                        "type": "array",
+                        "items": {
+                            "type": "boolean"
+                        }
+                    },
+                    "attrs": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "description": "Commonly available field, may not exist on all models"
+                            }
+                        },
+                        "default": {},
+                        "additionalProperties": true
+                    },
+                    "identifiers": {
+                        "type": "object",
+                        "default": {},
+                        "properties": {
+                            "pk": {
+                                "description": "Commonly available field, may not exist on all models",
+                                "anyOf": [
+                                    {
+                                        "type": "number"
+                                    },
+                                    {
+                                        "type": "string",
+                                        "format": "uuid"
+                                    }
+                                ]
+                            }
+                        },
+                        "additionalProperties": true
+                    }
+                }
+            }
+        }
+    }
+}
--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -6,6 +6,7 @@ from pathlib import Path
 import django.contrib.postgres.fields
 from dacite.core import from_dict
 from django.apps.registry import Apps
+from django.conf import settings
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from yaml import load
@ -14,7 +15,7 @@ from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
 from authentik.lib.config import CONFIG


-def check_blueprint_v1_file(BlueprintInstance: type, path: Path):
+def check_blueprint_v1_file(BlueprintInstance: type["BlueprintInstance"], path: Path):
    """Check if blueprint should be imported"""
    from authentik.blueprints.models import BlueprintInstanceStatus
    from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata
--- a/authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py
+++ b/authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py
@ -1,20 +0,0 @@
-# Generated by Django 4.1.7 on 2023-04-28 10:49
-
-from django.db import migrations, models
-
-from authentik.lib.migrations import fallback_names
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_blueprints", "0002_blueprintinstance_content"),
-    ]
-
-    operations = [
-        migrations.RunPython(fallback_names("authentik_blueprints", "blueprintinstance", "name")),
-        migrations.AlterField(
-            model_name="blueprintinstance",
-            name="name",
-            field=models.TextField(unique=True),
-        ),
-    ]
--- a/authentik/blueprints/models.py
+++ b/authentik/blueprints/models.py
@ -57,7 +57,7 @@ class BlueprintInstance(SerializerModel, ManagedModel, CreatedUpdatedModel):

    instance_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

-    name = models.TextField(unique=True)
+    name = models.TextField()
    metadata = models.JSONField(default=dict)
    path = models.TextField(default="", blank=True)
    content = models.TextField(default="", blank=True)
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@ -5,7 +5,7 @@ from authentik.lib.utils.time import fqdn_rand

 CELERY_BEAT_SCHEDULE = {
    "blueprints_v1_discover": {
-        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
+        "task": "authentik.blueprints.v1.tasks.blueprints_discover",
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -1,5 +1,6 @@
 """Blueprint helpers"""
 from functools import wraps
+from pathlib import Path
 from typing import Callable

 from django.apps import apps
@ -44,3 +45,13 @@ def reconcile_app(app_name: str):
        return wrapper

    return wrapper_outer
+
+
+def load_yaml_fixture(path: str, **kwargs) -> str:
+    """Load yaml fixture, optionally formatting it with kwargs"""
+    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
+        fixture = _fixture.read()
+        try:
+            return fixture % kwargs
+        except TypeError:
+            return fixture
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -3,12 +3,12 @@ from os import environ

 from django.test import TransactionTestCase

+from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource
@ -113,14 +113,14 @@ class TestBlueprintsV1(TransactionTestCase):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()

-        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)

-        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.apply())

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
@ -130,7 +130,7 @@ class TestBlueprintsV1(TransactionTestCase):
        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
        Group.objects.filter(name="test").delete()
        environ["foo"] = generate_id()
-        importer = Importer(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
+        importer = Importer(load_yaml_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -67,7 +67,4 @@ class TestBlueprintsV1API(APITestCase):
            },
        )
        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(
-            res.content.decode(),
-            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
-        )
+        self.assertJSONEqual(res.content.decode(), {"content": ["Failed to validate blueprint"]})
--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@ -1,10 +1,10 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase

+from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.importer import Importer
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture


 class TestBlueprintsV1Conditions(TransactionTestCase):
@ -14,7 +14,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
        """Test conditions fulfilled"""
        flow_slug1 = generate_id()
        flow_slug2 = generate_id()
-        import_yaml = load_fixture(
+        import_yaml = load_yaml_fixture(
            "fixtures/conditions_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
        )

@ -31,7 +31,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
        """Test conditions not fulfilled"""
        flow_slug1 = generate_id()
        flow_slug2 = generate_id()
-        import_yaml = load_fixture(
+        import_yaml = load_yaml_fixture(
            "fixtures/conditions_not_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
        )

--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -1,10 +1,10 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase

+from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.importer import Importer
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture


 class TestBlueprintsV1State(TransactionTestCase):
@ -13,7 +13,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_present(self):
        """Test state present"""
        flow_slug = generate_id()
-        import_yaml = load_fixture("fixtures/state_present.yaml", id=flow_slug)
+        import_yaml = load_yaml_fixture("fixtures/state_present.yaml", id=flow_slug)

        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -39,7 +39,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_created(self):
        """Test state created"""
        flow_slug = generate_id()
-        import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
+        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)

        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -65,7 +65,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_absent(self):
        """Test state absent"""
        flow_slug = generate_id()
-        import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
+        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)

        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -74,7 +74,7 @@ class TestBlueprintsV1State(TransactionTestCase):
        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
        self.assertEqual(flow.slug, flow_slug)

-        import_yaml = load_fixture("fixtures/state_absent.yaml", id=flow_slug)
+        import_yaml = load_yaml_fixture("fixtures/state_absent.yaml", id=flow_slug)
        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@ -6,7 +6,7 @@ from django.test import TransactionTestCase
 from yaml import dump

 from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
-from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discovery, blueprints_find
+from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discover, blueprints_find
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id

@ -53,7 +53,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
            file.seek(0)
            file_hash = sha512(file.read().encode()).hexdigest()
            file.flush()
-            blueprints_discovery()  # pylint: disable=no-value-for-parameter
+            blueprints_discover()  # pylint: disable=no-value-for-parameter
            instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
            self.assertEqual(instance.last_applied_hash, file_hash)
            self.assertEqual(
@ -81,7 +81,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery()  # pylint: disable=no-value-for-parameter
+            blueprints_discover()  # pylint: disable=no-value-for-parameter
            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
                blueprint.last_applied_hash,
@ -106,7 +106,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discovery()  # pylint: disable=no-value-for-parameter
+            blueprints_discover()  # pylint: disable=no-value-for-parameter
            blueprint.refresh_from_db()
            self.assertEqual(
                blueprint.last_applied_hash,
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -40,10 +40,6 @@ from authentik.lib.models import SerializerModel
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel

-# Context set when the serializer is created in a blueprint context
-# Update website/developer-docs/blueprints/v1/models.md when used
-SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
-

 def is_model_allowed(model: type[Model]) -> bool:
    """Check if model is allowed"""
@ -162,12 +158,7 @@ class Importer:
            raise EntryInvalidError(f"Model {model} not allowed")
        if issubclass(model, BaseMetaModel):
            serializer_class: type[Serializer] = model.serializer()
-            serializer = serializer_class(
-                data=entry.get_attrs(self.__import),
-                context={
-                    SERIALIZER_CONTEXT_BLUEPRINT: entry,
-                },
-            )
+            serializer = serializer_class(data=entry.get_attrs(self.__import))
            try:
                serializer.is_valid(raise_exception=True)
            except ValidationError as exc:
@ -226,12 +217,7 @@ class Importer:
        always_merger.merge(full_data, updated_identifiers)
        serializer_kwargs["data"] = full_data

-        serializer: Serializer = model().serializer(
-            context={
-                SERIALIZER_CONTEXT_BLUEPRINT: entry,
-            },
-            **serializer_kwargs,
-        )
+        serializer: Serializer = model().serializer(**serializer_kwargs)
        try:
            serializer.is_valid(raise_exception=True)
        except ValidationError as exc:
@ -299,7 +285,7 @@ class Importer:
        orig_import = deepcopy(self.__import)
        if self.__import.version != 1:
            self.logger.warning("Invalid blueprint version")
-            return False, [{"event": "Invalid blueprint version"}]
+            return False, []
        with (
            transaction_rollback(),
            capture_logs() as logs,
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -76,7 +76,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
            return
        if isinstance(event, FileCreatedEvent):
            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discovery.delay()
+            blueprints_discover.delay()
        if isinstance(event, FileModifiedEvent):
            path = Path(event.src_path)
            root = Path(CONFIG.y("blueprints_dir")).absolute()
@ -101,10 +101,7 @@ def blueprints_find():
    """Find blueprints and return valid ones"""
    blueprints = []
    root = Path(CONFIG.y("blueprints_dir"))
-    for path in root.rglob("**/*.yaml"):
-        # Check if any part in the path starts with a dot and assume a hidden file
-        if any(part for part in path.parts if part.startswith(".")):
-            continue
+    for path in root.glob("**/*.yaml"):
        LOGGER.debug("found blueprint", path=str(path))
        with open(path, "r", encoding="utf-8") as blueprint_file:
            try:
@ -125,7 +122,7 @@ def blueprints_find():
        )
        blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
        blueprints.append(blueprint)
-        LOGGER.debug(
+        LOGGER.info(
            "parsed & loaded blueprint",
            hash=file_hash,
            path=str(path),
@ -137,7 +134,7 @@ def blueprints_find():
    throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
@prefill_task
-def blueprints_discovery(self: MonitoredTask):
+def blueprints_discover(self: MonitoredTask):
    """Find blueprints and check if they need to be created in the database"""
    count = 0
    for blueprint in blueprints_find():
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -93,6 +93,7 @@ class PropertyMappingViewSet(
                {
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
+                    # pyright: reportGeneralTypeIssues=false
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -25,6 +25,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):

    def get_component(self, obj: Provider) -> str:  # pragma: no cover
        """Get object component so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Provider:
            return ""
        return obj.component
@ -34,7 +35,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
        fields = [
            "pk",
            "name",
-            "authentication_flow",
            "authorization_flow",
            "property_mappings",
            "component",
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -40,6 +40,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):

    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Source:
            return ""
        return obj.component
@ -138,6 +139,7 @@ class SourceViewSet(
                component = subclass.__bases__[0]().component
            else:
                component = subclass().component
+            # pyright: reportGeneralTypeIssues=false
            data.append(
                {
                    "name": subclass._meta.verbose_name,
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -16,7 +16,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.api.decorators import permission_required
 from authentik.blueprints.api import ManagedSerializer
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
@ -30,11 +29,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):

    user_obj = UserSerializer(required=False, source="user", read_only=True)

-    def __init__(self, *args, **kwargs) -> None:
-        super().__init__(*args, **kwargs)
-        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            self.fields["key"] = CharField()
-
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context.get("request")
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -56,6 +56,7 @@ class UsedByMixin:
    # pylint: disable=too-many-locals
    def used_by(self, request: Request, *args, **kwargs) -> Response:
        """Get a list of all objects that use this object"""
+        # pyright: reportGeneralTypeIssues=false
        model: Model = self.get_object()
        used_by = []
        shadows = []
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -211,9 +211,8 @@ class UserMetricsSerializer(PassiveSerializer):
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
-        request = self.context["request"]
        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
@ -224,9 +223,8 @@ class UserMetricsSerializer(PassiveSerializer):
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
-        request = self.context["request"]
        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED, context__username=user.username
            )
            # 3 data points per day, so 8 hour spans
@ -237,9 +235,8 @@ class UserMetricsSerializer(PassiveSerializer):
    def get_authorizations(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
-        request = self.context["request"]
        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
@ -474,9 +471,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    def metrics(self, request: Request, pk: int) -> Response:
        """User metrics per 1h"""
        user: User = self.get_object()
-        serializer = UserMetricsSerializer(instance={})
+        serializer = UserMetricsSerializer(True)
        serializer.context["user"] = user
-        serializer.context["request"] = request
        return Response(serializer.data)

    @permission_required("authentik_core.reset_user_password")
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -11,7 +11,6 @@ class AuthentikCoreConfig(ManagedAppConfig):
    label = "authentik_core"
    verbose_name = "authentik Core"
    mountpoint = ""
-    ws_mountpoint = "authentik.core.urls"
    default = True

    def reconcile_load_core_signals(self):
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -21,14 +21,11 @@ PROPERTY_MAPPING_TIME = Histogram(
 class PropertyMappingEvaluator(BaseEvaluator):
    """Custom Evaluator that adds some different context variables."""

-    dry_run: bool
-
    def __init__(
        self,
        model: Model,
        user: Optional[User] = None,
        request: Optional[HttpRequest] = None,
-        dry_run: Optional[bool] = False,
        **kwargs,
    ):
        if hasattr(model, "name"):
@ -45,13 +42,9 @@ class PropertyMappingEvaluator(BaseEvaluator):
            req.http_request = request
        self._context["request"] = req
        self._context.update(**kwargs)
-        self.dry_run = dry_run

    def handle_error(self, exc: Exception, expression_source: str):
        """Exception Handler"""
-        # For dry-run requests we don't save exceptions
-        if self.dry_run:
-            return
        error_string = exception_to_string(exc)
        event = Event.new(
            EventAction.PROPERTY_MAPPING_EXCEPTION,
--- a/authentik/core/migrations/0027_alter_user_uuid.py
+++ b/authentik/core/migrations/0027_alter_user_uuid.py
@ -1,19 +0,0 @@
-# Generated by Django 4.1.7 on 2023-03-19 21:57
-
-import uuid
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_core", "0026_alter_propertymapping_name_alter_provider_name"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="user",
-            name="uuid",
-            field=models.UUIDField(default=uuid.uuid4, editable=False, unique=True),
-        ),
-    ]
--- a/authentik/core/migrations/0028_provider_authentication_flow.py
+++ b/authentik/core/migrations/0028_provider_authentication_flow.py
@ -1,25 +0,0 @@
-# Generated by Django 4.1.7 on 2023-03-23 21:44
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
-        ("authentik_core", "0027_alter_user_uuid"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="provider",
-            name="authentication_flow",
-            field=models.ForeignKey(
-                help_text="Flow used for authentication when the associated application is accessed by an un-authenticated user.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="provider_authentication",
-                to="authentik_flows.flow",
-            ),
-        ),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -146,7 +146,7 @@ class UserManager(DjangoUserManager):
 class User(SerializerModel, GuardianUserMixin, AbstractUser):
    """Custom User model to allow easier adding of user-based settings"""

-    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
+    uuid = models.UUIDField(default=uuid4, editable=False)
    name = models.TextField(help_text=_("User's display name."))
    path = models.TextField(default="users")

@ -249,17 +249,6 @@ class Provider(SerializerModel):

    name = models.TextField(unique=True)

-    authentication_flow = models.ForeignKey(
-        "authentik_flows.Flow",
-        null=True,
-        on_delete=models.SET_NULL,
-        help_text=_(
-            "Flow used for authentication when the associated application is accessed by an "
-            "un-authenticated user."
-        ),
-        related_name="provider_authentication",
-    )
-
    authorization_flow = models.ForeignKey(
        "authentik_flows.Flow",
        on_delete=models.CASCADE,
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -9,13 +9,16 @@
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
-        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
+        <script src="{% static 'dist/poly.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -1,6 +1,7 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
+{% load i18n %}

 {% block head %}
 <script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
@ -14,6 +15,19 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+        <div class="pf-c-empty-state" style="height: 100vh;">
+            <div class="pf-c-empty-state__content">
+                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans "Loading..." %}
+                </h1>
+            </div>
+        </div>
+    </section>
 </ak-interface-admin>
 {% endblock %}
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -1,6 +1,7 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
+{% load i18n %}

 {% block head_before %}
 {{ block.super }}
@ -30,6 +31,19 @@ window.authentik.flow = {
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor>
-    <ak-loading></ak-loading>
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+        <div class="pf-c-empty-state" style="height: 100vh;">
+            <div class="pf-c-empty-state__content">
+                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans "Loading..." %}
+                </h1>
+            </div>
+        </div>
+    </section>
 </ak-flow-executor>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -1,6 +1,7 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
+{% load i18n %}

 {% block head %}
 <script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
@ -14,6 +15,19 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-user>
-    <ak-loading></ak-loading>
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+        <div class="pf-c-empty-state" style="height: 100vh;">
+            <div class="pf-c-empty-state__content">
+                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
+                    <span class="pf-c-spinner__clipper"></span>
+                    <span class="pf-c-spinner__lead-ball"></span>
+                    <span class="pf-c-spinner__tail-ball"></span>
+                </span>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans "Loading..." %}
+                </h1>
+            </div>
+        </div>
+    </section>
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -43,14 +43,14 @@ class TestApplicationsAPI(APITestCase):
        self.assertEqual(
            self.client.patch(
                reverse("authentik_api:application-detail", kwargs={"slug": self.allowed.slug}),
-                {"meta_launch_url": "https://%(username)s-test.test.goauthentik.io/%(username)s"},
+                {"meta_launch_url": "https://%(username)s.test.goauthentik.io/%(username)s"},
            ).status_code,
            200,
        )
        self.allowed.refresh_from_db()
        self.assertEqual(
            self.allowed.get_launch_url(self.user),
-            f"https://{self.user.username}-test.test.goauthentik.io/{self.user.username}",
+            f"https://{self.user.username}.test.goauthentik.io/{self.user.username}",
        )

    def test_set_icon(self):
@ -129,7 +129,6 @@ class TestApplicationsAPI(APITestCase):
                        "provider_obj": {
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
-                            "authentication_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@ -179,7 +178,6 @@ class TestApplicationsAPI(APITestCase):
                        "provider_obj": {
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
-                            "authentication_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
--- a/authentik/core/tests/test_property_mapping.py
+++ b/authentik/core/tests/test_property_mapping.py
@ -4,10 +4,7 @@ from guardian.shortcuts import get_anonymous_user

 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.models import PropertyMapping
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
-from authentik.lib.generators import generate_id
-from authentik.policies.expression.models import ExpressionPolicy


 class TestPropertyMappings(TestCase):
@ -15,24 +12,23 @@ class TestPropertyMappings(TestCase):

    def setUp(self) -> None:
        super().setUp()
-        self.user = create_test_admin_user()
        self.factory = RequestFactory()

    def test_expression(self):
        """Test expression"""
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression="return 'test'")
+        mapping = PropertyMapping.objects.create(name="test", expression="return 'test'")
        self.assertEqual(mapping.evaluate(None, None), "test")

    def test_expression_syntax(self):
        """Test expression syntax error"""
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression="-")
+        mapping = PropertyMapping.objects.create(name="test", expression="-")
        with self.assertRaises(PropertyMappingExpressionException):
            mapping.evaluate(None, None)

    def test_expression_error_general(self):
        """Test expression error"""
        expr = "return aaa"
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
+        mapping = PropertyMapping.objects.create(name="test", expression=expr)
        with self.assertRaises(PropertyMappingExpressionException):
            mapping.evaluate(None, None)
        events = Event.objects.filter(
@ -45,7 +41,7 @@ class TestPropertyMappings(TestCase):
        """Test expression error (with user and http request"""
        expr = "return aaa"
        request = self.factory.get("/")
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
+        mapping = PropertyMapping.objects.create(name="test", expression=expr)
        with self.assertRaises(PropertyMappingExpressionException):
            mapping.evaluate(get_anonymous_user(), request)
        events = Event.objects.filter(
@ -56,23 +52,3 @@ class TestPropertyMappings(TestCase):
        event = events.first()
        self.assertEqual(event.user["username"], "AnonymousUser")
        self.assertEqual(event.client_ip, "127.0.0.1")
-
-    def test_call_policy(self):
-        """test ak_call_policy"""
-        expr = ExpressionPolicy.objects.create(
-            name=generate_id(),
-            execution_logging=True,
-            expression="return request.http_request.path",
-        )
-        http_request = self.factory.get("/")
-        tmpl = (
-            """
-        res = ak_call_policy('%s')
-        result = [request.http_request.path, res.raw_result]
-        return result
-        """
-            % expr.name
-        )
-        evaluator = PropertyMapping(expression=tmpl, name=generate_id())
-        res = evaluator.evaluate(self.user, http_request)
-        self.assertEqual(res, ["/", "/"])
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@ -27,6 +27,6 @@ class UserSettingSerializer(PassiveSerializer):

    object_uid = CharField()
    component = CharField()
-    title = CharField(required=True)
+    title = CharField()
    configure_url = CharField(required=False)
    icon_url = CharField(required=False)
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -1,6 +1,4 @@
 """authentik URL Configuration"""
-from channels.auth import AuthMiddleware
-from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
@ -11,9 +9,6 @@ from authentik.core.views import apps, impersonate
 from authentik.core.views.debug import AccessDeniedView
 from authentik.core.views.interface import FlowInterfaceView, InterfaceView
 from authentik.core.views.session import EndSessionView
-from authentik.root.asgi_middleware import SessionMiddleware
-from authentik.root.messages.consumer import MessageConsumer
-from authentik.root.middleware import ChannelsLoggingMiddleware

 urlpatterns = [
    path(
@ -69,15 +64,6 @@ urlpatterns = [
    ),
 ]

-websocket_urlpatterns = [
-    path(
-        "ws/client/",
-        ChannelsLoggingMiddleware(
-            CookieMiddleware(SessionMiddleware(AuthMiddleware(MessageConsumer.as_asgi())))
-        ),
-    ),
-]
-
 if settings.DEBUG:
    urlpatterns += [
        path("debug/policy/deny/", AccessDeniedView.as_view(), name="debug-policy-deny"),
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -12,19 +12,16 @@ from authentik.flows.challenge import (
    RedirectChallenge,
 )
 from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.models import FlowDesignation, in_memory_stage
+from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import (
-    SESSION_KEY_APPLICATION_PRE,
-    SESSION_KEY_PLAN,
-    ToDefaultFlow,
-)
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_HEADER,
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
 )
+from authentik.tenants.models import Tenant


 class RedirectToAppLaunch(View):
@ -39,10 +36,10 @@ class RedirectToAppLaunch(View):
        # Check if we're authenticated already, saves us the flow run
        if request.user.is_authenticated:
            return HttpResponseRedirect(app.get_launch_url(request.user))
-        self.request.session[SESSION_KEY_APPLICATION_PRE] = app
        # otherwise, do a custom flow plan that includes the application that's
        # being accessed, to improve usability
-        flow = ToDefaultFlow(request=request, designation=FlowDesignation.AUTHENTICATION).get_flow()
+        tenant: Tenant = request.tenant
+        flow = tenant.flow_authentication
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        try:
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -160,7 +160,6 @@ class CertificateKeyPairSerializer(ModelSerializer):
            "managed",
        ]
        extra_kwargs = {
-            "managed": {"read_only": True},
            "key_data": {"write_only": True},
            "certificate_data": {"write_only": True},
        }
--- a/authentik/crypto/migrations/0002_create_self_signed_kp.py
+++ b/authentik/crypto/migrations/0002_create_self_signed_kp.py
@ -2,6 +2,8 @@

 from django.db import migrations

+from authentik.lib.generators import generate_id
+

 class Migration(migrations.Migration):
    dependencies = [
--- a/authentik/crypto/migrations/0004_alter_certificatekeypair_name.py
+++ b/authentik/crypto/migrations/0004_alter_certificatekeypair_name.py
@ -1,20 +0,0 @@
-# Generated by Django 4.1.7 on 2023-04-28 10:49
-
-from django.db import migrations, models
-
-from authentik.lib.migrations import fallback_names
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_crypto", "0003_certificatekeypair_managed"),
-    ]
-
-    operations = [
-        migrations.RunPython(fallback_names("authentik_crypto", "certificatekeypair", "name")),
-        migrations.AlterField(
-            model_name="certificatekeypair",
-            name="name",
-            field=models.TextField(unique=True),
-        ),
-    ]
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -26,7 +26,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):

    kp_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

-    name = models.TextField(unique=True)
+    name = models.TextField()
    certificate_data = models.TextField(help_text=_("PEM-encoded Certificate data"))
    key_data = models.TextField(
        help_text=_(
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -37,22 +37,20 @@ class TestCrypto(APITestCase):
        keypair = create_test_cert()
        self.assertTrue(
            CertificateKeyPairSerializer(
-                instance=keypair,
                data={
                    "name": keypair.name,
                    "certificate_data": keypair.certificate_data,
                    "key_data": keypair.key_data,
-                },
+                }
            ).is_valid()
        )
        self.assertFalse(
            CertificateKeyPairSerializer(
-                instance=keypair,
                data={
                    "name": keypair.name,
                    "certificate_data": "test",
                    "key_data": "test",
-                },
+                }
            ).is_valid()
        )

@ -248,6 +246,7 @@ class TestCrypto(APITestCase):
            with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
                _key.write(builder.private_key)
            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                # pyright: reportGeneralTypeIssues=false
                certificate_discovery()  # pylint: disable=no-value-for-parameter
        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
            managed=MANAGED_DISCOVERED % "foo"
--- a/authentik/enterprise/LICENSE
+++ b/authentik/enterprise/LICENSE
@ -1,45 +0,0 @@
-The authentik Enterprise Edition (EE) license (the “EE License”)
-Copyright (c) 2022-present Authentik Security Inc.
-
-With regard to the authentik Software:
-
-This software and associated documentation files (the "Software") may only be
-used in production, if you (and any entity that you represent) have agreed to,
-and are in compliance with, the Authentik Subscription Terms of Service, available
-at https://goauthentik.io/legal/terms (the "EE Terms"), or other
-agreement governing the use of the Software, as agreed by you and authentik Security Inc,
-and otherwise have a valid authentik Enterprise Edition subscription for the
-correct number of user seats. Subject to the foregoing sentence, you are free to
-modify this Software and publish patches to the Software. You agree that Authentik
-Security Inc. and/or its licensors (as applicable) retain all right, title and interest
-in and to all such modifications and/or patches, and all such modifications and/or
-patches may only be used, copied, modified, displayed, distributed, or otherwise
-exploited with a valid authentik Enterprise Edition subscription for the  correct
-number of user seats.  Notwithstanding the foregoing, you may copy and modify
-the Software for development and testing purposes, without requiring a
-subscription.  You agree that Authentik Security Inc. and/or its
-licensors (as applicable) retain all right, title and interest in
-and to all such modifications.  You are not granted any other rights
-beyond what is expressly stated herein.  Subject to the
-foregoing, it is forbidden to copy, merge, publish, distribute, sublicense,
-and/or sell the Software.
-
-This EE License applies only to the part of this Software that is not
-distributed as part of authentik Open Source (OSS). Any part of this Software
-distributed as part of authentik OSS or is served client-side as an image, font,
-cascading stylesheet (CSS), file which produces or is compiled, arranged,
-augmented, or combined into client-side JavaScript, in whole or in part, is
-copyrighted under the MIT license. The full text of this EE License shall
-be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-For all third party components incorporated into the authentik Software, those
-components are licensed under the original license provided by the owner of the
-applicable component.
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@ -1,11 +0,0 @@
-"""Enterprise app config"""
-from authentik.blueprints.apps import ManagedAppConfig
-
-
-class AuthentikEnterpriseConfig(ManagedAppConfig):
-    """Enterprise app config"""
-
-    name = "authentik.enterprise"
-    label = "authentik_enterprise"
-    verbose_name = "authentik Enterprise"
-    default = True
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -1 +0,0 @@
-"""Enterprise additional settings"""
--- a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
+++ b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@ -11,6 +11,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.events.models
 import authentik.lib.models
+from authentik.events.models import EventAction, NotificationSeverity, TransportMode
 from authentik.lib.migrations import progress_bar


--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -214,18 +214,11 @@ class Event(SerializerModel, ExpiringModel):
        Events independently from requests.
        `user` arguments optionally overrides user from requests."""
        if request:
-            from authentik.flows.views.executor import QS_QUERY
-
            self.context["http_request"] = {
                "path": request.path,
                "method": request.method,
-                "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
+                "args": QueryDict(request.META.get("QUERY_STRING", "")),
            }
-            # Special case for events created during flow execution
-            # since they keep the http query within a wrapped query
-            if QS_QUERY in self.context["http_request"]["args"]:
-                wrapped = self.context["http_request"]["args"][QS_QUERY]
-                self.context["http_request"]["args"] = cleanse_dict(QueryDict(wrapped))
        if hasattr(request, "tenant"):
            tenant: Tenant = request.tenant
            # Because self.created only gets set on save, we can't use it's value here
@ -453,6 +446,7 @@ class NotificationTransport(SerializerModel):
        try:
            from authentik.stages.email.tasks import send_mail

+            # pyright: reportGeneralTypeIssues=false
            return send_mail(mail.__dict__)  # pylint: disable=no-value-for-parameter
        except (SMTPException, ConnectionError, OSError) as exc:
            raise NotificationTransportError(exc) from exc
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -41,7 +41,7 @@ class TaskResult:

    def with_error(self, exc: Exception) -> "TaskResult":
        """Since errors might not always be pickle-able, set the traceback"""
-        self.messages.append(exception_to_string(exc))
+        self.messages.append(str(exc))
        return self


--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -57,6 +57,10 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
            LOGGER.debug("e(trigger): attempting to prevent infinite loop", trigger=trigger)
            return

+    if not trigger.group:
+        LOGGER.debug("e(trigger): trigger has no group", trigger=trigger)
+        return
+
    LOGGER.debug("e(trigger): checking if trigger applies", trigger=trigger)
    try:
        user = User.objects.filter(pk=event.user.get("pk")).first() or get_anonymous_user()
@ -73,10 +77,6 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
    if not result.passing:
        return

-    if not trigger.group:
-        LOGGER.debug("e(trigger): trigger has no group", trigger=trigger)
-        return
-
    LOGGER.debug("e(trigger): event trigger matched", trigger=trigger)
    # Create the notification objects
    for transport in trigger.transports.all():
--- a/authentik/events/tests/test_event.py
+++ b/authentik/events/tests/test_event.py
@ -1,25 +1,17 @@
 """event tests"""
-from urllib.parse import urlencode

 from django.contrib.contenttypes.models import ContentType
-from django.test import RequestFactory, TestCase
-from django.views.debug import SafeExceptionReporterFilter
+from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Group
 from authentik.events.models import Event
-from authentik.flows.views.executor import QS_QUERY
-from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
-from authentik.tenants.models import Tenant


 class TestEvents(TestCase):
    """Test Event"""

-    def setUp(self) -> None:
-        self.factory = RequestFactory()
-
    def test_new_with_model(self):
        """Create a new Event passing a model as kwarg"""
        test_model = Group.objects.create(name="test")
@ -48,58 +40,3 @@ class TestEvents(TestCase):
        model_content_type = ContentType.objects.get_for_model(temp_model)
        self.assertEqual(event.context.get("model").get("app"), model_content_type.app_label)
        self.assertEqual(event.context.get("model").get("pk"), temp_model.pk.hex)
-
-    def test_from_http_basic(self):
-        """Test plain from_http"""
-        event = Event.new("unittest").from_http(self.factory.get("/"))
-        self.assertEqual(
-            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
-        )
-
-    def test_from_http_clean_querystring(self):
-        """Test cleansing query string"""
-        request = self.factory.get(f"/?token={generate_id()}")
-        event = Event.new("unittest").from_http(request)
-        self.assertEqual(
-            event.context,
-            {
-                "http_request": {
-                    "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
-                    "method": "GET",
-                    "path": "/",
-                }
-            },
-        )
-
-    def test_from_http_clean_querystring_flow(self):
-        """Test cleansing query string (nested query string like flow executor)"""
-        nested_qs = {"token": generate_id()}
-        request = self.factory.get(f"/?{QS_QUERY}={urlencode(nested_qs)}")
-        event = Event.new("unittest").from_http(request)
-        self.assertEqual(
-            event.context,
-            {
-                "http_request": {
-                    "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
-                    "method": "GET",
-                    "path": "/",
-                }
-            },
-        )
-
-    def test_from_http_tenant(self):
-        """Test from_http tenant"""
-        # Test tenant
-        request = self.factory.get("/")
-        tenant = Tenant(domain="test-tenant")
-        setattr(request, "tenant", tenant)
-        event = Event.new("unittest").from_http(request)
-        self.assertEqual(
-            event.tenant,
-            {
-                "app": "authentik_tenants",
-                "model_name": "tenant",
-                "name": "Tenant test-tenant",
-                "pk": tenant.pk.hex,
-            },
-        )
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -27,6 +27,7 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):

    def get_component(self, obj: Stage) -> str:
        """Get object type so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Stage:
            return ""
        return obj.component
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -182,4 +182,5 @@ class HttpChallengeResponse(JsonResponse):
    """Subclass of JsonResponse that uses the `DataclassEncoder`"""

    def __init__(self, challenge, **kwargs) -> None:
+        # pyright: reportGeneralTypeIssues=false
        super().__init__(challenge.data, encoder=DataclassEncoder, **kwargs)
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -271,15 +271,6 @@ class ConfigurableStage(models.Model):
        abstract = True


-class FriendlyNamedStage(models.Model):
-    """Abstract base class for a Stage that can have a user friendly name configured."""
-
-    friendly_name = models.TextField(null=True)
-
-    class Meta:
-        abstract = True
-
-
 class FlowToken(Token):
    """Subclass of a standard Token, stores the currently active flow plan upon creation.
    Can be used to later resume a flow."""
--- a/authentik/flows/tests/test_views_helper.py
+++ b/authentik/flows/tests/test_views_helper.py
@ -2,13 +2,10 @@
 from django.test import TestCase
 from django.urls import reverse

-from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_PLAN
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.flows.views.executor import SESSION_KEY_PLAN


 class TestHelperView(TestCase):
@ -25,41 +22,6 @@ class TestHelperView(TestCase):
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, expected_url)

-    def test_default_view_app(self):
-        """Test that ToDefaultFlow returns the expected URL (when accessing an application)"""
-        Flow.objects.filter(designation=FlowDesignation.AUTHENTICATION).delete()
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.client.session[SESSION_KEY_APPLICATION_PRE] = Application(
-            name=generate_id(),
-            slug=generate_id(),
-            provider=OAuth2Provider(
-                name=generate_id(),
-                authentication_flow=flow,
-            ),
-        )
-        response = self.client.get(
-            reverse("authentik_flows:default-authentication"),
-        )
-        expected_url = reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, expected_url)
-
-    def test_default_view_app_no_provider(self):
-        """Test that ToDefaultFlow returns the expected URL
-        (when accessing an application, without a provider)"""
-        Flow.objects.filter(designation=FlowDesignation.AUTHENTICATION).delete()
-        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-        self.client.session[SESSION_KEY_APPLICATION_PRE] = Application(
-            name=generate_id(),
-            slug=generate_id(),
-        )
-        response = self.client.get(
-            reverse("authentik_flows:default-authentication"),
-        )
-        expected_url = reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, expected_url)
-
    def test_default_view_invalid_plan(self):
        """Test that ToDefaultFlow returns the expected URL (with an invalid plan)"""
        Flow.objects.filter(designation=FlowDesignation.INVALIDATION).delete()
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -22,7 +22,6 @@ from sentry_sdk.api import set_tag
 from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.core.models import Application
 from authentik.events.models import Event, EventAction, cleanse_dict
 from authentik.flows.challenge import (
    Challenge,
@ -69,7 +68,6 @@ SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
 QS_KEY_TOKEN = "flow_token"  # nosec
-QS_QUERY = "query"


 def challenge_types():
@ -174,7 +172,7 @@ class FlowExecutorView(APIView):
            op="authentik.flow.executor.dispatch", description=self.flow.slug
        ) as span:
            span.set_data("authentik Flow", self.flow.slug)
-            get_params = QueryDict(request.GET.get(QS_QUERY, ""))
+            get_params = QueryDict(request.GET.get("query", ""))
            if QS_KEY_TOKEN in get_params:
                plan = self._check_flow_token(get_params[QS_KEY_TOKEN])
                if plan:
@ -477,32 +475,20 @@ class ToDefaultFlow(View):
        LOGGER.debug("flow_by_policy: no flow found", filters=flow_filter)
        return None

-    def get_flow(self) -> Flow:
-        """Get a flow for the selected designation"""
-        tenant: Tenant = self.request.tenant
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        tenant: Tenant = request.tenant
        flow = None
        # First, attempt to get default flow from tenant
        if self.designation == FlowDesignation.AUTHENTICATION:
            flow = tenant.flow_authentication
-            # Check if we have a default flow from application
-            application: Optional[Application] = self.request.session.get(
-                SESSION_KEY_APPLICATION_PRE
-            )
-            if application and application.provider and application.provider.authentication_flow:
-                flow = application.provider.authentication_flow
-        elif self.designation == FlowDesignation.INVALIDATION:
+        if self.designation == FlowDesignation.INVALIDATION:
            flow = tenant.flow_invalidation
-        if flow:
-            return flow
        # If no flow was set, get the first based on slug and policy
-        flow = self.flow_by_policy(self.request, designation=self.designation)
-        if flow:
-            return flow
+        if not flow:
+            flow = self.flow_by_policy(request, designation=self.designation)
        # If we still don't have a flow, 404
-        raise Http404
-
-    def dispatch(self, request: HttpRequest) -> HttpResponse:
-        flow = self.get_flow()
+        if not flow:
+            raise Http404
        # If user already has a pending plan, clear it so we don't have to later.
        if SESSION_KEY_PLAN in self.request.session:
            plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -177,6 +177,7 @@ class ConfigLoader:
        # Walk each component of the path
        path_parts = path.split(sep)
        for comp in path_parts[:-1]:
+            # pyright: reportGeneralTypeIssues=false
            if comp not in root:
                root[comp] = {}
            root = root.get(comp, {})
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -8,7 +8,6 @@ from typing import Any, Iterable, Optional
 from cachetools import TLRUCache, cached
 from django.core.exceptions import FieldError
 from django_otp import devices_for_user
-from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
@ -17,9 +16,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.events.models import Event
 from authentik.lib.utils.http import get_http_session
-from authentik.policies.models import Policy, PolicyBinding
-from authentik.policies.process import PolicyProcess
-from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.policies.types import PolicyRequest

 LOGGER = get_logger()

@ -40,20 +37,19 @@ class BaseEvaluator:
        # update website/docs/expressions/_objects.md
        # update website/docs/expressions/_functions.md
        self._globals = {
-            "ak_call_policy": self.expr_func_call_policy,
-            "ak_create_event": self.expr_event_create,
-            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
-            "ak_logger": get_logger(self._filename).bind(),
-            "ak_user_by": BaseEvaluator.expr_user_by,
-            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
-            "ip_address": ip_address,
-            "ip_network": ip_network,
-            "list_flatten": BaseEvaluator.expr_flatten,
            "regex_match": BaseEvaluator.expr_regex_match,
            "regex_replace": BaseEvaluator.expr_regex_replace,
-            "requests": get_http_session(),
+            "list_flatten": BaseEvaluator.expr_flatten,
+            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
+            "ak_user_by": BaseEvaluator.expr_user_by,
+            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
            "resolve_dns": BaseEvaluator.expr_resolve_dns,
            "reverse_dns": BaseEvaluator.expr_reverse_dns,
+            "ak_create_event": self.expr_event_create,
+            "ak_logger": get_logger(self._filename).bind(),
+            "requests": get_http_session(),
+            "ip_address": ip_address,
+            "ip_network": ip_network,
        }
        self._context = {}

@ -156,19 +152,6 @@ class BaseEvaluator:
                return
        event.save()

-    def expr_func_call_policy(self, name: str, **kwargs) -> PolicyResult:
-        """Call policy by name, with current request"""
-        policy = Policy.objects.filter(name=name).select_subclasses().first()
-        if not policy:
-            raise ValueError(f"Policy '{name}' not found.")
-        user = self._context.get("user", get_anonymous_user())
-        req = PolicyRequest(user)
-        if "request" in self._context:
-            req = self._context["request"]
-        req.context.update(kwargs)
-        proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
-        return proc.profiling_wrapper()
-
    def wrap_expression(self, expression: str, params: Iterable[str]) -> str:
        """Wrap expression in a function, call it, and save the result as `result`"""
        handler_signature = ",".join(params)
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@ -81,8 +81,7 @@ class DomainlessFormattedURLValidator(DomainlessURLValidator):

    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
-        self.formatter_re = r"([%\(\)a-zA-Z])*"
-        self.host_re = "(" + self.formatter_re + self.hostname_re + self.domain_re + "|localhost)"
+        self.host_re = r"([%\(\)a-zA-Z])+" + self.domain_re + self.domain_re
        self.regex = _lazy_re_compile(
            r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
            r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -19,12 +19,9 @@ from rest_framework.exceptions import APIException
 from sentry_sdk import HttpTransport
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
-from sentry_sdk.integrations.argv import ArgvIntegration
 from sentry_sdk.integrations.celery import CeleryIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
-from sentry_sdk.integrations.socket import SocketIntegration
-from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException
@ -64,13 +61,10 @@ def sentry_init(**sentry_init_kwargs):
    sentry_sdk_init(
        dsn=CONFIG.y("error_reporting.sentry_dsn"),
        integrations=[
-            ArgvIntegration(),
-            StdlibIntegration(),
            DjangoIntegration(transaction_style="function_name"),
            CeleryIntegration(),
            RedisIntegration(),
            ThreadingIntegration(propagate_hub=True),
-            SocketIntegration(),
        ],
        before_send=before_send,
        traces_sampler=traces_sampler,
--- a/authentik/lib/tests/utils.py
+++ b/authentik/lib/tests/utils.py
@ -1,7 +1,4 @@
 """Test utils"""
-from inspect import currentframe
-from pathlib import Path
-
 from django.contrib.messages.middleware import MessageMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpRequest
@ -14,21 +11,6 @@ def dummy_get_response(request: HttpRequest):  # pragma: no cover
    return None


-def load_fixture(path: str, **kwargs) -> str:
-    """Load fixture, optionally formatting it with kwargs"""
-    current = currentframe()
-    parent = current.f_back
-    calling_file_path = parent.f_globals["__file__"]
-    with open(
-        Path(calling_file_path).resolve().parent / Path(path), "r", encoding="utf-8"
-    ) as _fixture:
-        fixture = _fixture.read()
-        try:
-            return fixture % kwargs
-        except TypeError:
-            return fixture
-
-
 def get_request(*args, user=None, **kwargs):
    """Get a request with usable session"""
    request = RequestFactory().get(*args, **kwargs)
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -38,17 +38,13 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    if OUTPOST_REMOTE_IP_HEADER not in request.META or OUTPOST_TOKEN_HEADER not in request.META:
        return None
    fake_ip = request.META[OUTPOST_REMOTE_IP_HEADER]
-    token = (
-        Token.filter_not_expired(
-            key=request.META.get(OUTPOST_TOKEN_HEADER), intent=TokenIntents.INTENT_API
-        )
-        .select_related("user")
-        .first()
+    tokens = Token.filter_not_expired(
+        key=request.META.get(OUTPOST_TOKEN_HEADER), intent=TokenIntents.INTENT_API
    )
-    if not token:
+    if not tokens.exists():
        LOGGER.warning("Attempted remote-ip override without token", fake_ip=fake_ip)
        return None
-    user = token.user
+    user = tokens.first().user
    if not user.group_attributes(request).get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
        LOGGER.warning(
            "Remote-IP override: user doesn't have permission",
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -28,7 +28,6 @@ from authentik.outposts.models import (
 )
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
-from authentik.providers.radius.models import RadiusProvider


 class OutpostSerializer(ModelSerializer):
@ -52,7 +51,6 @@ class OutpostSerializer(ModelSerializer):
        type_map = {
            OutpostType.LDAP: LDAPProvider,
            OutpostType.PROXY: ProxyProvider,
-            OutpostType.RADIUS: RadiusProvider,
            None: Provider,
        }
        for provider in providers:
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -31,6 +31,7 @@ class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):

    def get_component(self, obj: OutpostServiceConnection) -> str:
        """Get object type so that we know how to edit the object"""
+        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == OutpostServiceConnection:
            return ""
        return obj.component
@ -76,6 +77,7 @@ class ServiceConnectionViewSet(
        data = []
        for subclass in all_subclasses(self.queryset.model):
            subclass: OutpostServiceConnection
+            # pyright: reportGeneralTypeIssues=false
            data.append(
                {
                    "name": subclass._meta.verbose_name,
--- a/Show More
+++ b/Show More